This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push: new 9a020d7f79 Avoid CNFEs with custom managers deployed with the web application 9a020d7f79 is described below commit 9a020d7f7941ea6dd4b756df3681e5d5c21389a3 Author: Mark Thomas <ma...@apache.org> AuthorDate: Sun Mar 26 14:09:48 2023 +0100 Avoid CNFEs with custom managers deployed with the web application
---
java/org/apache/catalina/connector/Request.java | 59 ++++++++++++++----------- webapps/docs/changelog.xml | 5 +++ 2 files changed, 39 insertions(+), 25 deletions(-)
diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java
index 9d58b76a9f..ccf7320508 100644
--- a/java/org/apache/catalina/connector/Request.java
+++ b/java/org/apache/catalina/connector/Request.java
@@ -2483,38 +2483,47 @@ public class Request implements HttpServletRequest {
 return false;
 }
- Manager manager = context.getManager();
- if (manager == null) {
- return false;
- }
-
- Session session = null;
+ /*
+ * As per PR #594, the manager could be provided by the web application and calls to findSession() could trigger
+ * class loading so set the thread context class loader appropriately to void ClassNotFoundException.
+ */
+ ClassLoader originalClassLoader = context.bind(null);
 try {
- session = manager.findSession(requestedSessionId);
- } catch (IOException e) {
- // Can't find the session
- }
-
- if ((session == null) || !session.isValid()) {
- // Check for parallel deployment contexts
- if (getMappingData().contexts == null) {
+ Manager manager = context.getManager();
+ if (manager == null) {
 return false;
- } else {
- for (int i = (getMappingData().contexts.length); i > 0; i--) {
- Context ctxt = getMappingData().contexts[i - 1];
- try {
- if (ctxt.getManager().findSession(requestedSessionId) != null) {
- return true;
+ }
+
+ Session session = null;
+ try {
+ session = manager.findSession(requestedSessionId);
+ } catch (IOException e) {
+ // Can't find the session
+ }
+
+ if ((session == null) || !session.isValid()) {
+ // Check for parallel deployment contexts
+ if (getMappingData().contexts == null) {
+ return false;
+ } else {
+ for (int i = (getMappingData().contexts.length); i > 0; i--) {
+ Context ctxt = getMappingData().contexts[i - 1];
+ try {
+ if (ctxt.getManager().findSession(requestedSessionId) != null) {
+ return true;
+ }
+ } catch (IOException e) {
+ // Ignore
 }
- } catch (IOException e) {
- // Ignore
 }
+ return false;
 }
- return false;
 }
- }
- return true;
+ return true;
+ } finally {
+ context.unbind(originalClassLoader);
+ }
 }
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 0a64a52983..fd7c709548 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
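Review bot: The thread context class loader stays bound to `context` while the parallel-deployment loop calls `ctxt.getManager().findSession(requestedSessionId)` on other contexts, so a manager shipped inside one of those web application versions would still resolve classes through the wrong loader, which is the ClassNotFoundException this commit targets and also blurs per-application class-loader isolation. Binding each `ctxt` around its own lookup and unbinding in a `finally`, as sketched below, keeps every `findSession()` call under the loader of the context that owns the manager. The same loop dereferences `ctxt.getManager()` without the null check applied to `manager` above, and it accepts any non-null session without calling `isValid()`; both appear to be carried over from the old code and are worth confirming as intended. The new comment also has a typo: `to void ClassNotFoundException` should read `to avoid ClassNotFoundException`. The method starts before this hunk, so its earlier guards are not visible here.

```java
Context ctxt = getMappingData().contexts[i - 1];
// Look up the session under the loader of the context that owns this manager
ClassLoader previousClassLoader = ctxt.bind(null);
try {
    Manager ctxtManager = ctxt.getManager();
    if (ctxtManager != null && ctxtManager.findSession(requestedSessionId) != null) {
        return true;
    }
} catch (IOException e) {
    // Ignore
} finally {
    ctxt.unbind(previousClassLoader);
}
// … unchanged: end of loop, return false, outer finally with context.unbind(originalClassLoader) …
```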
@@ -159,6 +159,11 @@ with some OSGi custom URL schemes that can trigger potentially slow DNS lookups in some configurations. (markt)
 </fix>
+ <fix>
+ When using a custom session manager deployed as part of the web
+ application, avoid <code>ClassNotFoundException</code>s when validating
+ session IDs extracted from requests. (markt)
+ </fix>
 </changelog>
 </subsection>
 <subsection name="Coyote">
--------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org