https://bz.apache.org/bugzilla/show_bug.cgi?id=57736

rs...@idfconnect.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---
            Version|8.0.20                      |8.0.30

--- Comment #12 from rs...@idfconnect.com ---
Apologies for re-opening this case. I'm using the RSA crypto jars and have the
same behavior with 8.0.30. I think the thread below misses the point of where
the actual bug is.

When not unpacking the war file, the jar signature check is seeing that the jar
is signed (in my case the RSA jar, in the previous user's case, the BC jar),
but is then checking the signature on the war file itself, instead of the jar.
It seems that the functionality of leaving a war file packed, where the war
file has a signed jar in its WEB-INF/lib, is simply broken. 

Of course there are workarounds - unpacking the war, or moving the signed jars
into the tomcat/lib folder - but these are both workarounds for something that
is broken. 

If it is the intent of the Tomcat community to no longer allow/support signed
jars inside packed war files, then there is no choice but to use a workaround,
and this limitation should be called out. But I suspect that this behavior is
probably inadvertent and should be fixed, rather than insist that war files
with signed jars must be unpacked in Tomcat 8 and beyond.

What do you think?

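To find which packed WAR files fall into the case comment #12 describes (a signed jar under WEB-INF/lib of a WAR that is not unpacked), the following is an added example, not part of the original comment and not Tomcat code. It only detects JAR signature entries and does not verify them; the function names, jar names and sample archive are constructed for illustration.

```python
import io
import re
import zipfile

# A signed jar carries a signature file (.SF) and a signature block file
# (.RSA, .DSA or .EC) directly under META-INF/.
_SIG_FILE = re.compile(r"^META-INF/[^/]+\.SF$", re.IGNORECASE)
_SIG_BLOCK = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.IGNORECASE)
_LIB_JAR = re.compile(r"^WEB-INF/lib/[^/]+\.jar$", re.IGNORECASE)


def signed_jars_in_war(war):
    """Return the WEB-INF/lib jars in `war` (path or binary file object)
    that contain JAR signature entries. Presence only, no verification."""
    found = []
    with zipfile.ZipFile(war) as outer:
        for name in outer.namelist():
            if not _LIB_JAR.match(name):
                continue
            try:
                # Read the nested jar in memory; the WAR is never unpacked to disk.
                with zipfile.ZipFile(io.BytesIO(outer.read(name))) as inner:
                    entries = inner.namelist()
            except zipfile.BadZipFile:
                continue  # unreadable nested archive, nothing to report
            if any(_SIG_FILE.match(e) for e in entries) and any(
                    _SIG_BLOCK.match(e) for e in entries):
                found.append(name)
    return sorted(found)


def _make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for entry_name, data in entries.items():
            z.writestr(entry_name, data)
    return buf.getvalue()


def build_sample_war():
    """Constructed sample WAR; the signature entries are dummy bytes."""
    signed = _make_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                        "META-INF/EXAMPLE.SF": b"dummy", "META-INF/EXAMPLE.RSA": b"dummy"})
    plain = _make_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
    return _make_zip({"WEB-INF/web.xml": b"<web-app/>",
                      "WEB-INF/lib/signed-provider.jar": signed,
                      "WEB-INF/lib/plain.jar": plain,
                      "extras/also-signed.jar": signed})  # outside WEB-INF/lib, ignored


if __name__ == "__main__":
    print(signed_jars_in_war(io.BytesIO(build_sample_war())))
```

Pass a path to a real `.war` in place of the in-memory sample to inventory an existing deployment.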