Nick Rothwell wrote:
> OK - let me just think this through out loud (Makefiles and EMACS at the
> ready):
>
> For my own development space, I'm putting "system" stuff (the JDK classes,
> the JSDK classes, JDBC) into wrapper.classpath, and everything else sits in
> a servlet zone with autoload turned on.
>
> An obvious question arises: for actual deployment, why not just turn off
> autoload and leave everything else as is (modulo path changes)?
>
Even with auto-reloading turned off, each zone has its own class loader.
Therefore, each zone will load its own copy of any required class that cannot
be found on the system class path.
>
> Reason 1: if the zones are private, classes cannot be shared. (But private
> zones are a different issue: one could argue for a single zone and just use
> CVS to control deployment by different developers.)
>
This reason is good enough for me. If I have two zones that each use a
particular JDBC driver, I'd rather have them share the same classes, instead of
being loaded separately into each zone. If the driver is on the system class
path, there will only be one copy of the classes themselves in memory.
>
> Reason 2: one could subvert the server by writing
> http://server/servlets/com.package.classname as a URL for classes which
> aren't servlets. (This is ugly but probably benign - it's an argument that a
> servlet zone should only contain non-abstract servlet subclasses.)
>
If "com.package.classname" is not a servlet, this will generate a
ClassCastException somewhere inside the servlet engine. For example, the
servlet engine has to cast the object to a Servlet or HttpServlet to be able to
execute the service() method.
However, the ability to execute "anonymous" classes that *do* implement Servlet
or HttpServlet, by asking for them in a URL like this, can still be a security
risk. Some servlet engines (such as JSWDK) let you turn this "invoker"
behavior off if you do not want it.
>
> Having said that, I'm having a hard time coming up with a reason for pushing
> stuff into the real classpath rather than just disabling autoloading in a
> servlet zone. I suspect I'm missing something...
>
Memory occupancy. If you've only got two zones, it's probably no big deal. If
you've got lots of them, it can be a very big deal.
Craig
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
