On 11/11/2013 22:50, Konstantin Kolinko wrote:
> 2013/11/8  <ma...@apache.org>:
>> Author: markt
>> Date: Fri Nov  8 00:09:19 2013
>> New Revision: 1539873
>>
>> URL: http://svn.apache.org/r1539873
>> Log:
>> Correctly implement delegation filtering for container packages.
>>
>> Modified:
>>     tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java
>>
>> Modified: tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java
>> URL: 
>> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java?rev=1539873&r1=1539872&r2=1539873&view=diff
>> ==============================================================================
>> --- tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java 
>> (original)
>> +++ tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java Fri 
>> Nov  8 00:09:19 2013
>> @@ -47,7 +47,6 @@ import java.util.ConcurrentModificationE
>>  import java.util.Date;
>>  import java.util.Enumeration;
>>  import java.util.HashMap;
>> -import java.util.HashSet;
>>  import java.util.Iterator;
>>  import java.util.LinkedHashSet;
>>  import java.util.List;
>> @@ -61,6 +60,8 @@ import java.util.concurrent.ThreadPoolEx
>>  import java.util.jar.Attributes;
>>  import java.util.jar.Attributes.Name;
>>  import java.util.jar.Manifest;
>> +import java.util.regex.Matcher;
>> +import java.util.regex.Pattern;
>>
>>  import org.apache.catalina.Globals;
>>  import org.apache.catalina.Lifecycle;
>> @@ -179,18 +180,23 @@ public class WebappClassLoader extends U
>>      // ------------------------------------------------------- Static 
>> Variables
>>
>>      /**
>> -     * Set of package names which are not allowed to be loaded from a webapp
>> -     * class loader without delegating first.
>> +     * Regular expression of package names which are not allowed to be 
>> loaded
>> +     * from a webapp class loader without delegating first.
>>       */
>> -    protected static final Set<String> packageTriggersDeny = new 
>> HashSet<>();
>> +    protected final Matcher packageTriggersDeny = Pattern.compile(
>> +            "^javax\\.el\\.|" +
>> +            "^javax\\.servlet\\.|" +
>> +            
>> "^org\\.apache\\.(catalina|coyote|el|jasper|juli|naming|tomcat)\\."
>> +            ).matcher("");
>>
>>
>>      /**
>> -     * Set of package names which are allowed to be loaded from a webapp 
>> class
>> -     * loader without delegating first and override any set by
>> +     * Regular expression of package names which are allowed to be loaded 
>> from a
>> +     * webapp class loader without delegating first and override any set by
>>       * {@link #packageTriggersDeny}.
>>       */
>> -    protected static final Set<String> packageTriggersPermit = new 
>> HashSet<>();
>> +    protected final Matcher packageTriggersPermit =
>> +            Pattern.compile("^javax\\.servlet\\.jsp\\.jstl\\.").matcher("");
>>
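
Review bot: packageTriggersDeny and packageTriggersPermit are now per-instance Matcher fields, and java.util.regex.Matcher is not safe for use by multiple concurrent threads, so two threads loading classes through the same WebappClassLoader can corrupt each other's match state unless every use is synchronized. Consider keeping each expression as a static final Pattern and calling pattern.matcher(name) at the point of use. The fields also still sit under the "Static Variables" banner although they are no longer static. The org\\.apache\\.tomcat\\. alternative covers every sub-package under that prefix, so the Javadoc should say that this is intended.
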
> 
> Looking at other Tomcat projects...
> 
> Standard Taglib uses org.apache.taglibs.standard.**, so it is not
> affected by the above patterns.
> 
> Maven Plugin uses org.apache.tomcat.maven.**, so it is affected.
> (Even though it is unlikely that those classes would be used in a web
> application, it is not illegal).

I'm not sure. Isn't the Maven plug-in effectively acting as a container?
If yes, that makes those classes part of the container so they should
not be loadable by the webapp so the pattern is OK.

I am no Maven expert, nor do I really understand the Maven plug-in but
looking at the source, it certainly looks like container code to me.

Mark

