tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 40150] - Incorrect User/Role classnames are silently ignored.
Date Thu, 13 Dec 2007 14:13:56 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=40150>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=40150


ate@douma.nu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |




------- Additional Comments From ate@douma.nu  2007-12-13 06:13 -------
While this patch might have improved feedback when incorrect classnames are
provided, it actually fully *breaks* JAASRealm usage when correct classnames are
provided but need to be accessed through a ContextClassLoader.

We at Apache Jetspeed-2 use the useContextClassLoader=true setting for hooking
up our own custom Principal classes as these are provided through the portal
application itself, not from a common/shared classloader.

Because the new parseClassNames only does a simple Class.forName() check, this
now fails to validate our classnames for Tomcat 5.5.24 and later, thereby
breaking our JAAS based security :(

I suggest this to be solved by either:
- reverting the patch
- keep the current patch but *ignore* a ClassNotFoundException except for
logging that it happened
- run this method in the appropriate ContextClassLoader for the web app if possible

FYI: we have a Jetspeed JIRA issue opened on this bug with some additional
information: https://issues.apache.org/jira/browse/JS2-828

Hopefully this issue can be resolved quickly as right now we cannot run Jetspeed
on Tomcat >= 5.5.24

Regards, Ate

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
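
The failure mode reported in the comment above, as an added example that is not part of the original message and is not Tomcat's code: a class name that only the web application's loader can see fails a check made against the container's loader and passes the same check made against the thread context class loader. The class name `DemoUserPrincipal`, the helper `resolvable` and the temporary directory are constructed for illustration; running it assumes a JDK (for the runtime compiler) on Java 11 or later.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.tools.ToolProvider;

public class ClassNameCheckDemo {
    // Check that a configured class name resolves through the given loader.
    // initialize=false: the check must not run the class's static initializers.
    static boolean resolvable(String name, ClassLoader loader) {
        try {
            Class.forName(name, false, loader);
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a Principal class shipped inside a web application:
        // compiled into a temp directory that is NOT on the container's class path.
        String name = "DemoUserPrincipal";
        Path dir = Files.createTempDirectory("webapp-classes");
        Path src = dir.resolve(name + ".java");
        Files.writeString(src, "public class " + name + " implements java.security.Principal {"
                + " public String getName() { return \"demo\"; } }");
        if (ToolProvider.getSystemJavaCompiler().run(null, null, null, src.toString()) != 0) {
            throw new IllegalStateException("could not compile the sample class");
        }

        // "container" plays the role of the common/shared loader, "webapp" the application's loader.
        ClassLoader container = ClassNameCheckDemo.class.getClassLoader();
        try (URLClassLoader webapp = new URLClassLoader(new URL[] { dir.toUri().toURL() }, container)) {
            Thread current = Thread.currentThread();
            ClassLoader saved = current.getContextClassLoader();
            current.setContextClassLoader(webapp);
            try {
                // Check against the container's loader only: the webapp class is invisible.
                System.out.println("container loader: " + resolvable(name, container));
                // Same check through the context class loader: the class resolves.
                System.out.println("context loader:   " + resolvable(name, current.getContextClassLoader()));
            } finally {
                current.setContextClassLoader(saved);
            }
        }
    }
}
```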

