On 22/03/2016 11:11, Rémy Maucherat wrote: > 2016-03-22 11:57 GMT+01:00 Konstantin Kolinko <knst.koli...@gmail.com>: > >> This API is unusable when running with a SecurityManager. >> >> I mean, classes in "org.apache.catalina.connector.", >> "org.apache.catalina.core." normally aren't accessible to web >> applications. >> >> It can be solved by introducing a separate package and granting >> permission to access it, like it was done for comet >> >> http://svn.apache.org/viewvc?view=revision&revision=833510 >> >> // Applications using Comet need to be able to access this package >> permission java.lang.RuntimePermission >> "accessClassInPackage.org.apache.catalina.comet"; >> >> It can be o.a.c.push package, in analogy to Comet one. Alternatively, >> there were some thoughts of moving facades to a separate package. >> > Yes, but the API is unstable (and is marked as such), so I don't think > it's a good idea to do that.
We might want to think about some form of public API that can work with a security manager for all of the Servlet 4.0 stuff that has been back-ported to 8.5.x. One issue is I wouldn't want to see any of that API in 9.0.x which means that whatever we put in 8.5.x will be deprecated as soon as it is written. It will also be unstable for a quite a while given the likely timeframe for Servlet 4.0. I did think about o.a.catalina.servlet4 but I wasn't sure that was the right solution. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
