Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security SecurityClassLoad.java

[Jeanfrancois Arcand]

[EMAIL PROTECTED] wrote:

billbarker    2004/01/05 20:27:34

 Modified:    catalina/src/share/org/apache/catalina/security
                       SecurityClassLoad.java
 Log:
 Adding classes for Coyote-Jk.
 
 This addresses Bug #25819.
 
 Reported By: Dario Bonino [EMAIL PROTECTED]
 
 Revision  Changes    Path
 1.12      +13 -4     jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityClassLoad.java
 
 Index: SecurityClassLoad.java
 ===================================================================
 RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityClassLoad.java,v
 retrieving revision 1.11
 retrieving revision 1.12
 diff -u -r1.11 -r1.12
 --- SecurityClassLoad.java	31 Oct 2003 01:30:01 -0000	1.11
 +++ SecurityClassLoad.java	6 Jan 2004 04:27:34 -0000	1.12
 @@ -90,6 +90,7 @@
          loadJavaxPackage(loader);
          loadCoyotePackage(loader);        
          loadHttp11Package(loader);        
 +        loadJkPackage(loader);
      }
      
      
 @@ -239,6 +240,14 @@
          loader.loadClass
              (basePackage +
               "CoyoteResponse$3");
 +    }
 +
 +    private final static void loadJkPackage(ClassLoader loader)
 +        throws Exception {
 +        String basePackage = "org.apache.tomcat.util.";
 +        loader.loadClass
 +            (basePackage +
 +             "buff.C2BConverter");
      }
  
  }
 

-1. That breaks the way we are implementing security. The role of this 
class is to load security related inner classes. Doing this make the 
class available for all Servlet (that break the package protection 
mechanism). You should add a doPrivileged block within the jk code 
instead and load the inner class here. Also, it is now impossible to 
protect that class using the catalina.properties if you do that.

If you think C2BConverter is secure and should not be protected 
(avaiable to Servlet), add the package to the catalina.policy instead.

-- Jeanfrancois


 
 
 

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
 



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]