> All, > > I admit my previous method for protecting Tomcat from conflicting system > extensions proved to be a bit flawed. However, I still would like to > add some protection against these conflicts since this tends to be a > difficult to diagnose problem for a lot of new Tomcat users. On the > other hand, I don't think we want to prevent knowledgable users from > using their installed extensions to support their installation. > > So, here is what I propose. Note that I am in favor of checking the > installed extensions so this proposal should be complimentary to any > checking that might be implemented in the Tomcat code: > > 1. Add the following to each Java execution line in the wrapper scripts: > > Unix: > -Djava.ext.dirs="$JAVA_EXT_DIRS" > Windows: > -Djava.ext.dirs="%JAVA_EXT_DIRS%" > > 2. Add the following lines in setclasspath.bat and setclasspath.sh: > > Unix: > if [ -z "$JAVA_EXT_DIRS" ]; then > echo "Disabling installed Java extensions. Set the" > echo "JAVA_EXT_DIRS environment variable to the following > value" > echo "to enable installed Java extensions:" > echo " $JAVA_HOME/jre/lib/ext" > fi > Windows: > if not "%JAVA_EXT_DIRS%" == "" goto gotJavaExtDirs > echo Disabling installed Java extensions. Set the > echo JAVA_EXT_DIRS environment variable to the following value > > echo to enable installed Java extensions: > echo %JAVA_HOME%\jre\lib\ext > :gotJavaExtDirs > > 3. If the user does not defined JAVA_EXT_DIRS (the default case), the > java.ext.dirs property is set to "" and the above status message is > printed. Then, if the user defines JAVA_EXT_DIRS, the existing > behavior is enabled. > > Since new Tomcat users primarily use the installed scripts, this is a > good way to protect Tomcat without preventing other custom scripts or > launchers from enforcing a different standard. > > Does this sound like a reasonable approach? It would be nice to have > this property setting in the Bootstrap.java class, but unfortunately, > you must set the java.endorsed.dirs property when the JVM is started as > it is immediately put in the JVM's bootstrap classpath.
As Costin mentioned, it's not necessarily a good idea because of the complexity issue; this is similar to what is done to ignore the classpath. Remy -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
