All, I went looking into WebappClassLoader's validateJarFile() and filter() methods, and I noticed two things:
1. The error message for locating an illegal class being loaded from a JAR file references servlet spec 2.3 section 9.7.2. The current published version of the spec (3.0) is now section 10.7.2. Any objections to changing the message to reflect the new spec version supported by Tomcat and the new section number?

2. In spite of the above spec section, Tomcat only checks for javax.servlet.Servlet and/or javax.el.Expression and then rejects the entire JAR file. It doesn't look like classes such as java.lang.String or javax.xml.parsers.SAXParser, etc. are prohibited. This seems to be a spec violation.

3. If a JAR file is found to contain a prohibited class, the entire JAR file is rejected. This behavior is not mandated by the servlet spec and may be over-reaching.

I'm sure there are all kinds of practical reasons to only look for certain classes, and not to prohibit replacement of things like JSTL, etc. But it seems like this should be tightened up a bit, even if through configuration things can be relaxed to their current state.

Any thoughts?

-chris
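As an added illustration of the kind of per-class check discussed in the message above (this is example code written for this page, not Tomcat's WebappClassLoader or any code from the original post), the following standalone Java program scans a JAR for class entries under a set of reserved package prefixes and reports each offending entry individually rather than rejecting the whole archive. The class name JarClassPolicyCheck, the helper buildSampleJar, and the PROHIBITED_PREFIXES list are assumptions chosen for the example; the message states that Tomcat itself only checks for javax.servlet.Servlet and javax.el.Expression, so a real list would have to be reconciled with the servlet spec section the author cites.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarInputStream;
import java.util.jar.JarOutputStream;

public class JarClassPolicyCheck {

    // Package prefixes (in JAR entry form) that a web application JAR should not
    // redefine. This list is an assumption for the example, not Tomcat's configuration.
    private static final String[] PROHIBITED_PREFIXES = {
        "java/", "javax/servlet/", "javax/el/", "javax/xml/parsers/"
    };

    // Returns every .class entry in the JAR that falls under a prohibited package.
    // Reporting per entry lets a deployer see exactly which classes triggered the
    // policy instead of only learning that the whole JAR was refused.
    public static List<String> findProhibitedEntries(byte[] jarBytes) throws IOException {
        List<String> hits = new ArrayList<>();
        try (JarInputStream in = new JarInputStream(new ByteArrayInputStream(jarBytes))) {
            JarEntry entry;
            while ((entry = in.getNextJarEntry()) != null) {
                String name = entry.getName();
                if (!name.endsWith(".class")) {
                    continue; // resources and manifests are not subject to the class policy
                }
                for (String prefix : PROHIBITED_PREFIXES) {
                    if (name.startsWith(prefix)) {
                        hits.add(name);
                        break;
                    }
                }
            }
        }
        return hits;
    }

    // Builds a constructed sample JAR in memory containing the given entry names.
    // Entry bodies are a placeholder class-file magic number; only names matter here.
    static byte[] buildSampleJar(String... entryNames) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (JarOutputStream out = new JarOutputStream(buf)) {
            for (String n : entryNames) {
                out.putNextEntry(new JarEntry(n));
                out.write(new byte[] {(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE});
                out.closeEntry();
            }
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: one legitimate application class, two entries that
        // shadow container- or platform-owned packages, and a manifest.
        byte[] jar = buildSampleJar(
            "com/example/MyFilter.class",
            "javax/servlet/Servlet.class",
            "javax/xml/parsers/SAXParser.class",
            "META-INF/MANIFEST.MF");
        List<String> bad = findProhibitedEntries(jar);
        System.out.println("Prohibited entries: " + bad);
    }
}
```

Running the program lists javax/servlet/Servlet.class and javax/xml/parsers/SAXParser.class while leaving com/example/MyFilter.class untouched; whether a deployment should then reject the JAR outright or only refuse to load the flagged classes is exactly the policy question raised in point 3 of the message.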