Mark,

On 11/7/22 11:24, Mark Thomas wrote:
> Hi,
>
> BZ 66294 [1] highlights the performance impact in Tomcat of some additional SecurityManager checks that were added to avoid AccessControlException when using the EL API JAR outside of Tomcat.
>
> Details of the performance impact are in the bug report.
>
> I think we have a few options here.
>
> 1. Assume Tomcat 11 will remove the SecurityManager. Do nothing for now and advise the reporter to move to Tomcat 11 when available.
>
> 2. Do nothing.
>
> 3. Disable this check by default and add an option (it will have to be a system property) to enable it.
>
> 4. Something else.
>
> Thoughts?
>
> I am currently leaning towards 3 given that the performance impact is noticeable and that the check isn't required in normal usage.

I thought we only wrapped stuff in doPrivileged() when a SecurityManager was installed. Re-re-reading the bug report, it's clear that the reporter IS running under SM.

If the reporter is running under SM and the code does not fail, doesn't that mean that the check isn't actually providing any benefit? The thread must already be running in a privileged context if making that call does not throw an exception at runtime.

Can we just remove it entirely?

Maybe I'm missing something...

-chris
