https://issues.apache.org/bugzilla/show_bug.cgi?id=57142
--- Comment #3 from Konstantin Kolinko <knst.koli...@gmail.com> --- > The JSP 2.3 Spec mentions in "Table JSP.1-8" "Page Directive Attributes" that > "An import attribute describes the types that are available to > the scripting environment." Originally the "scripting environment" as mentioned in JSP spec is just the java language. If that covers EL as well then it would better be explicitly explained as a chapter in section JSP.2 that defines interaction between EL and JSP. In chapter JSP.1.10.1 The page Directive in Table JSP.1-8 it also says that "Packages java.lang.*, javax.servlet.*, javax.servlet.jsp.*, and javax.servlet.http.* are imported implicitely by the JSP container." The EL.3.0 chapter 1.22.1 Access Restrictions and Imports says that only "java.lang.*" is imported, for security reasons. [quote] For security, the following restrictions are enforced. ... 3. Except for classes with java.lang.* package names, a class has to be explicitly imported before its static fields or methods can be referenced. [/quote] So if page imports should affect the EL, then how does it deal with those default imports from servlet packages? The safer default would be to just import java.lang.*, but it would be odd to require someone to explicitly import those servlet packages with @page directive. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
