Author: markt
Date: Mon Nov 25 10:30:24 2013
New Revision: 1545214
URL: http://svn.apache.org/r1545214
Log:
When running under a security manager disabled deployXML by default.
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/StandardHost.java
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc7.0.x/trunk/webapps/docs/config/host.xml
tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml
Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
Merged /tomcat/trunk:r1545213
Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/StandardHost.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/StandardHost.java?rev=1545214&r1=1545213&r2=1545214&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/StandardHost.java
(original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/StandardHost.java Mon
Nov 25 10:30:24 2013
@@ -27,6 +27,7 @@ import java.util.regex.Pattern;
import org.apache.catalina.Container;
import org.apache.catalina.Context;
+import org.apache.catalina.Globals;
import org.apache.catalina.Host;
import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
@@ -120,7 +121,7 @@ public class StandardHost extends Contai
/**
* deploy Context XML config files property.
*/
- private boolean deployXML = true;
+ private boolean deployXML = !Globals.IS_SECURITY_ENABLED;
/**
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1545214&r1=1545213&r2=1545214&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Mon Nov 25 10:30:24 2013
@@ -160,6 +160,11 @@
control if Jasper (the JSP engine) uses a validating parser when
processing *.jspx and *.tagx files. (markt)
</add>
+ <add>
+ When running under a security manager, change the default value of the
+ Host's <code>deloyXML</code> attribute to <code>false</code>.
+ (markt)
+ </add>
</changelog>
</subsection>
<subsection name="Coyote">
Modified: tomcat/tc7.0.x/trunk/webapps/docs/config/host.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/config/host.xml?rev=1545214&r1=1545213&r2=1545214&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/config/host.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/config/host.xml Mon Nov 25 10:30:24 2013
@@ -244,7 +244,8 @@
then be responsible for providing an external context configuration
file, and putting it in the location defined by the
<strong>xmlBase</strong> attribute. The flag's value defaults to
- <code>true</code>.</p>
+ <code>true</code> unless a security manager is enabled when the default
+ is <code>false</code>.</p>
</attribute>
<attribute name="errorReportValveClass" required="false">
Modified: tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml?rev=1545214&r1=1545213&r2=1545214&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml Mon Nov 25 10:30:24
2013
@@ -173,6 +173,13 @@
manager should be introduced at the start of the development cycle as it
can
be time-consuming to track down and fix issues caused by enabling a
security
manager for a mature application.</p>
+
+ <p>Enabling the security manager changes the defaults for the following
+ settings:</p>
+ <ul>
+ <li>The default value for the <strong>deployXML</strong> attribute of the
+ <strong>Host</strong> element is changed to <code>false</code>.</li>
+ </ul>
</section>
<section name="server.xml">
@@ -293,9 +300,11 @@
</p>
<p>In a hosted environment where web applications may not be trusted, set
- the <strong>deployXML</strong> attribute to <code>false</code> to ignore
any
- context.xml packaged with the web application that may try to assign
- increased privileges to the web application. </p>
+ the <strong>deployXML</strong> attribute to <code>false</code> to ignore
+ any context.xml packaged with the web application that may try to assign
+ increased privileges to the web application. Note that if the security
+ manager is enabled that the <strong>deployXML</strong> attribute will
+ default to <code>false</code>.</p>
</subsection>
<subsection name="Context">
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
