In Tomcat (and probably most other web containers) JSPs are handled by a servlet that is mapped to *.jsp. During shutdown, this JSPServlet is just one more servlet to shut down - although it should be one of the last ones.
Here is a set of conditions that I suspect will reproduce this problem (keep in mind I'm just speculating): 1) A request is made to a maverick application. The hypothetical controller takes a long time to execute, doing lots of calculation or database queries or whatnot. 2) Sysadmin shuts down Tomcat. All servlets are unregistered (including the JSPServlet) but existing threads are allowed to complete. 3) The controller completes and then forwards to the JSP for rendering. 4) Since there is no JSPServlet, the JSP is handled as a simple static file. It may be that static content is also handled by a servlet - in which case the race condition is when the controller finishes its perform() after the JSPServlet is unregistered but before the static servlet is unregistered. I'm not familiar enough with Tomcat internals to know. I really don't think there is much you can do about the problem. It's a Tomcat issue, and there is nothing that Maverick can do to get around it. You will have the same problem with Struts or WebWork or even straight JSPs that perform forwards. If you're really worried about it, I suggest posting a bug report to the Tomcat lists. The "ideal" shutdown process would be: 1) Stop taking new requests 2) Wait for all processor threads to finish executing 3) Start destroying servlets I don't think this is what Tomcat currently does. Jeff Schnitzer [EMAIL PROTECTED] > -----Original Message----- > From: Taavi Tiirik [mailto:[EMAIL PROTECTED]] > Sent: Friday, February 07, 2003 5:19 AM > To: [EMAIL PROTECTED] > Subject: [Mav-user] maverick and tomcat 4.1.18 combo, security issue > > Hello, > > I am running tomcat 4.1.18 on winxp system using "catalina run" > and I happened to stop tomcat (by pressing crtl-c) when there > was an request to maveric command that has not been finished > processing yet. As the result of this, tomcat serves source of my > decorator jsp page. > > I was not quite able to repeat this trick, but it seems like a > security issue. Well, it may be the case that stopping tomcat > using ctrl-c is the reason of this. What do you think? > > My maveric command is simple: > > <command name="index"> > <controller class="Index"/> > <view name="success" path="index.jsp"> > <transform path="decorator.jsp"/> > </view> > </command> > > > with best wishes, > Taavi > > > > ------------------------------------------------------- > This SF.NET email is sponsored by: > SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! > http://www.vasoftware.com > [INVALID FOOTER] ------------------------------------------------------- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com [INVALID FOOTER]
