remm 02/02/16 11:34:28 Modified: catalina/src/share/org/apache/catalina/loader WebappClassLoader.java Log: - Final (?) cleanup of the CL, which should now implement all the spec requirements, by first trying to load a class using the system classloader (so it's not possible anymore to override any of the classes from the JDK, regardless of whether or not they are public, or part of the javax. package). - Triggers for JNDI and JAXP are needed for JDK < 1.3 and 1.4 respectively (otherwise, classcasts would occur). - Adding a repository containing javax.servlet.* in the webapp is forbidden (the repository will be excluded). Revision Changes Path 1.35 +19 -24 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java
Index: WebappClassLoader.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- WebappClassLoader.java 12 Feb 2002 17:59:57 -0000 1.34
+++ WebappClassLoader.java 16 Feb 2002 19:34:28 -0000 1.35
@@ -1,7 +1,7 @@
 /*
- * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java,v 1.34 2002/02/12 17:59:57 remm Exp $
- * $Revision: 1.34 $
- * $Date: 2002/02/12 17:59:57 $
+ * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java,v 1.35 2002/02/16 19:34:28 remm Exp $
+ * $Revision: 1.35 $
+ * $Date: 2002/02/16 19:34:28 $
 *
 * ====================================================================
 *
@@ -122,7 +122,7 @@
 *
 * @author Remy Maucherat
 * @author Craig R. McClanahan
- * @version $Revision: 1.34 $ $Date: 2002/02/12 17:59:57 $
+ * @version $Revision: 1.35 $ $Date: 2002/02/16 19:34:28 $
 */
 public class WebappClassLoader
 extends URLClassLoader
@@ -158,10 +158,7 @@
 * earlier versions.
 */
 private static final String[] triggers = {
- "com.sun.jndi.ldap.LdapCtxFactory", // LDAP added in 1.3
- "com.sun.net.ssl.internal.ssl.Provider", // JSSE added in 1.4
- "javax.security.auth.Subject", // JAAS added in 1.4
- "javax.servlet.Servlet" // Servlet API
+ "javax.servlet.Servlet" // Servlet API
 };
@@ -170,16 +167,13 @@
 * class loader.
 */
 private static final String[] packageTriggers = {
- "javax.net", // JSSE added in 1.4
- "javax.net.ssl", // JSSE added in 1.4
- "javax.security.cert", // JSSE added in 1.4
- "javax.naming", // JNDI added in 1.3
- "javax.naming.directory", // JNDI added in 1.3
- "javax.xml.parsers", // JAXP added in 1.4
- "org.xml.sax",
- "org.xml.sax.ext",
- "org.xml.sax.helpers",
- "org.w3c.dom"
+ "javax.naming", // JNDI
+ "javax.naming.directory", // JNDI
+ "javax.xml.parsers", // JAXP
+ "org.xml.sax", // SAX 1 & 2
+ "org.xml.sax.ext", // SAX 1 & 2
+ "org.xml.sax.helpers", // SAX 1 & 2
+ "org.w3c.dom" // DOM 1 & 2
 };
@@ -1297,19 +1291,20 @@
 return (clazz);
 }
- // If a system class, use system class loader
- if( name.startsWith("java.") ) {
- ClassLoader loader = system;
- clazz = loader.loadClass(name);
+ // (0.2) Try loading the class with the system class loader, to prevent
+ // the webapp from overriding J2SE classes
+ try {
+ clazz = system.loadClass(name);
 if (clazz != null) {
 if (resolve)
 resolveClass(clazz);
 return (clazz);
 }
- throw new ClassNotFoundException(name);
+ } catch (ClassNotFoundException e) {
+ // Ignore
 }
- // (.5) Permission to access this class when using a SecurityManager
+ // (0.5) Permission to access this class when using a SecurityManager
 if (securityManager != null) {
 int i = name.lastIndexOf('.');
 if (i >= 0) {
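Review bot: The trailing comments on the entries kept in `packageTriggers` (second hunk on this line) no longer say which JDK first bundled each package, although per the log message that version is the reason the entry is still needed. I would keep it, for example `"javax.naming", // JNDI, needed for JDK < 1.3` and `"javax.xml.parsers", // JAXP, needed for JDK < 1.4`. The `triggers` array in the first hunk has the mirror problem: the LDAP, JSSE and JAAS entries are removed without a comment explaining that the system-first lookup is what replaces them. On a JDK that does not ship those classes, a repository carrying its own copy is presumably no longer excluded, and the Javadoc above the array should state whether that is intended.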
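Review bot: The new `system.loadClass(name)` attempt at (0.2) returns before the SecurityManager package-access check at (0.5) is reached, and unlike the removed `name.startsWith("java.")` branch it applies to every class name, so any class the system loader can resolve is handed back without that check. Whether `system` enforces package access on its own is not visible in this hunk; if it does not, the (0.5) block should run before the delegation. The comment says "J2SE classes", but the code covers everything visible to the system class loader, including whatever sits on the JVM class path, so I would word it `// (0.2) Delegate to the system class loader first; nothing it can load may be overridden by the webapp`. The `clazz != null` test looks redundant if `loadClass` reports failure only by throwing, and the `// Ignore` in the catch could say that the lookup falls through to the webapp repositories. The enclosing method starts and ends outside the hunk.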