tomcat-dev mailing list archives

From Patrick Luby <patrick.l...@sun.com>
Subject Re: [PATCH] Fix for bug when running with -security option
Date Sun, 14 Oct 2001 19:51:04 GMT
Glenn,

Remy posted a different patch to WebappClassLoader (version 1.21) that
fixes the problem that I was having without having to grant explicit
access to the URL InputStreams.

Since Remy's patch fixes the problem, my proposed patch is no longer
necessary and can be ignored.

Thanks,

Patrick

Glenn Nielsen wrote:
> 
> -1 This patch opens a security hole in the Java SecurityManager security model.
> 
> The WebappClassLoader has to be able to load and cache resources, but granting
> access to the resource as an InputStream should require that the codeBase
> requesting the resource have the appropriate SecurityPermission granted to it
> in the catalina.policy file.
> 
> What AccessControlException were you getting?
> 
> Regards,
> 
> Glenn
> 
> Patrick Luby wrote:
> >
> > All,
> >
> > Attached are patches to the following 2 files. If they are OK, these 2
> > patches should be applied to both the HEAD and tomcat_40_branch branches:
> >
> > jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/startup/Bootstrap.java
> > jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java
> >
> > Basically, these patches fix a bug in
> > WebappClassLoader.getResourceAsStream() where, when Tomcat is run with the
> > -security option, a URL object is loaded into the resource cache using a
> > PrivilegedAction subclass and then the InputStream of that URL object is
> > opened without using a PrivilegedAction. This bug causes certain resource
> > files that are supposed to be accessible to a webapp to not be accessible.
> >
> > Thanks to Remy for showing the patch needed to Bootstrap.java.
> >
> > Patrick
> >
> > [Attachment: Bootstrap.java.patch (text/plain, 7bit)]
> > [Attachment: WebappClassLoader.java.patch (text/plain, 7bit)]
> 
> --
> ----------------------------------------------------------------------
> Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
> MOREnet System Programming               |  * if iz ina coment.      |
> Missouri Research and Education Network  |  */                       |
> ----------------------------------------------------------------------
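
The point Glenn makes above (that wrapping the stream open in a PrivilegedAction lets the loader's own grant stand in for the calling webapp's) can be demonstrated outside Tomcat. The program below is an added example written for this page; it is not Tomcat code, not Patrick's patch and not Remy's WebappClassLoader 1.21 change, and it makes no claim about what either patch contains. The class and method names (PrivilegedResourceDemo, findResourceUrl, openUnprivileged, openPrivileged, runAsWebapp) are hypothetical, the resource file is a constructed temp file, and the "webapp" is simulated with a ProtectionDomain carrying only the permissions listed in the policy. It assumes a JDK on which a SecurityManager can still be installed (JDK 8 to 17 as-is; JDK 18 to 23 with -Djava.security.manager=allow).

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.FilePermission;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;

/** Hypothetical demo; models the loader/webapp split, not Tomcat's actual classes. */
public class PrivilegedResourceDemo {

    /** Stand-in for the loader's resource-cache lookup: the URL itself is found privileged. */
    static URL findResourceUrl(Path file) {
        return AccessController.doPrivileged((PrivilegedAction<URL>) () -> {
            try {
                return file.toUri().toURL();
            } catch (IOException e) {
                throw new IllegalStateException(e);
            }
        });
    }

    /** The pattern the bug report describes: URL found privileged, stream opened unprivileged,
     *  so the FilePermission check for the open lands on the calling webapp's domain. */
    static InputStream openUnprivileged(Path file) throws IOException {
        URL url = findResourceUrl(file);
        return url.openStream();
    }

    /** The pattern the -1 objects to: the loader's own privileges cover the open as well,
     *  so the caller's domain is never consulted. */
    static InputStream openPrivileged(Path file) throws IOException {
        URL url = findResourceUrl(file);
        try {
            return AccessController.doPrivileged(
                    (PrivilegedExceptionAction<InputStream>) url::openStream);
        } catch (PrivilegedActionException e) {
            throw (IOException) e.getException();
        }
    }

    /** Runs task as if called from webapp code whose ProtectionDomain holds only `granted`. */
    static String runAsWebapp(Permissions granted, PrivilegedExceptionAction<InputStream> task) {
        AccessControlContext webapp = new AccessControlContext(
                new ProtectionDomain[] { new ProtectionDomain(null, granted) });
        try (InputStream in = AccessController.doPrivileged(task, webapp)) {
            return "allowed, first byte = " + (char) in.read();
        } catch (AccessControlException e) {
            // This is the exception Glenn asks about: the check failed against the webapp domain.
            return "denied: " + e.getPermission();
        } catch (PrivilegedActionException | IOException e) {
            return "failed: " + e;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample resource; stands in for a webapp resource file.
        Path file = Files.createTempFile("demo-resource", ".properties");
        Files.write(file, "key=value\n".getBytes("UTF-8"));
        file.toFile().deleteOnExit();

        // Grant this demo's own code everything, the way catalina.policy grants the container.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return true;
            }
        });
        System.setSecurityManager(new SecurityManager());

        Permissions none = new Permissions();
        Permissions readGranted = new Permissions();
        readGranted.add(new FilePermission(file.toString(), "read"));

        System.out.println("unprivileged open, no grant   : " + runAsWebapp(none, () -> openUnprivileged(file)));
        System.out.println("unprivileged open, read grant : " + runAsWebapp(readGranted, () -> openUnprivileged(file)));
        System.out.println("privileged open, no grant     : " + runAsWebapp(none, () -> openPrivileged(file)));
    }
}
```

Compile and run it with javac/java. The first call is refused with an AccessControlException for the FilePermission, because the stack walk stops at the doPrivileged frame carrying the webapp context and that domain has no read grant. The second succeeds because the webapp domain now holds the FilePermission, which is the arrangement Glenn describes: the codeBase requesting the resource gets the grant in the policy file. The third succeeds even with no grant at all, because the nested doPrivileged inside openPrivileged cuts the walk short before the webapp context is reached; that is the hole the -1 refers to, since any code able to call the loader then reads whatever the loader itself may read.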
