On 02/04/2023 13:44, Chew Kok Hoor wrote:
Hi,

     As part of a way to prevent concurrent login, and to re-assign a
session back to a request based on JWT token (for clients that cannot pass
us cookies), we need access to 'findSession' and 'findSessions' in
org.apache.catalina.Manager.

     Is it true the only way to get the manager using
ServletContext.getManager() is by using privileged="true" in the
context.xml?

There is no ServletContext.getManager() method.

privileged is used to control access to Servlets that implement ContainerServlet.

The ContainerServlet interface is one way to access Tomcat's internals. Another option is reflection.


     Are there any implications in setting privileged="true" if we have full
control to restrict what servlets, JSPs or code are running in our webapp?

If the code is trusted then allowing setting privileged="true" does not introduce additional risk. It just makes it a little easier to do some things.

Mark
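
A sketch of the ContainerServlet route mentioned in the reply, as an added example that is not part of the original thread or Tomcat's own code. It assumes Tomcat 10+ (`jakarta.*`; use `javax.*` on Tomcat 9), a context deployed with `privileged="true"`, and an upstream filter (hypothetical) that has already verified the JWT signature and expiry and placed its claims in the request attributes `jwt.sid` and `jwt.sub`; the class name and the `user` session attribute are also hypothetical.

```java
import java.io.IOException;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.apache.catalina.ContainerServlet;
import org.apache.catalina.Context;
import org.apache.catalina.Manager;
import org.apache.catalina.Session;
import org.apache.catalina.Wrapper;

// Hypothetical servlet: only loads when context.xml has <Context privileged="true">.
public class SessionLookupServlet extends HttpServlet implements ContainerServlet {
    private static final String USER_ATTR = "user"; // assumed: set in the session at login
    private Wrapper wrapper;                        // injected by Tomcat via setWrapper()

    @Override public Wrapper getWrapper() { return wrapper; }
    @Override public void setWrapper(Wrapper wrapper) { this.wrapper = wrapper; }

    // The Wrapper's parent container is the web application's Context.
    private Manager manager() {
        return ((Context) wrapper.getParent()).getManager();
    }

    // Number of live sessions owned by this user (the concurrent-login check).
    private int countSessionsFor(String user) {
        int n = 0;
        for (Session s : manager().findSessions()) {
            if (s.isValid() && user.equals(s.getSession().getAttribute(USER_ATTR))) {
                n++;
            }
        }
        return n;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Claims come from the already-verified token, never from raw request parameters.
        String sid = (String) req.getAttribute("jwt.sid");
        String user = (String) req.getAttribute("jwt.sub");
        Session s = (sid == null || user == null) ? null : manager().findSession(sid);
        // Reject unless the session exists, is live, and belongs to the token's subject.
        if (s == null || !s.isValid() || !user.equals(s.getSession().getAttribute(USER_ATTR))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("active sessions for user: " + countSessionsFor(user));
    }
}
```

Binding the looked-up session to the token's subject before using it keeps a valid token for one user from being paired with another user's session ID.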

