costin 01/03/21 13:13:56
Modified: src/share/org/apache/tomcat/facade Tag: tomcat_32
HttpServletRequestFacade.java
Log:
Disable creation of session facades. A better solution is implemented in 3.3,
where the same facade is returned during servlet execution.
The session facade was added for security - to prevent the servlet from
accessing public methods and to prevent the servlet from "keeping" the reference
and using it later ( when the object may be associated with another session ).
Securing tomcat and support for untrusted apps is a long process, and 3.2
has other places where untrusted apps could hold references to recycled
objects - as long as the HttpServletRequest is recycled there is no
point in being paranoid about the session.
Revision Changes Path
No revision
No revision
1.6.2.2 +2 -1
jakarta-tomcat/src/share/org/apache/tomcat/facade/Attic/HttpServletRequestFacade.java
Index: HttpServletRequestFacade.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/facade/Attic/HttpServletRequestFacade.java,v
retrieving revision 1.6.2.1
retrieving revision 1.6.2.2
diff -u -r1.6.2.1 -r1.6.2.2
--- HttpServletRequestFacade.java 2001/03/06 01:13:05 1.6.2.1
+++ HttpServletRequestFacade.java 2001/03/21 21:13:54 1.6.2.2
@@ -89,7 +89,7 @@
HttpSessionFacade sessionFacade;
ServletInputStreamFacade isFacade=null;
BufferedReader reader;
-
+ static final NO_SESSION_FACADE=true;
private boolean usingStream = false;
private boolean usingReader = false;
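Review bot: the added field `static final NO_SESSION_FACADE=true;` has no type, so this line will not compile as written; it should read `static final boolean NO_SESSION_FACADE=true;`. The constant also has no comment, although it switches off a security wrapper. A short comment pointing to the rationale in the commit log (facade disabled because the request object is recycled anyway in 3.2) would keep the next reader from flipping it without understanding the consequence. Consider `private` as well, since nothing in the visible lines needs package access to it.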
@@ -385,6 +385,7 @@
*/
public HttpSession getSession(boolean create) {
HttpSession realSession = request.getSession( create );
+ if( NO_SESSION_FACADE ) return realSession;
// No real session, return null
if( realSession == null ) {
if( sessionFacade!= null) sessionFacade.recycle();
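Review bot: the early `if( NO_SESSION_FACADE ) return realSession;` in getSession() hands the container's real session object straight to the web application, and because the flag is a compile-time `true` everything after it in the method (the null check and the `sessionFacade.recycle()` call) becomes dead code. That means a servlet can cast the returned HttpSession to the internal implementation class and call its public methods, and can keep the reference after the object has been recycled for another session, which are the two cases the log says the facade was added to prevent. If that trade-off is accepted for 3.2, say so in a comment at this line and either remove the now unreachable facade handling or make the flag a runtime setting so deployments that host untrusted applications can turn the facade back on.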