Konstantin,

On 8/28/12 5:28 PM, Konstantin Kolinko wrote:
> 2012/8/29 Dale Ogilvie <dale_ogil...@trimble.com>:
>> -----Original Message----- From: Mark Thomas
>> [mailto:ma...@apache.org]
>> 
>>> Not quite. My point was the loading of the EL implementation is
>>> likely to be triggered by user code. If the webapp class loader
>>> is the TCCL loader then classes from the web app will be loaded
>>> before those from the container. If the web app contains
>>> container classes then it is possible that they get loaded from
>>> the webapp rather than from Tomcat. (Enabling the security
>>> manager enables additional class loading checks that would stop
>>> this). Those classes from the webapp then have references held
>>> to them. They will work right up until the point Tomcat tries to
>>> access the class outside of the webapp they were loaded from.
>>> 
>>> Mark
>> 
>> I'm still not quite sure what you are saying matches exactly what
>> I'm seeing Mark.
> 
> 
> Have you ever tried to run with SecurityManager being enabled?
> 
> 
>> So, it appears to me that the class *loading* is occurring "from"
>> app1 in step 4. I'm only pushing this because it kind of looks
>> "buggy" to me.
> 
> Class loading does not always use TCCL.  Sometimes it uses 
> "otherclass.getClassLoader()". See e.g. javadoc of 
> java.lang.Class#forName(String).
> 
> 
> So it is quite valid for it to load a class from app1 even if
> current TCCL belongs to app2.

...and it's worth pointing out that Tomcat cannot protect against this
kind of ClassLoading, since Tomcat can't wrap every ClassLoader that
ever gets created in the JVM. The container can control lots of
things, but this isn't one of them. The same is true for example with
Threads: Tomcat can't prevent a webapp from spewing threads even
though the container is ostensibly "in control".

-chris
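The Class.forName(String) behaviour mentioned in the thread, as an added example that is not part of the original messages: it sets the thread context class loader (TCCL) to a loader that cannot see an application class and shows that Class.forName(String) still resolves it through the caller's defining loader. The names ForNameVsTccl, Marker and definedBy are hypothetical, chosen for this illustration.

```java
import java.net.URL;
import java.net.URLClassLoader;

// Added illustration; class and method names are hypothetical.
public class ForNameVsTccl {

    // Stand-in for a class that only the application's own loader can see.
    public static class Marker {}

    // Identify the loader that defined a class (null means the bootstrap loader).
    static String definedBy(Class<?> c) {
        ClassLoader cl = c.getClassLoader();
        return cl == null
                ? "bootstrap"
                : cl.getClass().getName() + "@" + Integer.toHexString(System.identityHashCode(cl));
    }

    public static void main(String[] args) throws Exception {
        String name = Marker.class.getName(); // binary name, e.g. ForNameVsTccl$Marker
        Thread t = Thread.currentThread();
        ClassLoader original = t.getContextClassLoader();

        // No URLs and a null parent: this loader delegates only to the
        // bootstrap loader, so it cannot see Marker.
        try (URLClassLoader isolated = new URLClassLoader(new URL[0], null)) {
            t.setContextClassLoader(isolated);

            // Class.forName(String) uses the defining loader of the calling
            // class, so the TCCL set above is ignored and the lookup succeeds.
            Class<?> viaCaller = Class.forName(name);
            System.out.println("forName(String) -> defined by " + definedBy(viaCaller));
            System.out.println("same loader as caller: "
                    + (viaCaller.getClassLoader() == ForNameVsTccl.class.getClassLoader()));

            // Asking the TCCL explicitly is a different lookup and fails here.
            try {
                Class.forName(name, true, t.getContextClassLoader());
                System.out.println("forName(name, true, TCCL) -> loaded");
            } catch (ClassNotFoundException e) {
                System.out.println("forName(name, true, TCCL) -> ClassNotFoundException");
            }
        } finally {
            t.setContextClassLoader(original); // always restore the TCCL
        }
    }
}
```

Logging the defining loader of a suspect class, as definedBy does, is a quick way to confirm which webapp a leaked class actually came from.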
