You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by bu...@apache.org on 2016/04/20 09:29:36 UTC

[Bug 59357] New: Doesn't seem to be a way to totally disable TLD scanning

https://bz.apache.org/bugzilla/show_bug.cgi?id=59357

            Bug ID: 59357
           Summary: Doesn't seem to be a way to totally disable TLD
                    scanning
           Product: Tomcat 8
           Version: 8.0.33
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Jasper
          Assignee: dev@tomcat.apache.org
          Reporter: valliantster@gmail.com

There doesn't seem to be a way to disable TLD scanning completely.

There apparently used to be an attribute for the context called "processTlds"
which was replaced at some point, with some/all of the following:

<Context processTlds="false" tldValidation="false" xmlBlockExternal="false">
<JarScanner scanClassPath="false" scanAllFiles="false"
scanAllDirectories="false">
<JarScanFilter tldSkip="*" defaultTldScan="false"/>
</JarScanner>
</Context>

This is well and good, but in my case I have a TLD file (just the file itself,
not inside a jar) below WEB-INF, and even with every possible "don't scan for
TLDs" setting set, it's still being picked up. (jarsToSkip, fwiw, is *)

Is there a setting I'm missing which will totally disable TLD scanning?

A quick look at the sources makes it seem like there is no way to avoid the
scan for files with .tld extensions, as filters and such are only applied to
jar scanning?  I could be missing something, but that's what it looks like.

To reproduce, just stick a TLD with a bad DTD reference somewhere below
/WEB-INF.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 59357] Doesn't seem to be a way to totally disable TLD scanning

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=59357

--- Comment #2 from Denny <va...@gmail.com> ---
Ah, I should have realized it was spec.

The issue I'm running into is a bad DTD location in a TLD.

It's been broken for a while I think, I'm surprised we haven't run into this
problem before now.  I thought it might be related to the change of the default
for xmlBlockExternal at first, but that must have just been correlation.

Okay, so skipping scanning is a no-go, but what about skipping TLD files with
errors?

I thought maybe tldValidation="false" might do the trick, but it gets parsed
before validated, I guess, and the bad DTD ref borks that.

If you think setting tldValidation to false should skip *any* type of
validation, I'll open a ticket for that, but I'm assuming it still has to
parse, if not validate... and maybe the setting is about TagLibraryValidators,
versus XML validation?

Anyways, thanks for the prompt feedback, wontfix makes total sense, and I'd
rather solve the problem long term than ignore it short term anyhow.  Cheers!

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 59357] Doesn't seem to be a way to totally disable TLD scanning

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=59357

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WONTFIX
             Status|NEW                         |RESOLVED

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
Scanning for TLDs under WEB-INF is required by the JSP specification.

Scanning within JARs is configurable because of the performance impact. It
allows JARs to be skipped when they are known not to contain TLDs.

TLD scanning was refactored between 7.0.x and 8.0.x. In 7.0.x, both Catalina
(the Servlet engine) and Jasper (the JSP engine) scanned for TLDs. Catalina
scanned for TLDs on web application start looking for listeners. Jasper scanned
for TLDs lazily (once a JSP referred to a TLD) but looked for everything else.
processTlds only affected the Catalina scan.

In 8.0.x, Jasper does all the scanning (on web application start) and notifies
Catalina of any listeners found.

It looks like you are seeing the results of making the Jasper scan non-lazy.

At this point I don't see a good reason to change the current behaviour.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org