remm 01/01/25 10:35:45 Modified: catalina/src/share/org/apache/naming ContextAccessController.java ContextBindings.java catalina/src/share/org/apache/naming/java javaURLContextFactory.java Log: - Security fix : A webapp could access the naming environment of another webapp by using the ContextBindings.getContext(String name) call. Since the resources are bound in the naming environment, that would have allowed it to access any static resource or class repository inside another webapp, just by knowing its name. This function is now package private. - The implementation wasn't virtual hosting ready. Fixed. - Class loader binding was broken. Fixed. - Catalina will now use class loader binding instead of thread binding, which saves a few calls during each request. Revision Changes Path 1.2 +8 -8 jakarta-tomcat-4.0/catalina/src/share/org/apache/naming/ContextAccessController.java Index: ContextAccessController.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/naming/ContextAccessController.java,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- ContextAccessController.java 2000/11/02 06:14:16 1.1 +++ ContextAccessController.java 2001/01/25 18:35:10 1.2 @@ -1,7 +1,7 @@ /* - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/naming/ContextAccessController.java,v 1.1 2000/11/02 06:14:16 remm Exp $ - * $Revision: 1.1 $ - * $Date: 2000/11/02 06:14:16 $ + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/naming/ContextAccessController.java,v 1.2 2001/01/25 18:35:10 remm Exp $ + * $Revision: 1.2 $ + * $Date: 2001/01/25 18:35:10 $ * * ==================================================================== * 
@@ -71,7 +71,7 @@ * Handles the access control on the JNDI contexts. * * @author Remy Maucherat - * @version $Revision: 1.1 $ $Date: 2000/11/02 06:14:16 $ + * @version $Revision: 1.2 $ $Date: 2001/01/25 18:35:10 $ */ public class ContextAccessController { @@ -101,7 +101,7 @@ * @param name Name of the context * @param context Security token */ - public static void setSecurityToken(String name, Object token) { + public static void setSecurityToken(Object name, Object token) { if ((!securityTokens.containsKey(name)) && (token != null)) { securityTokens.put(name, token); } @@ -117,7 +117,7 @@ * @param context Submitted security token */ public static boolean checkSecurityToken - (String name, Object token) { + (Object name, Object token) { Object refToken = securityTokens.get(name); if (refToken == null) return (true); @@ -133,7 +133,7 @@ * @param name Name of the context * @param token Security token */ - public static void setWritable(String name, Object token) { + public static void setWritable(Object name, Object token) { if (checkSecurityToken(name, token)) readOnlyContexts.remove(name); } @@ -144,7 +144,7 @@ * * @param name Name of the context */ - public static void setReadOnly(String name) { + public static void setReadOnly(Object name) { readOnlyContexts.put(name, name); } @@ -154,7 +154,7 @@ * * @param name Name of the context */ - public static boolean isWritable(String name) { + public static boolean isWritable(Object name) { return !(readOnlyContexts.containsKey(name)); } 1.3 +39 -28 jakarta-tomcat-4.0/catalina/src/share/org/apache/naming/ContextBindings.java Index: ContextBindings.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/naming/ContextBindings.java,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- ContextBindings.java 2000/11/11 01:47:47 1.2 +++ ContextBindings.java 2001/01/25 18:35:15 1.3 
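Review bot: In the `@@ -101,7 +101,7 @@` hunk, `setSecurityToken` stays `public static` and keeps first-writer-wins behaviour (`!securityTokens.containsKey(name)`), so the token for a name belongs to whichever caller registers it first. The Javadoc should say that the container has to register the token before any web application code can run. Now that `name` is an `Object`, matching presumably depends on that object's `equals`/`hashCode` (the map's declaration is not in the diff), which is worth stating too. The tag `@param context Security token` does not match the parameter; I would write `@param token Security token` and `@param name Key identifying the context`.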
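Review bot: `checkSecurityToken` in the `@@ -117,7 +117,7 @@` hunk fails open: the context line `if (refToken == null) return (true);` accepts any token, including `null`, for a name that has no registered token. `setWritable` and every guard in `ContextBindings` delegate to this method, so a context that is bound before its token is set is effectively unprotected. I would document that on the method, for example `// No token registered for this name: access is unrestricted.`, and confirm that the container always registers the token before binding. The rest of the method body lies outside the hunk.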
@@ -1,7 +1,7 @@ /* - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/naming/ContextBindings.java,v 1.2 2000/11/11 01:47:47 remm Exp $ - * $Revision: 1.2 $ - * $Date: 2000/11/11 01:47:47 $ + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/naming/ContextBindings.java,v 1.3 2001/01/25 18:35:15 remm Exp $ + * $Revision: 1.3 $ + * $Date: 2001/01/25 18:35:15 $ * * ==================================================================== * @@ -76,7 +76,7 @@ * </ul> * * @author Remy Maucherat - * @version $Revision: 1.2 $ $Date: 2000/11/11 01:47:47 $ + * @version $Revision: 1.3 $ $Date: 2001/01/25 18:35:15 $ */ public class ContextBindings { @@ -131,7 +131,7 @@ * @param name Name of the context * @param context Associated naming context instance */ - public static void bindContext(String name, Context context) { + public static void bindContext(Object name, Context context) { bindContext(name, context, null); } @@ -143,7 +143,7 @@ * @param context Associated naming context instance * @param token Security token */ - public static void bindContext(String name, Context context, + public static void bindContext(Object name, Context context, Object token) { if (ContextAccessController.checkSecurityToken(name, token)) contextNameBindings.put(name, context); @@ -155,7 +155,7 @@ * * @param name Name of the context */ - public static void unbindContext(String name) { + public static void unbindContext(Object name) { unbindContext(name, null); } @@ -166,7 +166,7 @@ * @param name Name of the context * @param token Security token */ - public static void unbindContext(String name, Object token) { + public static void unbindContext(Object name, Object token) { if (ContextAccessController.checkSecurityToken(name, token)) contextNameBindings.remove(name); } 
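Review bot: In the `@@ -143,7 +143,7 @@` hunk, `bindContext(Object, Context, Object)` silently does nothing when `checkSecurityToken` rejects the token: it throws no exception and returns `void`. `unbindContext(Object, Object)` in `@@ -166,7 +166,7 @@` behaves the same way, and the one-argument overloads in `@@ -131,7 +131,7 @@` and `@@ -155,7 +155,7 @@` always pass a `null` token. A caller with a wrong or missing token therefore cannot tell that the binding was refused, and a refused unbind leaves a stale context registered. At minimum the Javadoc should say so, e.g. `Has no effect if the token does not match the one registered for this name.` The closing lines of both methods are outside their hunks.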
@@ -177,7 +177,7 @@ * * @param name Name of the context */ - public static Context getContext(String name) { + static Context getContext(Object name) { return (Context) contextNameBindings.get(name); } @@ -187,7 +187,7 @@ * * @param name Name of the context */ - public static void bindThread(String name) + public static void bindThread(Object name) throws NamingException { bindThread(name, null); } @@ -199,7 +199,7 @@ * @param name Name of the context * @param token Security token */ - public static void bindThread(String name, Object token) + public static void bindThread(Object name, Object token) throws NamingException { if (ContextAccessController.checkSecurityToken(name, token)) { Context context = (Context) contextNameBindings.get(name); @@ -217,7 +217,7 @@ * * @param name Name of the context */ - public static void unbindThread(String name) { + public static void unbindThread(Object name) { unbindThread(null); } @@ -228,7 +228,7 @@ * @param name Name of the context * @param token Security token */ - public static void unbindThread(String name, Object token) { + public static void unbindThread(Object name, Object token) { if (ContextAccessController.checkSecurityToken(name, token)) { threadBindings.remove(Thread.currentThread()); threadNameBindings.remove(Thread.currentThread()); @@ -253,10 +253,9 @@ /** * Retrieves the naming context name bound to a thread. */ - public static String getThreadName() + static Object getThreadName() throws NamingException { - String name = - (String) threadNameBindings.get(Thread.currentThread()); + Object name = threadNameBindings.get(Thread.currentThread()); if (name == null) throw new NamingException (sm.getString("contextBindings.noContextBoundToThread")); @@ -277,7 +276,7 @@ * * @param name Name of the context */ - public static void bindClassLoader(String name) + public static void bindClassLoader(Object name) throws NamingException { bindClassLoader(name, null); } 
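Review bot: The reduced visibility of `getContext` in the `@@ -177,7 +177,7 @@` hunk is not explained in the code, so a later maintainer may make it public again. I would add to the Javadoc something like `Package private on purpose: the returned context exposes the resources of the named web application, so only org.apache.naming classes may call it.` Package-private access only protects as long as web application class loaders cannot define classes in `org.apache.naming`. That is not visible in this diff and should be confirmed.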
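Review bot: The new `unbindThread(Object name)` in the `@@ -217,7 +217,7 @@` hunk still calls `unbindThread(null);`, which resolves to the same one-argument overload and recurses until the stack overflows. This commit corrects the identical mistake in `unbindClassLoader` (hunk `@@ -309,8 +320,8 @@`) but leaves this one untouched. The body should be `unbindThread(name, null);`.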
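Review bot: `unbindThread(Object name, Object token)` in the `@@ -228,7 +228,7 @@` hunk validates the token for `name` but then removes whatever binding the current thread has, without comparing it with `name`. A caller that passes the check for one context can therefore drop a thread binding that was made for a different one. `unbindClassLoader(Object, Object)` in `@@ -320,7 +331,7 @@` has the same shape. I would read the stored name first (`Object bound = threadNameBindings.get(Thread.currentThread());`) and remove the entries only when it equals `name`, or else document why any accepted token may unbind. The method body continues past the hunk.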
@@ -289,17 +288,29 @@ * @param name Name of the context * @param token Security token */ - public static void bindClassLoader(String name, Object token) + public static void bindClassLoader(Object name, Object token) throws NamingException { + bindClassLoader + (name, token, Thread.currentThread().getContextClassLoader()); + } + + + /** + * Binds a naming context to a thread. + * + * @param name Name of the context + * @param token Security token + */ + public static void bindClassLoader(Object name, Object token, + ClassLoader classLoader) + throws NamingException { if (ContextAccessController.checkSecurityToken(name, token)) { Context context = (Context) contextNameBindings.get(name); if (context == null) throw new NamingException (sm.getString("contextBindings.unknownContext", name)); - clBindings.put(Thread.currentThread().getContextClassLoader(), - context); - clNameBindings.put(Thread.currentThread().getContextClassLoader(), - name); + clBindings.put(classLoader, context); + clNameBindings.put(classLoader, name); } } @@ -309,8 +320,8 @@ * * @param name Name of the context */ - public static void unbindClassLoader(String name) { - unbindClassLoader(null); + public static void unbindClassLoader(Object name) { + unbindClassLoader(name, null); } @@ -320,7 +331,7 @@ * @param name Name of the context * @param token Security token */ - public static void unbindClassLoader(String name, Object token) { + public static void unbindClassLoader(Object name, Object token) { if (ContextAccessController.checkSecurityToken(name, token)) { clBindings.remove(Thread.currentThread().getContextClassLoader()); clNameBindings.remove 
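Review bot: The new three-argument `bindClassLoader` in the `@@ -289,17 +288,29 @@` hunk carries a copied Javadoc that says "Binds a naming context to a thread." and has no tag for the new parameter. I would change the summary to `Binds a naming context to a class loader.` and add `@param classLoader Class loader to which the context is bound`. There is also no matching unbind: `unbindClassLoader(Object, Object)` in `@@ -320,7 +331,7 @@` still removes the entry for `Thread.currentThread().getContextClassLoader()`. A binding made for an explicitly passed loader can therefore only be removed from a thread whose context class loader is that loader. A `null` `classLoader` is not rejected before `clBindings.put`, so if `clBindings` is a `Hashtable` (its declaration is not in the diff) the caller gets a `NullPointerException` instead of a `NamingException`.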
@@ -346,10 +357,10 @@ /** * Retrieves the naming context name bound to a class loader. */ - public static String getClassLoaderName() + static Object getClassLoaderName() throws NamingException { - String name = (String) clNameBindings.get - (Thread.currentThread().getContextClassLoader()); + Object name = + clNameBindings.get(Thread.currentThread().getContextClassLoader()); if (name == null) throw new NamingException (sm.getString("contextBindings.noContextBoundToCL")); 1.2 +7 -5 jakarta-tomcat-4.0/catalina/src/share/org/apache/naming/java/javaURLContextFactory.java Index: javaURLContextFactory.java =================================================================== RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/naming/java/javaURLContextFactory.java,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- javaURLContextFactory.java 2000/11/02 06:14:18 1.1 +++ javaURLContextFactory.java 2001/01/25 18:35:35 1.2 @@ -1,7 +1,7 @@ /* - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/naming/java/javaURLContextFactory.java,v 1.1 2000/11/02 06:14:18 remm Exp $ - * $Revision: 1.1 $ - * $Date: 2000/11/02 06:14:18 $ + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/naming/java/javaURLContextFactory.java,v 1.2 2001/01/25 18:35:35 remm Exp $ + * $Revision: 1.2 $ + * $Date: 2001/01/25 18:35:35 $ * * ==================================================================== * @@ -90,7 +90,7 @@ * </ul> * * @author Remy Maucherat - * @version $Revision: 1.1 $ $Date: 2000/11/02 06:14:18 $ + * @version $Revision: 1.2 $ $Date: 2001/01/25 18:35:35 $ */ public class javaURLContextFactory 
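Review bot: `getClassLoaderName` in the `@@ -346,10 +357,10 @@` hunk looks up only the exact thread context class loader, so code running under a loader whose parent is the bound loader gets `contextBindings.noContextBoundToCL`. If class loader binding is meant to be the main lookup path, that case should either be handled by walking `getParent()` or be documented as unsupported. The Javadoc also lacks `@return` and `@throws NamingException`, and with the return type widened to `Object` it should say what kind of object the name is. The method continues past the end of the hunk.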
@@ -127,7 +127,8 @@ public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable environment) throws NamingException { - if (ContextBindings.isThreadBound()) { + if ((ContextBindings.isThreadBound()) || + (ContextBindings.isClassLoaderBound())) { return new SelectorContext(environment); } else { return null; @@ -140,7 +141,8 @@ */ public Context getInitialContext(Hashtable environment) throws NamingException { - if (ContextBindings.isThreadBound()) { + if (ContextBindings.isThreadBound() || + (ContextBindings.isClassLoaderBound())) { // Redirect the request to the bound initial context return new SelectorContext(environment, true); } else { --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
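Review bot: With the added `isClassLoaderBound()` branch in the `@@ -127,7 +127,8 @@` hunk, and again in `@@ -140,7 +141,8 @@`, the context handed out appears to be selected by the thread's context class loader, judging from `getClassLoaderName` in `ContextBindings`. Code can change that loader through `Thread.setContextClassLoader` unless the security policy withholds `RuntimePermission("setContextClassLoader")`. Isolation between web applications now rests on that assumption, so I would state it next to the check, e.g. `// Class loader binding trusts the thread context class loader; web applications must not be granted setContextClassLoader.` The two conditions are also parenthesised differently (`(ContextBindings.isThreadBound()) ||` versus `ContextBindings.isThreadBound() ||`), and one form should be used for both. Both method bodies end outside their hunks.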