https://bz.apache.org/bugzilla/show_bug.cgi?id=60674
--- Comment #3 from Mark Thomas <ma...@apache.org> ---
(In reply to Ralf Hauser from comment #2)
> Other security classes are not final.
> And an attacker would also have to alter the web.xml to have the subclass
> used at all to begin with.
>
> IMHO, putting such a class as "final" is also against the open source spirit:
>
> "No one after me will be smarter than and adding more value with
> sub-classing it" or are there other reasonings behind this?

There is no need for such an antagonistic comment.

A review of the history of the file shows that the explanation is as simple as the class was marked as final in the contribution from the original developer. It is always easier to start off with a more restrictive API and relax it as necessary, than to start with everything open and try and lock it down later.

The fields are private (and final where marked) by design. Getters are provided (which for the collections also allow modification). If you'd like additional getters (or setters) then please make your case.

The expectation is that the configuration is set on init and remains unchanged for the lifetime of the Filter. Changing that expectation is not impossible but is likely to be a very invasive change.