tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeanfrancois Arcand <>
Subject [Q] WebappClassloader violates J2SE policy syntax?
Date Wed, 27 Nov 2002 01:13:00 GMT

I've noticed a characteristic in the tomcat
loader.WebappClassloader and was wondering whether someone have any
recollection or insight as to why we did it that way.

Classes loaded with this classloader get a "jar:" tacked as prefix in
their codesource.

The javadoc has this to say:

  IMPLEMENTATION NOTE - The class loader generates source URLs which
  include the full JAR URL when a class is loaded from a JAR file,
  which allows setting security permission at the class level, even
  when a class is contained inside a JAR.

Which is indeed true and an interesting feature.

However, it violates the j2se policy syntax because the users
expectation of "/-" no longer works

In other words, with some structure like:


If the user wishes to grant permission X to all web module code, they
expect the following to work as documented in the policy syntax:

grant codeBase "file:.../applications/web-modules/-" {
   permission X;

Turns out it doesn't, because WebappClassloader will make the
codesource something like "jar:file:...../foo.jar!/MyClass.class",
which will not match the grant.

I've see the norte inside the RELEASE-NOTES file, but would like to know 
why exactly.


-- Jeanfrancois

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message