On 2018-12-03 at 20:30, Mark Thomas wrote:
Hi,
I have been looking at [1]. This is a request to be able to specify a
URL for a WAR, including a URL that points to a WAR file packaged inside
a JAR. This request is in the context of embedded Tomcat.
The embedded aspects are just part of this. Fixes would also be required
to the core Tomcat code.
The Javadoc for Context indicates that a URL is acceptable for the
docBase. However, the code does not support this. The code expects a
file path (absolute or relative to appBase) that points to either a
directory or a WAR.
How can a URL with a scheme be relative?!
I've been looking at the code and there are multiple places where the
assumption is made that the docBase is a file path. They are fixable but...
I am wondering whether it would be better to fix this or to change the
Javadoc.
In favour of fixing this:
- the code would match the intention as described in the Javadoc
- the requirements of [1] would be addressed
- loading a WAR from a URL offers a lot more flexibility
In favour of changing the Javadoc:
- there are multiple places that would need to be fixed
- loading a WAR from a URL broadens the attack surface if a malicious
user can get to the configuration files
- there doesn't seem to be much demand for loading from a URL (one bug
report with no activity and no votes in ~5 years)
I'm somewhat on the fence on this one.
Thoughts?
I strive for simplicity, so I'd go with option 2. Moreover, we should
clearly document which URL schemes are supported, e.g., file:// only.
Michael