Author: kkolinko Date: Tue Jan 19 12:50:38 2010 New Revision: 900755 URL: http://svn.apache.org/viewvc?rev=900755&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48097 Avoid throwing an AccessControlException which can lead to a NoClassDefFoundError on first access of first jsp.
Modified: tomcat/tc5.5.x/trunk/STATUS.txt tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/security/SecurityClassLoad.java tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml Modified: tomcat/tc5.5.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=900755&r1=900754&r2=900755&view=diff ============================================================================== --- tomcat/tc5.5.x/trunk/STATUS.txt (original) +++ tomcat/tc5.5.x/trunk/STATUS.txt Tue Jan 19 12:50:38 2010 
@@ -72,25 +72,6 @@ ) -* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48097 - There are two patches to be applied: - - 2) Add a new PrivilegedAction. Patch by markt - http://svn.apache.org/viewvc?rev=834080&view=rev - +1: kkolinko, markt, rjung - -1: - rjung: minus generics - - 3) Remove use of WebappClassLoader$PrivilegedFindResource, - because all findResourceInternal(String,String) calls are now already - wrapped with AccessController.doPrivileged, so additional wrapping is not - needed. Add preloading of the new PrivilegedFindResourceByName class, - (to fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48097#c13 - ) - http://people.apache.org/~kkolinko/patches/2009-11-12_PrivilegedFindResource_tc6.patch - +1: kkolinko, markt, rjung - -1: - * Fix CVE-2009-3548 - Windows installer uses insecure default password http://svn.apache.org/viewvc?rev=834047&view=rev +1: markt, mturk Modified: tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java?rev=900755&r1=900754&r2=900755&view=diff ============================================================================== --- tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java (original) +++ tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java Tue Jan 19 12:50:38 2010 @@ -114,6 +114,9 @@ public static final boolean ENABLE_CLEAR_REFERENCES = Boolean.valueOf(System.getProperty("org.apache.catalina.loader.WebappClassLoader.ENABLE_CLEAR_REFERENCES", "true")).booleanValue(); + /** + * @deprecated Not used + */ protected class PrivilegedFindResource implements PrivilegedAction { 
@@ -131,6 +134,23 @@ } + protected class PrivilegedFindResourceByName + implements PrivilegedAction { + + protected String name; + protected String path; + + PrivilegedFindResourceByName(String name, String path) { + this.name = name; + this.path = path; + } + + public Object run() { + return findResourceInternal(name, path); + } + + } + protected final class PrivilegedGetClassLoader implements PrivilegedAction { @@ -961,7 +981,13 @@ ResourceEntry entry = (ResourceEntry) resourceEntries.get(name); if (entry == null) { - entry = findResourceInternal(name, name); + if (securityManager != null) { + PrivilegedAction dp = + new PrivilegedFindResourceByName(name, name); + entry = (ResourceEntry) AccessController.doPrivileged(dp); + } else { + entry = findResourceInternal(name, name); + } } if (entry != null) { url = entry.source; @@ -1844,7 +1870,13 @@ ResourceEntry entry = null; - entry = findResourceInternal(name, classPath); + if (securityManager != null) { + PrivilegedAction dp = + new PrivilegedFindResourceByName(name, classPath); + entry = (ResourceEntry) AccessController.doPrivileged(dp); + } else { + entry = findResourceInternal(name, classPath); + } if (entry == null) throw new ClassNotFoundException(name); @@ -1927,8 +1959,7 @@ } /** - * Find specified resource in local repositories. This block - * will execute under an AccessControl.doPrivilege block. + * Find specified resource in local repositories. * * @return the loaded resource, or null if the resource isn't found */ 
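Review bot: The new `PrivilegedFindResourceByName` in the `@@ -131,6 +134,23 @@` hunk keeps `name` and `path` as non-final `protected` fields on a non-final class, although its `run()` is only meant to execute inside `AccessController.doPrivileged`. The package-private constructor limits who can create one, but nothing marks the inputs of the privileged call as fixed between construction and `run()`. The adjacent `PrivilegedGetClassLoader` in this hunk's context is already `protected final class`. Matching it with `protected final class PrivilegedFindResourceByName` and `private final String name; private final String path;` makes the action immutable by construction.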
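Review bot: The `securityManager != null` branch added in the `@@ -961,7 +981,13 @@` hunk is repeated verbatim in `@@ -1844,7 +1870,13 @@`, so the loader now raises privilege around `findResourceInternal` in two separate places. A single private helper (the name below is only a suggestion) keeps the security-manager check and the `doPrivileged` call in one auditable spot and reduces each call site to one line. Both enclosing methods start and end outside the hunks. `name` reaches the privileged lookup exactly as the caller passed it, so any validation of it has to live inside `findResourceInternal`, which is not shown here.

```java
// Single place where resource lookup runs with the loader's own permissions.
private ResourceEntry findResourceEntry(String name, String path) {
    if (securityManager == null) {
        return findResourceInternal(name, path);
    }
    PrivilegedAction dp = new PrivilegedFindResourceByName(name, path);
    return (ResourceEntry) AccessController.doPrivileged(dp);
}

// … unchanged: resourceEntries cache lookup at the first call site …
if (entry == null) {
    entry = findResourceEntry(name, name);
}

// … second call site, before the ClassNotFoundException check …
entry = findResourceEntry(name, classPath);
```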
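Review bot: Dropping the `doPrivilege` sentence in the `@@ -1927,8 +1959,7 @@` hunk leaves the Javadoc silent on the privilege contract, which this commit moves to the callers. I would replace the sentence rather than delete it, for example `Callers must invoke this method inside AccessController.doPrivileged when a security manager is installed.` The method signature lies outside the hunk, so this assumes the comment belongs to `findResourceInternal(String, String)`.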
@@ -1987,13 +2018,7 @@ // Note : Not getting an exception here means the resource was // found - if (securityManager != null) { - PrivilegedAction dp = - new PrivilegedFindResource(files[i], path); - entry = (ResourceEntry)AccessController.doPrivileged(dp); - } else { - entry = findResourceInternal(files[i], path); - } + entry = findResourceInternal(files[i], path); ResourceAttributes attributes = (ResourceAttributes) resources.getAttributes(fullPath); Modified: tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/security/SecurityClassLoad.java URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/security/SecurityClassLoad.java?rev=900755&r1=900754&r2=900755&view=diff ============================================================================== --- tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/security/SecurityClassLoad.java (original) +++ tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/security/SecurityClassLoad.java Tue Jan 19 12:50:38 2010 @@ -76,7 +76,7 @@ String basePackage = "org.apache.catalina."; loader.loadClass (basePackage + - "loader.WebappClassLoader$PrivilegedFindResource"); + "loader.WebappClassLoader$PrivilegedFindResourceByName"); } Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml?rev=900755&r1=900754&r2=900755&view=diff ============================================================================== --- tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml (original) +++ tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml Tue Jan 19 12:50:38 2010 
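Review bot: With the wrapper removed in the `@@ -1987,13 +2018,7 @@` hunk, `findResourceInternal(files[i], path)` runs with whatever permissions the current call stack has. The STATUS entry says every call is now wrapped, but the diff itself shows only the two patched call sites supplying `doPrivileged`. Any other path into the enclosing method, which begins and ends outside the hunk, would hit the `AccessControlException` this commit is meant to avoid. A short comment at the call, such as `// Callers are expected to have entered doPrivileged already`, would record that dependency. It is also worth confirming that no other caller exists.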
@@ -95,6 +95,11 @@ AccessControlException. (kkolinko) </update> <fix> + <bug>48097</bug>: Avoid throwing an AccessControlException which can + lead to a NoClassDefFoundError on first access of first jsp. + (kkolinko/markt) + </fix> + <fix> Add an additional permission required by JULI when running under newer JDKs and a security manager. (markt) </fix> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org