Jeanfrancois Arcand wrote:
Hi,
I've noticed a characteristic in the tomcat
loader.WebappClassloader and was wondering whether someone have any
recollection or insight as to why we did it that way.
Classes loaded with this classloader get a "jar:" tacked as prefix in
their codesource.
The javadoc has this to say:
IMPLEMENTATION NOTE - The class loader generates source URLs which
include the full JAR URL when a class is loaded from a JAR file,
which allows setting security permission at the class level, even
when a class is contained inside a JAR.
Which is indeed true and an interesting feature.
However, it violates the j2se policy syntax because the users
expectation of "/-" no longer works
In other words, with some structure like:
applications/web-modules/web_1
/WEB-INF/lib/foo.jar
...
/web_2
...
If the user wishes to grant permission X to all web module code, they
expect the following to work as documented in the policy syntax:
grant codeBase "file:.../applications/web-modules/-" {
permission X;
};
Turns out it doesn't, because WebappClassloader will make the
codesource something like "jar:file:...../foo.jar!/MyClass.class",
which will not match the grant.
I've see the norte inside the RELEASE-NOTES file, but would like to know why exactly.
Merci,
-- Jeanfrancois
You can do the grant to the entire jar file like this:
"jar:file:..../foo.jar!/-" The jar:file syntax is no longer required in Tomcat 4.1, the code for Tomcat 5 must have been forked before this change, or the documentation didn't get updated. I did a quick search of the release notes and found that it was changed in Tomcat 4.1.1 to fix bugzilla bug 8611. The change was needed to fix a bug with sealed jar files. Regards, Glenn -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
