Message-ID: <3BC5FD5B.9F177314@sun.com>
Date: Thu, 11 Oct 2001 13:13:15 -0700
From: Patrick Luby
Organization: Sun Microsystems
To: tomcat-dev@jakarta.apache.org
Subject: [PATCH] Fix for bug when running with -security option

All,

Attached are patches to the following 2 files. If they are OK, these 2 patches should be applied to both the HEAD and tomcat_40_branch branches:

  jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/startup/Bootstrap.java
  jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java

Basically, these patches fix a bug in WebappClassLoader.getResourceAsStream() where, when Tomcat is run with the -security option, a URL object is loaded into the resource cache using a PrivilegedAction subclass and then the InputStream of that URL object is opened without using a PrivilegedAction. This bug causes certain resource files that are supposed to be accessible to a webapp to not be accessible.

Thanks to Remy for showing the patch needed to Bootstrap.java.

Patrick

--------------B0C299C9366FEB69BBDB2040 Content-Type: text/plain; charset=us-ascii; name="Bootstrap.java.patch" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="Bootstrap.java.patch" Index: Bootstrap.java =================================================================== RCS file: /home/cvspublic/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/startup/Bootstrap.java,v retrieving revision 1.29 diff -u -r1.29 Bootstrap.java --- Bootstrap.java 2001/10/03 21:39:12 1.29 +++ Bootstrap.java 2001/10/11 20:06:31 
@@ -201,6 +201,9 @@ (basePackage + "loader.WebappClassLoader$PrivilegedFindResource"); catalinaLoader.loadClass + (basePackage + + "loader.WebappClassLoader$PrivilegedOpenStream"); + catalinaLoader.loadClass (basePackage + "session.StandardSession"); catalinaLoader.loadClass (basePackage + "util.CookieTools"); --------------B0C299C9366FEB69BBDB2040 Content-Type: text/plain; charset=us-ascii; name="WebappClassLoader.java.patch" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="WebappClassLoader.java.patch" Index: WebappClassLoader.java =================================================================== RCS file: /home/cvspublic/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java,v retrieving revision 1.20 diff -u -r1.20 WebappClassLoader.java --- WebappClassLoader.java 2001/10/04 18:23:28 1.20 +++ WebappClassLoader.java 2001/10/11 20:07:34 @@ -147,7 +147,26 @@ } + protected class PrivilegedOpenStream + implements PrivilegedAction { + private URL url; + + PrivilegedOpenStream(URL url) { + this.url = url; + } + + public Object run() { + try { + return (url.openStream()); + } catch (IOException e) { + log("url.openStream(" + url.toString() + ")", e); + return (null); + } + } + + } + // ----------------------------------------------------------- Constructors @@ -1113,11 +1132,17 @@ // FIXME - cache??? if (debug >= 2) log(" --> Returning stream from local"); - try { - return (url.openStream()); - } catch (IOException e) { - log("url.openStream(" + url.toString() + ")", e); - return (null); + if (securityManager != null) { + PrivilegedAction dp = + new PrivilegedOpenStream(url); + return ((InputStream)AccessController.doPrivileged(dp)); + } else { + try { + return (url.openStream()); + } catch (IOException e) { + log("url.openStream(" + url.toString() + ")", e); + return (null); + } } } --------------B0C299C9366FEB69BBDB2040--
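
Review bot: In the Bootstrap.java hunk (@@ -201,6 +201,9 @@), the new preload entry names the inner class by string, "loader.WebappClassLoader$PrivilegedOpenStream", so it must stay in step with the class added in WebappClassLoader.java, and nothing in the visible lines says why the class is listed. A short comment above these loadClass calls, stating that each PrivilegedAction inner class of WebappClassLoader (PrivilegedFindResource just above, and now PrivilegedOpenStream) needs an entry here for -security runs, would keep the next such class from being missed.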
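
Review bot: In the first WebappClassLoader.java hunk (@@ -147,7 +147,26 @@), PrivilegedOpenStream is declared "protected class" with a non-final "private URL url" field, although run() opens whatever URL it was constructed with and is meant to be executed inside a privileged block. The only use in this patch is in the second hunk of the same file, so consider narrowing the class to private (the package-private constructor suggests narrow use was intended), marking url final, and adding a Javadoc comment saying the action must only be given URLs this loader resolved itself. run() also returns null on IOException, so the caller can tell a failed open from a missing resource only through the log; that matches the non-privileged path, but it is worth stating in the comment.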
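
Review bot: In the second WebappClassLoader.java hunk (@@ -1113,11 +1132,17 @@), the "securityManager != null" branch opens url inside AccessController.doPrivileged, so callers further up the stack are no longer checked for that open, and the hunk does not show where url is assigned. Please confirm that url at this point can only be the result of this loader's own lookup for the requested name, and say so in a comment next to the doPrivileged call. The else branch now repeats the try/catch that PrivilegedOpenStream.run() contains; a small private helper used by both would keep the logging and null-return behaviour from drifting apart.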