https://bz.apache.org/bugzilla/show_bug.cgi?id=61154
--- Comment #4 from Konstantin Kolinko <knst.koli...@gmail.com> ---
(In reply to Mark Thomas from comment #3)
>
> My thinking so far has reached the point of wondering if the privileged flag
> on the context makes any sense at all when not running under a
> SecurityManager.

[1] http://tomcat.apache.org/tomcat-8.5-doc/config/context.html#Common_Attributes

AFAIK, the "privileged" flag on Context has two effects [1]:
a) allow this context to use container servlets
b) change the context's parent class loader to be the Server class loader
   rather than the Shared class loader

Anything else?

I think that the permission to use servlets ("a)") does not make sense when
running without SecurityManager.

An idea: replace it with an explicit Permission to access specific container
servlets? Manager web application needs only a subset of those servlets.

The classloader hierarchy effect ("b)") is important regardless of
SecurityManager, but there is no actual need for it.