Posted to dev@tomcat.apache.org by bu...@apache.org on 2013/08/18 18:32:40 UTC
[Bug 55446] New: static final boolean
org.apache.jasper.Constants.IS_SECURITY_ENABLED results in erroneous state
when security is enabled dynamically
https://issues.apache.org/bugzilla/show_bug.cgi?id=55446
Bug ID: 55446
Summary: static final boolean
org.apache.jasper.Constants.IS_SECURITY_ENABLED
results in erroneous state when security is enabled
dynamically
Product: Tomcat 7
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P2
Component: Jasper
Assignee: dev@tomcat.apache.org
Reporter: raymond.auge@liferay.com
1) start app server normally (no security)
2) assuming any normal webapp is initialized, a JspRuntimeContext will be
created and at first invocation
    Constants.IS_SECURITY_ENABLED = (System.getSecurityManager() != null);
is evaluated.
3) deploy some later component (i.e. a webapp) which does:
    System.setSecurityManager(new SecurityManager());
4) from that point, all Jasper code will provide the incorrect security state,
app server wide
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
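Added example, not part of the original report and not Tomcat or Jasper code: the caching behaviour from steps 2 to 4 of the report, reduced to a stand-alone Java program that compares a flag fixed at class initialization with a call-time check. `SecurityStateDemo`, `CachedFlag`, `PermissiveManager` and `isSecurityEnabledNow` are hypothetical names; it assumes a JDK that still permits `System.setSecurityManager` (JDK 18 to 23 need `-Djava.security.manager=allow`, JDK 24 and later no longer allow it).

```java
import java.security.Permission;

// Hypothetical demo class, not a Jasper class.
public class SecurityStateDemo {

    // Same pattern as the constant quoted in the report. The initializer calls
    // a method, so it is not a compile-time constant: it is evaluated once,
    // when CachedFlag is initialized, and never re-read afterwards.
    static final class CachedFlag {
        static final boolean IS_SECURITY_ENABLED =
                (System.getSecurityManager() != null);
    }

    // Call-time check: reflects whichever manager is installed right now.
    static boolean isSecurityEnabledNow() {
        return System.getSecurityManager() != null;
    }

    // Manager that permits everything, so the demo keeps running after
    // installation without needing a policy file (assumption for the demo).
    static final class PermissiveManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            // allow all
        }
    }

    public static void main(String[] args) {
        // Step 2: first access initializes CachedFlag and fixes the value.
        boolean cachedBefore = CachedFlag.IS_SECURITY_ENABLED;

        // Step 3: a security manager is installed later in the JVM's life.
        System.setSecurityManager(new PermissiveManager());

        // Step 4: the cached flag and the live state can now disagree.
        boolean cachedAfter = CachedFlag.IS_SECURITY_ENABLED;
        boolean live = isSecurityEnabledNow();

        System.out.println("cached flag before install: " + cachedBefore);
        System.out.println("cached flag after install:  " + cachedAfter);
        System.out.println("live check after install:   " + live);
        System.out.println("cached flag is stale:       " + (cachedAfter != live));
    }
}
```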
[Bug 55446] static final boolean
org.apache.jasper.Constants.IS_SECURITY_ENABLED results in erroneous state
when security is enabled dynamically
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55446
Mark Thomas <ma...@apache.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID
--- Comment #1 from Mark Thomas <ma...@apache.org> ---
Web applications should not be setting a security manager. That is a container
concern.