Posted to dev@tomcat.apache.org by re...@apache.org on 2001/01/25 19:35:47 UTC

cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/naming/java javaURLContextFactory.java

remm        01/01/25 10:35:45

  Modified:    catalina/src/share/org/apache/naming
                        ContextAccessController.java ContextBindings.java
               catalina/src/share/org/apache/naming/java
                        javaURLContextFactory.java
  Log:
  - Security fix : A webapp could access the naming environment of another webapp by using
    the ContextBindings.getContext(String name) call. Since the resources are
    bound in the naming environment, that would have allowed it to access any
    static resource or class repository inside another webapp, just by knowing
    its name. This function is now package private.
  - The implementation wasn't virtual hosting ready. Fixed.
  - Class loader binding was broken. Fixed.
  - Catalina will now use class loader binding instead of thread binding, which
    saves a few calls during each request.
  
  Revision  Changes    Path
  1.2       +8 -8      jakarta-tomcat-4.0/catalina/src/share/org/apache/naming/ContextAccessController.java
  
  Index: ContextAccessController.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/naming/ContextAccessController.java,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- ContextAccessController.java	2000/11/02 06:14:16	1.1
  +++ ContextAccessController.java	2001/01/25 18:35:10	1.2
  @@ -1,7 +1,7 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/naming/ContextAccessController.java,v 1.1 2000/11/02 06:14:16 remm Exp $
  - * $Revision: 1.1 $
  - * $Date: 2000/11/02 06:14:16 $
  + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/naming/ContextAccessController.java,v 1.2 2001/01/25 18:35:10 remm Exp $
  + * $Revision: 1.2 $
  + * $Date: 2001/01/25 18:35:10 $
    *
    * ====================================================================
    *
  @@ -71,7 +71,7 @@
    * Handles the access control on the JNDI contexts.
    *
    * @author Remy Maucherat
  - * @version $Revision: 1.1 $ $Date: 2000/11/02 06:14:16 $
  + * @version $Revision: 1.2 $ $Date: 2001/01/25 18:35:10 $
    */
   
   public class ContextAccessController {
  @@ -101,7 +101,7 @@
        * @param name Name of the context
        * @param context Security token
        */
  -    public static void setSecurityToken(String name, Object token) {
  +    public static void setSecurityToken(Object name, Object token) {
           if ((!securityTokens.containsKey(name)) && (token != null)) {
               securityTokens.put(name, token);
           }
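Review bot: `setSecurityToken` returns silently both when a token is already registered for `name` and when `token` is null, so a caller cannot tell whether the token it supplied is the one now guarding the context. Whoever registers first for a given key owns it, and that ordering assumption deserves a Javadoc sentence such as `The first non-null token registered for a name is kept; later calls are ignored.` The tag above the signature also reads `@param context Security token` while the parameter is `token` (the same mismatch appears on `checkSecurityToken` in the next hunk), and `@param name Name of the context` no longer reflects the `Object` type. The method body closes outside this hunk.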
  @@ -117,7 +117,7 @@
        * @param context Submitted security token
        */
       public static boolean checkSecurityToken
  -        (String name, Object token) {
  +        (Object name, Object token) {
           Object refToken = securityTokens.get(name);
           if (refToken == null)
               return (true);
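Review bot: `checkSecurityToken` passes when no token has been registered for `name` (`if (refToken == null) return (true);`), so every guarded operation is open for a context until `setSecurityToken` has been called for it. Since the fix in this commit relies on these checks, the Javadoc should state that contract, for example `Returns true if no token is registered for the name; the container must register a token before untrusted code runs.` If unregistered names are never expected here, returning `false` would fail closed instead, but that is a behaviour change that callers outside this diff would have to be checked against. The rest of the method lies outside the hunk.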
  @@ -133,7 +133,7 @@
        * @param name Name of the context
        * @param token Security token
        */
  -    public static void setWritable(String name, Object token) {
  +    public static void setWritable(Object name, Object token) {
           if (checkSecurityToken(name, token))
               readOnlyContexts.remove(name);
       }
  @@ -144,7 +144,7 @@
        * 
        * @param name Name of the context
        */
  -    public static void setReadOnly(String name) {
  +    public static void setReadOnly(Object name) {
           readOnlyContexts.put(name, name);
       }
   
  @@ -154,7 +154,7 @@
        * 
        * @param name Name of the context
        */
  -    public static boolean isWritable(String name) {
  +    public static boolean isWritable(Object name) {
           return !(readOnlyContexts.containsKey(name));
       }
   
  
  
  
  1.3       +39 -28    jakarta-tomcat-4.0/catalina/src/share/org/apache/naming/ContextBindings.java
  
  Index: ContextBindings.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/naming/ContextBindings.java,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- ContextBindings.java	2000/11/11 01:47:47	1.2
  +++ ContextBindings.java	2001/01/25 18:35:15	1.3
  @@ -1,7 +1,7 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/naming/ContextBindings.java,v 1.2 2000/11/11 01:47:47 remm Exp $
  - * $Revision: 1.2 $
  - * $Date: 2000/11/11 01:47:47 $
  + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/naming/ContextBindings.java,v 1.3 2001/01/25 18:35:15 remm Exp $
  + * $Revision: 1.3 $
  + * $Date: 2001/01/25 18:35:15 $
    *
    * ====================================================================
    *
  @@ -76,7 +76,7 @@
    * </ul>
    *
    * @author Remy Maucherat
  - * @version $Revision: 1.2 $ $Date: 2000/11/11 01:47:47 $
  + * @version $Revision: 1.3 $ $Date: 2001/01/25 18:35:15 $
    */
   
   public class ContextBindings {
  @@ -131,7 +131,7 @@
        * @param name Name of the context
        * @param context Associated naming context instance
        */
  -    public static void bindContext(String name, Context context) {
  +    public static void bindContext(Object name, Context context) {
           bindContext(name, context, null);
       }
   
  @@ -143,7 +143,7 @@
        * @param context Associated naming context instance
        * @param token Security token
        */
  -    public static void bindContext(String name, Context context, 
  +    public static void bindContext(Object name, Context context, 
                                      Object token) {
           if (ContextAccessController.checkSecurityToken(name, token))
               contextNameBindings.put(name, context);
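Review bot: When `checkSecurityToken` rejects the token, `bindContext` does nothing and, as far as the hunk shows, neither throws nor logs, so a denied attempt to rebind a context leaves no trace and looks like success to the caller. The same `if (ContextAccessController.checkSecurityToken(name, token))` guard with no else branch is visible in `unbindContext`, `bindThread`, `unbindThread`, `bindClassLoader` and `unbindClassLoader`. Consider logging the denial, or throwing a `NamingException` in the methods that already declare it, and at minimum document it with `Does nothing if the token does not match.` The method continues past the end of the hunk.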
  @@ -155,7 +155,7 @@
        * 
        * @param name Name of the context
        */
  -    public static void unbindContext(String name) {
  +    public static void unbindContext(Object name) {
           unbindContext(name, null);
       }
   
  @@ -166,7 +166,7 @@
        * @param name Name of the context
        * @param token Security token
        */
  -    public static void unbindContext(String name, Object token) {
  +    public static void unbindContext(Object name, Object token) {
           if (ContextAccessController.checkSecurityToken(name, token))
               contextNameBindings.remove(name);
       }
  @@ -177,7 +177,7 @@
        * 
        * @param name Name of the context
        */
  -    public static Context getContext(String name) {
  +    static Context getContext(Object name) {
           return (Context) contextNameBindings.get(name);
       }
   
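Review bot: The Javadoc above `getContext` should record why the method is no longer public, otherwise a later cleanup can widen it again; the same applies to `getThreadName` and `getClassLoaderName`, which this commit also makes package-private. Suggested addition: `Package-private on purpose: handing out a context by name would let one web application reach another's naming environment.` The restriction rests on Java access control, so it presumably also depends on web application code not being granted reflection access to this package; that configuration is not part of this diff.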
  @@ -187,7 +187,7 @@
        * 
        * @param name Name of the context
        */
  -    public static void bindThread(String name) 
  +    public static void bindThread(Object name) 
           throws NamingException {
           bindThread(name, null);
       }
  @@ -199,7 +199,7 @@
        * @param name Name of the context
        * @param token Security token
        */
  -    public static void bindThread(String name, Object token) 
  +    public static void bindThread(Object name, Object token) 
           throws NamingException {
           if (ContextAccessController.checkSecurityToken(name, token)) {
               Context context = (Context) contextNameBindings.get(name);
  @@ -217,7 +217,7 @@
        * 
        * @param name Name of the context
        */
  -    public static void unbindThread(String name) {
  +    public static void unbindThread(Object name) {
           unbindThread(null);
       }
   
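Review bot: `unbindThread(Object name)` calls `unbindThread(null)`, which resolves to this same one-argument overload, so the call recurses until the stack overflows and the thread binding is never removed. The commit fixes the identical mistake in `unbindClassLoader` but leaves this one; the body should be `unbindThread(name, null);`.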
  @@ -228,7 +228,7 @@
        * @param name Name of the context
        * @param token Security token
        */
  -    public static void unbindThread(String name, Object token) {
  +    public static void unbindThread(Object name, Object token) {
           if (ContextAccessController.checkSecurityToken(name, token)) {
               threadBindings.remove(Thread.currentThread());
               threadNameBindings.remove(Thread.currentThread());
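Review bot: The token is checked against the `name` argument, but the two `remove` calls drop whatever is bound to the current thread, whether or not it was bound under that name. The check therefore does not protect the binding that is actually removed. Comparing first, e.g. `if (name.equals(threadNameBindings.get(Thread.currentThread())))`, would tie the removal to the name that was checked; `unbindClassLoader(Object, Object)` further down has the same shape with `clBindings` and `clNameBindings`. The method closes outside the hunk.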
  @@ -253,10 +253,9 @@
       /**
        * Retrieves the naming context name bound to a thread.
        */
  -    public static String getThreadName()
  +    static Object getThreadName()
           throws NamingException {
  -        String name = 
  -            (String) threadNameBindings.get(Thread.currentThread());
  +        Object name = threadNameBindings.get(Thread.currentThread());
           if (name == null)
               throw new NamingException
                   (sm.getString("contextBindings.noContextBoundToThread"));
  @@ -277,7 +276,7 @@
        * 
        * @param name Name of the context
        */
  -    public static void bindClassLoader(String name) 
  +    public static void bindClassLoader(Object name) 
           throws NamingException {
           bindClassLoader(name, null);
       }
  @@ -289,17 +288,29 @@
        * @param name Name of the context
        * @param token Security token
        */
  -    public static void bindClassLoader(String name, Object token) 
  +    public static void bindClassLoader(Object name, Object token) 
           throws NamingException {
  +        bindClassLoader
  +            (name, token, Thread.currentThread().getContextClassLoader());
  +    }
  +
  +
  +    /**
  +     * Binds a naming context to a thread.
  +     * 
  +     * @param name Name of the context
  +     * @param token Security token
  +     */
  +    public static void bindClassLoader(Object name, Object token, 
  +                                       ClassLoader classLoader) 
  +        throws NamingException {
           if (ContextAccessController.checkSecurityToken(name, token)) {
               Context context = (Context) contextNameBindings.get(name);
               if (context == null)
                   throw new NamingException
                       (sm.getString("contextBindings.unknownContext", name));
  -            clBindings.put(Thread.currentThread().getContextClassLoader(), 
  -                           context);
  -            clNameBindings.put(Thread.currentThread().getContextClassLoader(),
  -                               name);
  +            clBindings.put(classLoader, context);
  +            clNameBindings.put(classLoader, name);
           }
       }
   
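Review bot: The new three-argument `bindClassLoader` carries a copy of the two-argument Javadoc: it still says `Binds a naming context to a thread.` and has no `@param classLoader`. Because the loader is now chosen by the caller, the comment should say so and state what a null loader does, e.g. `@param classLoader The class loader to bind the context to; must not be null`. `Thread.getContextClassLoader()` may return null and the two-argument overload forwards that value unchecked; whether `clBindings.put` accepts a null key depends on the map type, which is declared outside this diff. The `put` calls also replace any binding the loader already had without checking the token of the context being displaced.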
  @@ -309,8 +320,8 @@
        * 
        * @param name Name of the context
        */
  -    public static void unbindClassLoader(String name) {
  -        unbindClassLoader(null);
  +    public static void unbindClassLoader(Object name) {
  +        unbindClassLoader(name, null);
       }
   
   
  @@ -320,7 +331,7 @@
        * @param name Name of the context
        * @param token Security token
        */
  -    public static void unbindClassLoader(String name, Object token) {
  +    public static void unbindClassLoader(Object name, Object token) {
           if (ContextAccessController.checkSecurityToken(name, token)) {
               clBindings.remove(Thread.currentThread().getContextClassLoader());
               clNameBindings.remove
  @@ -346,10 +357,10 @@
       /**
        * Retrieves the naming context name bound to a class loader.
        */
  -    public static String getClassLoaderName()
  +    static Object getClassLoaderName()
           throws NamingException {
  -        String name = (String) clNameBindings.get
  -            (Thread.currentThread().getContextClassLoader());
  +        Object name = 
  +            clNameBindings.get(Thread.currentThread().getContextClassLoader());
           if (name == null)
               throw new NamingException
                   (sm.getString("contextBindings.noContextBoundToCL"));
  
  
  
  1.2       +7 -5      jakarta-tomcat-4.0/catalina/src/share/org/apache/naming/java/javaURLContextFactory.java
  
  Index: javaURLContextFactory.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/naming/java/javaURLContextFactory.java,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- javaURLContextFactory.java	2000/11/02 06:14:18	1.1
  +++ javaURLContextFactory.java	2001/01/25 18:35:35	1.2
  @@ -1,7 +1,7 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/naming/java/javaURLContextFactory.java,v 1.1 2000/11/02 06:14:18 remm Exp $
  - * $Revision: 1.1 $
  - * $Date: 2000/11/02 06:14:18 $
  + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/naming/java/javaURLContextFactory.java,v 1.2 2001/01/25 18:35:35 remm Exp $
  + * $Revision: 1.2 $
  + * $Date: 2001/01/25 18:35:35 $
    *
    * ====================================================================
    *
  @@ -90,7 +90,7 @@
    * </ul>
    * 
    * @author Remy Maucherat
  - * @version $Revision: 1.1 $ $Date: 2000/11/02 06:14:18 $
  + * @version $Revision: 1.2 $ $Date: 2001/01/25 18:35:35 $
    */
   
   public class javaURLContextFactory
  @@ -127,7 +127,8 @@
       public Object getObjectInstance(Object obj, Name name, Context nameCtx,
                                       Hashtable environment)
           throws NamingException {
  -        if (ContextBindings.isThreadBound()) {
  +        if ((ContextBindings.isThreadBound()) || 
  +            (ContextBindings.isClassLoaderBound())) {
               return new SelectorContext(environment);
           } else {
               return null;
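Review bot: The bound-context test `isThreadBound() || isClassLoaderBound()` is now written out twice, here and in `getInitialContext` in the next hunk, with different parenthesisation (`(ContextBindings.isThreadBound()) ||` versus `ContextBindings.isThreadBound() ||`). A small private helper in this class would keep the two entry points from drifting apart if another binding type is added later. `getObjectInstance` continues past the end of the hunk.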
  @@ -140,7 +141,8 @@
        */
       public Context getInitialContext(Hashtable environment)
           throws NamingException {
  -        if (ContextBindings.isThreadBound()) {
  +        if (ContextBindings.isThreadBound() || 
  +            (ContextBindings.isClassLoaderBound())) {
               // Redirect the request to the bound initial context
               return new SelectorContext(environment, true);
           } else {