On 05/10/2016 12:21, Konstantin Kolinko wrote:
> 2016-10-05 13:48 GMT+03:00 <ma...@apache.org>:
>> Author: markt
>> Date: Wed Oct 5 10:48:51 2016
>> New Revision: 1763403
>>
>> URL: http://svn.apache.org/viewvc?rev=1763403&view=rev
>> Log:
>> Refactor the web resources handling to use the Tomcat specific
>> 'war:file:...' URL protocol to refer to WAR files and their contents rather
>> than the standard 'jar:file:...' form since some components of the JRE, such
>> as JAR verification, give unexpected results when the standard form is used.
>> A side-effect of the refactoring is that when using packed WARs, it is now
>> possible to reference a WAR and/or specific JARs within a WAR in the
>> security policy file used when running under a SecurityManager.
>>
>> Added:
>>
>> tomcat/tc8.5.x/trunk/java/org/apache/catalina/webresources/AbstractSingleArchiveResource.java
>> - copied unchanged from r1763377,
>> tomcat/trunk/java/org/apache/catalina/webresources/AbstractSingleArchiveResource.java
>>
>> tomcat/tc8.5.x/trunk/java/org/apache/catalina/webresources/AbstractSingleArchiveResourceSet.java
>> - copied unchanged from r1763377,
>> tomcat/trunk/java/org/apache/catalina/webresources/AbstractSingleArchiveResourceSet.java
>>
>> tomcat/tc8.5.x/trunk/java/org/apache/catalina/webresources/WarResource.java
>> - copied unchanged from r1763377,
>> tomcat/trunk/java/org/apache/catalina/webresources/WarResource.java
>>
>> tomcat/tc8.5.x/trunk/java/org/apache/catalina/webresources/WarResourceSet.java
>> - copied unchanged from r1763377,
>> tomcat/trunk/java/org/apache/catalina/webresources/WarResourceSet.java
>> Modified:
>> tomcat/tc8.5.x/trunk/ (props changed)
>> tomcat/tc8.5.x/trunk/bin/catalina.bat
>> tomcat/tc8.5.x/trunk/bin/catalina.sh
>> tomcat/tc8.5.x/trunk/build.xml
>> tomcat/tc8.5.x/trunk/conf/catalina.policy
>>
>> tomcat/tc8.5.x/trunk/java/org/apache/catalina/webresources/JarResource.java
>>
>> tomcat/tc8.5.x/trunk/java/org/apache/catalina/webresources/JarResourceSet.java
>>
>> tomcat/tc8.5.x/trunk/java/org/apache/catalina/webresources/JarWarResource.java
>>
>> tomcat/tc8.5.x/trunk/java/org/apache/catalina/webresources/StandardRoot.java
>>
>> tomcat/tc8.5.x/trunk/java/org/apache/catalina/webresources/war/Handler.java
>>
>> tomcat/tc8.5.x/trunk/java/org/apache/catalina/webresources/war/WarURLConnection.java
>> tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/buf/UriUtil.java
>> tomcat/tc8.5.x/trunk/java/org/apache/tomcat/util/scan/JarFactory.java
>>
>> tomcat/tc8.5.x/trunk/test/org/apache/catalina/loader/TestWebappClassLoader.java
>> tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml
>> tomcat/tc8.5.x/trunk/webapps/docs/security-manager-howto.xml
>>
>> Propchange: tomcat/tc8.5.x/trunk/ >> ------------------------------------------------------------------------------ >> --- svn:mergeinfo (original) >> +++ svn:mergeinfo Wed Oct 5 10:48:51 2016 >> >> Modified: tomcat/tc8.5.x/trunk/bin/catalina.bat >> URL: >> http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/bin/catalina.bat?rev=1763403&r1=1763402&r2=1763403&view=diff >> ============================================================================== >> --- tomcat/tc8.5.x/trunk/bin/catalina.bat (original) >> +++ tomcat/tc8.5.x/trunk/bin/catalina.bat Wed Oct 5 10:48:51 2016 >> @@ -201,6 +201,10 @@ set JSSE_OPTS="-Djdk.tls.ephemeralDHKeyS >> :gotJsseOpts >> set "JAVA_OPTS=%JAVA_OPTS% %JSSE_OPTS%" >> >> +rem Register custom URL handlers >> +rem Do this here so they can be used in the security policy
>
> Maybe clarify "they"? s/they/war: URLs/
Will do.

>> +set "JAVA_OPTS=%JAVA_OPTS% >> -Djava.protocol.handler.pkgs=org.apache.catalina.webresources" >> + >> if not "%LOGGING_CONFIG%" == "" goto noJuliConfig >> set LOGGING_CONFIG=-Dnop >> if not exist "%CATALINA_BASE%\conf\logging.properties" goto noJuliConfig >>
>
> Will Tomcat start without above change? (Is it only necessary when
> running with a Security Manager, and policy file uses war: URLs)?

Yes, Tomcat will start unless you are using a SecurityManager that uses
"war:..." URLs.

> 1. I am concerned about running Tomcat as service. (I do not see
> changes to tomcat.nsi and to service.bat here).

Fair point. I'll take a look.

> 2. I am concerned about running Tomcat in Eclipse IDE. It runs as a
> java application (with a set of options), and the question is whether
> it can run with old configuration as long as war: URLs are not used in
> policy file, or people have to add the above -D to theirs.

As with the batch files, it will work unless a security manager is used
with a policy that uses "war:..." URLs. Given that you need to add
properties to enable the security manager, I'm not overly concerned
about this use case.

> 3. daemon.sh was not updated as well.

I'll look at that as well.

Thanks for the review.

Mark
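
Review bot: The added set "JAVA_OPTS=%JAVA_OPTS% -Djava.protocol.handler.pkgs=org.apache.catalina.webresources" line in the catalina.bat hunk appends the property unconditionally, so a deployment that already passes its own -Djava.protocol.handler.pkgs in JAVA_OPTS ends up with the option twice on the command line and only one of the two values takes effect. The property accepts a |-separated list of packages, so consider merging with a value that is already present, or at least say in the rem comment that the script sets this property. The rem comment could also state that the handler is registered at this point because a security policy may refer to war: URLs, which is the only case the change is needed for.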