Posted to dev@tomcat.apache.org by bu...@apache.org on 2016/03/11 19:34:14 UTC
[Bug 59167] New: ManagerBase does not respect security manager to
transfer objects across members in the cluster
https://bz.apache.org/bugzilla/show_bug.cgi?id=59167
Bug ID: 59167
Summary: ManagerBase does not respect security manager to
transfer objects across members in the cluster
Product: Tomcat 8
Version: 8.0.32
Hardware: PC
OS: All
Status: NEW
Severity: major
Priority: P2
Component: Cluster
Assignee: dev@tomcat.apache.org
Reporter: mwenk@posportal.com
I have a cluster of two nodes, using DeltaManager to transfer session data in a
failover scheme.
I noticed that only certain session attributes were being replicated. On some
variables I was getting a warning, which caused me to trace the code and I
found this in org.apache.catalina.session.ManagerBase:
    public ManagerBase() {
        if (Globals.IS_SECURITY_ENABLED) {
            // Minimum set required for default distribution/persistence to work
            // plus String
            setSessionAttributeValueClassNameFilter(
                    "java\\.lang\\.(?:Boolean|Integer|Long|Number|String)");
            setWarnOnSessionAttributeFilterFailure(true);
        }
    }
Later in the code it uses the sessionAttributeValueClassNamePattern to
determine what can be sent or not. The problem is this doesn't respect the
security manager. I should be able to explicitly grant permission to this
class and have it sent via the DeltaManager.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 59167] ManagerBase does not respect security manager to
transfer objects across members in the cluster
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59167
Christopher Schultz <ch...@christopherschultz.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |NEEDINFO
--- Comment #3 from Christopher Schultz <ch...@christopherschultz.net> ---
Trying vinegar, eh?
I was involved in the design of the feature you are complaining about, and I
have no idea what you mean when you say "isn't respecting the SecurityManager".
Is there some overlooked
TomcatPermission.allowThisClassNametoBeDeserializedFromARemoteSource() method?
Seriously, please use the user's list to discuss this. Not saying there isn't a
bug here. Just saying that long discussions about why and how to fix things are
best done on a mailing list and not in BZ comments.
[Bug 59167] ManagerBase does not respect security manager to
transfer objects across members in the cluster
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59167
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |INVALID
Status|NEEDINFO |RESOLVED
--- Comment #4 from Mark Thomas <ma...@apache.org> ---
For the last time, this belongs on the users mailing list, not in Bugzilla.
[Bug 59167] ManagerBase does not respect security manager to
transfer objects across members in the cluster
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59167
Michael Wenk <mw...@posportal.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|INVALID |---
--- Comment #2 from Michael Wenk <mw...@posportal.com> ---
The user mailing list isn't going to fix the fact that the tomcat source code
is not respecting the security manager.
I have two workarounds, and to be honest both suck.
If you're reaching into the security manager, then you should respect it. If
not, then why the hell are you going into it?
[Bug 59167] ManagerBase does not respect security manager to
transfer objects across members in the cluster
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59167
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |INVALID
Status|NEW |RESOLVED
--- Comment #1 from Mark Thomas <ma...@apache.org> ---
Please use the users mailing list for assistance.