I agree that both of those packages should be protected.
Why are they not included? org.apache.coyote is most likely missing
because it is a relatively new package. org.apache.util may just have
been missed.
The code below is in both startup/Catalina.java and startup/CatalinaService.java.
I wil
IMO sealing is the best protection against insertion,
and using URLClassLoader (or making sure all the checks from
URLClassLoader are reproduced).
I agree, this is a potential risk - as untrusted code may access
package fields. So far I don't see any, but better to be sure.
Costin
Jean-Franc
Hi,
Is somebody aware why package org.apache.coyote.* and
org.apache.tomcat.* are not protected against package insertion/access
in Catalina.java? What is the reason? Actually, classes are not
available to a Webapp (the Classloader is taking care of it) but when
Tomcat is embedded in an app