Author: markt
Date: Wed Aug 27 13:35:45 2008
New Revision: 689608

URL: http://svn.apache.org/viewvc?rev=689608&view=rev
Log:
Fix http://issues.apache.org/bugzilla/show_bug.cgi?id=44282
Do call to getClassLoader() in a privileged block.
Note the security manager test also had to change slightly to work with 5.5.x

Modified:
    tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java
    tomcat/container/tc5.5.x/webapps/docs/changelog.xml
    tomcat/current/tc5.5.x/STATUS.txt

Modified: tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java
URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java?rev=689608&r1=689607&r2=689608&view=diff
==============================================================================
--- 
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java
 (original)
+++ 
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java
 Wed Aug 27 13:35:45 2008
@@ -131,6 +131,20 @@
 
     }
 
+    protected final class PrivilegedGetClassLoader
+        implements PrivilegedAction {
+
+        public Class clazz;
+
+        public PrivilegedGetClassLoader(Class<?> clazz){
+            this.clazz = clazz;
+        }
+
+        public ClassLoader run() {       
+            return clazz.getClassLoader();
+        }           
+    }
+
 
     // ------------------------------------------------------- Static Variables
 
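Review bot: The field declared as `public Class clazz;` in `PrivilegedGetClassLoader` is mutable and visible outside the action, although it is only ever set in the constructor and read in `run()`. For an object handed to `AccessController.doPrivileged` it should be `private final`. The typing is also inconsistent: the field is a raw `Class`, the constructor parameter is `Class<?>`, and the class implements raw `PrivilegedAction`. The STATUS.txt entry describes this backport as "less the generics stuff", so the `Class<?>` parameter looks like a leftover and should match the raw field.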
@@ -911,8 +925,17 @@
         // Return the class we have located
         if (log.isTraceEnabled())
             log.debug("      Returning class " + clazz);
-        if ((log.isTraceEnabled()) && (clazz != null))
-            log.debug("      Loaded by " + clazz.getClassLoader());
+
+        if ((log.isTraceEnabled()) && (clazz != null)) {
+            ClassLoader cl;
+            if (securityManager != null){
+                cl = (ClassLoader) AccessController.doPrivileged(
+                        new PrivilegedGetClassLoader(clazz));
+            } else {
+                cl = clazz.getClassLoader();
+            }
+            log.debug("      Loaded by " + cl.toString());
+        }
         return (clazz);
 
     }
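Review bot: The new line `log.debug("      Loaded by " + cl.toString());` throws a NullPointerException when `cl` is null, and `Class.getClassLoader()` returns null for classes defined by the bootstrap class loader. The removed line concatenated `clazz.getClassLoader()` directly, which prints "null" in that case, so this changes behaviour on the trace path for any such class returned here. Drop the explicit `.toString()` and log `"      Loaded by " + cl` so both branches stay null-safe.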

Modified: tomcat/container/tc5.5.x/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/docs/changelog.xml?rev=689608&r1=689607&r2=689608&view=diff
==============================================================================
--- tomcat/container/tc5.5.x/webapps/docs/changelog.xml (original)
+++ tomcat/container/tc5.5.x/webapps/docs/changelog.xml Wed Aug 27 13:35:45 2008
@@ -72,6 +72,11 @@
         CATALINA_HOME. Patch provided by Takayuki Kaneko. (markt)
       </fix>
       <fix>
+        <bug>44282</bug>: Prevent security exception in trace level logging for
+        web application class loader when running under a security manager.
+        (markt)
+      </fix>
+      <fix>
         <bug>44529</bug>: No roles specified (deny all) should take precedence
         over no auth-constraint specified (allow-all). (markt)
       </fix> 

Modified: tomcat/current/tc5.5.x/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/current/tc5.5.x/STATUS.txt?rev=689608&r1=689607&r2=689608&view=diff
==============================================================================
--- tomcat/current/tc5.5.x/STATUS.txt (original)
+++ tomcat/current/tc5.5.x/STATUS.txt Wed Aug 27 13:35:45 2008
@@ -25,16 +25,6 @@
 PATCHES PROPOSED TO BACKPORT:
   [ New proposals should be added at the end of the list ]
 
-* Fix http://issues.apache.org/bugzilla/show_bug.cgi?id=44282
-  Do call to getClassLoader() in a privileged block.
-  http://svn.apache.org/viewvc?rev=616953&view=rev (less the generics stuff)
-  +1: markt, fhanik, rjung
-  -1:
-  0: yoavs (because I think there might be a bug when we're only diong the 
work if log.isTraceEnabled)
-     markt I believe this is correct. The privileged block is only required for
-           the getClassloader() call. This call is only ever made if trace is
-           enabled
-
 * Better handling of lack of permission for context specific logging
   http://svn.apache.org/viewvc?rev=646543&view=rev
   +1: markt


