tomcat-dev mailing list archives

From "Remy Maucherat" <>
Subject Re: classloader issues (ClassCastException on org.xml.sax.Parser)
Date Wed, 23 Jan 2002 02:14:18 GMT
> Hi --
> I think the fundamental problem is a bad specification (allowing people
> to override some classes in a child classloader -- and trying to prevent
> them from loading others -- is just silly); but it could be improved in
> tomcat in a couple of ways.  I haven't yet tested this, but I think you
> would have *far* better protection from bad .jar files if you moved
> those security checks (which are currently used to disable .jar files
> entirely -- IMO, that's wrong) into loadClass -- and change them so that
> they check the class name against a list of packages, rather than just
> looking for a few specific packages.

Unfortunately, you can't do that, since JSP uses javac to compile the pages.
javac accesses JARs as a whole, so either you have to filter out the whole
JAR or you allow Jasper to load all the classes it contains, which will make
JSPs behave differently from servlets (bad).
It's a complex issue, so I really don't know what to do ...
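
Added example, not part of the original message and not Tomcat's own class loader: a sketch of the approach proposed in the quoted text, where the check is made per class name in `loadClass` against a list of package prefixes. The class name, the prefix list and the child-first lookup order are assumptions for illustration; as the reply notes, javac reads JARs as a whole, so a filter like this does not cover JSP compilation.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.List;
import java.util.Objects;

// Hypothetical illustration of a per-class package filter; not Tomcat code.
public class PackageFilteringClassLoader extends URLClassLoader {
    // Assumed list of package prefixes a web application may not override.
    private final List<String> protectedPrefixes;

    public PackageFilteringClassLoader(URL[] urls, ClassLoader parent, List<String> prefixes) {
        super(urls, Objects.requireNonNull(parent));
        this.protectedPrefixes = List.copyOf(prefixes);
    }

    boolean isProtected(String className) {
        for (String prefix : protectedPrefixes) {
            if (className.startsWith(prefix)) return true;
        }
        return false;
    }

    @Override
    protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
        synchronized (getClassLoadingLock(name)) {
            Class<?> c = findLoadedClass(name);
            if (c == null) {
                if (isProtected(name)) {
                    // Protected package: only the parent may supply it, so a
                    // copy bundled in the webapp's JARs is never defined here.
                    c = getParent().loadClass(name);
                } else {
                    try {
                        c = findClass(name);            // webapp JARs first
                    } catch (ClassNotFoundException e) {
                        c = getParent().loadClass(name); // then the container
                    }
                }
            }
            if (resolve) resolveClass(c);
            return c;
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader parent = PackageFilteringClassLoader.class.getClassLoader();
        List<String> prefixes = List.of("java.", "javax.", "org.xml.sax.", "org.w3c.dom.");
        try (PackageFilteringClassLoader cl = new PackageFilteringClassLoader(new URL[0], parent, prefixes)) {
            Class<?> c = cl.loadClass("org.xml.sax.Parser");
            System.out.println(c.getName() + " supplied by parent: " + (c.getClassLoader() != cl));
        }
    }
}
```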

