https://issues.apache.org/bugzilla/show_bug.cgi?id=55317
--- Comment #5 from Jeremy Boynes <jboy...@apache.org> ---

I have reservations around the security consequences of providing anything that has access to the webapp classloader the ability to modify any code defined by that classloader. Currently, that has to be specifically enabled by adding an agent to the JVM or by adding a special classloader to the container installation and enabling it in a web application's Context. This change would automatically enable this for all applications. Further, if an application was enabled for cross-context dispatch it would also be able to register a transformer to modify the code of other applications.

Some sort of check seems needed here - for example, that transformers can only transform classes for their own web application where permission has been explicitly granted (perhaps based on ProtectionDomain).

I'd think the ProtectionDomain should also be passed to any ClassFileTransformer called.
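
One way to express the check suggested in this comment, as an added example that is not code from the bug report or from Tomcat: a wrapper that forwards to a web application's ClassFileTransformer only for classes defined by that application's own class loader from a code source under its root, and passes the ProtectionDomain through. `ScopedTransformer`, its constructor parameters and the sample URLs are hypothetical; the explicit permission grant mentioned in the comment is not modelled, and code source locations are assumed to arrive normalized.

```java
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.IllegalClassFormatException;
import java.net.URI;
import java.net.URL;
import java.security.CodeSource;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

// Hypothetical guard (not a Tomcat class): the delegate only sees its own webapp's classes.
public final class ScopedTransformer implements ClassFileTransformer {
    private final ClassFileTransformer delegate; // transformer the webapp registered
    private final ClassLoader owner;             // that webapp's class loader
    private final String codeBase;               // assumption: webapp root URL, ends in "/"
    public ScopedTransformer(ClassFileTransformer delegate, ClassLoader owner, URL webappRoot) {
        this.delegate = delegate;
        this.owner = owner;
        String base = webappRoot.toExternalForm();
        this.codeBase = base.endsWith("/") ? base : base + "/";
    }
    // In scope only if defined by the owning loader from a location under the webapp root.
    // Assumes locations are normalized (no ".." segments) by the container.
    boolean inScope(ClassLoader loader, ProtectionDomain pd) {
        if (loader != owner || pd == null) return false;
        CodeSource cs = pd.getCodeSource();
        return cs != null && cs.getLocation() != null
                && cs.getLocation().toExternalForm().startsWith(codeBase);
    }

    @Override
    public byte[] transform(ClassLoader loader, String name, Class<?> redefined,
            ProtectionDomain pd, byte[] bytes) throws IllegalClassFormatException {
        // null tells the JVM "no change"; on a match the ProtectionDomain is passed through.
        return inScope(loader, pd) ? delegate.transform(loader, name, redefined, pd, bytes) : null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample locations, not values from the bug report.
        URL app1 = URI.create("file:/constructed/webapps/app1/").toURL();
        ClassLoader cl = ScopedTransformer.class.getClassLoader();
        ClassFileTransformer marker = new ClassFileTransformer() {
            @Override public byte[] transform(ClassLoader l, String n, Class<?> c,
                    ProtectionDomain d, byte[] b) { return new byte[] {1}; }
        };
        ScopedTransformer t = new ScopedTransformer(marker, cl, app1);
        for (String loc : new String[] {"file:/constructed/webapps/app1/WEB-INF/classes/",
                                        "file:/constructed/webapps/app2/WEB-INF/classes/"}) {
            CodeSource cs = new CodeSource(URI.create(loc).toURL(), (Certificate[]) null);
            byte[] out = t.transform(cl, "Sample", null, new ProtectionDomain(cs, null), new byte[0]);
            System.out.println(loc + " transformed: " + (out != null));
        }
    }
}
```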