[EMAIL PROTECTED] wrote:
>
> On Sat, 23 Jun 2001, Craig R. McClanahan wrote:
>
> > > > A) the hierarchy should go:
> > > >
> > > >     SystemCL
> > > >        |                    <-- LAYER 1
> > > >     lib/common CL
> > > >       /     \               <-- LAYER 2
> > > > lib/container   lib/apps CL
> > > >                    |        <-- LAYER 3
> > > >                 WEB-INF/lib        << same CL, but with URLs
> > > >                 WEB-INF/classes       from both dirs, in this
> > > >                                       order...
> > >
> > > You are absolutely right, that's the intended hierarchy.
> >
> > One thing you might want to note for the future is that, in servlet 2.3,
> > the order of loading in the web-app classloader is specified to be
> > reversed from this (i.e. WEB-INF/classes first, then WEB-INF/lib). The
> > new spec also permits a web-app classloader to override classes in parent
> > classloaders by using a "look then delegate" policy, rather than "delegate
> > then look" in the usual Java2 fashion. (Tomcat 4's classloaders do both
> > of these things, against a very similar overall hierarchy.)
>
> > Neither of these behaviors is specified for 2.2, so you're pretty much
> > free to do what you want. But you should think about implementing similar
> > policies now, to improve the portability of apps to containers supporting
> > 2.3.
>
> That's why we have pluggable loader - if someone wants such a behavior
> he's free to implement a loader. For servlet 2.2 we are not required, and
> I'm not going to. And it shouldn't matter anyway - since the common loader
> is supposed to have minimal stuff ( javax, other things that should not be
> overridden without major risks for security - even if the 2.3 spec would
> require them to be - I'm talking about some common utils ).
>
> I believe there are important security issues, but I'm sure the spec took
> this into consideration - so probably I'm wrong ( of course, this will be
> easy to verify later on, there are quite a few ways someone could try to
> exploit a reversed order - but again I'm sure this was taken care of and
> it'll be just the fun of trying :-).
>
Yes there are security issues related to the Servlet 2.3 spec webapp CL.
Fortunately, the Java SecurityManager can protect you if you use
checkPackageDefinition() in the CL. This can prevent a Servlet 2.3 webapp
CL from redefining system or other sensitive classes.
> Costin
--
----------------------------------------------------------------------
Glenn Nielsen [EMAIL PROTECTED] | /* Spelin donut madder |
MOREnet System Programming | * if iz ina coment. |
Missouri Research and Education Network | */ |
----------------------------------------------------------------------
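As an added illustration of the two points raised above (not code from this thread, from Tomcat, or from any other project): a "look then delegate" web-app class loader of the kind the 2.3 spec permits, which nevertheless (a) always delegates a small set of sensitive package prefixes to its parent and (b) calls SecurityManager.checkPackageDefinition() before defining any class, so that packages listed in the `package.definition` security property cannot be redefined from WEB-INF/classes or WEB-INF/lib unless the web app has been granted the matching RuntimePermission. The class name, the PARENT_FIRST_PREFIXES list and the package names in the usage note are assumptions chosen for the example. Note that the SecurityManager API this relies on was deprecated for removal in JDK 17 (JEP 411) and is permanently disabled as of JDK 24 (JEP 486), so this reflects the 2001-era mechanism, not a current one.

```java
import java.net.URL;
import java.net.URLClassLoader;

/**
 * Hypothetical child-first ("look then delegate") web-app class loader.
 * Example code for this discussion only; not Tomcat's WebappClassLoader.
 */
public class ChildFirstWebappClassLoader extends URLClassLoader {

    /**
     * Assumption: the container never lets a web app shadow these, even
     * under child-first loading. java.* is also refused by the JVM itself
     * (defineClass throws SecurityException for that prefix), but the
     * servlet API and the container's own classes need an explicit rule.
     */
    private static final String[] PARENT_FIRST_PREFIXES = {
        "java.", "javax.servlet.", "org.apache.catalina."
    };

    public ChildFirstWebappClassLoader(URL[] webappUrls, ClassLoader parent) {
        super(webappUrls, parent);   // webappUrls: WEB-INF/classes, then WEB-INF/lib jars
    }

    private static boolean isParentFirst(String name) {
        for (String prefix : PARENT_FIRST_PREFIXES) {
            if (name.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /** "Look then delegate": search the web app before asking the parent. */
    @Override
    protected Class<?> loadClass(String name, boolean resolve)
            throws ClassNotFoundException {
        synchronized (getClassLoadingLock(name)) {
            Class<?> c = findLoadedClass(name);
            if (c == null) {
                if (isParentFirst(name)) {
                    // Sensitive prefixes keep the usual Java2 "delegate then look"
                    c = getParent().loadClass(name);
                } else {
                    try {
                        c = findClass(name);          // look in the web app first
                    } catch (ClassNotFoundException e) {
                        c = getParent().loadClass(name); // then delegate
                    }
                }
            }
            if (resolve) {
                resolveClass(c);
            }
            return c;
        }
    }

    /**
     * Gate every definition through SecurityManager.checkPackageDefinition().
     * Nothing in the JDK calls it for you; a custom loader must do so itself.
     * It throws SecurityException when the package matches an entry of the
     * "package.definition" security property and the caller lacks
     * RuntimePermission("defineClassInPackage." + pkg).
     */
    @Override
    protected Class<?> findClass(String name) throws ClassNotFoundException {
        int dot = name.lastIndexOf('.');
        if (dot >= 0) {
            String pkg = name.substring(0, dot);
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                sm.checkPackageDefinition(pkg);   // SecurityException on a protected package
            }
        }
        return super.findClass(name);            // reads the bytes and calls defineClass
    }
}
```

To exercise it, run the JVM with a SecurityManager installed and add the packages that must not be redefinable to the `package.definition` entry in the JRE's java.security file, for example `package.definition=sun.,org.apache.catalina.` (assumed values). A web app that ships `org/apache/catalina/Foo.class` in WEB-INF/classes then gets a SecurityException from findClass() instead of silently shadowing the container's class; packages not listed still load child-first as the 2.3 spec allows.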