tomcat-dev mailing list archives

From Jean-Francois Arcand <jfarc...@apache.org>
Subject Re: securityManager in JasperLoader.java
Date Tue, 29 Jul 2003 17:56:50 GMT
Hi Jean-Frederic,

the current source has:

        int dot = name.lastIndexOf('.');
        if (securityManager != null) {
            if (dot >= 0) {
                try {
                    // Do not call the security manager since by default, we grant that package.
                    if (!"org.apache.jasper.runtime".equalsIgnoreCase(name.substring(0,dot))){
                        securityManager.checkPackageAccess(name.substring(0,dot));
                    }
                } catch (SecurityException se) {

which is the correct way, although

int dot = name.lastIndexOf('.');

should be moved to be inside the "if", because dot is not used outside 
of it.

Thanks,

-- Jeanfrancois


jean-frederic clere wrote:

> Hi,
>
> One of my colleagues has problems in JasperLoader.java: The 
> System.getSecurityManager() is null when creating the class but not 
> null later on.
>
> Why do we have the following code? (from 
> jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/servlet/JasperLoader.java):
>
> +++
>         if (System.getSecurityManager() != null) {
>             if (dot >= 0) {
>                 try {
>                     securityManager.checkPackageAccess(name.substring(0,dot));
>                 } catch (SecurityException se) {
>                     String error = "Security Violation, attempt to use " +
>                         "Restricted Class: " + name;
>                     System.out.println(error);
>                     throw new ClassNotFoundException(error);
>                 }
>             }
>         }
> +++
> We test System.getSecurityManager() but use securityManager!
>
> Cheers
>
> Jean-Frederic
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
>
>
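
The mismatch discussed in this thread, as an added Java example that is not Tomcat code or code from either poster: a loader that caches the security manager at construction, checked once in the shape of the quoted code and once in the shape of the current source. The static field `live` (a stand-in for `System.getSecurityManager()`), the class `DenyRestricted`, the helper `outcome` and the package `restricted` are constructed for the demonstration; it assumes a JDK that still ships `java.lang.SecurityManager`.

```java
public class JasperLoaderCheckDemo {
    // Hypothetical stand-in for System.getSecurityManager(); nothing is installed.
    static SecurityManager live;
    private final SecurityManager securityManager = live; // cached at construction

    // Constructed policy: denies one made-up package prefix.
    static class DenyRestricted extends SecurityManager {
        @Override public void checkPackageAccess(String pkg) {
            if (pkg.startsWith("restricted")) throw new SecurityException(pkg);
        }
    }

    // Shape of the quoted code: tests the live value, calls the cached field.
    void checkMismatched(String name) throws ClassNotFoundException {
        int dot = name.lastIndexOf('.');
        if (live != null && dot >= 0) check(name, dot);
    }

    // Shape of the current source: test and call both use the cached field.
    void checkConsistent(String name) throws ClassNotFoundException {
        if (securityManager != null) {
            int dot = name.lastIndexOf('.');
            if (dot >= 0 && !"org.apache.jasper.runtime"
                    .equalsIgnoreCase(name.substring(0, dot))) check(name, dot);
        }
    }

    private void check(String name, int dot) throws ClassNotFoundException {
        try {
            securityManager.checkPackageAccess(name.substring(0, dot));
        } catch (SecurityException se) {
            throw new ClassNotFoundException("Restricted Class: " + name);
        }
    }

    interface Call { void run() throws Exception; }
    static String outcome(Call c) {
        try { c.run(); return "no exception"; }
        catch (Exception e) { return e.getClass().getSimpleName(); }
    }

    public static void main(String[] args) {
        JasperLoaderCheckDemo early = new JasperLoaderCheckDemo(); // field is null
        live = new DenyRestricted();                    // manager appears later
        System.out.println(outcome(() -> early.checkMismatched("restricted.Foo")));
        System.out.println(outcome(() -> early.checkConsistent("restricted.Foo")));
        JasperLoaderCheckDemo late = new JasperLoaderCheckDemo();  // field is set
        System.out.println(outcome(() -> late.checkConsistent("restricted.Foo")));
    }
}
```

For the `early` loader the mismatched form dereferences the null cached field, while the consistent form makes no check at all because its cached field is null; only the `late` loader, built after the manager exists, turns the denial into a `ClassNotFoundException`.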

