Posted to dev@tomcat.apache.org by Matti Härö <ma...@infosto.fi> on 2004/03/04 10:46:31 UTC

[PATCH] JasperLoader - Security manager usage LoadClass concurrency problem fix

Hi,

the patch below fixes a bug that occasionally causes a NullPointerException in
the loadClass() method. The problem was caused by the way the system security
manager was used in this class. For checking if there is a security manager, and
then using the security manager for checking the access, two (potentially
different) security managers were used. Checking for the existence of a security
manager was done by System.getSecurityManager(). Then inside the if block, a
reference to a class private variable securityManager was used.

The private variable securityManager had been set in the constructor of the
JasperLoader instance, and was often different from the one used in the
loadClass() method for checking if there was a securityManager. More
specifically, the private attribute securityManager was often null, while
System.getSecurityManager() returned a non-null value in the loadClass() method.
This in turn caused loadClass() to throw a NullPointerException.

Mr Matti Haro

--- JasperLoader.java       2004-03-04 08:57:52.000000000 +0200
+++
./tomcat-5-0-19-src/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/servlet/JasperLoader.java
   2004-03-04 08:59:43.000000000 +0200
@@ -75,6 +75,7 @@
  * @author Anil K. Vijendran
  * @author Harish Prabandham
  * @author Jean-Francois Arcand
+ * @author Matti Haro
  */
 public class JasperLoader extends URLClassLoader {

@@ -82,7 +83,6 @@
     private CodeSource codeSource;
     private String className;
     private ClassLoader parent;
-    private SecurityManager securityManager;
     private PrivilegedLoadClass privLoadClass;

     public JasperLoader(URL[] urls, ClassLoader parent,
@@ -93,7 +93,6 @@
        this.codeSource = codeSource;
        this.parent = parent;
         this.privLoadClass = new PrivilegedLoadClass();
-       this.securityManager = System.getSecurityManager();
     }

     /**
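Review bot: removing `this.securityManager = System.getSecurityManager();` from the constructor changes which manager is enforced, not only the null handling. The loader no longer pins the manager that was present when it was constructed and will instead apply whichever one is installed at the time of each loadClass() call, including one set after startup. Say in the patch description whether that is intended, and put a short comment at the new lookup explaining that the manager is deliberately read per call.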
@@ -147,8 +146,9 @@
                 resolveClass(clazz);
             return (clazz);
         }
-
+
         // (.5) Permission to access this class when using a SecurityManager
+        SecurityManager securityManager = System.getSecurityManager();
         if (securityManager != null) {
             int dot = name.lastIndexOf('.');
             if (dot >= 0) {
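Review bot: the unchanged context line `if (securityManager != null) {` shows that the guard at this site already tested a variable named securityManager before the patch, so the mismatch between System.getSecurityManager() and the field that the description blames is not visible in these lines. Point to the statement that actually throws the NullPointerException and include it in the patch or the description, so the fix can be checked against the failing call. The `-`/`+` pair above the `(.5)` comment is a whitespace-only change and should be dropped from the patch.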

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
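The check-then-use mismatch described in the message above, reduced to a stand-alone program. This is an added example, not code from Tomcat or from the patch: `AccessChecker`, `GLOBAL`, `Loader` and the sample class name are hypothetical stand-ins for SecurityManager, System.getSecurityManager() and JasperLoader, chosen so the program runs on JDKs where the SecurityManager API is deprecated or removed.

```java
import java.util.concurrent.atomic.AtomicReference;

public class GuardMismatchDemo {
    /** Hypothetical stand-in for SecurityManager. */
    interface AccessChecker { void checkPackageAccess(String pkg); }

    /** Hypothetical stand-in for System.getSecurityManager()/setSecurityManager(). */
    static final AtomicReference<AccessChecker> GLOBAL = new AtomicReference<>();

    static class Loader {
        // Captured once at construction, like the field the patch removes.
        private final AccessChecker cached = GLOBAL.get();

        /** Mismatched: the guard reads the global, the call uses the cached field. */
        String loadMismatched(String name) {
            if (GLOBAL.get() != null) {
                cached.checkPackageAccess(pkg(name)); // NPE when cached is null
            }
            return name;
        }

        /** Consistent: one read into a local; guard and call share the reference. */
        String loadConsistent(String name) {
            AccessChecker checker = GLOBAL.get();
            if (checker != null) {
                checker.checkPackageAccess(pkg(name));
            }
            return name;
        }

        private static String pkg(String name) {
            int dot = name.lastIndexOf('.');
            return dot >= 0 ? name.substring(0, dot) : "";
        }
    }

    public static void main(String[] args) {
        Loader loader = new Loader();   // built while no checker is installed
        GLOBAL.set(pkg -> {             // checker installed later by application code
            if (pkg.startsWith("sun.")) throw new SecurityException("denied: " + pkg);
        });
        try {
            loader.loadMismatched("org.example.Page_jsp"); // constructed sample name
        } catch (NullPointerException e) {
            System.out.println("mismatched guard: NullPointerException");
        }
        System.out.println("consistent guard: loaded "
                + loader.loadConsistent("org.example.Page_jsp"));
    }
}
```

Note that the consistent version also means a checker installed after the loader was built is enforced from then on, which is the behaviour change the reply below declines to make.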


Re: [PATCH] JasperLoader - Security manager usage LoadClass concurrency problem fix

Posted by Glenn Nielsen <gl...@mail.more.net>.
This only occurs when Tomcat is started without a SecurityManager and
then later application code sets a SecurityManager.

Please see the following bug report for an explanation of why
that is not a good thing to do:

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7052

Thanks for taking the time to analyze how this works but the
behaviour will not be changed.

Glenn

On Thu, Mar 04, 2004 at 11:46:31AM +0200, Matti Härö wrote:
> Hi,
> 
> the patch below fixes a bug that occasionally causes a NullPointerException in
> the loadClass() method. The problem was caused by the way the system security
> manager was used in this class. For checking if there is a security manager, and
> then using the security manager for checking the access, two (potentially
> different) security managers were used. Checking for the existence of a security
> manager was done by System.getSecurityManager(). Then inside the if block, a
> reference to a class private variable securityManager was used.
> 
> The private variable securityManager had been set in the constructor of the
> JasperLoader instance, and was often different from the one used in the
> loadClass() method for checking if there was a securityManager. More
> specifically, the private attribute securityManager was often null, while
> System.getSecurityManager() returned a non-null value in the loadClass() method.
> This in turn caused loadClass() to throw a NullPointerException.
> 
> Mr Matti Haro
> 
> --- JasperLoader.java       2004-03-04 08:57:52.000000000 +0200
> +++
> ./tomcat-5-0-19-src/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/servlet/JasperLoader.java
>    2004-03-04 08:59:43.000000000 +0200
> @@ -75,6 +75,7 @@
>   * @author Anil K. Vijendran
>   * @author Harish Prabandham
>   * @author Jean-Francois Arcand
> + * @author Matti Haro
>   */
>  public class JasperLoader extends URLClassLoader {
> 
> @@ -82,7 +83,6 @@
>      private CodeSource codeSource;
>      private String className;
>      private ClassLoader parent;
> -    private SecurityManager securityManager;
>      private PrivilegedLoadClass privLoadClass;
> 
>      public JasperLoader(URL[] urls, ClassLoader parent,
> @@ -93,7 +93,6 @@
>         this.codeSource = codeSource;
>         this.parent = parent;
>          this.privLoadClass = new PrivilegedLoadClass();
> -       this.securityManager = System.getSecurityManager();
>      }
> 
>      /**
> @@ -147,8 +146,9 @@
>                  resolveClass(clazz);
>              return (clazz);
>          }
> -
> +
>          // (.5) Permission to access this class when using a SecurityManager
> +        SecurityManager securityManager = System.getSecurityManager();
>          if (securityManager != null) {
>              int dot = name.lastIndexOf('.');
>              if (dot >= 0) {
> 
----------------------------------------------------------------------
Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------