tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeanfrancois Arcand <jeanfrancois.arc...@sun.com>
Subject [Q] WebappClassloader violates J2SE policy syntax?
Date Wed, 27 Nov 2002 01:13:00 GMT
Hi,

I've noticed a characteristic in the tomcat
loader.WebappClassloader and was wondering whether someone have any
recollection or insight as to why we did it that way.

Classes loaded with this classloader get a "jar:" tacked as prefix in
their codesource.

The javadoc has this to say:

  IMPLEMENTATION NOTE - The class loader generates source URLs which
  include the full JAR URL when a class is loaded from a JAR file,
  which allows setting security permission at the class level, even
  when a class is contained inside a JAR.

Which is indeed true and an interesting feature.

However, it violates the j2se policy syntax because the users
expectation of "/-" no longer works

In other words, with some structure like:

applications/web-modules/web_1
                                        /WEB-INF/lib/foo.jar
                              ...
                                        /web_2
                              ...

If the user wishes to grant permission X to all web module code, they
expect the following to work as documented in the policy syntax:

grant codeBase "file:.../applications/web-modules/-" {
   permission X;
};

Turns out it doesn't, because WebappClassloader will make the
codesource something like "jar:file:...../foo.jar!/MyClass.class",
which will not match the grant.

I've see the norte inside the RELEASE-NOTES file, but would like to know 
why exactly.

Merci,

-- Jeanfrancois


--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>


Mime
View raw message