Posted to dev@tomcat.apache.org by re...@apache.org on 2002/05/16 03:06:30 UTC
cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader WebappClassLoader.java
remm 02/05/15 18:06:29
Modified: catalina/src/share/org/apache/catalina/loader
WebappClassLoader.java
Log:
- Slightly experimental change.
- Slightly modify the class filters: now, the filtered classes will be delegated to
the parent CL. If the parent doesn't load them, the webapp CL will try to load
them.
- Add filter for all javax.*, Xerces and Xalan. This should put an end to whatever
problems still existed with the XML parsers and XSL processors.
Revision Changes Path
1.38 +41 -25 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java
Index: WebappClassLoader.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java,v
retrieving revision 1.37
retrieving revision 1.38
diff -u -r1.37 -r1.38
--- WebappClassLoader.java 29 Apr 2002 12:46:54 -0000 1.37
+++ WebappClassLoader.java 16 May 2002 01:06:29 -0000 1.38
@@ -1,7 +1,7 @@
/*
- * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java,v 1.37 2002/04/29 12:46:54 remm Exp $
- * $Revision: 1.37 $
- * $Date: 2002/04/29 12:46:54 $
+ * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java,v 1.38 2002/05/16 01:06:29 remm Exp $
+ * $Revision: 1.38 $
+ * $Date: 2002/05/16 01:06:29 $
*
* ====================================================================
*
@@ -145,7 +145,7 @@
*
* @author Remy Maucherat
* @author Craig R. McClanahan
- * @version $Revision: 1.37 $ $Date: 2002/04/29 12:46:54 $
+ * @version $Revision: 1.38 $ $Date: 2002/05/16 01:06:29 $
*/
public class WebappClassLoader
extends URLClassLoader
@@ -187,16 +187,14 @@
/**
* Set of package names which are not allowed to be loaded from a webapp
- * class loader.
+ * class loader without delegating first.
*/
private static final String[] packageTriggers = {
- "javax.naming", // JNDI
- "javax.naming.directory", // JNDI
- "javax.xml.parsers", // JAXP
+ "javax", // Java extensions
"org.xml.sax", // SAX 1 & 2
- "org.xml.sax.ext", // SAX 1 & 2
- "org.xml.sax.helpers", // SAX 1 & 2
- "org.w3c.dom" // DOM 1 & 2
+ "org.w3c.dom", // DOM 1 & 2
+ "org.apache.xerces", // Xerces 1 & 2
+ "org.apache.xalan" // Xalan
};
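Review bot: The new entries are matched as raw string prefixes, because `filter()` (the hunk at new line 1923) tests `packageName.startsWith(packageTriggers[i])`, so `"javax"` also matches a hypothetical package such as `javaxtools` and `"org.w3c.dom"` matches `org.w3c.domfoo`. Classes in such unrelated packages would silently get parent-first resolution, which changes which copy wins when both the parent and the webapp provide one. Matching on a package boundary avoids that: `if (packageName.equals(packageTriggers[i]) || packageName.startsWith(packageTriggers[i] + "."))`. The array's Javadoc could also say that the entries are prefixes, e.g. `Set of package name prefixes whose classes are delegated to the parent class loader first.`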
@@ -1344,8 +1342,10 @@
}
}
+ boolean delegateLoad = delegate || filter(name);
+
// (1) Delegate to our parent if requested
- if (delegate) {
+ if (delegateLoad) {
if (debug >= 3)
log(" Delegating to parent classloader");
ClassLoader loader = parent;
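Review bot: The step comments no longer match the conditions they sit above: `// (1) Delegate to our parent if requested` now also runs for any name matched by `filter(name)`, and `// (3) Delegate to parent unconditionally` in the next hunk is now skipped for those names. Suggested wording is `// (1) Delegate to our parent first if requested or if the class matches a package trigger` and `// (3) Delegate to parent last, unless it was already tried in (1)`. The debug message `Delegating to parent classloader` is identical in both branches, so a level-3 trace cannot show that a class went to the parent because of the trigger list; adding the reason to the message would help when working out which loader defined a javax.* or parser class. The enclosing method starts and ends outside both hunks.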
@@ -1382,7 +1382,7 @@
}
// (3) Delegate to parent unconditionally
- if (!delegate) {
+ if (!delegateLoad) {
if (debug >= 3)
log(" Delegating to parent classloader");
ClassLoader loader = parent;
@@ -1907,21 +1907,15 @@
/**
- * Validate a classname. As per SRV.9.7.2, we must restict loading of
- * classes from J2SE (java.*) and classes of the servlet API
- * (javax.servlet.*). That should enhance robustness and prevent a number
- * of user error (where an older version of servlet.jar would be present
- * in /WEB-INF/lib).
+ * Filter classes.
*
* @param name class name
- * @return true if the name is valid
+ * @return true if the class should be filtered
*/
- protected boolean validate(String name) {
+ protected boolean filter(String name) {
if (name == null)
return false;
- if (name.startsWith("java."))
- return false;
// Looking up the package
String packageName = null;
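Review bot: The new Javadoc (`Filter classes.` and `@return true if the class should be filtered`) does not say what being filtered means for the caller. Per the commit log, a filtered class is delegated to the parent first and is still loaded from the webapp if the parent cannot supply it, which is weaker than the rejection that the old `validate()` result suggested for the same packages (inferred, since the callers are not in the hunk). Suggested summary: `Decide whether a class must be looked up in the parent class loader before the webapp repositories.` with `@return true if the class's package starts with one of the package triggers`. The body of `filter()` continues in the next hunk.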
@@ -1929,12 +1923,34 @@
if (pos != -1)
packageName = name.substring(0, pos);
else
- return true;
+ return false;
for (int i = 0; i < packageTriggers.length; i++) {
- if (packageName.equals(packageTriggers[i]))
- return false;
+ if (packageName.startsWith(packageTriggers[i]))
+ return true;
}
+
+ return false;
+
+ }
+
+
+ /**
+ * Validate a classname. As per SRV.9.7.2, we must restict loading of
+ * classes from J2SE (java.*) and classes of the servlet API
+ * (javax.servlet.*). That should enhance robustness and prevent a number
+ * of user error (where an older version of servlet.jar would be present
+ * in /WEB-INF/lib).
+ *
+ * @param name class name
+ * @return true if the name is valid
+ */
+ protected boolean validate(String name) {
+
+ if (name == null)
+ return false;
+ if (name.startsWith("java."))
+ return false;
return true;
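Review bot: The re-added Javadoc for `validate()` still says that servlet API classes (javax.servlet.*) are restricted, but the body shown only rejects names starting with `java.`. After this change javax.servlet.* is covered only by the `"javax"` trigger, which per the commit log falls back to the webapp's copy when the parent does not load the class, so an older servlet.jar in /WEB-INF/lib is ordered behind the parent rather than refused. Either add `if (name.startsWith("javax.servlet.")) return false;` or reword the comment to say that only java.* is refused here and javax.* is handled by parent-first delegation in `filter()`. The closing lines of `validate()` are outside the hunk.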