On Feb 26, 2013, at 11:21 AM, Christopher Schultz wrote:

> Mark,
>
> On 2/21/13 8:34 AM, Mark Thomas wrote:
>> JRE JARs.
>> I think scanning of these should be made optional and disabled by
>> default. This will reduce the list of JARs we have to maintain in
>> jarsToSkip. I intend to implement this unless there are any objections.
>
> +1
>
> Will you be checking the ClassLoader to determine whether this is a JRE
> JAR or not? Does this apply to the JRE's "endorsed" JARs as well?
> White-listing will still work to enable individual JARs in these
> locations, right?
>
>> jarsToScan
>> This is a little more complicated.
>> First of all, how does it work? The suggestion is:
>> - If jarsToScan matches, scan it
>> - else if jarsToSkip matches, skip it
>> - else scan it
>
> +1
>
>> Assuming that the above is acceptable, it would require the following:
>> a) three new system properties
>> tomcat.util.scan.DefaultJarScanner.jarsToScan
>> org.apache.catalina.startup.ContextConfig.jarsToScan
>> org.apache.catalina.startup.TldConfig.jarsToScan
>
> -1 for the global-ness of these settings.
>
>> b) add a parameter to JarScanner.scan()
>>
>> There are a couple of issues here.
>> 2. (and an issue with the current code [1]). These settings are all
>> global rather than per web application. I would prefer that they were
>> per web application with defaults configured globally. It is complicated
>> by the fact that the JARs to skip/scan may vary depending on how the
>> JarScanner is used.
>
> I would prefer to be able to set this stuff on a per-context basis. How
> much of this configuration could be configured with a <Scanner>?
>
> -chris

There hasn't been any movement on this for a while, so I wanted to see if any decision was made or if any work is being done.

Note that Log4j2 is going to have a log4j-taglib artifact that (naturally) will have a TLD in its META-INF. Since Tomcat by default excludes log4j*.jar, that has to be removed from catalina.properties in order to make it work. It would be great for Tomcat 7/8 to ship with jarsToScan set to whitelist log4j-taglib*.jar, or (perhaps better) *taglib*.jar (which would cover any JARs that accidentally fell under the blacklist but had the word taglib in them).

Nick
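
The scan/skip precedence proposed in the quoted message, applied to the log4j-taglib case raised above. This is an added example, not code from the thread or from Tomcat: the class and method names, the '*'-only glob matching, and the sample JAR file names are assumptions constructed for illustration.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Illustration only: hypothetical class, not Tomcat's JarScanner implementation.
public class JarScanPrecedenceDemo {

    // Turn a simple glob (only '*' is special) into a regex; every other
    // character is quoted so '.' and '-' in JAR names match literally.
    static Pattern globToPattern(String glob) {
        String[] parts = glob.split("\\*", -1);
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < parts.length; i++) {
            if (i > 0) sb.append(".*");
            sb.append(Pattern.quote(parts[i]));
        }
        return Pattern.compile(sb.toString());
    }

    static boolean matchesAny(List<String> globs, String jarName) {
        for (String g : globs) {
            // matches() anchors at both ends, so the glob must cover the whole name
            if (globToPattern(g).matcher(jarName).matches()) return true;
        }
        return false;
    }

    // The three-step rule from the thread.
    static boolean shouldScan(String jarName, List<String> jarsToScan, List<String> jarsToSkip) {
        if (matchesAny(jarsToScan, jarName)) return true;   // jarsToScan matches: scan it
        if (matchesAny(jarsToSkip, jarName)) return false;  // else jarsToSkip matches: skip it
        return true;                                        // else scan it
    }

    public static void main(String[] args) {
        List<String> jarsToSkip = Arrays.asList("log4j*.jar");   // default exclusion named in the thread
        List<String> jarsToScan = Arrays.asList("*taglib*.jar"); // broader whitelist suggested in the thread
        // Constructed sample names; versions are placeholders.
        List<String> samples = Arrays.asList(
            "log4j-taglib-X.Y.jar",  // skip-listed name, rescued by the whitelist
            "log4j-core-X.Y.jar",    // skip-listed, no whitelist match
            "example-taglib.jar",    // whitelist match only
            "example-app.jar");      // matches neither list, scanned by default
        for (String jar : samples) {
            System.out.printf("%-24s scan=%b%n", jar, shouldScan(jar, jarsToScan, jarsToSkip));
        }
    }
}
```

Because the whitelist is checked first, the broad `*taglib*.jar` pattern overrides the skip list for every JAR whose name contains "taglib", while the narrower `log4j-taglib*.jar` would re-enable only that artifact.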