Hi,
I've noticed a characteristic in the tomcat
loader.WebappClassloader and was wondering whether someone have any
recollection or insight as to why we did it that way.
Classes loaded with this classloader get a "jar:" tacked as prefix in
their codesource.
The javadoc has this to say:
IMPLEMENTATION NOTE - The class loader generates source URLs which
include the full JAR URL when a class is loaded from a JAR file,
which allows setting security permission at the class level, even
when a class is contained inside a JAR.
Which is indeed true and an interesting feature.
However, it violates the j2se policy syntax because the users
expectation of "/-" no longer works
In other words, with some structure like:
applications/web-modules/web_1
/WEB-INF/lib/foo.jar
...
/web_2
...
If the user wishes to grant permission X to all web module code, they
expect the following to work as documented in the policy syntax:
grant codeBase "file:.../applications/web-modules/-" {
permission X;
};
Turns out it doesn't, because WebappClassloader will make the
codesource something like "jar:file:...../foo.jar!/MyClass.class",
which will not match the grant.
I've see the norte inside the RELEASE-NOTES file, but would like to know
why exactly.
Merci,
-- Jeanfrancois
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
- Re: [Q] WebappClassloader violates J2SE policy syntax? Jeanfrancois Arcand
- Re: [Q] WebappClassloader violates J2SE policy sy... Glenn Nielsen
- Re: [Q] WebappClassloader violates J2SE polic... Remy Maucherat
