HI,
is somebody aware why package org.apache.coyote.* and
org.apache.tomcat.* are not protected againts package insertion/access
in Catalina.java. What is the reasons? Actually, classes are not
available to a Webapp (the Classloader is taking care of it) but when
Tomcat is embedded in an app container (or when there is a special
Classloader), those classes are available :-(
Actually, we only protect the following package:
if( System.getSecurityManager() != null ) {
String access = Security.getProperty("package.access");
if( access != null && access.length() > 0 )
access += ",";
else
access = "sun.,";
Security.setProperty("package.access",
access + "org.apache.catalina.,org.apache.jasper.");
String definition = Security.getProperty("package.definition");
if( definition != null && definition.length() > 0 )
definition += ",";
else
definition = "sun.,";
Security.setProperty("package.definition",
// FIX ME package "javax." was removed to prevent HotSpot
// fatal internal errors
definition +
"java.,org.apache.catalina.,org.apache.jasper.");
}
Thanks,
-- Jeanfrancois
--
To unsubscribe, e-mail: <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
|