Posted to dev@tomcat.apache.org by jf...@apache.org on 2002/11/07 22:13:06 UTC
cvs commit: jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/servlet JasperLoader.java
jfarcand 2002/11/07 13:13:06
Modified: jasper2/src/share/org/apache/jasper/servlet
JasperLoader.java
Log:
Secure the package so it can work under the SecurityManager when the org.apache.jasper
package is protected. Fix bugs when the JSP 2.0 examples were executed under the SecurityManager.
Revision Changes Path
1.6 +38 -12 jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/servlet/JasperLoader.java
Index: JasperLoader.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/servlet/JasperLoader.java,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- JasperLoader.java 21 Oct 2002 18:44:00 -0000 1.5
+++ JasperLoader.java 7 Nov 2002 21:13:05 -0000 1.6
@@ -66,6 +66,8 @@
import java.security.CodeSource;
import java.security.PermissionCollection;
import java.security.PrivilegedAction;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;
import javax.servlet.http.*;
@@ -79,6 +81,7 @@
*
* @author Anil K. Vijendran
* @author Harish Prabandham
+ * @author Jean-Francois Arcand
*/
public class JasperLoader extends URLClassLoader {
@@ -140,7 +143,7 @@
*
* @exception ClassNotFoundException if the class was not found
*/
- public Class loadClass(String name, boolean resolve)
+ public Class loadClass(final String name, boolean resolve)
throws ClassNotFoundException {
Class clazz = null;
@@ -157,12 +160,15 @@
int dot = name.lastIndexOf('.');
if (securityManager != null) {
if (dot >= 0) {
- try {
- securityManager.checkPackageAccess(name.substring(0,dot));
+ try {
+ // Do not call the security manager since by default, we grant that package.
+ if (!"org.apache.jasper.runtime".equalsIgnoreCase(name.substring(0,dot))){
+ securityManager.checkPackageAccess(name.substring(0,dot));
+ }
} catch (SecurityException se) {
String error = "Security Violation, attempt to use " +
"Restricted Class: " + name;
- System.out.println(error);
+ se.printStackTrace();
throw new ClassNotFoundException(error);
}
}
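Review bot: The exemption on the new `if` line compares the package with `equalsIgnoreCase`, but Java package names are case-sensitive, so any case variant of `org.apache.jasper.runtime` also skips `checkPackageAccess`. An exact match, `if (!"org.apache.jasper.runtime".equals(name.substring(0,dot))){`, limits the bypass to the one package that is actually granted. In the catch block, `se.printStackTrace()` only writes to stderr and the SecurityException is still dropped from the rethrown exception; `throw new ClassNotFoundException(error, se);` would keep the denial traceable. The body of loadClass starts and ends outside this hunk.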
@@ -170,13 +176,22 @@
// Class is in a package, delegate to thread context class loader
if( !name.startsWith(Constants.JSP_PACKAGE_NAME) ) {
- ClassLoader classLoader = null;
if (securityManager != null) {
- classLoader = (ClassLoader)AccessController.doPrivileged(privLoadClass);
- } else {
- classLoader = Thread.currentThread().getContextClassLoader();
- }
- clazz = classLoader.loadClass(name);
+ final ClassLoader classLoader = (ClassLoader)AccessController.doPrivileged(privLoadClass);
+ try{
+ clazz = (Class)AccessController.doPrivileged(new PrivilegedExceptionAction(){
+ public Object run() throws Exception{
+ return classLoader.loadClass(name);
+ }
+ });
+ } catch(PrivilegedActionException ex){
+ ex.getException().printStackTrace();
+
+ }
+ } else {
+ clazz = Thread.currentThread().getContextClassLoader().loadClass(name);
+ }
+
if( resolve )
resolveClass(clazz);
return clazz;
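Review bot: The new `catch(PrivilegedActionException ex)` block only prints the stack trace, so when the context class loader cannot load the class, `clazz` stays null and control falls through to `resolveClass(clazz)` and `return clazz`. loadClass then returns null or fails with a NullPointerException instead of the ClassNotFoundException its signature declares, which the removed `classLoader.loadClass(name)` call propagated directly. Rethrow from the catch, for example `throw new ClassNotFoundException(name, ex.getException());`. This branch now loads any non-JSP class name with Jasper's own privileges, so a short comment should state that the `checkPackageAccess` guard (which appears to sit earlier in the same method) is the gate in front of it.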
@@ -228,10 +243,21 @@
/*
* Load JSP class data from file.
*/
- private byte[] loadClassDataFromFile(String fileName) {
+ private byte[] loadClassDataFromFile(final String fileName) {
byte[] classBytes = null;
try {
- InputStream in = getResourceAsStream(fileName);
+ InputStream in = null;
+
+ if (System.getSecurityManager() != null){
+ in = (InputStream)AccessController.doPrivileged(new PrivilegedAction(){
+ public Object run(){
+ return getResourceAsStream(fileName);
+ }
+ });
+ } else {
+ in = getResourceAsStream(fileName);
+ }
+
if (in == null) {
return null;
}
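Review bot: The security-manager test here calls `System.getSecurityManager()`, while loadClass tests a `securityManager` variable (apparently a field, though its declaration is outside the visible hunks), so the two privileged paths can disagree about whether a manager is installed. Prefer one source, e.g. `if (securityManager != null){`, if that is indeed a field. The privileged action is correctly limited to the single `getResourceAsStream(fileName)` call. A comment such as `// fileName must be derived only from a class name that already passed the package-access check` would document the assumption that makes running it privileged safe. The method body continues past the end of the hunk, so stream closing cannot be judged from here.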