Author: markt Date: Fri May 22 14:54:32 2009 New Revision: 777554 URL: http://svn.apache.org/viewvc?rev=777554&view=rev Log: Port security manager fixes from trunk. JSP TCK now passes when running under a SecurityManager.
Modified: tomcat/tc6.0.x/trunk/ (props changed) tomcat/tc6.0.x/trunk/STATUS.txt tomcat/tc6.0.x/trunk/conf/catalina.policy tomcat/tc6.0.x/trunk/java/org/apache/catalina/security/SecurityClassLoad.java tomcat/tc6.0.x/trunk/java/org/apache/catalina/util/DefaultAnnotationProcessor.java tomcat/tc6.0.x/trunk/java/org/apache/jasper/el/ELContextImpl.java tomcat/tc6.0.x/trunk/java/org/apache/jasper/el/ELResolverImpl.java tomcat/tc6.0.x/trunk/java/org/apache/jasper/el/ExpressionEvaluatorImpl.java tomcat/tc6.0.x/trunk/java/org/apache/jasper/runtime/JspApplicationContextImpl.java tomcat/tc6.0.x/trunk/java/org/apache/jasper/runtime/JspFactoryImpl.java tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Propchange: tomcat/tc6.0.x/trunk/ ------------------------------------------------------------------------------ --- svn:mergeinfo (original) +++ svn:mergeinfo Fri May 22 14:54:32 2009 
@@ -1 +1 @@ -/tomcat/trunk:601180,606992,612607,630314,640888,652744,653247,673796,673820,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,693378,694992,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,718360,719119,719124,719602,719626,719628,720046,720069,721040,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729681,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,742677,742697,742714,744160,744238,746321,746384,747834,747863,748344,750258,750291,750921,751286-751287,751289,751295,753039,757774,758596,758616,758664,759074,761601,762868,762929,762936-762937,763166,763183,763193,763298,763302,763325,763599,763611,763654,763681,763706,764985,764997,765662,768335 +/tomcat/trunk:601180,606992,612607,630314,640888,652744,653247,673796,673820,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,693378,694992,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,718360,719119,719124,719602,719626,719628,720046,720069,721040,721286,721708,721886,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729681,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,742677,742697,742714,744160,744238,746321,746384,746425,747834,747863,748344,750258,750291,750921,751286-751287,751289,751295,753039,757335,757774,758596,758616,758664,759074,761601,762868,762929,762936-762937,763166,763183,763193,763298,763302,763325,763599,763611,763654,763681,763706,764985,764997,765662,768335 Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=777554&r1=777553&r2=777554&view=diff 
============================================================================== --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Fri May 22 14:54:32 2009 
@@ -47,32 +47,6 @@ So to make this bug actually worth while fixing, and not impact performance, then it should only do this check on files that are relevant to the reload of an application, in other words a watched resource -* Changes required to run with a security manager - http://svn.apache.org/viewvc?rev=721286&view=rev (original) - http://svn.apache.org/viewvc?rev=721704&view=rev (original) - http://svn.apache.org/viewvc?rev=721708&view=rev (original) - http://svn.apache.org/viewvc?rev=721886&view=rev (original) - http://svn.apache.org/viewvc?rev=746425&view=rev (to address Bill's concerns) - http://svn.apache.org/viewvc?rev=757335&view=rev (to remove the Catalina dep) - +1: markt, billbarker - +1: kkolinko (good, but I have some concerns: - r721286 : - You have added an anonymous inner class to JspFactoryImpl. That class is - preloaded by o.a.jasper.security.SecurityClassLoad. I wonder, whether the - new inner class should also be preloaded. Do not have experience to prove - it, though. - Plus, see issue #47214 in Bugzilla for my concerns on naming. - r721704 : - o.k. - (I have concerns about DefaultInstanceManager (see issue #47214), but - that class does not exist in TC 6.0) - r746425: - Implementation of ELResolverImpl.getDefaultResolver(): - All those "(CompositeELResolver)" casts can be removed if you change - type of the local variable. - r721708, r721886, r757335: o.k. - ) - * Backport cleanup of semantics of thisAccessedTime and lastAccessedTime for sessions: - preparational whitespace changes Modified: tomcat/tc6.0.x/trunk/conf/catalina.policy URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/conf/catalina.policy?rev=777554&r1=777553&r2=777554&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/conf/catalina.policy (original) +++ tomcat/tc6.0.x/trunk/conf/catalina.policy Fri May 22 14:54:32 2009 
@@ -134,13 +134,14 @@ // Allow read of JAXP compliant XML parser debug permission java.util.PropertyPermission "jaxp.debug", "read"; - // Precompiled JSPs need access to this package. + // Precompiled JSPs need access to these packages. + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*"; - // Precompiled JSPs need access to this system property. + // Precompiled JSPs need access to these system properties. permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read"; - + permission java.util.PropertyPermission "org.apache.el.parser.COERCE_TO_ZERO", "read"; }; Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/security/SecurityClassLoad.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/security/SecurityClassLoad.java?rev=777554&r1=777553&r2=777554&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/security/SecurityClassLoad.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/security/SecurityClassLoad.java Fri May 22 14:54:32 2009 
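Review bot: The added `accessClassInPackage.org.apache.jasper.el` permission sits in a grant block whose header is outside this hunk, so its scope cannot be confirmed from here. If it is the default grant for every web application, all deployed code gains access to Jasper's EL implementation package, not only applications that ship precompiled JSPs. The comment should record that scope and what needs the access, for example `// Granted to all web applications; precompiled JSPs use classes in org.apache.jasper.el (TODO confirm which)`. The same applies to the `org.apache.el.parser.COERCE_TO_ZERO` read permission, whose comment names no consumer.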
@@ -100,6 +100,10 @@ loader.loadClass (basePackage + "util.URL"); loader.loadClass(basePackage + "util.Enumerator"); + loader.loadClass(basePackage + "util.DefaultAnnotationProcessor$1"); + loader.loadClass(basePackage + "util.DefaultAnnotationProcessor$2"); + loader.loadClass(basePackage + "util.DefaultAnnotationProcessor$3"); + loader.loadClass(basePackage + "util.DefaultAnnotationProcessor$4"); } Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/util/DefaultAnnotationProcessor.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/util/DefaultAnnotationProcessor.java?rev=777554&r1=777553&r2=777554&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/util/DefaultAnnotationProcessor.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/util/DefaultAnnotationProcessor.java Fri May 22 14:54:32 2009 
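Review bot: The four added `loadClass` calls name anonymous classes by their compiler-assigned ordinals (`DefaultAnnotationProcessor$1` to `$4`), so adding, removing or reordering an anonymous class in DefaultAnnotationProcessor silently changes what these names refer to. A stale entry would presumably surface only when starting under a SecurityManager; the enclosing method and its error handling are outside the hunk. A comment above the block would make the coupling visible: `// Anonymous inner classes of DefaultAnnotationProcessor; update this list when one is added or removed`. Only one new anonymous class is visible in this commit's DefaultAnnotationProcessor hunk, so the other three are presumably pre-existing.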
@@ -111,7 +111,20 @@ Class<?> clazz = instance.getClass(); while (clazz != null) { - Method[] methods = clazz.getDeclaredMethods(); + Method[] methods; + // Hack so PrivilegedAction can access clazz object + final Class<?> clazz2 = clazz; + if (Globals.IS_SECURITY_ENABLED) { + methods = AccessController.doPrivileged( + new PrivilegedAction<Method[]>(){ + public Method[] run(){ + return clazz2.getDeclaredMethods(); + } + }); + } else { + methods = clazz.getDeclaredMethods(); + } + Method preDestroy = null; for (int i = 0; i < methods.length; i++) { if (methods[i].isAnnotationPresent(PreDestroy.class)) { Modified: tomcat/tc6.0.x/trunk/java/org/apache/jasper/el/ELContextImpl.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/jasper/el/ELContextImpl.java?rev=777554&r1=777553&r2=777554&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/jasper/el/ELContextImpl.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/jasper/el/ELContextImpl.java Fri May 22 14:54:32 2009 @@ -26,6 +26,8 @@ import javax.el.ValueExpression; import javax.el.VariableMapper; +import org.apache.jasper.Constants; + /** * Implementation of ELContext * 
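Review bot: In the DefaultAnnotationProcessor hunk (-111) the privileged lookup is written inline, with a `clazz2` copy that the comment itself calls a hack and the `getDeclaredMethods()` call repeated in both branches. A small private helper taking a `final Class<?>` parameter removes the copy and keeps the privileged region limited to the reflection call, which is what makes such blocks easy to audit. If the file's other anonymous classes do the same lookup (they are outside this hunk), they could share the helper, but the `$1`..`$4` preload list in SecurityClassLoad would then need adjusting. The enclosing method starts and ends outside the hunk.

```java
// … unchanged: while (clazz != null) { …
            Method[] methods = getDeclaredMethods(clazz);
// … unchanged: preDestroy lookup over methods …

    /**
     * Returns the methods declared by the given class, performing the
     * reflection lookup in a privileged block when a SecurityManager is active.
     */
    private static Method[] getDeclaredMethods(final Class<?> type) {
        if (!Globals.IS_SECURITY_ENABLED) {
            return type.getDeclaredMethods();
        }
        return AccessController.doPrivileged(
                new PrivilegedAction<Method[]>() {
                    public Method[] run() {
                        return type.getDeclaredMethods();
                    }
                });
    }
```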
@@ -61,12 +63,21 @@ private final ELResolver resolver; - private FunctionMapper functionMapper = NullFunctionMapper; // immutable + private FunctionMapper functionMapper; private VariableMapper variableMapper; public ELContextImpl() { - this(ELResolverImpl.DefaultResolver); + this(ELResolverImpl.getDefaultResolver()); + if (Constants.IS_SECURITY_ENABLED) { + functionMapper = new FunctionMapper() { + public Method resolveFunction(String prefix, String localName) { + return null; + } + }; + } else { + functionMapper = NullFunctionMapper; + } } public ELContextImpl(ELResolver resolver) { Modified: tomcat/tc6.0.x/trunk/java/org/apache/jasper/el/ELResolverImpl.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/jasper/el/ELResolverImpl.java?rev=777554&r1=777553&r2=777554&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/jasper/el/ELResolverImpl.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/jasper/el/ELResolverImpl.java Fri May 22 14:54:32 2009 @@ -32,8 +32,10 @@ import javax.el.ResourceBundleELResolver; import javax.servlet.jsp.el.VariableResolver; +import org.apache.jasper.Constants; + public final class ELResolverImpl extends ELResolver { - + /** @deprecated - Use getDefaultResolver(). Needs to be made private */ public final static ELResolver DefaultResolver = new CompositeELResolver(); static { @@ -69,7 +71,7 @@ } if (!context.isPropertyResolved()) { - return DefaultResolver.getValue(context, base, property); + return getDefaultResolver().getValue(context, base, property); } return null; } @@ -94,7 +96,7 @@ } if (!context.isPropertyResolved()) { - return DefaultResolver.getType(context, base, property); + return getDefaultResolver().getType(context, base, property); } return null; } 
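Review bot: Dropping the `= NullFunctionMapper` field initializer in the ELContextImpl hunk (-61) means `functionMapper` is now assigned only in the no-argument constructor. An instance built through `ELContextImpl(ELResolver resolver)` keeps it `null` unless that constructor's body, which is outside the hunk, sets it. Both `JspApplicationContextImpl` and `ExpressionEvaluatorImpl.parseExpression` in this commit use the one-argument constructor, and the latter calls `setFunctionMapper` only when `fMapper != null`, so readers of the mapper (not shown) would have to tolerate a null that was previously impossible. Moving the `Constants.IS_SECURITY_ENABLED` branch into the one-argument constructor, to which the no-argument one already delegates, would restore a non-null default on every path.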
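Review bot: In the ELResolverImpl hunk at -32, `DefaultResolver` stays `public final static` and refers to a mutable `CompositeELResolver`; the added Javadoc only notes that it "Needs to be made private". The catalina.policy hunk in this same commit grants `accessClassInPackage.org.apache.jasper.el`, so the shared instance remains reachable by whatever code that grant covers. That appears to be the sharing the new `getDefaultResolver()` avoids under a SecurityManager. Until the field can be made private, the Javadoc should state the reason (shared mutable state, do not use when security is enabled), and the field should carry the `@Deprecated` annotation alongside the Javadoc tag so that compilers warn on use.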
@@ -114,7 +116,7 @@ } if (!context.isPropertyResolved()) { - DefaultResolver.setValue(context, base, property, value); + getDefaultResolver().setValue(context, base, property, value); } } @@ -129,18 +131,31 @@ return true; } - return DefaultResolver.isReadOnly(context, base, property); + return getDefaultResolver().isReadOnly(context, base, property); } public Iterator<java.beans.FeatureDescriptor> getFeatureDescriptors(ELContext context, Object base) { - return DefaultResolver.getFeatureDescriptors(context, base); + return getDefaultResolver().getFeatureDescriptors(context, base); } public Class<?> getCommonPropertyType(ELContext context, Object base) { if (base == null) { return String.class; } - return DefaultResolver.getCommonPropertyType(context, base); + return getDefaultResolver().getCommonPropertyType(context, base); } + public static ELResolver getDefaultResolver() { + if (Constants.IS_SECURITY_ENABLED) { + ELResolver defaultResolver = new CompositeELResolver(); + ((CompositeELResolver) defaultResolver).add(new MapELResolver()); + ((CompositeELResolver) defaultResolver).add(new ResourceBundleELResolver()); + ((CompositeELResolver) defaultResolver).add(new ListELResolver()); + ((CompositeELResolver) defaultResolver).add(new ArrayELResolver()); + ((CompositeELResolver) defaultResolver).add(new BeanELResolver()); + return defaultResolver; + } else { + return DefaultResolver; + } + } } Modified: tomcat/tc6.0.x/trunk/java/org/apache/jasper/el/ExpressionEvaluatorImpl.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/jasper/el/ExpressionEvaluatorImpl.java?rev=777554&r1=777553&r2=777554&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/jasper/el/ExpressionEvaluatorImpl.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/jasper/el/ExpressionEvaluatorImpl.java Fri May 22 14:54:32 2009 
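Review bot: Under a SecurityManager the new `getDefaultResolver()` (hunk at -129) builds a fresh `CompositeELResolver` with five child resolvers on every call, and after this commit it is called from `getValue`, `getType`, `setValue`, `isReadOnly`, `getFeatureDescriptors` and `getCommonPropertyType` (hunks at -69, -94, -114 and -129). Each resolution that falls through to the default therefore allocates six objects and discards any state the child resolvers keep between calls. The method has no Javadoc saying why the shared instance must not be used when security is enabled; `/** Returns the shared default resolver, or a new private instance on each call when running under a SecurityManager. */` would record the behaviour. If the isolation only needs to hold per resolver, keeping one default resolver per `ELResolverImpl` instance would avoid the repeated allocation, though the class's fields and constructor are outside this diff.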
@@ -38,7 +38,8 @@ public Expression parseExpression(String expression, Class expectedType, FunctionMapper fMapper) throws ELException { try { - ELContextImpl ctx = new ELContextImpl(ELResolverImpl.DefaultResolver); + ELContextImpl ctx = + new ELContextImpl(ELResolverImpl.getDefaultResolver()); if (fMapper != null) { ctx.setFunctionMapper(new FunctionMapperImpl(fMapper)); } Modified: tomcat/tc6.0.x/trunk/java/org/apache/jasper/runtime/JspApplicationContextImpl.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/jasper/runtime/JspApplicationContextImpl.java?rev=777554&r1=777553&r2=777554&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/jasper/runtime/JspApplicationContextImpl.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/jasper/runtime/JspApplicationContextImpl.java Fri May 22 14:54:32 2009 @@ -16,6 +16,8 @@ */ package org.apache.jasper.runtime; +import java.security.AccessController; +import java.security.PrivilegedAction; import java.util.ArrayList; import java.util.Iterator; import java.util.List; @@ -37,6 +39,7 @@ import javax.servlet.jsp.el.ScopedAttributeELResolver; import org.apache.el.ExpressionFactoryImpl; +import org.apache.jasper.Constants; import org.apache.jasper.el.ELContextImpl; /** 
@@ -88,8 +91,19 @@ } // create ELContext for JspContext - ELResolver r = this.createELResolver(); - ELContextImpl ctx = new ELContextImpl(r); + final ELResolver r = this.createELResolver(); + ELContextImpl ctx; + if (Constants.IS_SECURITY_ENABLED) { + ctx = AccessController.doPrivileged( + new PrivilegedAction<ELContextImpl>() { + public ELContextImpl run() { + return new ELContextImpl(r); + } + }); + } else { + ctx = new ELContextImpl(r); + } + ctx.putContext(JspContext.class, context); // alert all ELContextListeners Modified: tomcat/tc6.0.x/trunk/java/org/apache/jasper/runtime/JspFactoryImpl.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/jasper/runtime/JspFactoryImpl.java?rev=777554&r1=777553&r2=777554&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/jasper/runtime/JspFactoryImpl.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/jasper/runtime/JspFactoryImpl.java Fri May 22 14:54:32 2009 @@ -196,7 +196,17 @@ } - public JspApplicationContext getJspApplicationContext(ServletContext context) { - return JspApplicationContextImpl.getInstance(context); + public JspApplicationContext getJspApplicationContext( + final ServletContext context) { + if (Constants.IS_SECURITY_ENABLED) { + return AccessController.doPrivileged( + new PrivilegedAction<JspApplicationContext>() { + public JspApplicationContext run() { + return JspApplicationContextImpl.getInstance(context); + } + }); + } else { + return JspApplicationContextImpl.getInstance(context); + } } } Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=777554&r1=777553&r2=777554&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Fri May 22 14:54:32 2009 
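Review bot: Neither new `doPrivileged` block states which permission check it exists to satisfy. The one in JspApplicationContextImpl (-88) wraps only `new ELContextImpl(r)`, while the one in `JspFactoryImpl.getJspApplicationContext` (-196) wraps all of `JspApplicationContextImpl.getInstance(context)`, whose body is not shown, so the amount of code running with the container's privileges cannot be judged from the diff. Privileged regions are easier to audit when each carries a one-line reason and covers no more than the failing check requires, for example `// Privileged: <permission> is checked here and the caller may be web application code`, with the placeholder filled in. In both hunks the wrapped call is also repeated verbatim in the `else` branch, so a later change to one copy can miss the other.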
@@ -32,6 +32,17 @@ </properties> <body> +<section name="Tomcat 6.0.21 (remm)"> + <subsection name="Catalina"> + <changelog> + <fix> + Fix issues with expression language when running under a + SecurityManager. (markt) + </fix> + </changelog> + </subsection> +</section> + <section name="Tomcat 6.0.20 (remm)"> <subsection name="Catalina"> <changelog> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org