https://issues.apache.org/bugzilla/show_bug.cgi?id=54261

--- Comment #3 from Konstantin Kolinko <knst.koli...@gmail.com> ---
(In reply to comment #2)
> The relevant section is:
> <quote>
> If a framework wants its META-INF/web-fragment.xml honored in such a way
> that it augments a web application's web.xml, (...)

OK, this explains web fragments.
It should also imply that they
- are NOT scanned for @WebServlet/@WebFilter/@WebListener

based on a) support for metadata-complete attribute in web-fragment.xml, b) 8.1
mentions WEB-INF/lib and WEB-INF/classes only
<quote from=8.1>
In a web application, classes using annotations will have their annotations
processed only if they are located in the WEB-INF/classes directory, or if they
are packaged in a jar file located in WEB-INF/lib within the application.
</quote>


Regarding static resources see ch.4.6 that mentions WEB-INF/lib only, thus they
are "NOT scanned",

<quote from=4.6>
The getResource and getResourceAsStream methods take a String with a leading
“/” as an argument that gives the path of the resource relative to the root of
the context or relative to the META-INF/resources directory of a JAR file inside
the web application’s WEB-INF/lib directory
</quote>

The "resources" mentioned in the fragment of 8.2.1 that Mark quoted, I think
are referring to class and property files available through classloader, and
are not talking about "static resources".


I think we can straighten this for Tomcat 8 (with its better support for
resources), but for Tomcat 7 I am a bit afraid to change things.


I think that a reason behind disallowing web fragments at container level could
be
a) to lessen surprise for web applications that are moved between different
environments.
b) it simplifies requirements for declaration of web fragment ordering
c) it simplifies requirements for containers implementing this new feature
d) if a web fragment is in the container, it will be injected into all webapps
indiscriminately. Some of them may not expect this. It might even lead to some
security problems. Well, a SCI can inject the same servlets/filters/listeners
as a web fragment, but usually programmers are more accurate.

If we do change things for Tomcat 7, I think at most we can disallow
web-fragments coming from the parent ("common") classloader, based on security
concerns from "d)". I think whatever is injected into specific web application
(via a DirContext (like used by Eclipse IDE - see bug 51741) or via
VirtualWebappLoader in its context.xml) is under control of a specific web
application and should be allowed.
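
As an added illustration of concern "d)" above (not part of the comment and not Tomcat code): a small audit that separates JARs carrying META-INF/web-fragment.xml or META-INF/resources in a container-level library directory from those in a webapp's WEB-INF/lib. The directory layout, the function names and the sample JARs are assumptions constructed for the example.

```python
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

FRAGMENT = "META-INF/web-fragment.xml"
RESOURCES = "META-INF/resources/"

def inspect_jar(jar_path):
    """Report web-fragment / static-resource content of one JAR, or None."""
    with zipfile.ZipFile(jar_path) as jar:
        names = jar.namelist()
        static = [n for n in names if n.startswith(RESOURCES) and not n.endswith("/")]
        if FRAGMENT not in names:
            return {"fragment": False, "metadata_complete": None, "static": static} if static else None
        # Local, trusted JARs assumed; use a hardened XML parser for untrusted archives.
        root = ET.fromstring(jar.read(FRAGMENT))
        return {"fragment": True, "metadata_complete": root.get("metadata-complete") == "true", "static": static}

def audit(container_lib, webapps_dir):
    """Tag each finding 'container' (shared library directory) or 'webapp'."""
    findings = []
    for scope, pattern, base in (("container", "*.jar", container_lib),
                                 ("webapp", "*/WEB-INF/lib/*.jar", webapps_dir)):
        for jar in sorted(Path(base).glob(pattern)):
            info = inspect_jar(jar)
            if info:
                findings.append((scope, jar.relative_to(base).as_posix(), info))
    return findings

def build_sample(root):
    """Constructed layout: one shared JAR with a fragment, one webapp JAR."""
    frag = '<web-fragment xmlns="http://java.sun.com/xml/ns/javaee" version="3.0"%s/>'
    layout = {
        "lib/shared-framework.jar": {FRAGMENT: frag % ""},
        "lib/plain.jar": {"com/example/A.class": "x"},
        "webapps/shop/WEB-INF/lib/ui.jar": {FRAGMENT: frag % ' metadata-complete="true"',
                                            RESOURCES + "css/site.css": "body{}"},
    }
    for rel, entries in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            for name, data in entries.items():
                jar.writestr(name, data)
    return Path(root, "lib"), Path(root, "webapps")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for scope, jar, info in audit(*build_sample(tmp)):
            print(scope, jar, info)
```

Findings tagged "container" are the ones to review first, since a JAR in a shared library directory is visible to every deployed application rather than to one.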
