DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17523>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17523 Servlet can't getSession ------- Additional Comments From [EMAIL PROTECTED] 2003-03-24 20:38 ------- This is definitely a security-related bug. I verified this to be a problem even on Tomcat 4.1.24. The key to this is that CoyoteRequest$PrivilegedGetSession likely needs to be preloaded by the Tomcat [non-webapp] classloader. At runtime, your servlet calls getSession, and CoyoteRequest attempts to load PrivilegedGetSession w/o enough permissions. The predecessor to CoyoteRequest had the same issue so its implementation of PrivilegedGetSession got preloaded during server initialization. This bug gets masked when you access the admin webapp (for example) before accessing your untrusted servlet since the admin webapp has more runtime security permissions than your untrusted servlet. java.lang.NoClassDefFoundError: org/apache/coyote/tomcat4/CoyoteRequest$PrivilegedGetSession at org.apache.coyote.tomcat4.CoyoteRequest.getSession (CoyoteRequest.java:1728) at org.apache.coyote.tomcat4.CoyoteRequestFacade.getSession (CoyoteRequestFacade.java:365) --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]