Return-Path: X-Original-To: apmail-tomcat-dev-archive@www.apache.org Delivered-To: apmail-tomcat-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id B702518E00 for ; Mon, 4 Jan 2016 17:31:21 +0000 (UTC) Received: (qmail 87944 invoked by uid 500); 4 Jan 2016 17:31:21 -0000 Delivered-To: apmail-tomcat-dev-archive@tomcat.apache.org Received: (qmail 87873 invoked by uid 500); 4 Jan 2016 17:31:21 -0000 Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Developers List" Delivered-To: mailing list dev@tomcat.apache.org Received: (qmail 87863 invoked by uid 99); 4 Jan 2016 17:31:21 -0000 Received: from Unknown (HELO spamd3-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 04 Jan 2016 17:31:21 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id 95448180503 for ; Mon, 4 Jan 2016 17:31:20 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 1.246 X-Spam-Level: * X-Spam-Status: No, score=1.246 tagged_above=-999 required=6.31 tests=[KAM_ASCII_DIVIDERS=0.8, KAM_LAZY_DOMAIN_SECURITY=1, RP_MATCHES_RCVD=-0.554] autolearn=disabled Received: from mx1-eu-west.apache.org ([10.40.0.8]) by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024) with ESMTP id wqPEB5CTVCYe for ; Mon, 4 Jan 2016 17:31:18 +0000 (UTC) Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139]) by mx1-eu-west.apache.org (ASF Mail Server at mx1-eu-west.apache.org) with ESMTP id B956020C6A for ; Mon, 4 Jan 2016 17:31:17 +0000 (UTC) Received: from svn01-us-west.apache.org (svn.apache.org [10.41.0.6]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 
D5728E0428 for ; Mon, 4 Jan 2016 17:31:16 +0000 (UTC) Received: from svn01-us-west.apache.org (localhost [127.0.0.1]) by svn01-us-west.apache.org (ASF Mail Server at svn01-us-west.apache.org) with ESMTP id 930013A026D for ; Mon, 4 Jan 2016 17:31:16 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1722923 - in /tomcat/trunk: java/org/apache/catalina/core/DefaultInstanceManager.java java/org/apache/catalina/core/LocalStrings.properties webapps/docs/changelog.xml Date: Mon, 04 Jan 2016 17:31:16 -0000 To: dev@tomcat.apache.org From: kkolinko@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20160104173116.930013A026D@svn01-us-west.apache.org> Author: kkolinko Date: Mon Jan 4 17:31:16 2016 New Revision: 1722923 URL: http://svn.apache.org/viewvc?rev=1722923&view=rev Log: Simplify code and fix messages in org.apache.catalina.core.DefaultInstanceManager class. Modified: tomcat/trunk/java/org/apache/catalina/core/DefaultInstanceManager.java tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/catalina/core/DefaultInstanceManager.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/DefaultInstanceManager.java?rev=1722923&r1=1722922&r2=1722923&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/core/DefaultInstanceManager.java (original) +++ tomcat/trunk/java/org/apache/catalina/core/DefaultInstanceManager.java Mon Jan 4 17:31:16 2016 
@@ -27,10 +27,13 @@ import java.security.PrivilegedAction; import java.security.PrivilegedActionException; import java.security.PrivilegedExceptionAction; import java.util.ArrayList; +import java.util.Collections; import java.util.HashMap; +import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Properties; +import java.util.Set; import java.util.WeakHashMap; import javax.annotation.PostConstruct; @@ -41,8 +44,6 @@ import javax.naming.Context; import javax.naming.NamingException; import javax.persistence.PersistenceContext; import javax.persistence.PersistenceUnit; -import javax.servlet.Filter; -import javax.servlet.Servlet; import javax.xml.ws.WebServiceRef; import org.apache.catalina.ContainerServlet; @@ -72,9 +73,7 @@ public class DefaultInstanceManager impl protected final ClassLoader containerClassLoader; protected final boolean privileged; protected final boolean ignoreAnnotations; - private final Properties restrictedFilters; - private final Properties restrictedListeners; - private final Properties restrictedServlets; + private final Set restrictedClasses; private final Map, AnnotationCacheEntry[]> annotationCache = new WeakHashMap<>(); private final Map postConstructMethods; 
@@ -89,15 +88,17 @@ public class DefaultInstanceManager impl this.containerClassLoader = containerClassLoader; ignoreAnnotations = catalinaContext.getIgnoreAnnotations(); Log log = catalinaContext.getLogger(); - restrictedServlets = loadProperties( + Set classNames = new HashSet<>(); + loadProperties(classNames, "org/apache/catalina/core/RestrictedServlets.properties", "defaultInstanceManager.restrictedServletsResource", log); - restrictedListeners = loadProperties( + loadProperties(classNames, "org/apache/catalina/core/RestrictedListeners.properties", "defaultInstanceManager.restrictedListenersResource", log); - restrictedFilters = loadProperties( + loadProperties(classNames, "org/apache/catalina/core/RestrictedFilters.properties", "defaultInstanceManager.restrictedFiltersResource", log); + restrictedClasses = Collections.unmodifiableSet(classNames); this.context = context; this.injectionMap = injectionMap; this.postConstructMethods = catalinaContext.findPostConstructMethods(); 
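Review bot: Merging the three resource files into one `classNames` set changes which classes are refused, and neither the log message nor the new code says so. Judging by the branches removed in the checkAccess hunk, a name listed only in RestrictedListeners.properties used to be consulted only for classes that were neither a Filter nor a Servlet; with the single `restrictedClasses` set it is refused for every type. The change is in the stricter direction, but it should be recorded where the set is built, for example `// Union of the restricted servlet, listener and filter lists; applied to every class regardless of its type`. The constructor begins and ends outside this hunk.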
@@ -521,27 +522,17 @@ public class DefaultInstanceManager impl if (privileged) { return; } - if (Filter.class.isAssignableFrom(clazz)) { - checkAccess(clazz, restrictedFilters); - } else if (Servlet.class.isAssignableFrom(clazz)) { - if (ContainerServlet.class.isAssignableFrom(clazz)) { - throw new SecurityException("Restricted (ContainerServlet) " + - clazz); - } - checkAccess(clazz, restrictedServlets); - } else { - checkAccess(clazz, restrictedListeners); + if (ContainerServlet.class.isAssignableFrom(clazz)) { + throw new SecurityException(sm.getString( + "defaultInstanceManager.restrictedContainerServlet", clazz)); } - } - - private void checkAccess(Class clazz, Properties restricted) { while (clazz != null) { - if ("restricted".equals(restricted.getProperty(clazz.getName()))) { - throw new SecurityException("Restricted " + clazz); + if (restrictedClasses.contains(clazz.getName())) { + throw new SecurityException(sm.getString( + "defaultInstanceManager.restrictedClass", clazz)); } clazz = clazz.getSuperclass(); } - } /** 
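Review bot: The `SecurityException` built inside the `while` loop is formatted with whatever `clazz` holds at that iteration, so when the match is on an ancestor the message names the restricted superclass and not the class the application asked for. Walking a second variable, `for (Class<?> c = clazz; c != null; c = c.getSuperclass())`, keeps the requested class available for the message. Passing the `Class` object itself presumably renders through `toString()`, which would give `[class org.example.Foo]` right after the word "class" in the new message text; `clazz.getName()` avoids that in both `sm.getString` calls. The loop follows `getSuperclass()` only, so a restricted name that denotes an interface is never matched here; if that is intended it deserves a one-line comment. The method signature lies outside the hunk.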
@@ -621,19 +612,31 @@ public class DefaultInstanceManager impl } } - private static Properties loadProperties(String resourceName, String messageKey, Log log) { - Properties result = new Properties(); + private static void loadProperties(Set classNames, String resourceName, + String messageKey, Log log) { + Properties properties = new Properties(); ClassLoader cl = DefaultInstanceManager.class.getClassLoader(); try (InputStream is = cl.getResourceAsStream(resourceName)) { if (is == null) { log.error(sm.getString(messageKey, resourceName)); } else { - result.load(is); + properties.load(is); } } catch (IOException ioe) { log.error(sm.getString(messageKey, resourceName), ioe); } - return result; + if (properties.isEmpty()) { + return; + } + for (Map.Entry e : properties.entrySet()) { + if ("restricted".equals(e.getValue())) { + classNames.add(e.getKey().toString()); + } else { + log.warn(sm.getString( + "defaultInstanceManager.restrictedWrongValue", + resourceName, e.getKey(), e.getValue())); + } + } } private static String normalize(String jndiName){ Modified: tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties?rev=1722923&r1=1722922&r2=1722923&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties (original) +++ tomcat/trunk/java/org/apache/catalina/core/LocalStrings.properties Mon Jan 4 17:31:16 2016 
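Review bot: `loadProperties` still fails open: when the resource is missing or `properties.load(is)` throws, it logs an error and returns with nothing added to `classNames`, so that list goes unenforced for non-privileged applications. The new `else` branch has the same effect for a single entry, because a value such as `restricted ` with trailing whitespace (which `Properties.load` keeps) only produces a warning and the class stays loadable. Consider failing the constructor with an `IllegalStateException` on a missing or unreadable resource, and treating every listed key as restricted by moving `classNames.add(e.getKey().toString());` ahead of the value check so the warning is purely informational. The `if (properties.isEmpty()) { return; }` guard is redundant, since iterating an empty entry set does nothing. The method would also read better with a Javadoc line and a name that matches its new role, as it no longer returns the properties it loads.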
@@ -222,6 +222,9 @@ threadLocalLeakPreventionListener.lifecy threadLocalLeakPreventionListener.containerEvent.error=Exception processing container event {0} defaultInstanceManager.invalidInjection=Invalid method resource injection annotation +defaultInstanceManager.restrictedClass=Access to class [{0}] is forbidden. It is a restricted class. A web application must be configured as privileged to be able to load it +defaultInstanceManager.restrictedContainerServlet=Access to class [{0}] is forbidden. It is a restricted class (implements ContainerServlet interface). A web application must be configured as privileged to be able to load it +defaultInstanceManager.restrictedWrongValue=Wrong value in restricted classes property file [{0}] for class name [{1}]. Expected value: [restricted], actual value: [{2}] defaultInstanceManager.restrictedFiltersResource=Restricted filters property file not found [{0}] defaultInstanceManager.restrictedListenersResource=Restricted listeners property file not found [{0}] defaultInstanceManager.restrictedServletsResource=Restricted servlets property file not found [{0}] Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1722923&r1=1722922&r2=1722923&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Mon Jan 4 17:31:16 2016 @@ -159,6 +159,11 @@ Add the StatusManagerServlet to the list of Servlets that can only be loaded by privileged applications. (markt) + + Simplify code and fix messages in + org.apache.catalina.core.DefaultInstanceManager class. + (kkolinko) + --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional commands, e-mail: dev-help@tomcat.apache.org