Stefano,
No problem applying that patch, as it just makes sealing configurable.
But I'm curious as to why you are getting this problem? The servlet
classes should not be in the org.mortbay.jetty.jar file. They should
only be in javax.servlet.jar. If you have multiple sources of the servlet API, then perhaps it would be best to somehow only include
one of them. The Jetty servlet API files are taken directly from the
apache geronimo project.
Eitherway, we will commit this patch shortly.
cheers
Stefano Mazzocchi wrote:
Greg,
I'm writing you on behalf of Gump (http://gump.apache.org) the continous integration tool that the ASF runs to understand project dependencies issues.
As you might know, Jetty is required to build some of the ASF project and we recently found out (with not ease of pain!) that jetty is causing a little problem with the fact that it's 'sealing' the jars that it produces.
For example, if you take a look here:
http://brutus.apache.org/gump/test/project_todos.html
you'll see that the 20 projects are prevented from building because the cactus-framework depends on jetty *and* on the servlet API *and* the ant build file for cactus-framework checks for the availability of the servlet API 2.4, resulting in the servlet API classes to be loaded both from the jetty.jar and from the servlet-api.jar, but since jetty.jar is sealed, a security violation is thrown!
Now, Gump, as a practice, does *NOT* ask projects to change their descriptors for him, but we believe that it would be enough to apply the following patch
15:31:49.000000000 -0700
@@ -220,7 +220,7 @@
<jar jarfile="${servlet.jar}" basedir="${classes}" >
<include name="javax/servlet/**" />
<manifest>
- <attribute name="Sealed" value="true"/>
+ <attribute name="Sealed" value="${jar.sealed}"/>
<attribute name="Built-By" value="${user.name}"/>
<attribute name="Specification-Title" value="Java API for Servlets"/>
<attribute name="Specification-Version" value="2.4"/>
@@ -237,7 +237,7 @@
<target name="jetty.jar" depends="classes,servlet.jar" >
<jar jarfile="${jetty.jar}">
<manifest>
- <attribute name="Sealed" value="true"/>
+ <attribute name="Sealed" value="${jar.sealed}"/>
<attribute name="Built-By" value="${user.name}"/>
<attribute name="Specification-Version" value="${RELEASE.MAJOR}"/>
<attribute name="Implementation-Version" value="${RELEASE.MAJOR.MINOR}"/>
so that "jar sealing" could be turned on and off at need.
We deeply apologize for the incovenience and we realize it's none of your concern if gump builds or not, but this very simple patch would help up a great deal.
Thanks for your understanding.
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
