Re: [PATCH] JasperLoader - Security manager usage LoadClass concurrency problem fix

2004-03-04 Thread ax
This account does not exist



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



[PATCH] JasperLoader - Security manager usage LoadClass concurrency problem fix

2004-03-04 Thread Matti Härö
Hi,

the patch below fixes a bug that occasionally causes a NullPointerException in
the loadClass() method. The problem was caused by the way the system security
manager was used in this class. For checking if there is a security manager, and
then using the security manager for checking the access, two (potentially
different) security managers were used. Checking for the existence of a security
manager was done by System.getSecurityManager(). Then inside the if block, a
reference to a class private variable securityManager was used.

The private variable securityManager had been set in the constructor of the
JasperLoader instance, and was often different from the one used in the
loadClass() method for checking if there was a securityManager. More
specifically, the private attribute securityManager was often null, while
System.getSecurityManager() returned a non-null value in the loadClass() method.
This in turn caused loadClass() to throw a NullPointerException.

Mr Matti Haro

--- JasperLoader.java   2004-03-04 08:57:52.0 +0200
+++
./tomcat-5-0-19-src/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/servlet/JasperLoader.java
   2004-03-04 08:59:43.0 +0200
@@ -75,6 +75,7 @@
  * @author Anil K. Vijendran
  * @author Harish Prabandham
  * @author Jean-Francois Arcand
+ * @author Matti Haro
  */
 public class JasperLoader extends URLClassLoader {

@@ -82,7 +83,6 @@
 private CodeSource codeSource;
 private String className;
 private ClassLoader parent;
-private SecurityManager securityManager;
 private PrivilegedLoadClass privLoadClass;

 public JasperLoader(URL[] urls, ClassLoader parent,
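
Review bot: removing the securityManager field here leaves every other reference to it in the class dependent on a replacement, and the only replacement visible in this patch is the local added in loadClass(). Please confirm that no other method still reads the field; if one does, it needs its own System.getSecurityManager() read into a local, with the null check and the call both going through that local.
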
@@ -93,7 +93,6 @@
this.codeSource = codeSource;
this.parent = parent;
 this.privLoadClass = new PrivilegedLoadClass();
-   this.securityManager = System.getSecurityManager();
 }

 /**
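
Review bot: dropping the constructor assignment this.securityManager = System.getSecurityManager(); changes when the manager is resolved, from once per loader to once per loadClass() call, and nothing in the patch documents that. If the goal is only to stop the NullPointerException, a narrower change is to keep this assignment, make the field final, and have loadClass() test and call that same field; otherwise state the new per-call behaviour in the class Javadoc.
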
@@ -147,8 +146,9 @@
 resolveClass(clazz);
 return (clazz);
 }
-
+
 // (.5) Permission to access this class when using a SecurityManager
+SecurityManager securityManager = System.getSecurityManager();
 if (securityManager != null) {
 int dot = name.lastIndexOf('.');
 if (dot = 0) {
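
Review bot: the local added before if (securityManager != null) reuses the name of the field removed earlier in the patch; give it a distinct name (for example sm) and declare it final, so the null check and the later calls provably go through a single read of System.getSecurityManager(). The -/+ pair on the blank line above the (.5) comment is a whitespace-only change and should be dropped from the patch.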




Re: [PATCH] JasperLoader - Security manager usage LoadClass concurrency problem fix

2004-03-04 Thread Glenn Nielsen
This only occurs when Tomcat is started without a SecurityManager and
then later application code sets a SecurityManager.

Please see the following bug report for an explanation of why
that is not a good thing to do:

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7052

Thanks for taking the time to analyze how this works but the
behaviour will not be changed.

Glenn

On Thu, Mar 04, 2004 at 11:46:31AM +0200, Matti Härö wrote:
 Hi,
 
 the patch below fixes a bug that occasionally causes a NullPointerException in
 the loadClass() method. The problem was caused by the way the system security
 manager was used in this class. For checking if there is a security manager, and
 then using the security manager for checking the access, two (potentially
 different) security managers were used. Checking for the existence of a security
 manager was done by System.getSecurityManager(). Then inside the if block, a
 reference to a class private variable securityManager was used.
 
 The private variable securityManager had been set in the constructor of the
 JasperLoader instance, and was often different from the one used in the
 loadClass() method for checking if there was a securityManager. More
 specifically, the private attribute securityManager was often null, while
 System.getSecurityManager() returned a non-null value in the loadClass() method.
 This in turn caused loadClass() to throw a NullPointerException.
 
 Mr Matti Haro
 
 --- JasperLoader.java   2004-03-04 08:57:52.0 +0200
 +++
 ./tomcat-5-0-19-src/jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/servlet/JasperLoader.java
2004-03-04 08:59:43.0 +0200
 @@ -75,6 +75,7 @@
   * @author Anil K. Vijendran
   * @author Harish Prabandham
   * @author Jean-Francois Arcand
 + * @author Matti Haro
   */
  public class JasperLoader extends URLClassLoader {
 
 @@ -82,7 +83,6 @@
  private CodeSource codeSource;
  private String className;
  private ClassLoader parent;
 -private SecurityManager securityManager;
  private PrivilegedLoadClass privLoadClass;
 
  public JasperLoader(URL[] urls, ClassLoader parent,
 @@ -93,7 +93,6 @@
 this.codeSource = codeSource;
 this.parent = parent;
  this.privLoadClass = new PrivilegedLoadClass();
 -   this.securityManager = System.getSecurityManager();
  }
 
  /**
 @@ -147,8 +146,9 @@
  resolveClass(clazz);
  return (clazz);
  }
 -
 +
  // (.5) Permission to access this class when using a SecurityManager
 +SecurityManager securityManager = System.getSecurityManager();
  if (securityManager != null) {
  int dot = name.lastIndexOf('.');
  if (dot = 0) {
 
--
Glenn Nielsen [EMAIL PROTECTED] | /* Spelin donut madder|
MOREnet System Programming   |  * if iz ina coment.  |
Missouri Research and Education Network  |  */   |
--
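
The check/use mismatch described in the first message, and the late-installed manager case raised in the reply, as an added example that is not part of the thread or of Tomcat's code. Policy and GLOBAL are hypothetical stand-ins for SecurityManager and System.getSecurityManager()/setSecurityManager(), used because SecurityManager is deprecated for removal in current JDKs; the package name is a constructed sample.

```java
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Supplier;

// Added illustration. Policy and GLOBAL are hypothetical stand-ins for
// SecurityManager and System.get/setSecurityManager(); this is not Tomcat code.
public class CheckUseMismatch {
    interface Policy { void checkPackageAccess(String pkg); }
    static final AtomicReference<Policy> GLOBAL = new AtomicReference<>();

    static class Loader {
        private final Policy snapshot = GLOBAL.get();  // captured at construction

        // Pattern described in the first message: test one reference, call another.
        String mismatched(String pkg) {
            if (GLOBAL.get() != null) snapshot.checkPackageAccess(pkg); // snapshot may be null
            return "loaded";
        }
        // Patched pattern: one read into a local, used for both check and call.
        String perCall(String pkg) {
            final Policy p = GLOBAL.get();
            if (p != null) p.checkPackageAccess(pkg);
            return "loaded";
        }
        // Alternative: the snapshot is used for both check and call, so a
        // policy installed after construction is never consulted.
        String snapshotOnly(String pkg) {
            if (snapshot != null) snapshot.checkPackageAccess(pkg);
            return "loaded";
        }
    }

    // Runs one variant and reports either its result or the exception type.
    static String run(Supplier<String> call) {
        try { return call.get(); }
        catch (RuntimeException e) { return e.getClass().getSimpleName(); }
    }

    public static void main(String[] args) {
        Loader loader = new Loader();            // no policy installed yet
        GLOBAL.set(name -> {                     // application installs one later
            if (name.startsWith("internal.")) throw new SecurityException(name);
        });
        String pkg = "internal.secrets";         // constructed sample package name
        System.out.println("mismatched:   " + run(() -> loader.mismatched(pkg)));
        System.out.println("perCall:      " + run(() -> loader.perCall(pkg)));
        System.out.println("snapshotOnly: " + run(() -> loader.snapshotOnly(pkg)));
    }
}
```

Run as written, the three variants report NullPointerException, SecurityException and loaded respectively: the mismatch crashes, the per-call read enforces the late-installed policy, and the consistent snapshot silently skips it.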
