Return-Path: Delivered-To: apmail-jakarta-tomcat-dev-archive@apache.org Received: (qmail 42198 invoked from network); 3 Jan 2002 16:36:26 -0000 Received: from unknown (HELO nagoya.betaversion.org) (192.18.49.131) by daedalus.apache.org with SMTP; 3 Jan 2002 16:36:26 -0000 Received: (qmail 17531 invoked by uid 97); 3 Jan 2002 16:36:15 -0000 Delivered-To: qmlist-jakarta-archive-tomcat-dev@jakarta.apache.org Received: (qmail 17488 invoked by uid 97); 3 Jan 2002 16:36:14 -0000 Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm Precedence: bulk List-Unsubscribe: List-Subscribe: List-Help: List-Post: List-Id: "Tomcat Developers List" Reply-To: "Tomcat Developers List" Delivered-To: mailing list tomcat-dev@jakarta.apache.org Received: (qmail 17477 invoked by uid 97); 3 Jan 2002 16:36:13 -0000 Date: 3 Jan 2002 16:36:09 -0000 Message-ID: <20020103163609.11242.qmail@icarus.apache.org> 
From: remm@apache.org To: jakarta-tomcat-4.0-cvs@apache.org Subject: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader WebappClassLoader.java X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N remm 02/01/03 08:36:09 Modified: catalina/src/share/org/apache/catalina/loader WebappClassLoader.java Log: - Adds some filtering on the JARs, similar to what is done by the ClassLoaderFactory. That should prevent overriding classes which shouldn't be overridden (and which is actually a spec requirement). For example, it is now possible to actually run JSPs even with an old servlet.jar in the /WEB-INF/lib directory. - I think this patch should be ported to the 4.0.x branch, since it prevents lots of user errors. Revision Changes Path 1.30 +88 -11 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java Index: WebappClassLoader.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java,v retrieving revision 1.29 retrieving revision 1.30 diff -u -r1.29 -r1.30 --- WebappClassLoader.java 20 Nov 2001 03:33:07 -0000 1.29 +++ WebappClassLoader.java 3 Jan 2002 16:36:09 -0000 1.30 @@ -1,7 +1,7 @@ /* - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java,v 1.29 2001/11/20 03:33:07 remm Exp $ - * $Revision: 1.29 $ - * $Date: 2001/11/20 03:33:07 $ + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java,v 1.30 2002/01/03 16:36:09 remm Exp $ + * $Revision: 1.30 $ + * $Date: 2002/01/03 16:36:09 $ * * ==================================================================== * 
@@ -122,7 +122,7 @@ * * @author Remy Maucherat * @author Craig R. McClanahan - * @version $Revision: 1.29 $ $Date: 2001/11/20 03:33:07 $ + * @version $Revision: 1.30 $ $Date: 2002/01/03 16:36:09 $ */ public class WebappClassLoader extends URLClassLoader @@ -146,6 +146,32 @@ } + // ------------------------------------------------------- Static Variables + + + /** + * The set of trigger classes that will cause a proposed repository not + * to be added if this class is visible to the class loader that loaded + * this factory class. Typically, trigger classes will be listed for + * components that have been integrated into the JDK for later versions, + * but where the corresponding JAR files are required to run on + * earlier versions. + */ + private static final String[] triggers = { + "com.sun.jndi.ldap.LdapCtxFactory", // LDAP added in 1.3 + "com.sun.net.ssl.internal.ssl.Provider", // JSSE added in 1.4 + "javax.security.auth.Subject", // JAAS added in 1.4 + "javax.naming.Context", // JNDI added in 1.3 + "javax.net.SocketFactory", // JSSE added in 1.4 + "javax.security.cert.X509Certificate", // JSSE added in 1.4 + "javax.sql.DataSource", // JDBC ext. added in 1.4 + "javax.xml.parsers.DocumentBuilder", // JAXP added in 1.4 + "javax.servlet.Servlet", // Servlet API + // "org.apache.crimson.jaxp.DocumentBuilderImpl", + // Crimson added in 1.4 + }; + + // ----------------------------------------------------------- Constructors @@ -565,13 +591,6 @@ } - JarFile[] result2 = new JarFile[jarFiles.length + 1]; - for (i = 0; i < jarFiles.length; i++) { - result2[i] = jarFiles[i]; - } - result2[jarFiles.length] = jarFile; - jarFiles = result2; - try { // Register the JAR for tracking 
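Review bot: The Javadoc on `triggers` still refers to "the class loader that loaded this factory class", wording that appears to be carried over from ClassLoaderFactory. In this class the visibility test in validateJarFile goes through `parent` (or `Class.forName` when there is no parent), so the comment should say so. It should also state the scope of the check: each entry is a single sentinel class, so a JAR is skipped only when it contains that exact class file. That catches a stale copy of a whole API JAR (the old servlet.jar case from the log message), but it is not a package-level barrier against a webapp redefining container or JDK classes. Suggested wording: `A JAR containing any of these classes is skipped when the class is already visible through the parent loader; this is one sentinel class per API, not a package filter.`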
@@ -595,7 +614,23 @@ lastModifiedDates = result3; } catch (NamingException e) { + // Ignore + } + + if (!validateJarFile(file)) + System.out.println("Didn't validate:" + file); + + // If the JAR currently contains invalid classes, don't actually use it + // for classloading + if (!validateJarFile(file)) + return; + + JarFile[] result2 = new JarFile[jarFiles.length + 1]; + for (i = 0; i < jarFiles.length; i++) { + result2[i] = jarFiles[i]; } + result2[jarFiles.length] = jarFile; + jarFiles = result2; // Add the file to the list File[] result4 = new File[jarRealFiles.length + 1]; @@ -1879,6 +1914,48 @@ return false; return true; + + } + + + /** + * Check the specified JAR file, and return true if it does + * not contain any of the trigger classes. + * + * @param jarFile The JAR file to be checked + * + * @exception IOException if an input/output error occurs + */ + private boolean validateJarFile(File jarfile) + throws IOException { + + if (triggers == null) + return (true); + JarFile jarFile = new JarFile(jarfile); + for (int i = 0; i < triggers.length; i++) { + Class clazz = null; + try { + if (parent != null) { + clazz = parent.loadClass(triggers[i]); + } else { + clazz = Class.forName(triggers[i]); + } + } catch (Throwable t) { + clazz = null; + } + if (clazz == null) + continue; + String name = triggers[i].replace('.', '/') + ".class"; + if (debug >= 2) + log(" Checking for " + name); + JarEntry jarEntry = jarFile.getJarEntry(name); + if (jarEntry != null) { + jarFile.close(); + return (false); + } + } + jarFile.close(); + return (true); } -- To unsubscribe, e-mail: For additional commands, e-mail:
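Review bot: `validateJarFile(file)` is called twice in a row in this hunk, so every JAR is opened and scanned twice, and the first call only feeds a `System.out.println` that looks like leftover debugging. Call it once and report the rejection through the class's own `log(...)` so an operator can see which webapp JAR was refused, e.g. `if (!validateJarFile(file)) { log("JAR " + file + " skipped: contains a class already provided by the container"); return; }`. The early return sits after the tracking try-block, so a rejected JAR appears to stay in the modification-tracking arrays while being left out of `jarFiles`; if that is intended, a comment should say so. As far as the hunk shows, the `jarFile` passed in is not closed on that path. The enclosing method starts and ends outside the hunk.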
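Review bot: The JarFile opened in `validateJarFile` is closed only on the two normal return paths, so any unchecked exception thrown inside the loop leaves the file handle open; the loop should be wrapped in try/finally as sketched below. The `catch (Throwable t)` also treats errors such as OutOfMemoryError as "trigger class not visible", which lets the JAR pass the check. Catching ClassNotFoundException and LinkageError would be narrower, but first confirm what else can be thrown when running under a security manager. The `triggers == null` test is dead code for a static final array with an initialiser. The Javadoc `@param jarFile` does not match the parameter name `jarfile`, which differs only in case from the local `jarFile`, and the comment lacks an `@return`.

```java
    private boolean validateJarFile(File jarfile)
        throws IOException {

        JarFile jarFile = new JarFile(jarfile);
        try {
            for (int i = 0; i < triggers.length; i++) {
                // ... unchanged: look up triggers[i] via parent / Class.forName, skip if not visible ...
                // ... unchanged: build entry name and debug log ...
                if (jarFile.getJarEntry(name) != null)
                    return (false);
            }
            return (true);
        } finally {
            // Runs on every exit path, including exceptions from the loop body
            jarFile.close();
        }
    }
```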