Posted to dev@tomcat.apache.org by ma...@apache.org on 2013/11/26 01:51:05 UTC

svn commit: r1545481 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/catalina/startup/ test/org/apache/catalina/startup/ webapps/docs/ webapps/docs/config/

Author: markt
Date: Tue Nov 26 00:51:05 2013
New Revision: 1545481

URL: http://svn.apache.org/r1545481
Log:
Prevent a web application from deploying if it contains a context.xml, deployXML is false and there is no explicit descriptor as the descriptor may contain necessary security information.

Modified:
    tomcat/tc7.0.x/trunk/   (props changed)
    tomcat/tc7.0.x/trunk/java/org/apache/catalina/startup/HostConfig.java
    tomcat/tc7.0.x/trunk/java/org/apache/catalina/startup/LocalStrings.properties
    tomcat/tc7.0.x/trunk/test/org/apache/catalina/startup/TestHostConfigAutomaticDeployment.java
    tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
    tomcat/tc7.0.x/trunk/webapps/docs/config/automatic-deployment.xml
    tomcat/tc7.0.x/trunk/webapps/docs/config/host.xml

Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
  Merged /tomcat/trunk:r1545288,1545377

Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/startup/HostConfig.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/startup/HostConfig.java?rev=1545481&r1=1545480&r2=1545481&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/startup/HostConfig.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/startup/HostConfig.java Tue Nov 26 00:51:05 2013
@@ -870,26 +870,24 @@ public class HostConfig
                 cn.getBaseName() + "/META-INF/context.xml");
 
         boolean xmlInWar = false;
-        if (deployXML) {
-            JarEntry entry = null;
-            try {
-                jar = new JarFile(war);
-                entry = jar.getJarEntry(Constants.ApplicationContextXml);
-                if (entry != null) {
-                    xmlInWar = true;
-                }
-            } catch (IOException e) {
-                /* Ignore */
-            } finally {
-                entry = null;
-                if (jar != null) {
-                    try {
-                        jar.close();
-                    } catch (IOException ioe) {
-                        // Ignore;
-                    }
-                    jar = null;
+        JarEntry entry = null;
+        try {
+            jar = new JarFile(war);
+            entry = jar.getJarEntry(Constants.ApplicationContextXml);
+            if (entry != null) {
+                xmlInWar = true;
+            }
+        } catch (IOException e) {
+            /* Ignore */
+        } finally {
+            entry = null;
+            if (jar != null) {
+                try {
+                    jar.close();
+                } catch (IOException ioe) {
+                    // Ignore;
                 }
+                jar = null;
             }
         }
 
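Review bot: The retained `catch (IOException e) { /* Ignore */ }` now feeds a security decision, because `xmlInWar` is computed regardless of `deployXML` and stays `false` when the WAR cannot be opened. With `deployXML` set to `false`, the `!deployXML && xmlInWar` branch added later in this method would then presumably be skipped, and the deployment would be treated as if no embedded descriptor existed. Before this change the flag was only computed when `deployXML` was true, so the silent ignore had no such effect. Consider failing closed, or at minimum logging the exception and adding a comment such as `// an unreadable WAR leaves xmlInWar false; with deployXML=false the descriptor check below is not applied`. The enclosing method starts and ends outside this hunk, so later handling of an unreadable WAR may already cover this case.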
@@ -913,7 +911,6 @@ public class HostConfig
                 context.setConfigFile(xml.toURI().toURL());
             } else if (deployXML && xmlInWar) {
                 synchronized (digesterLock) {
-                    JarEntry entry = null;
                     try {
                         jar = new JarFile(war);
                         entry =
@@ -951,6 +948,12 @@ public class HostConfig
                         digester.reset();
                     }
                 }
+            } else if (!deployXML && xmlInWar) {
+                // Block deployment as META-INF/context.xml may contain security
+                // configuration necessary for a secure deployment.
+                log.error(sm.getString("hostConfig.deployDescriptor.blocked",
+                        cn.getPath(), Constants.ApplicationContextXml,
+                        new File(host.getConfigBaseFile(), cn.getBaseName() + ".xml")));
             } else {
                 context = (Context) Class.forName(contextClass).newInstance();
             }
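Review bot: The new `!deployXML && xmlInWar` branch only logs and leaves `context` unassigned, whereas the matching branch for directory deployment (the hunk at -1205) sets `context = new FailedContext();` explicitly. Whatever turns the unset context into a failed one lies outside this hunk, so the fail-closed behaviour of this path depends on code not visible here; adding `context = new FailedContext();` after the `log.error(...)` call would make both paths read the same. Separately, the suggested descriptor location is built from `host.getConfigBaseFile()`, while the copy logic later in this method uses `configBase()`. Using `new File(configBase(), cn.getBaseName() + ".xml")` would keep the logged path consistent with that code, assuming the two can differ.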
@@ -978,7 +981,7 @@ public class HostConfig
             if (xmlInWar && copyThisXml) {
                 // Change location of XML file to config base
                 xml = new File(configBase(), cn.getBaseName() + ".xml");
-                JarEntry entry = null;
+                entry = null;
                 try {
                     jar = new JarFile(war);
                     entry =
@@ -1205,6 +1208,12 @@ public class HostConfig
                 } else {
                     context.setConfigFile(xml.toURI().toURL());
                 }
+            } else if (!deployXML && xml.exists()) {
+                // Block deployment as META-INF/context.xml may contain security
+                // configuration necessary for a secure deployment.
+                log.error(sm.getString("hostConfig.deployDescriptor.blocked",
+                        cn.getPath(), xml, xmlCopy));
+                context = new FailedContext();
             } else {
                 context = (Context) Class.forName(contextClass).newInstance();
             }

Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/startup/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/startup/LocalStrings.properties?rev=1545481&r1=1545480&r2=1545481&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/startup/LocalStrings.properties (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/startup/LocalStrings.properties Tue Nov 26 00:51:05 2013
@@ -88,6 +88,7 @@ hostConfig.context.restart=Error during 
 hostConfig.createDirs=Unable to create directory for deployment: {0}
 hostConfig.deploy=Deploying web application directory {0}
 hostConfig.deployDescriptor=Deploying configuration descriptor {0}
+hostConfig.deployDescriptor.blocked=The web application with context path [{0}] was not deployed because it contained a deployment descriptor [{1}] which may include configuration necessary for the secure deployment of the application but processing of deployment descriptors is prevented by the deloyXML setting of this host. An appropriate descriptor should be created at [{2}] to deploy this application.
 hostConfig.deployDescriptor.error=Error deploying configuration descriptor {0}
 hostConfig.deployDescriptor.threaded.error=Error waiting for multi-thread deployment of context descriptors to complete
 hostConfig.deployDescriptor.localDocBaseSpecified=A docBase {0} inside the host appBase has been specified, and will be ignored
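Review bot: The new `hostConfig.deployDescriptor.blocked` message misspells the Host attribute as `deloyXML`. An administrator who searches the logs or the documentation for the setting named in the message will not find it under that spelling. Change `prevented by the deloyXML setting of this host` to `prevented by the deployXML setting of this host`.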

Modified: tomcat/tc7.0.x/trunk/test/org/apache/catalina/startup/TestHostConfigAutomaticDeployment.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/test/org/apache/catalina/startup/TestHostConfigAutomaticDeployment.java?rev=1545481&r1=1545480&r2=1545481&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/test/org/apache/catalina/startup/TestHostConfigAutomaticDeployment.java (original)
+++ tomcat/tc7.0.x/trunk/test/org/apache/catalina/startup/TestHostConfigAutomaticDeployment.java Tue Nov 26 00:51:05 2013
@@ -336,28 +336,28 @@ public class TestHostConfigAutomaticDepl
     public void testDeploymentWarXmlFFF() throws Exception {
         createWar(WAR_XML_SOURCE, true);
         doTestDeployment(false, false, false,
-                LifecycleState.STARTED, null, false, true, false);
+                LifecycleState.FAILED, null, false, true, false);
     }
 
     @Test
     public void testDeploymentWarXmlFFT() throws Exception {
         createWar(WAR_XML_SOURCE, true);
         doTestDeployment(false, false, true,
-                LifecycleState.STARTED, null, false, true, true);
+                LifecycleState.FAILED, null, false, true, true);
     }
 
     @Test
     public void testDeploymentWarXmlFTF() throws Exception {
         createWar(WAR_XML_SOURCE, true);
         doTestDeployment(false, true, false,
-                LifecycleState.STARTED, null, false, true, false);
+                LifecycleState.FAILED, null, false, true, false);
     }
 
     @Test
     public void testDeploymentWarXmlFTT() throws Exception {
         createWar(WAR_XML_SOURCE, true);
         doTestDeployment(false, true, true,
-                LifecycleState.STARTED, null, false, true, true);
+                LifecycleState.FAILED, null, false, true, true);
     }
 
     @Test
@@ -463,28 +463,28 @@ public class TestHostConfigAutomaticDepl
     public void testDeploymentDirXmlFFF() throws Exception {
         createDirInAppbase(true);
         doTestDeployment(false, false, false,
-                LifecycleState.STARTED, null, false, false, true);
+                LifecycleState.FAILED, null, false, false, true);
     }
 
     @Test
     public void testDeploymentDirXmlFFT() throws Exception {
         createDirInAppbase(true);
         doTestDeployment(false, false, true,
-                LifecycleState.STARTED, null, false, false, true);
+                LifecycleState.FAILED, null, false, false, true);
     }
 
     @Test
     public void testDeploymentDirXmlFTF() throws Exception {
         createDirInAppbase(true);
         doTestDeployment(false, true, false,
-                LifecycleState.STARTED, null, false, false, true);
+                LifecycleState.FAILED, null, false, false, true);
     }
 
     @Test
     public void testDeploymentDirXmlFTT() throws Exception {
         createDirInAppbase(true);
         doTestDeployment(false, true, true,
-                LifecycleState.STARTED, null, false, false, true);
+                LifecycleState.FAILED, null, false, false, true);
     }
 
     @Test

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1545481&r1=1545480&r2=1545481&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Tue Nov 26 00:51:05 2013
@@ -181,6 +181,19 @@
         Define the expected behaviour of the automatic deployment and align the
         implementation to that definition. (markt)
       </fix>
+      <add>
+        When a security manager is configured change the default value of
+        <code>deployXML</code> of the Host element to <code>false</code>.
+        (markt) 
+      </add>
+      <add>
+        If a Host is configured with a value of <code>false</code> for
+        <code>deployXML</code>, an application has an embedded descriptor at
+        <code>META-INF/context.xml</code> and no explicit descriptor has been
+        defined, do not allow the application to start as the descriptor may
+        contain configuration necessary for secure operation such as a
+        <code>RemoteAddrValve</code>. (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="Coyote">

Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/automatic-deployment.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/config/automatic-deployment.xml?rev=1545481&r1=1545480&r2=1545481&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/config/automatic-deployment.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/config/automatic-deployment.xml Tue Nov 26 00:51:05 2013
@@ -527,8 +527,9 @@
     <li><em>unpackWARs</em> is ignored since there is no WAR file.</li>
     <li>The context will fail to start because there is no content in the
         expected <em>docBase</em>.</li>
-    <li>The embedded META-INF/context.xml is ignored because <em>deployXML</em>
-        is <code>false</code>.</li>
+    <li>The web application fails to deploy because it contains an embedded
+        META-INF/context.xml, <em>deployXML</em> is <code>false</code> and an
+        XML has not been provided in the <em>configBase</em>.</li>
     <li>The XML file is only deleted if <em>copyXML</em> is <code>true</code>
         and <em>deployXML</em> is <code>true</code>.</li>
     <li>Although the external resource is still present, the web application is

Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/host.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/config/host.xml?rev=1545481&r1=1545480&r2=1545481&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/config/host.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/config/host.xml Tue Nov 26 00:51:05 2013
@@ -243,9 +243,13 @@
         interacting with the container's configuration. The  administrator will
         then be responsible for providing an external context configuration
         file, and putting it in the location defined by the
-        <strong>xmlBase</strong> attribute. The flag's value defaults to
-        <code>true</code> unless a security manager is enabled when the default
-        is <code>false</code>.</p>
+        <strong>xmlBase</strong> attribute. If this flag is <code>false</code>,
+        a descriptor is located at <code>/META-INF/context.xml</code> and no
+        descriptor is present in <strong>xmlBase</strong> then the context will
+        fail to start in case the descriptor contains necessary configuration
+        for secure deployment (such as a RemoteAddrValve) which should not be
+        ignored. The flag's value defaults to <code>true</code> unless a
+        security manager is enabled when the default is <code>false</code>.</p>
       </attribute>
 
       <attribute name="errorReportValveClass" required="false">


