> On Apr 23, 2021, at 5:09 PM, David Blevins <david.blev...@gmail.com> wrote: > >> On Apr 17, 2021, at 4:06 PM, David Blevins <david.blev...@gmail.com> wrote: >> >> Digging up this old discussion thread on removing the tomee-foo-webapp >> modules. >> >> At the moment our TCK progress is essentially halted due to issues created >> by the complexity of these webapps and how we build the server. > [...] >> There are duplicates of basically any SNAPSHOT dependency. > > Some overdue updates for everyone. First, I filed a JIRA for this effort and > linked this thread as Richard suggested (good suggestion, Richard!): > > - https://issues.apache.org/jira/browse/TOMEE-3724 > [...] > That's about as far as I'll take this for now. We can do more, but this was > enough to get the TCK functional again despite the additional snapshots. Digging up this old thread again. For those who do not have the thread in their history you can review it here: https://lists.apache.org/thread/31w7336d5ycqhmoy4pngbsjg3odm0yqx Essentially, we've been slowly removing these webapps over the years. We missed the opportunity to discontinue them for 8 and 9, but it would be wonderful to take another step in 10 and at least ensure they are not published. I've created a PR for that here: - https://github.com/apache/tomee/pull/1714 For those who do not understand the danger of these, it is essentially that they only sometimes work and the technique they use to sometimes work is quite dangerous and not something that should be allowed by any webapp. When they do work, here's how it goes: - The tomee webapp happens to start first (by chance) - It reads all the jar files in the webapp and one by one forces them into the parent classloader using `Unsafe` - It modifies Tomcat internal state in memory *during startup* which is not thread-safe, such as replacing lists and map instances that are in use. Again using `Unsafe` - We have now forced code into the Tomcat system classloader that wasn't there and hijacked Tomcat internals (easy to see how this can be dangerous) - The webapps that happen to start after very possibly work fine, but still may face classloading issues arising from the parent being so greatly changed and some resolution having already occurred which will not resolve differently for any classes loaded afterwards When they don't work, here's how it goes: - One or all of your webapps happen to start first (by chance) - No "tomee" classes are present and webapps needing that functionality cannot work - The webapp will still be started and all initialization code will still run. It may fail, or worse it may have "succeed" and created a critically flawed result - Tomcat will now direct real traffic to the webapp in this state and your webapp will begin trying to answer in its broken state. Requests may fail, or worse it may "succeed" and return a critically flawed result - The "tomee" webapp will start and begin the above modification process *while your webapp is runnning*!!! - The "tomee" webapp will finish its logic and then attempt to restart every webapp that started before it. Again, while Tomcat is currently serving traffic to those webapps - The previously started webapps will shutdown, start again and may possibly work I can only describe our decision to put that code in back in 2007 as youthful hubris. We were too clever for our own good. In our defense, the project was still called OpenEJB and this was the birth of what became TomEE. The webapp was simply called "openejb-tomcat-webapp" and was the only option for a few years. Here's where that was born: - https://github.com/apache/tomee/commits/3fa0420a7145a25e18ca202f4f170d60886e6e60/assembly/openejb-tomcat/openejb-tomcat-webapp?after=3fa0420a7145a25e18ca202f4f170d60886e6e60+104 There was no TomEE zip or tar with everything in it as we have them now. These were created by Jonathan Gallimore created a couple years later. I can understand that some people may be having success with these, but the dangers are significant and there is no longer any good reason for them to exist and remain in use. They should have been removed years ago and only have not been because the process we use to build the zips takes the webapps as one of the inputs. In the end result, however, the webapps are fully gone. We should still do the work to eliminate the creation of the webapps entirely, but for now the above PR simply ensures they are not published. If people want them, they should have to build them themselves and accept all responsibility. Definitely no new adoption should occur. While they're still used in the build for now, at the very least not publishing them and this email will hopefully scare people into putting the work into simply using a TomEE zip or tar. -David
