Posted to dev@tomcat.apache.org by bu...@apache.org on 2013/08/18 18:32:40 UTC

[Bug 55446] New: static final boolean org.apache.jasper.Constants.IS_SECURITY_ENABLED results in erroneous state when security is enabled dynamically

https://issues.apache.org/bugzilla/show_bug.cgi?id=55446

            Bug ID: 55446
           Summary: static final boolean
                    org.apache.jasper.Constants.IS_SECURITY_ENABLED
                    results in erroneous state when security is enabled
                    dynamically
           Product: Tomcat 7
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: Jasper
          Assignee: dev@tomcat.apache.org
          Reporter: raymond.auge@liferay.com

1) start app server normally (no security)
2) assuming any normal webapp is initialized, a JspRuntimeContext will be
created and at first invocation

Constants.IS_SECURITY_ENABLED = (System.getSecurityManager() != null);

is evaluated.

3) deploy some later component (i.e. a webapp) which does:

System.setSecurityManager(new SecurityManager());

4) from that point, all Jasper code will provide the incorrect security state,
app server wide

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
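
Added example, not part of the original report and not Tomcat's code: a minimal Java reproduction of steps 1-4 above, showing a flag captured at class initialization going stale once a security manager is installed later. CachedConstants is a hypothetical stand-in for org.apache.jasper.Constants. It assumes a JDK that still permits System.setSecurityManager at run time (JDK 18 and later refuse by default unless started with -Djava.security.manager=allow).

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

public class CachedSecurityFlagDemo {

    // Hypothetical stand-in for org.apache.jasper.Constants: the flag is
    // computed once, when the class is initialized, and never re-read.
    static final class CachedConstants {
        static final boolean IS_SECURITY_ENABLED =
                (System.getSecurityManager() != null);
    }

    // Decision driven by the cached flag, the pattern the report describes.
    static String pathChosenByCachedFlag() {
        if (CachedConstants.IS_SECURITY_ENABLED) {
            return AccessController.doPrivileged(new PrivilegedAction<String>() {
                @Override
                public String run() {
                    return "privileged";
                }
            });
        }
        return "unprivileged";
    }

    // Same decision taken from the live JVM state on every call.
    static String pathChosenByLiveCheck() {
        return System.getSecurityManager() != null ? "privileged" : "unprivileged";
    }

    static void report(String label) {
        System.out.println(label + ": cached flag -> " + pathChosenByCachedFlag()
                + ", live check -> " + pathChosenByLiveCheck());
    }

    public static void main(String[] args) {
        // Steps 1-2: no manager is set when the flag is first read.
        report("before setSecurityManager");

        // Step 3: a later component installs a manager.
        System.setSecurityManager(new SecurityManager());

        // Step 4: the cached flag and the live JVM state now disagree.
        report("after setSecurityManager");
    }
}
```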


[Bug 55446] static final boolean org.apache.jasper.Constants.IS_SECURITY_ENABLED results in erroneous state when security is enabled dynamically

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55446

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
Web applications should not be setting a security manager. That is a container
concern.
