Author: markt
Date: Mon Nov 25 10:26:26 2013
New Revision: 1545213
URL: http://svn.apache.org/r1545213
Log:
When running under a security manager disabled deployXML by default.
Modified:
tomcat/trunk/java/org/apache/catalina/core/StandardHost.java
tomcat/trunk/webapps/docs/config/host.xml
tomcat/trunk/webapps/docs/security-howto.xml
Modified: tomcat/trunk/java/org/apache/catalina/core/StandardHost.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/StandardHost.java?rev=1545213&r1=1545212&r2=1545213&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/core/StandardHost.java (original)
+++ tomcat/trunk/java/org/apache/catalina/core/StandardHost.java Mon Nov 25
10:26:26 2013
@@ -31,6 +31,7 @@ import javax.management.ObjectName;
import org.apache.catalina.Container;
import org.apache.catalina.Context;
import org.apache.catalina.Engine;
+import org.apache.catalina.Globals;
import org.apache.catalina.Host;
import org.apache.catalina.JmxEnabled;
import org.apache.catalina.Lifecycle;
@@ -128,7 +129,7 @@ public class StandardHost extends Contai
/**
* deploy Context XML config files property.
*/
- private boolean deployXML = true;
+ private boolean deployXML = !Globals.IS_SECURITY_ENABLED;
/**
Modified: tomcat/trunk/webapps/docs/config/host.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/host.xml?rev=1545213&r1=1545212&r2=1545213&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/host.xml (original)
+++ tomcat/trunk/webapps/docs/config/host.xml Mon Nov 25 10:26:26 2013
@@ -242,7 +242,8 @@
then be responsible for providing an external context configuration
file, and putting it in the location defined by the
<strong>xmlBase</strong> attribute. The flag's value defaults to
- <code>true</code>.</p>
+ <code>true</code> unless a security manager is enabled when the default
+ is <code>false</code>.</p>
</attribute>
<attribute name="errorReportValveClass" required="false">
Modified: tomcat/trunk/webapps/docs/security-howto.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/security-howto.xml?rev=1545213&r1=1545212&r2=1545213&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/security-howto.xml (original)
+++ tomcat/trunk/webapps/docs/security-howto.xml Mon Nov 25 10:26:26 2013
@@ -173,6 +173,13 @@
manager should be introduced at the start of the development cycle as it
can
be time-consuming to track down and fix issues caused by enabling a
security
manager for a mature application.</p>
+
+ <p>Enabling the security manager changes the defaults for the following
+ settings:</p>
+ <ul>
+ <li>The default value for the <strong>deployXML</strong> attribute of the
+ <strong>Host</strong> element is changed to <code>false</code>.</li>
+ </ul>
</section>
<section name="server.xml">
@@ -293,9 +300,11 @@
</p>
<p>In a hosted environment where web applications may not be trusted, set
- the <strong>deployXML</strong> attribute to <code>false</code> to ignore
any
- context.xml packaged with the web application that may try to assign
- increased privileges to the web application. </p>
+ the <strong>deployXML</strong> attribute to <code>false</code> to ignore
+ any context.xml packaged with the web application that may try to assign
+ increased privileges to the web application. Note that if the security
+ manager is enabled that the <strong>deployXML</strong> attribute will
+ default to <code>false</code>.</p>
</subsection>
<subsection name="Context">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
