You are viewing a plain text version of this content. The canonical link for it is here.
Posted to taglibs-dev@jakarta.apache.org by bu...@apache.org on 2006/05/03 22:33:27 UTC
DO NOT REPLY [Bug 39480] New: - calling getContextClassLoader without doPriv
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=39480>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=39480
Summary: calling getContextClassLoader without doPriv
Product: Taglibs
Version: 1.2.0
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Standard Taglib
AssignedTo: taglibs-dev@jakarta.apache.org
ReportedBy: kenna@us.ibm.com
Getting the following exception when running JSTL in the webcontainer runtime
with security turned on:
java.security.AccessControlException: Access denied (java.lang.RuntimePermission
getClassLoader)
at java.security.AccessController.checkPermission(AccessController.java:104)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:547)
at
com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:189)
at java.lang.Thread.getContextClassLoader(Thread.java:484)
at org.apache.taglibs.standard.tag.common.fmt.BundleSupport.findMatch(Unknown
Source)
According to http://java.sun.com/j2se/1.4.2/docs/guide/security/permissions.html,
the following restrictions are applied:
If the caller's class loader is null, or is the same as or an ancestor of the
context class loader for the thread whose context class loader is being
requested, no permission is needed. Otherwise,
java.lang.RuntimePermission "getClassLoader"
is required.
In the org.apache.taglibs.standard.tag.common.fmt.BundleSupport.findMatch, among
other areas, JSTL is calling Thread.currentThread().getContextClassLoader());
Since JSTL is now a part of the JEE5 runtime and not a jar added to an
application, these calls to the classloader need to be wrappered with a doPriv
block.
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: taglibs-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: taglibs-dev-help@jakarta.apache.org
DO NOT REPLY [Bug 39480] - calling getContextClassLoader without doPriv
Posted by bu...@apache.org.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=39480>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=39480
kenna@us.ibm.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Priority|P2 |P1
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: taglibs-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: taglibs-dev-help@jakarta.apache.org
DO NOT REPLY [Bug 39480] - calling getContextClassLoader without doPriv
Posted by bu...@apache.org.
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=39480>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=39480
------- Additional Comments From bayard@apache.org 2006-12-27 14:20 -------
I see three locations that call getContextClassLoader():
src/org/apache/taglibs/standard/tag/common/fmt/BundleSupport.java (twice)
src/org/apache/taglibs/standard/tag/common/sql/DataSourceWrapper.java
While JSTL is a part of JEE5; we currently don't have any strong plans for a 1.2
compliant release, so effort is on a version of the 1.1 spec with bugfixes. So
you should still be adding a jar to the runtime. If the JEE5 one is the only
scenario for this bug, then it's probably best reported to the Glassfish
implementation.
https://glassfish.dev.java.net/
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: taglibs-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: taglibs-dev-help@jakarta.apache.org