Return-Path: Delivered-To: apmail-jakarta-tomcat-dev-archive@apache.org Received: (qmail 9060 invoked from network); 16 May 2002 01:06:34 -0000 Received: from unknown (HELO nagoya.betaversion.org) (192.18.49.131) by daedalus.apache.org with SMTP; 16 May 2002 01:06:34 -0000 Received: (qmail 3396 invoked by uid 97); 16 May 2002 01:06:32 -0000 Delivered-To: qmlist-jakarta-archive-tomcat-dev@jakarta.apache.org Received: (qmail 3379 invoked by uid 97); 16 May 2002 01:06:32 -0000 Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm Precedence: bulk List-Unsubscribe: List-Subscribe: List-Help: List-Post: List-Id: "Tomcat Developers List" Reply-To: "Tomcat Developers List" Delivered-To: mailing list tomcat-dev@jakarta.apache.org Received: (qmail 3365 invoked by uid 97); 16 May 2002 01:06:31 -0000 X-Antivirus: nagoya (v4198 created Apr 24 2002) Date: 16 May 2002 01:06:30 -0000 Message-ID: <20020516010630.7619.qmail@icarus.apache.org> 
From: remm@apache.org To: jakarta-tomcat-4.0-cvs@apache.org Subject: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader WebappClassLoader.java X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N remm 02/05/15 18:06:29 Modified: catalina/src/share/org/apache/catalina/loader WebappClassLoader.java Log: - Slightly experimental change. - Slightly modify the class filters: now, the filtered classes will be delegated to the parent CL. If the parent doesn't load them, the webapp CL will try to load them. - Add filter for all javax.*, Xerces and Xalan. This should put an end to whatever problems still existed with the XML parsers and XSL processors. Revision Changes Path 1.38 +41 -25 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java Index: WebappClassLoader.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java,v retrieving revision 1.37 retrieving revision 1.38 diff -u -r1.37 -r1.38 --- WebappClassLoader.java 29 Apr 2002 12:46:54 -0000 1.37 +++ WebappClassLoader.java 16 May 2002 01:06:29 -0000 1.38 @@ -1,7 +1,7 @@ /* - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java,v 1.37 2002/04/29 12:46:54 remm Exp $ - * $Revision: 1.37 $ - * $Date: 2002/04/29 12:46:54 $ + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java,v 1.38 2002/05/16 01:06:29 remm Exp $ + * $Revision: 1.38 $ + * $Date: 2002/05/16 01:06:29 $ * * ==================================================================== * 
@@ -145,7 +145,7 @@ * * @author Remy Maucherat * @author Craig R. McClanahan - * @version $Revision: 1.37 $ $Date: 2002/04/29 12:46:54 $ + * @version $Revision: 1.38 $ $Date: 2002/05/16 01:06:29 $ */ public class WebappClassLoader extends URLClassLoader @@ -187,16 +187,14 @@ /** * Set of package names which are not allowed to be loaded from a webapp - * class loader. + * class loader without delegating first. */ private static final String[] packageTriggers = { - "javax.naming", // JNDI - "javax.naming.directory", // JNDI - "javax.xml.parsers", // JAXP + "javax", // Java extensions "org.xml.sax", // SAX 1 & 2 - "org.xml.sax.ext", // SAX 1 & 2 - "org.xml.sax.helpers", // SAX 1 & 2 - "org.w3c.dom" // DOM 1 & 2 + "org.w3c.dom", // DOM 1 & 2 + "org.apache.xerces", // Xerces 1 & 2 + "org.apache.xalan" // Xalan }; @@ -1344,8 +1342,10 @@ } } + boolean delegateLoad = delegate || filter(name); + // (1) Delegate to our parent if requested - if (delegate) { + if (delegateLoad) { if (debug >= 3) log(" Delegating to parent classloader"); ClassLoader loader = parent; @@ -1382,7 +1382,7 @@ } // (3) Delegate to parent unconditionally - if (!delegate) { + if (!delegateLoad) { if (debug >= 3) log(" Delegating to parent classloader"); ClassLoader loader = parent; @@ -1907,21 +1907,15 @@ /** - * Validate a classname. As per SRV.9.7.2, we must restict loading of - * classes from J2SE (java.*) and classes of the servlet API - * (javax.servlet.*). That should enhance robustness and prevent a number - * of user error (where an older version of servlet.jar would be present - * in /WEB-INF/lib). + * Filter classes. * * @param name class name - * @return true if the name is valid + * @return true if the class should be filtered */ - protected boolean validate(String name) { + protected boolean filter(String name) { if (name == null) return false; - if (name.startsWith("java.")) - return false; // Looking up the package String packageName = null; 
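Review bot: The new `packageTriggers` entries are used as raw string prefixes, because the last hunk switches `filter()` from `equals` to `packageName.startsWith(packageTriggers[i])`. As a result `"javax"` also matches a hypothetical package such as `javaxtools`, and `"org.w3c.dom"` matches `org.w3c.domain`. The match should stop at a package boundary, for example `if (packageName.equals(packageTriggers[i]) || packageName.startsWith(packageTriggers[i] + "."))`. The Javadoc on the array should also say that each entry covers the package and all of its sub-packages, since the entries are no longer exact package names.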
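Review bot: The comments `// (1) Delegate to our parent if requested` and, in the next hunk, `// (3) Delegate to parent unconditionally` no longer describe the conditions, because `delegateLoad` is also true when `filter(name)` matches. Going by the commit log, a filtered class that the parent cannot load is then loaded from the webapp's own repositories, so the trigger list now sets precedence rather than blocking anything. Anyone who relied on it as a restriction needs that stated, e.g. `// Filtered packages are tried in the parent first; the webapp copy is used only if the parent fails`, with (1) reworded to `// (1) Delegate to our parent if requested or if the class is filtered`. The enclosing method starts and ends outside both hunks, so the fallback path itself is not visible here.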
@@ -1929,12 +1923,34 @@ if (pos != -1) packageName = name.substring(0, pos); else - return true; + return false; for (int i = 0; i < packageTriggers.length; i++) { - if (packageName.equals(packageTriggers[i])) - return false; + if (packageName.startsWith(packageTriggers[i])) + return true; } + + return false; + + } + + + /** + * Validate a classname. As per SRV.9.7.2, we must restict loading of + * classes from J2SE (java.*) and classes of the servlet API + * (javax.servlet.*). That should enhance robustness and prevent a number + * of user error (where an older version of servlet.jar would be present + * in /WEB-INF/lib). + * + * @param name class name + * @return true if the name is valid + */ + protected boolean validate(String name) { + + if (name == null) + return false; + if (name.startsWith("java.")) + return false; return true; -- To unsubscribe, e-mail: For additional commands, e-mail:
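Review bot: The Javadoc kept on `validate()` still says that loading of servlet API classes (`javax.servlet.*`) is restricted, but the body shown here rejects only `null` and names starting with `java.`. After this change `javax.*` is handled by `filter()`, which prefers the parent rather than refusing the class. The comment should say so, e.g. `Validate a classname. Only J2SE classes (java.*) are refused here; javax.* and the XML packages are delegated to the parent first, see filter().` The new `filter()` Javadoc (`Filter classes.`) should likewise state that `true` means the parent class loader is asked first. The end of `validate()` lies outside the hunk.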