If you are concerned about security, allowing a web app to set the
default URLStreamHandler is not a very secure thing to do because
it gives the webapp the ability to see all URL streams globally in the JVM.
When using Tomcat with the Java SecurityManager, web apps are not normally
granted permission to set the URLStreamHandlerFactory.
Regards,
Glenn
"Kyle F. Downey" wrote:
>
> I'm working with the latest b4-dev from CVS.
>
> Is there a reason the StandardLoader establishes a URLStreamHandlerFactory
> (a precious resource, since you can set it only once) just for the "jndi:"
> protocol? If all it's used for is to find the protocol handler, that could
> be done less intrusively by using the built-in package-based mechanism.
>
> My reason for wanting to change this is that it makes using custom URL
> handlers just about impossible from within a webapp. The package-based
> mechanism fails for webapps because java.net.URL loads URLStreamHandlers
> only from the system classpath--so unless you put it in the very
> lowest-level CLASSPATH (edit catalina.sh or catalina.bat, add along with
> bootstrap.jar) it will not be able to instantiate the handler. Installing
> your own URLStreamHandlerFactory is a drastic solution, but in this case,
> the only (code-level) solution.
>
> I will submit a patch to replace the URLStreamHandlerFactory with the
> naming-pattern based mechanism, if you all consider this a bug rather
> than a feature.
>
> --kd
--
----------------------------------------------------------------------
Glenn Nielsen [EMAIL PROTECTED] | /* Spelin donut madder |
MOREnet System Programming | * if iz ina coment. |
Missouri Research and Education Network | */ |
----------------------------------------------------------------------
