This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push: new 4fa1a1a1b2 Remove Globals.IS_SECURITY_ENABLED 4fa1a1a1b2 is described below commit 4fa1a1a1b25aabca96c349072d742ae16316b7cc Author: Mark Thomas <ma...@apache.org> AuthorDate: Thu Jan 12 16:32:04 2023 +0000 Remove Globals.IS_SECURITY_ENABLED --- java/org/apache/catalina/Globals.java | 6 - java/org/apache/catalina/ant/ValidatorTask.java | 4 +- java/org/apache/catalina/connector/Connector.java | 7 +- java/org/apache/catalina/connector/Request.java | 27 - .../catalina/core/ApplicationContextFacade.java | 549 +++------------------ .../catalina/core/ApplicationFilterConfig.java | 12 +- .../catalina/core/ApplicationFilterFactory.java | 11 +- .../org/apache/catalina/core/AsyncContextImpl.java | 9 +- java/org/apache/catalina/core/StandardHost.java | 3 +- .../apache/catalina/core/StandardHostValve.java | 4 +- java/org/apache/catalina/core/StandardWrapper.java | 33 +- .../org/apache/catalina/security/SecurityUtil.java | 19 - .../apache/catalina/servlets/DefaultServlet.java | 94 +--- .../apache/catalina/session/DataSourceStore.java | 9 +- java/org/apache/catalina/session/FileStore.java | 5 +- java/org/apache/catalina/session/ManagerBase.java | 16 - .../apache/catalina/session/StandardSession.java | 9 +- .../apache/catalina/valves/PersistentValve.java | 5 +- 18 files changed, 93 insertions(+), 729 deletions(-) diff --git a/java/org/apache/catalina/Globals.java b/java/org/apache/catalina/Globals.java index f04839ff79..5c7eaa6d43 100644 --- a/java/org/apache/catalina/Globals.java +++ b/java/org/apache/catalina/Globals.java @@ -262,12 +262,6 @@ public final class Globals { Boolean.parseBoolean(System.getProperty("org.apache.catalina.STRICT_SERVLET_COMPLIANCE", "false")); - /** - * Has security been turned on? - */ - public static final boolean IS_SECURITY_ENABLED = (System.getSecurityManager() != null); - - /** * Default domain for MBeans if none can be determined */ 
diff --git a/java/org/apache/catalina/ant/ValidatorTask.java b/java/org/apache/catalina/ant/ValidatorTask.java index d239684d3e..28a145362c 100644 --- a/java/org/apache/catalina/ant/ValidatorTask.java +++ b/java/org/apache/catalina/ant/ValidatorTask.java @@ -22,7 +22,6 @@ import java.io.File; import java.io.FileInputStream; import java.io.InputStream; -import org.apache.catalina.Globals; import org.apache.tomcat.util.descriptor.DigesterFactory; import org.apache.tomcat.util.digester.Digester; import org.apache.tools.ant.BuildException; @@ -87,8 +86,7 @@ public class ValidatorTask extends BaseRedirectorHelperTask { // Called through trusted manager interface. If running under a // SecurityManager assume that untrusted applications may be deployed. - Digester digester = DigesterFactory.newDigester( - true, true, null, Globals.IS_SECURITY_ENABLED); + Digester digester = DigesterFactory.newDigester(true, true, null, false); try (InputStream stream = new BufferedInputStream(new FileInputStream(file.getCanonicalFile()))) { InputSource is = new InputSource(file.toURI().toURL().toExternalForm()); is.setByteStream(stream); diff --git a/java/org/apache/catalina/connector/Connector.java b/java/org/apache/catalina/connector/Connector.java index 3b6d94a788..ad6fde7d32 100644 --- a/java/org/apache/catalina/connector/Connector.java +++ b/java/org/apache/catalina/connector/Connector.java @@ -25,7 +25,6 @@ import java.util.HashSet; import javax.management.ObjectName; -import org.apache.catalina.Globals; import org.apache.catalina.LifecycleException; import org.apache.catalina.LifecycleState; import org.apache.catalina.Service; 
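Review bot: The comment kept above `DigesterFactory.newDigester(true, true, null, false)` still tells the reader to assume untrusted applications when a SecurityManager is present, which no longer matches a hard-coded `false`. If the last argument is the switch that blocks external entity resolution (its parameter name is not visible in this hunk), the validator now never blocks external entities in the file it parses, and the comment should say why that is acceptable. Something like `// Called through trusted manager interface; external entities are not blocked because the descriptor comes from a trusted operator.` would do. The enclosing method starts and ends outside the hunk.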
@@ -404,12 +403,10 @@ public class Connector extends LifecycleMBeanBase { /** - * @return <code>true</code> if the object facades are discarded, either - * when the discardFacades value is <code>true</code> or when the - * security manager is enabled. + * @return <code>true</code> if the object facades are discarded. */ public boolean getDiscardFacades() { - return discardFacades || Globals.IS_SECURITY_ENABLED; + return discardFacades; } diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java index 07b40ed463..e35dbcd085 100644 --- a/java/org/apache/catalina/connector/Request.java +++ b/java/org/apache/catalina/connector/Request.java @@ -1929,37 +1929,10 @@ public class Request implements HttpServletRequest { * @param principal The user Principal */ public void setUserPrincipal(final Principal principal) { - if (Globals.IS_SECURITY_ENABLED && principal != null) { - if (subject == null) { - final HttpSession session = getSession(false); - if (session == null) { - // Cache the subject in the request - subject = newSubject(principal); - } else { - // Cache the subject in the request and the session - subject = (Subject) session.getAttribute(Globals.SUBJECT_ATTR); - if (subject == null) { - subject = newSubject(principal); - session.setAttribute(Globals.SUBJECT_ATTR, subject); - } else { - subject.getPrincipals().add(principal); - } - } - } else { - subject.getPrincipals().add(principal); - } - } userPrincipal = principal; } - private Subject newSubject(final Principal principal) { - final Subject result = new Subject(); - result.getPrincipals().add(principal); - return result; - } - - // --------------------------------------------- HttpServletRequest Methods @Override diff --git a/java/org/apache/catalina/core/ApplicationContextFacade.java b/java/org/apache/catalina/core/ApplicationContextFacade.java index ff89aa0b9e..93a0fe49ae 100644 --- a/java/org/apache/catalina/core/ApplicationContextFacade.java 
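Review bot: The Javadoc on `getDiscardFacades()` now says only that facades are discarded, with no hint of the default or of why an operator would turn it on. Since the getter no longer forces `true` in any configuration, I would add a sentence such as `Discarding facades stops an application that retains a request or response facade from reaching the recycled container object behind it.` The default of `discardFacades` is declared outside this hunk, so it should be stated in the Javadoc once confirmed.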
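Review bot: `setUserPrincipal` no longer writes the `subject` field or the `Globals.SUBJECT_ATTR` session attribute, yet nothing in this hunk removes the field itself. If the field, its reset on recycle, or any reader of `Globals.SUBJECT_ATTR` remain elsewhere (not visible here), they are now dead state and a reader would always see null. It is worth removing them in the same change, or confirming that no code path still expects a cached Subject.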
+++ b/java/org/apache/catalina/core/ApplicationContextFacade.java @@ -18,17 +18,13 @@ package org.apache.catalina.core; import java.io.InputStream; -import java.lang.reflect.InvocationTargetException; -import java.lang.reflect.Method; import java.net.MalformedURLException; import java.net.URL; -import java.security.PrivilegedActionException; import java.util.Enumeration; import java.util.EventListener; import java.util.HashMap; import java.util.Map; import java.util.Set; -import java.util.concurrent.ConcurrentHashMap; import jakarta.servlet.Filter; import jakarta.servlet.FilterRegistration; @@ -42,10 +38,6 @@ import jakarta.servlet.SessionCookieConfig; import jakarta.servlet.SessionTrackingMode; import jakarta.servlet.descriptor.JspConfigDescriptor; -import org.apache.catalina.Globals; -import org.apache.catalina.security.SecurityUtil; -import org.apache.tomcat.util.ExceptionUtils; - /** * Facade object which masks the internal <code>ApplicationContext</code> @@ -62,15 +54,8 @@ public class ApplicationContextFacade implements ServletContext { private final Map<String,Class<?>[]> classCache; - /** - * Cache method object. - */ - private final Map<String,Method> objectCache; - - // ----------------------------------------------------------- Constructors - /** * Construct a new instance of this class, associated with the specified * Context instance. @@ -82,7 +67,6 @@ public class ApplicationContextFacade implements ServletContext { this.context = context; classCache = new HashMap<>(); - objectCache = new ConcurrentHashMap<>(); initClassCache(); } 
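Review bot: `classCache` is still declared, allocated in the constructor (`classCache = new HashMap<>();`) and filled by `initClassCache()`, but the only reader visible in this diff, `classCache.get(methodName)` inside `invokeMethod`, is deleted later in the same file. Unless another reader exists outside the hunks, every facade now builds a map that is never consulted. Removing the field, `initClassCache()` and the `java.util.HashMap` import (if nothing else uses it) would finish the cleanup. The field declaration and constructor begin outside these hunks.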
@@ -135,13 +119,7 @@ public class ApplicationContextFacade implements ServletContext { @Override public ServletContext getContext(String uripath) { - ServletContext theContext = null; - if (SecurityUtil.isPackageProtectionEnabled()) { - theContext = (ServletContext) - doPrivileged("getContext", new Object[]{uripath}); - } else { - theContext = context.getContext(uripath); - } + ServletContext theContext = context.getContext(uripath); if ((theContext != null) && (theContext instanceof ApplicationContext)){ theContext = ((ApplicationContext)theContext).getFacade(); 
@@ -164,711 +142,310 @@ public class ApplicationContextFacade implements ServletContext { @Override public String getMimeType(String file) { - if (SecurityUtil.isPackageProtectionEnabled()) { - return (String)doPrivileged("getMimeType", new Object[]{file}); - } else { - return context.getMimeType(file); - } + return context.getMimeType(file); } @Override - @SuppressWarnings("unchecked") // doPrivileged() returns the correct type public Set<String> getResourcePaths(String path) { - if (SecurityUtil.isPackageProtectionEnabled()){ - return (Set<String>)doPrivileged("getResourcePaths", - new Object[]{path}); - } else { - return context.getResourcePaths(path); - } + return context.getResourcePaths(path); } @Override - public URL getResource(String path) - throws MalformedURLException { - if (Globals.IS_SECURITY_ENABLED) { - try { - return (URL) invokeMethod(context, "getResource", - new Object[]{path}); - } catch(Throwable t) { - ExceptionUtils.handleThrowable(t); - if (t instanceof MalformedURLException){ - throw (MalformedURLException)t; - } - return null; - } - } else { - return context.getResource(path); - } + public URL getResource(String path) throws MalformedURLException { + return context.getResource(path); } @Override public InputStream getResourceAsStream(String path) { - if (SecurityUtil.isPackageProtectionEnabled()) { - return (InputStream) doPrivileged("getResourceAsStream", - new Object[]{path}); - } else { - return context.getResourceAsStream(path); - } + return context.getResourceAsStream(path); } @Override public RequestDispatcher getRequestDispatcher(final String path) { - if (SecurityUtil.isPackageProtectionEnabled()) { - return (RequestDispatcher) doPrivileged("getRequestDispatcher", - new Object[]{path}); - } else { - return context.getRequestDispatcher(path); - } + return context.getRequestDispatcher(path); } @Override public RequestDispatcher getNamedDispatcher(String name) { - if (SecurityUtil.isPackageProtectionEnabled()) { - return 
(RequestDispatcher) doPrivileged("getNamedDispatcher", - new Object[]{name}); - } else { - return context.getNamedDispatcher(name); - } + return context.getNamedDispatcher(name); } @Override public void log(String msg) { - if (SecurityUtil.isPackageProtectionEnabled()) { - doPrivileged("log", new Object[]{msg} ); - } else { - context.log(msg); - } + context.log(msg); } @Override public void log(String message, Throwable throwable) { - if (SecurityUtil.isPackageProtectionEnabled()) { - doPrivileged("log", new Class[]{String.class, Throwable.class}, - new Object[]{message, throwable}); - } else { - context.log(message, throwable); - } + context.log(message, throwable); } @Override public String getRealPath(String path) { - if (SecurityUtil.isPackageProtectionEnabled()) { - return (String) doPrivileged("getRealPath", new Object[]{path}); - } else { - return context.getRealPath(path); - } + return context.getRealPath(path); } @Override public String getServerInfo() { - if (SecurityUtil.isPackageProtectionEnabled()) { - return (String) doPrivileged("getServerInfo", null); - } else { - return context.getServerInfo(); - } + return context.getServerInfo(); } @Override public String getInitParameter(String name) { - if (SecurityUtil.isPackageProtectionEnabled()) { - return (String) doPrivileged("getInitParameter", - new Object[]{name}); - } else { - return context.getInitParameter(name); - } + return context.getInitParameter(name); } @Override - @SuppressWarnings("unchecked") // doPrivileged() returns the correct type public Enumeration<String> getInitParameterNames() { - if (SecurityUtil.isPackageProtectionEnabled()) { - return (Enumeration<String>) doPrivileged( - "getInitParameterNames", null); - } else { - return context.getInitParameterNames(); - } + return context.getInitParameterNames(); } @Override public Object getAttribute(String name) { - if (SecurityUtil.isPackageProtectionEnabled()) { - return doPrivileged("getAttribute", new Object[]{name}); - } else { - 
return context.getAttribute(name); - } + return context.getAttribute(name); } @Override - @SuppressWarnings("unchecked") // doPrivileged() returns the correct type public Enumeration<String> getAttributeNames() { - if (SecurityUtil.isPackageProtectionEnabled()) { - return (Enumeration<String>) doPrivileged( - "getAttributeNames", null); - } else { - return context.getAttributeNames(); - } + return context.getAttributeNames(); } @Override public void setAttribute(String name, Object object) { - if (SecurityUtil.isPackageProtectionEnabled()) { - doPrivileged("setAttribute", new Object[]{name,object}); - } else { - context.setAttribute(name, object); - } + context.setAttribute(name, object); } @Override public void removeAttribute(String name) { - if (SecurityUtil.isPackageProtectionEnabled()) { - doPrivileged("removeAttribute", new Object[]{name}); - } else { - context.removeAttribute(name); - } + context.removeAttribute(name); } @Override public String getServletContextName() { - if (SecurityUtil.isPackageProtectionEnabled()) { - return (String) doPrivileged("getServletContextName", null); - } else { - return context.getServletContextName(); - } + return context.getServletContextName(); } @Override public String getContextPath() { - if (SecurityUtil.isPackageProtectionEnabled()) { - return (String) doPrivileged("getContextPath", null); - } else { - return context.getContextPath(); - } + return context.getContextPath(); } @Override - public FilterRegistration.Dynamic addFilter(String filterName, - String className) { - if (SecurityUtil.isPackageProtectionEnabled()) { - return (FilterRegistration.Dynamic) doPrivileged( - "addFilter", new Object[]{filterName, className}); - } else { - return context.addFilter(filterName, className); - } + public FilterRegistration.Dynamic addFilter(String filterName, String className) { + return context.addFilter(filterName, className); } @Override - public FilterRegistration.Dynamic addFilter(String filterName, - Filter filter) { - if 
(SecurityUtil.isPackageProtectionEnabled()) { - return (FilterRegistration.Dynamic) doPrivileged("addFilter", - new Class[]{String.class, Filter.class}, - new Object[]{filterName, filter}); - } else { - return context.addFilter(filterName, filter); - } + public FilterRegistration.Dynamic addFilter(String filterName, Filter filter) { + return context.addFilter(filterName, filter); } @Override public FilterRegistration.Dynamic addFilter(String filterName, Class<? extends Filter> filterClass) { - if (SecurityUtil.isPackageProtectionEnabled()) { - return (FilterRegistration.Dynamic) doPrivileged("addFilter", - new Class[]{String.class, Class.class}, - new Object[]{filterName, filterClass}); - } else { - return context.addFilter(filterName, filterClass); - } + return context.addFilter(filterName, filterClass); } @Override - @SuppressWarnings("unchecked") // doPrivileged() returns the correct type - public <T extends Filter> T createFilter(Class<T> c) - throws ServletException { - if (SecurityUtil.isPackageProtectionEnabled()) { - try { - return (T) invokeMethod(context, "createFilter", - new Object[]{c}); - } catch (Throwable t) { - ExceptionUtils.handleThrowable(t); - if (t instanceof ServletException) { - throw (ServletException) t; - } - return null; - } - } else { - return context.createFilter(c); - } + public <T extends Filter> T createFilter(Class<T> c) throws ServletException { + return context.createFilter(c); } @Override public FilterRegistration getFilterRegistration(String filterName) { - if (SecurityUtil.isPackageProtectionEnabled()) { - return (FilterRegistration) doPrivileged( - "getFilterRegistration", new Object[]{filterName}); - } else { - return context.getFilterRegistration(filterName); - } + return context.getFilterRegistration(filterName); } @Override - public ServletRegistration.Dynamic addServlet(String servletName, - String className) { - if (SecurityUtil.isPackageProtectionEnabled()) { - return (ServletRegistration.Dynamic) doPrivileged( - 
"addServlet", new Object[]{servletName, className}); - } else { - return context.addServlet(servletName, className); - } + public ServletRegistration.Dynamic addServlet(String servletName, String className) { + return context.addServlet(servletName, className); } @Override - public ServletRegistration.Dynamic addServlet(String servletName, - Servlet servlet) { - if (SecurityUtil.isPackageProtectionEnabled()) { - return (ServletRegistration.Dynamic) doPrivileged("addServlet", - new Class[]{String.class, Servlet.class}, - new Object[]{servletName, servlet}); - } else { - return context.addServlet(servletName, servlet); - } + public ServletRegistration.Dynamic addServlet(String servletName, Servlet servlet) { + return context.addServlet(servletName, servlet); } @Override - public ServletRegistration.Dynamic addServlet(String servletName, - Class<? extends Servlet> servletClass) { - if (SecurityUtil.isPackageProtectionEnabled()) { - return (ServletRegistration.Dynamic) doPrivileged("addServlet", - new Class[]{String.class, Class.class}, - new Object[]{servletName, servletClass}); - } else { - return context.addServlet(servletName, servletClass); - } + public ServletRegistration.Dynamic addServlet(String servletName, Class<? 
extends Servlet> servletClass) { + return context.addServlet(servletName, servletClass); } @Override public Dynamic addJspFile(String jspName, String jspFile) { - if (SecurityUtil.isPackageProtectionEnabled()) { - return (ServletRegistration.Dynamic) doPrivileged("addJspFile", - new Object[]{jspName, jspFile}); - } else { - return context.addJspFile(jspName, jspFile); - } + return context.addJspFile(jspName, jspFile); } @Override - @SuppressWarnings("unchecked") // doPrivileged() returns the correct type - public <T extends Servlet> T createServlet(Class<T> c) - throws ServletException { - if (SecurityUtil.isPackageProtectionEnabled()) { - try { - return (T) invokeMethod(context, "createServlet", - new Object[]{c}); - } catch (Throwable t) { - ExceptionUtils.handleThrowable(t); - if (t instanceof ServletException) { - throw (ServletException) t; - } - return null; - } - } else { - return context.createServlet(c); - } + public <T extends Servlet> T createServlet(Class<T> c) throws ServletException { + return context.createServlet(c); } @Override public ServletRegistration getServletRegistration(String servletName) { - if (SecurityUtil.isPackageProtectionEnabled()) { - return (ServletRegistration) doPrivileged( - "getServletRegistration", new Object[]{servletName}); - } else { - return context.getServletRegistration(servletName); - } + return context.getServletRegistration(servletName); } @Override - @SuppressWarnings("unchecked") // doPrivileged() returns the correct type public Set<SessionTrackingMode> getDefaultSessionTrackingModes() { - if (SecurityUtil.isPackageProtectionEnabled()) { - return (Set<SessionTrackingMode>) - doPrivileged("getDefaultSessionTrackingModes", null); - } else { - return context.getDefaultSessionTrackingModes(); - } + return context.getDefaultSessionTrackingModes(); } @Override - @SuppressWarnings("unchecked") // doPrivileged() returns the correct type public Set<SessionTrackingMode> getEffectiveSessionTrackingModes() { - if 
(SecurityUtil.isPackageProtectionEnabled()) { - return (Set<SessionTrackingMode>) - doPrivileged("getEffectiveSessionTrackingModes", null); - } else { - return context.getEffectiveSessionTrackingModes(); - } + return context.getEffectiveSessionTrackingModes(); } @Override public SessionCookieConfig getSessionCookieConfig() { - if (SecurityUtil.isPackageProtectionEnabled()) { - return (SessionCookieConfig) - doPrivileged("getSessionCookieConfig", null); - } else { - return context.getSessionCookieConfig(); - } + return context.getSessionCookieConfig(); } @Override - public void setSessionTrackingModes( - Set<SessionTrackingMode> sessionTrackingModes) { - if (SecurityUtil.isPackageProtectionEnabled()) { - doPrivileged("setSessionTrackingModes", - new Object[]{sessionTrackingModes}); - } else { - context.setSessionTrackingModes(sessionTrackingModes); - } + public void setSessionTrackingModes(Set<SessionTrackingMode> sessionTrackingModes) { + context.setSessionTrackingModes(sessionTrackingModes); } @Override public boolean setInitParameter(String name, String value) { - if (SecurityUtil.isPackageProtectionEnabled()) { - return ((Boolean) doPrivileged("setInitParameter", - new Object[]{name, value})).booleanValue(); - } else { - return context.setInitParameter(name, value); - } + return context.setInitParameter(name, value); } @Override public void addListener(Class<? 
extends EventListener> listenerClass) { - if (SecurityUtil.isPackageProtectionEnabled()) { - doPrivileged("addListener", - new Class[]{Class.class}, - new Object[]{listenerClass}); - } else { - context.addListener(listenerClass); - } + context.addListener(listenerClass); } @Override public void addListener(String className) { - if (SecurityUtil.isPackageProtectionEnabled()) { - doPrivileged("addListener", - new Object[]{className}); - } else { - context.addListener(className); - } + context.addListener(className); } @Override public <T extends EventListener> void addListener(T t) { - if (SecurityUtil.isPackageProtectionEnabled()) { - doPrivileged("addListener", - new Class[]{EventListener.class}, - new Object[]{t}); - } else { - context.addListener(t); - } + context.addListener(t); } @Override - @SuppressWarnings("unchecked") // doPrivileged() returns the correct type - public <T extends EventListener> T createListener(Class<T> c) - throws ServletException { - if (SecurityUtil.isPackageProtectionEnabled()) { - try { - return (T) invokeMethod(context, "createListener", - new Object[]{c}); - } catch (Throwable t) { - ExceptionUtils.handleThrowable(t); - if (t instanceof ServletException) { - throw (ServletException) t; - } - return null; - } - } else { - return context.createListener(c); - } + public <T extends EventListener> T createListener(Class<T> c) throws ServletException { + return context.createListener(c); } @Override public void declareRoles(String... 
roleNames) { - if (SecurityUtil.isPackageProtectionEnabled()) { - doPrivileged("declareRoles", new Object[]{roleNames}); - } else { - context.declareRoles(roleNames); - } + context.declareRoles(roleNames); } @Override public ClassLoader getClassLoader() { - if (SecurityUtil.isPackageProtectionEnabled()) { - return (ClassLoader) doPrivileged("getClassLoader", null); - } else { - return context.getClassLoader(); - } + return context.getClassLoader(); } @Override public int getEffectiveMajorVersion() { - if (SecurityUtil.isPackageProtectionEnabled()) { - return ((Integer) doPrivileged("getEffectiveMajorVersion", - null)).intValue(); - } else { - return context.getEffectiveMajorVersion(); - } + return context.getEffectiveMajorVersion(); } @Override public int getEffectiveMinorVersion() { - if (SecurityUtil.isPackageProtectionEnabled()) { - return ((Integer) doPrivileged("getEffectiveMinorVersion", - null)).intValue(); - } else { - return context.getEffectiveMinorVersion(); - } + return context.getEffectiveMinorVersion(); } @Override - @SuppressWarnings("unchecked") // doPrivileged() returns the correct type public Map<String, ? extends FilterRegistration> getFilterRegistrations() { - if (SecurityUtil.isPackageProtectionEnabled()) { - return (Map<String, ? extends FilterRegistration>) doPrivileged( - "getFilterRegistrations", null); - } else { - return context.getFilterRegistrations(); - } + return context.getFilterRegistrations(); } @Override public JspConfigDescriptor getJspConfigDescriptor() { - if (SecurityUtil.isPackageProtectionEnabled()) { - return (JspConfigDescriptor) doPrivileged("getJspConfigDescriptor", - null); - } else { - return context.getJspConfigDescriptor(); - } + return context.getJspConfigDescriptor(); } @Override - @SuppressWarnings("unchecked") // doPrivileged() returns the correct type public Map<String, ? extends ServletRegistration> getServletRegistrations() { - if (SecurityUtil.isPackageProtectionEnabled()) { - return (Map<String, ? 
extends ServletRegistration>) doPrivileged( - "getServletRegistrations", null); - } else { - return context.getServletRegistrations(); - } + return context.getServletRegistrations(); } @Override public String getVirtualServerName() { - if (SecurityUtil.isPackageProtectionEnabled()) { - return (String) doPrivileged("getVirtualServerName", null); - } else { - return context.getVirtualServerName(); - } + return context.getVirtualServerName(); } @Override public int getSessionTimeout() { - if (SecurityUtil.isPackageProtectionEnabled()) { - return ((Integer) doPrivileged("getSessionTimeout", null)).intValue(); - } else { - return context.getSessionTimeout(); - } + return context.getSessionTimeout(); } @Override public void setSessionTimeout(int sessionTimeout) { - if (SecurityUtil.isPackageProtectionEnabled()) { - doPrivileged("setSessionTimeout", new Object[] { Integer.valueOf(sessionTimeout) }); - } else { - context.setSessionTimeout(sessionTimeout); - } + context.setSessionTimeout(sessionTimeout); } @Override public String getRequestCharacterEncoding() { - if (SecurityUtil.isPackageProtectionEnabled()) { - return (String) doPrivileged("getRequestCharacterEncoding", null); - } else { - return context.getRequestCharacterEncoding(); - } + return context.getRequestCharacterEncoding(); } @Override public void setRequestCharacterEncoding(String encoding) { - if (SecurityUtil.isPackageProtectionEnabled()) { - doPrivileged("setRequestCharacterEncoding", new Object[] { encoding }); - } else { - context.setRequestCharacterEncoding(encoding); - } + context.setRequestCharacterEncoding(encoding); } @Override public String getResponseCharacterEncoding() { - if (SecurityUtil.isPackageProtectionEnabled()) { - return (String) doPrivileged("getResponseCharacterEncoding", null); - } else { - return context.getResponseCharacterEncoding(); - } + return context.getResponseCharacterEncoding(); } @Override public void setResponseCharacterEncoding(String encoding) { - if 
(SecurityUtil.isPackageProtectionEnabled()) { - doPrivileged("setResponseCharacterEncoding", new Object[] { encoding }); - } else { - context.setResponseCharacterEncoding(encoding); - } - } - - - /** - * Use reflection to invoke the requested method. Cache the method object - * to speed up the process - * @param methodName The method to call. - * @param params The arguments passed to the called method. - */ - private Object doPrivileged(final String methodName, final Object[] params) { - try{ - return invokeMethod(context, methodName, params); - }catch(Throwable t){ - ExceptionUtils.handleThrowable(t); - throw new RuntimeException(t.getMessage(), t); - } - } - - - /** - * Use reflection to invoke the requested method. Cache the method object - * to speed up the process - * @param appContext The ApplicationContext object on which the method - * will be invoked - * @param methodName The method to call. - * @param params The arguments passed to the called method. - */ - private Object invokeMethod(ApplicationContext appContext, - final String methodName, - Object[] params) - throws Throwable{ - - try{ - Method method = objectCache.get(methodName); - if (method == null){ - method = appContext.getClass() - .getMethod(methodName, classCache.get(methodName)); - objectCache.put(methodName, method); - } - - return method.invoke(context, params); - } catch (Exception ex){ - handleException(ex); - return null; - } finally { - params = null; - } - } - - /** - * Use reflection to invoke the requested method. Cache the method object - * to speed up the process - * @param methodName The method to invoke. - * @param clazz The class where the method is. - * @param params The arguments passed to the called method. 
- */ - private Object doPrivileged(final String methodName, - final Class<?>[] clazz, - Object[] params) { - - try{ - Method method = context.getClass().getMethod(methodName, clazz); - return method.invoke(context, params); - } catch (Exception ex){ - try { - handleException(ex); - } catch (Throwable t){ - ExceptionUtils.handleThrowable(t); - throw new RuntimeException(t.getMessage()); - } - return null; - } finally { - params = null; - } - } - - - /** - * Throw the real exception. - * - * @param ex The current exception - */ - private void handleException(Exception ex) - throws Throwable { - - Throwable realException; - - if (ex instanceof PrivilegedActionException) { - ex = ((PrivilegedActionException) ex).getException(); - } - - if (ex instanceof InvocationTargetException) { - realException = ex.getCause(); - if (realException == null) { - realException = ex; - } - } else { - realException = ex; - } - - throw realException; + context.setResponseCharacterEncoding(encoding); } } diff --git a/java/org/apache/catalina/core/ApplicationFilterConfig.java b/java/org/apache/catalina/core/ApplicationFilterConfig.java index 3b81f7303e..ac8626bb34 100644 --- a/java/org/apache/catalina/core/ApplicationFilterConfig.java +++ b/java/org/apache/catalina/core/ApplicationFilterConfig.java @@ -34,8 +34,6 @@ import jakarta.servlet.ServletContext; import jakarta.servlet.ServletException; import org.apache.catalina.Context; -import org.apache.catalina.Globals; -import org.apache.catalina.security.SecurityUtil; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; import org.apache.tomcat.util.ExceptionUtils; 
@@ -294,15 +292,7 @@ public final class ApplicationFilterConfig implements FilterConfig, Serializable if (this.filter != null) { try { - if (Globals.IS_SECURITY_ENABLED) { - try { - SecurityUtil.doAsPrivilege("destroy", filter); - } finally { - SecurityUtil.remove(filter); - } - } else { - filter.destroy(); - } + filter.destroy(); } catch (Throwable t) { ExceptionUtils.handleThrowable(t); context.getLogger().error(sm.getString( diff --git a/java/org/apache/catalina/core/ApplicationFilterFactory.java b/java/org/apache/catalina/core/ApplicationFilterFactory.java index 62bae04237..18dc37561b 100644 --- a/java/org/apache/catalina/core/ApplicationFilterFactory.java +++ b/java/org/apache/catalina/core/ApplicationFilterFactory.java @@ -62,15 +62,10 @@ public final class ApplicationFilterFactory { ApplicationFilterChain filterChain = null; if (request instanceof Request) { Request req = (Request) request; - if (Globals.IS_SECURITY_ENABLED) { - // Security: Do not recycle + filterChain = (ApplicationFilterChain) req.getFilterChain(); + if (filterChain == null) { filterChain = new ApplicationFilterChain(); - } else { - filterChain = (ApplicationFilterChain) req.getFilterChain(); - if (filterChain == null) { - filterChain = new ApplicationFilterChain(); - req.setFilterChain(filterChain); - } + req.setFilterChain(filterChain); } } else { // Request dispatcher in use diff --git a/java/org/apache/catalina/core/AsyncContextImpl.java b/java/org/apache/catalina/core/AsyncContextImpl.java index d38f1ae8f9..776aa8acf9 100644 --- a/java/org/apache/catalina/core/AsyncContextImpl.java +++ b/java/org/apache/catalina/core/AsyncContextImpl.java @@ -37,7 +37,6 @@ import jakarta.servlet.http.HttpServletResponse; import org.apache.catalina.AsyncDispatcher; import org.apache.catalina.Context; -import org.apache.catalina.Globals; import org.apache.catalina.Host; import org.apache.catalina.Valve; import org.apache.catalina.connector.Request; 
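Review bot: In the `ApplicationFilterFactory` hunk, with the `// Security: Do not recycle` branch gone, the `ApplicationFilterChain` stored through `req.setFilterChain(filterChain)` is reused for every request served by that `Request` object. That is safe only if the chain's filter and servlet references are cleared after each use, including on error and async paths; the release call is not visible in this hunk, so it is worth confirming. A short comment at the reuse site, e.g. `// Reused across requests; must be released after each request.`, would record the invariant the removed branch used to sidestep. The enclosing method starts and ends outside the hunk.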
@@ -99,7 +98,7 @@ public class AsyncContextImpl implements AsyncContext, AsyncContextCallback { } List<AsyncListenerWrapper> listenersCopy = new ArrayList<>(listeners); - ClassLoader oldCL = context.bind(Globals.IS_SECURITY_ENABLED, null); + ClassLoader oldCL = context.bind(false, null); try { for (AsyncListenerWrapper listener : listenersCopy) { try { @@ -113,7 +112,7 @@ public class AsyncContextImpl implements AsyncContext, AsyncContextCallback { } finally { context.fireRequestDestroyEvent(request.getRequest()); clearServletRequestResponse(); - context.unbind(Globals.IS_SECURITY_ENABLED, oldCL); + context.unbind(false, oldCL); } } @@ -544,7 +543,7 @@ public class AsyncContextImpl implements AsyncContext, AsyncContextCallback { @Override public void run() { - ClassLoader oldCL = context.bind(Globals.IS_SECURITY_ENABLED, null); + ClassLoader oldCL = context.bind(false, null); try { wrapped.run(); } catch (Throwable t) { @@ -555,7 +554,7 @@ public class AsyncContextImpl implements AsyncContext, AsyncContextCallback { coyoteResponse.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); coyoteResponse.setError(); } finally { - context.unbind(Globals.IS_SECURITY_ENABLED, oldCL); + context.unbind(false, oldCL); } // Since this runnable is not executing as a result of a socket diff --git a/java/org/apache/catalina/core/StandardHost.java b/java/org/apache/catalina/core/StandardHost.java index 07df3d9f1f..2f5a758617 100644 --- a/java/org/apache/catalina/core/StandardHost.java +++ b/java/org/apache/catalina/core/StandardHost.java @@ -32,7 +32,6 @@ import javax.management.ObjectName; import org.apache.catalina.Container; import org.apache.catalina.Context; import org.apache.catalina.Engine; -import org.apache.catalina.Globals; import org.apache.catalina.Host; import org.apache.catalina.JmxEnabled; import org.apache.catalina.Lifecycle; 
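Review bot: `context.bind(false, null)` and `context.unbind(false, oldCL)` pass a bare boolean whose meaning cannot be read at the call site, and the same literal recurs in the later `AsyncContextImpl` hunks and in both `StandardHostValve` hunks (`context.bind(false, MY_CLASSLOADER)`, `context.unbind(false, MY_CLASSLOADER)`). Every caller in this diff now passes `false`, so a follow-up could drop the parameter from bind/unbind altogether. Until then, a comment such as `// privileged action not required` at each call would help, assuming the flag selects a privileged code path; its declaration is outside this diff.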
@@ -139,7 +138,7 @@ public class StandardHost extends ContainerBase implements Host { /** * deploy Context XML config files property. */ - private boolean deployXML = !Globals.IS_SECURITY_ENABLED; + private boolean deployXML = true; /** diff --git a/java/org/apache/catalina/core/StandardHostValve.java b/java/org/apache/catalina/core/StandardHostValve.java index 8e0c5b283f..159eb26296 100644 --- a/java/org/apache/catalina/core/StandardHostValve.java +++ b/java/org/apache/catalina/core/StandardHostValve.java @@ -100,7 +100,7 @@ final class StandardHostValve extends ValveBase { boolean asyncAtStart = request.isAsync(); try { - context.bind(Globals.IS_SECURITY_ENABLED, MY_CLASSLOADER); + context.bind(false, MY_CLASSLOADER); if (!asyncAtStart && !context.fireRequestInitEvent(request.getRequest())) { // Don't fire listeners during async processing (the listener @@ -167,7 +167,7 @@ final class StandardHostValve extends ValveBase { request.getSession(false); } - context.unbind(Globals.IS_SECURITY_ENABLED, MY_CLASSLOADER); + context.unbind(false, MY_CLASSLOADER); } } diff --git a/java/org/apache/catalina/core/StandardWrapper.java b/java/org/apache/catalina/core/StandardWrapper.java index c54680a8f8..540bf0ce3a 100644 --- a/java/org/apache/catalina/core/StandardWrapper.java +++ b/java/org/apache/catalina/core/StandardWrapper.java @@ -47,11 +47,9 @@ import jakarta.servlet.annotation.MultipartConfig; import org.apache.catalina.Container; import org.apache.catalina.ContainerServlet; import org.apache.catalina.Context; -import org.apache.catalina.Globals; import org.apache.catalina.LifecycleException; import org.apache.catalina.LifecycleState; import org.apache.catalina.Wrapper; -import org.apache.catalina.security.SecurityUtil; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; import org.apache.tomcat.InstanceManager; 
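Review bot: `deployXML` in StandardHost now defaults to `true` in every configuration, whereas the old initializer `!Globals.IS_SECURITY_ENABLED` turned it off whenever a SecurityManager was installed. The field Javadoc still says only "deploy Context XML config files property", so the hardened default disappears without any trace for operators. I would extend the Javadoc along the lines of `Defaults to true. Set to false on hosts that deploy applications from less trusted sources, because an application-supplied context descriptor is processed as container configuration.` The behaviour change also seems worth a changelog entry, since it needs an explicit setting to restore.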
@@ -973,25 +971,7 @@ public class StandardWrapper extends ContainerBase // Call the initialization method of this servlet try { - if( Globals.IS_SECURITY_ENABLED) { - boolean success = false; - try { - Object[] args = new Object[] { facade }; - SecurityUtil.doAsPrivilege("init", - servlet, - classType, - args); - success = true; - } finally { - if (!success) { - // destroy() will not be called, thus clear the reference now - SecurityUtil.remove(servlet); - } - } - } else { - servlet.init(facade); - } - + servlet.init(facade); instanceInitialized = true; } catch (UnavailableException f) { unavailable(f); @@ -1142,16 +1122,7 @@ public class StandardWrapper extends ContainerBase // Call the servlet destroy() method try { - if( Globals.IS_SECURITY_ENABLED) { - try { - SecurityUtil.doAsPrivilege("destroy", instance); - } finally { - SecurityUtil.remove(instance); - } - } else { - instance.destroy(); - } - + instance.destroy(); } catch (Throwable t) { t = ExceptionUtils.unwrapInvocationTargetException(t); ExceptionUtils.handleThrowable(t); diff --git a/java/org/apache/catalina/security/SecurityUtil.java b/java/org/apache/catalina/security/SecurityUtil.java index 20b5c0e498..5a245217b8 100644 --- a/java/org/apache/catalina/security/SecurityUtil.java +++ b/java/org/apache/catalina/security/SecurityUtil.java @@ -76,10 +76,6 @@ public final class SecurityUtil{ private static final Log log = LogFactory.getLog(SecurityUtil.class); - private static final boolean packageDefinitionEnabled = - (System.getProperty("package.definition") == null && - System.getProperty("package.access") == null) ? false : true; - /** * The string resources for this package. */ 
@@ -413,19 +409,4 @@ public final class SecurityUtil{ public static void remove(Object cachedObject){ classCache.remove(cachedObject); } - - - /** - * Return the <code>SecurityManager</code> only if Security is enabled AND - * package protection mechanism is enabled. - * @return <code>true</code> if package level protection is enabled - */ - public static boolean isPackageProtectionEnabled(){ - if (packageDefinitionEnabled && Globals.IS_SECURITY_ENABLED){ - return true; - } - return false; - } - - } diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java b/java/org/apache/catalina/servlets/DefaultServlet.java index 7a647b0804..dc00ef6897 100644 --- a/java/org/apache/catalina/servlets/DefaultServlet.java +++ b/java/org/apache/catalina/servlets/DefaultServlet.java @@ -43,14 +43,10 @@ import java.util.List; import java.util.Locale; import java.util.function.Function; -import javax.xml.parsers.DocumentBuilder; -import javax.xml.parsers.DocumentBuilderFactory; -import javax.xml.parsers.ParserConfigurationException; import javax.xml.transform.Source; import javax.xml.transform.Transformer; import javax.xml.transform.TransformerException; import javax.xml.transform.TransformerFactory; -import javax.xml.transform.dom.DOMSource; import javax.xml.transform.stream.StreamResult; import javax.xml.transform.stream.StreamSource; @@ -83,10 +79,6 @@ import org.apache.tomcat.util.http.parser.EntityTag; import org.apache.tomcat.util.http.parser.Ranges; import org.apache.tomcat.util.res.StringManager; import org.apache.tomcat.util.security.Escape; -import org.w3c.dom.Document; -import org.xml.sax.InputSource; -import org.xml.sax.SAXException; -import org.xml.sax.ext.EntityResolver2; /** 
@@ -140,10 +132,6 @@ public class DefaultServlet extends HttpServlet { */ protected static final StringManager sm = StringManager.getManager(DefaultServlet.class); - private static final DocumentBuilderFactory factory; - - private static final SecureEntityResolver secureEntityResolver; - /** * Full range marker. */ @@ -162,21 +150,6 @@ public class DefaultServlet extends HttpServlet { protected static final int BUFFER_SIZE = 4096; - // ----------------------------------------------------- Static Initializer - - static { - if (Globals.IS_SECURITY_ENABLED) { - factory = DocumentBuilderFactory.newInstance(); - factory.setNamespaceAware(true); - factory.setValidating(false); - secureEntityResolver = new SecureEntityResolver(); - } else { - factory = null; - secureEntityResolver = null; - } - } - - // ----------------------------------------------------- Instance Variables /** @@ -2008,11 +1981,7 @@ public class DefaultServlet extends HttpServlet { if (resource.isFile()) { InputStream is = resource.getInputStream(); if (is != null) { - if (Globals.IS_SECURITY_ENABLED) { - return secureXslt(is); - } else { - return new StreamSource(is); - } + return new StreamSource(is); } } if (debug > 10) { @@ -2024,11 +1993,7 @@ public class DefaultServlet extends HttpServlet { InputStream is = getServletContext().getResourceAsStream(contextXsltFile); if (is != null) { - if (Globals.IS_SECURITY_ENABLED) { - return secureXslt(is); - } else { - return new StreamSource(is); - } + return new StreamSource(is); } if (debug > 10) { 
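Review bot: Both stylesheet-loading hunks in DefaultServlet (the `resource.getInputStream()` branch and the `getServletContext().getResourceAsStream(contextXsltFile)` branch) now return `new StreamSource(is)` unconditionally. No code path filters external entities in the XSLT input any more, so entity and DTD handling falls to whatever the `TransformerFactory` is configured to allow. The factory setup is outside these hunks. If it does not already restrict external access, I would set `XMLConstants.FEATURE_SECURE_PROCESSING` and empty `XMLConstants.ACCESS_EXTERNAL_DTD` / `XMLConstants.ACCESS_EXTERNAL_STYLESHEET` attributes where the factory is created. At minimum, add a comment at both return sites such as `// Stylesheet is treated as trusted configuration; no entity filtering is applied here`.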
@@ -2104,31 +2069,6 @@ public class DefaultServlet extends HttpServlet { } - private Source secureXslt(InputStream is) { - // Need to filter out any external entities - Source result = null; - try { - DocumentBuilder builder = factory.newDocumentBuilder(); - builder.setEntityResolver(secureEntityResolver); - Document document = builder.parse(is); - result = new DOMSource(document); - } catch (ParserConfigurationException | SAXException | IOException e) { - if (debug > 0) { - log(e.getMessage(), e); - } - } finally { - if (is != null) { - try { - is.close(); - } catch (IOException e) { - // Ignore - } - } - } - return result; - } - - // -------------------------------------------------------- protected Methods /** @@ -2656,36 +2596,6 @@ public class DefaultServlet extends HttpServlet { } - /** - * This is secure in the sense that any attempt to use an external entity - * will trigger an exception. - */ - private static class SecureEntityResolver implements EntityResolver2 { - - @Override - public InputSource resolveEntity(String publicId, String systemId) - throws SAXException, IOException { - throw new SAXException(sm.getString("defaultServlet.blockExternalEntity", - publicId, systemId)); - } - - @Override - public InputSource getExternalSubset(String name, String baseURI) - throws SAXException, IOException { - throw new SAXException(sm.getString("defaultServlet.blockExternalSubset", - name, baseURI)); - } - - @Override - public InputSource resolveEntity(String name, String publicId, - String baseURI, String systemId) throws SAXException, - IOException { - throw new SAXException(sm.getString("defaultServlet.blockExternalEntity2", - name, publicId, baseURI, systemId)); - } - } - - /** * Gets the ordering character to be used for a particular column. * diff --git a/java/org/apache/catalina/session/DataSourceStore.java b/java/org/apache/catalina/session/DataSourceStore.java index 1178eac41d..7bd8957a1e 100644 --- a/java/org/apache/catalina/session/DataSourceStore.java 
+++ b/java/org/apache/catalina/session/DataSourceStore.java @@ -37,7 +37,6 @@ import javax.naming.NamingException; import javax.sql.DataSource; import org.apache.catalina.Container; -import org.apache.catalina.Globals; import org.apache.catalina.Session; import org.apache.juli.logging.Log; @@ -466,7 +465,7 @@ public class DataSourceStore extends StoreBase { return null; } - ClassLoader oldThreadContextCL = context.bind(Globals.IS_SECURITY_ENABLED, null); + ClassLoader oldThreadContextCL = context.bind(false, null); try (PreparedStatement preparedLoadSql = _conn.prepareStatement(loadSql)){ preparedLoadSql.setString(1, id); @@ -493,7 +492,7 @@ public class DataSourceStore extends StoreBase { } catch (SQLException e) { contextLog.error(sm.getString(getStoreName() + ".SQLException", e)); } finally { - context.unbind(Globals.IS_SECURITY_ENABLED, oldThreadContextCL); + context.unbind(false, oldThreadContextCL); release(_conn); } numberOfTries--; @@ -698,7 +697,7 @@ public class DataSourceStore extends StoreBase { org.apache.catalina.Context context = getManager().getContext(); ClassLoader oldThreadContextCL = null; if (localDataSource) { - oldThreadContextCL = context.bind(Globals.IS_SECURITY_ENABLED, null); + oldThreadContextCL = context.bind(false, null); } Context initCtx; @@ -712,7 +711,7 @@ public class DataSourceStore extends StoreBase { this.dataSourceName), e); } finally { if (localDataSource) { - context.unbind(Globals.IS_SECURITY_ENABLED, oldThreadContextCL); + context.unbind(false, oldThreadContextCL); } } } diff --git a/java/org/apache/catalina/session/FileStore.java b/java/org/apache/catalina/session/FileStore.java index 1aba87e719..22107f3141 100644 --- a/java/org/apache/catalina/session/FileStore.java +++ b/java/org/apache/catalina/session/FileStore.java 
@@ -30,7 +30,6 @@ import java.util.List; import jakarta.servlet.ServletContext; import org.apache.catalina.Context; -import org.apache.catalina.Globals; import org.apache.catalina.Session; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; @@ -226,7 +225,7 @@ public final class FileStore extends StoreBase { contextLog.debug(sm.getString(getStoreName()+".loading", id, file.getAbsolutePath())); } - ClassLoader oldThreadContextCL = context.bind(Globals.IS_SECURITY_ENABLED, null); + ClassLoader oldThreadContextCL = context.bind(false, null); try (FileInputStream fis = new FileInputStream(file.getAbsolutePath()); ObjectInputStream ois = getObjectInputStream(fis)) { @@ -241,7 +240,7 @@ public final class FileStore extends StoreBase { } return null; } finally { - context.unbind(Globals.IS_SECURITY_ENABLED, oldThreadContextCL); + context.unbind(false, oldThreadContextCL); } } diff --git a/java/org/apache/catalina/session/ManagerBase.java b/java/org/apache/catalina/session/ManagerBase.java index c78b1ae4c2..a5973932cd 100644 --- a/java/org/apache/catalina/session/ManagerBase.java +++ b/java/org/apache/catalina/session/ManagerBase.java 
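Review bot: The FileStore load path deserializes the session file through `getObjectInputStream(fis)`, and this same commit deletes the ManagerBase constructor that installed a default `sessionAttributeValueClassNameFilter` when a SecurityManager was present. No class-name restriction on session attribute values is therefore configured by default in any deployment. Whether `getObjectInputStream` applies some other filter is not visible in this hunk. I would add a comment before the `try`, e.g. `// Deserializes stored session data; class filtering depends on the Manager's configured attribute filters`, and state in the Manager documentation that a filter must be set explicitly when sessions are persisted or replicated. The enclosing method starts and ends outside the hunk.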
@@ -206,22 +206,6 @@ public abstract class ManagerBase extends LifecycleMBeanBase implements Manager private boolean sessionLastAccessAtStart = Globals.STRICT_SERVLET_COMPLIANCE; - // ------------------------------------------------------------ Constructors - - public ManagerBase() { - if (Globals.IS_SECURITY_ENABLED) { - // Minimum set required for default distribution/persistence to work - // plus String - // plus SerializablePrincipal and String[] (required for authentication persistence) - setSessionAttributeValueClassNameFilter( - "java\\.lang\\.(?:Boolean|Integer|Long|Number|String)" - + "|org\\.apache\\.catalina\\.realm\\.GenericPrincipal\\$SerializablePrincipal" - + "|\\[Ljava.lang.String;"); - setWarnOnSessionAttributeFilterFailure(true); - } - } - - // -------------------------------------------------------------- Properties @Override diff --git a/java/org/apache/catalina/session/StandardSession.java b/java/org/apache/catalina/session/StandardSession.java index bb02064506..13b7d2af7d 100644 --- a/java/org/apache/catalina/session/StandardSession.java +++ b/java/org/apache/catalina/session/StandardSession.java @@ -48,7 +48,6 @@ import jakarta.servlet.http.HttpSessionIdListener; import jakarta.servlet.http.HttpSessionListener; import org.apache.catalina.Context; -import org.apache.catalina.Globals; import org.apache.catalina.Manager; import org.apache.catalina.Session; import org.apache.catalina.SessionEvent; @@ -764,7 +763,7 @@ public class StandardSession implements HttpSession, Session, Serializable { if (notify) { ClassLoader oldContextClassLoader = null; try { - oldContextClassLoader = context.bind(Globals.IS_SECURITY_ENABLED, null); + oldContextClassLoader = context.bind(false, null); Object listeners[] = context.getApplicationLifecycleListeners(); if (listeners != null && listeners.length > 0) { HttpSessionEvent event = 
@@ -796,7 +795,7 @@ public class StandardSession implements HttpSession, Session, Serializable { } } } finally { - context.unbind(Globals.IS_SECURITY_ENABLED, oldContextClassLoader); + context.unbind(false, oldContextClassLoader); } } @@ -832,12 +831,12 @@ public class StandardSession implements HttpSession, Session, Serializable { String keys[] = keys(); ClassLoader oldContextClassLoader = null; try { - oldContextClassLoader = context.bind(Globals.IS_SECURITY_ENABLED, null); + oldContextClassLoader = context.bind(false, null); for (String key : keys) { removeAttributeInternal(key, notify); } } finally { - context.unbind(Globals.IS_SECURITY_ENABLED, oldContextClassLoader); + context.unbind(false, oldContextClassLoader); } } diff --git a/java/org/apache/catalina/valves/PersistentValve.java b/java/org/apache/catalina/valves/PersistentValve.java index a63794caa1..cd36b1386d 100644 --- a/java/org/apache/catalina/valves/PersistentValve.java +++ b/java/org/apache/catalina/valves/PersistentValve.java @@ -26,7 +26,6 @@ import jakarta.servlet.http.HttpServletResponse; import org.apache.catalina.Container; import org.apache.catalina.Context; import org.apache.catalina.Engine; -import org.apache.catalina.Globals; import org.apache.catalina.Host; import org.apache.catalina.Manager; import org.apache.catalina.Session; @@ -231,14 +230,14 @@ public class PersistentValve extends ValveBase { private void bind(Context context) { if (clBindRequired) { - context.bind(Globals.IS_SECURITY_ENABLED, MY_CLASSLOADER); + context.bind(false, MY_CLASSLOADER); } } private void unbind(Context context) { if (clBindRequired) { - context.unbind(Globals.IS_SECURITY_ENABLED, MY_CLASSLOADER); + context.unbind(false, MY_CLASSLOADER); } } --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org