https://bz.apache.org/bugzilla/show_bug.cgi?id=59167
Bug ID: 59167
Summary: ManagerBase does not respect security manager to
transfer objects across members in the cluster
Product: Tomcat 8
Version: 8.0.32
Hardware: PC
OS: All
Status: NEW
Severity: major
Priority: P2
Component: Cluster
Assignee: [email protected]
Reporter: [email protected]
I have a cluster of two nodes, using DeltaManager to transfer session data in a
failover scheme.
I noticed that only certain session attributes were being replicated. On some
variables I was getting a warning, which caused me to trace the code and I
found this in org.apache.catalina.session.ManagerBase:
public ManagerBase() {
if (Globals.IS_SECURITY_ENABLED) {
// Minimum set required for default distribution/persistence to
work
// plus String
setSessionAttributeValueClassNameFilter(
"java\\.lang\\.(?:Boolean|Integer|Long|Number|String)");
setWarnOnSessionAttributeFilterFailure(true);
}
}
Later in the code it uses the sessionAttributeValueClassNamePattern to
determine what can be sent or not. The problem is this doesn't respect the
security manager. I should be able to explicitly grant permission to this
class and have it sent via the DeltaManager.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
