https://issues.apache.org/bugzilla/show_bug.cgi?id=48928

           Summary: An alternative solution to preloading classes when
                    running with SecurityManager
           Product: Tomcat 6
           Version: 6.0.26
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Catalina
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: knst.koli...@gmail.com


Created an attachment (id=25140)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=25140)
2010-03-17_tc6_CatalinaSecurityManager.patch

While looking again at those AccessControlException exceptions
that are cured by preloading classes in SecurityClassLoad classes
of Catalina and Jasper (e.g. bug 48581, bug 48580, bug 48438, bug 48323),
I thought of a solution that disables the package access check in
sun.misc.Launcher$AppClassLoader.loadClass().

I am attaching the patch.

The patch is for tc6.0.x. It implements a new class,
o.a.c.security.CatalinaSecurityManager, modifies build.xml to pack it into
bootstrap.jar, and modifies *.bat/*.sh scripts and SecurityClassLoad classes to
make use of it.

It makes it possible to get rid of all preloading in SecurityClassLoad classes
of catalina and jasper, except one call in Jasper that is still necessary.


While package access protection in loadClass() is removed,
I know that the package access protection is certainly still present in the
following cases:
- ClassLoader.defineClass() (e.g. bug 48218 still happens in 6.0)
- When trying to use reflection, as implemented in
java.lang.Class.checkMemberAccess()

As of now, I do not see any harm in what this patch does.
Comments are welcome.



I tested it running Sun JRE 6u18 on Windows with Tomcat examples and other
sample applications (changes to catalina.sh are not tested). All runs well,
without AccessControlException (except the expected ones from ChatServlet -
described in bug 48218).
