glenn 01/04/24 21:16:07
Modified: jasper/src/share/org/apache/jasper/servlet JspServlet.java
Log:
Java SecurityManager implementation changes
-------------------------------------------
Changed the naming convention for JNDI DirContextURL to
"jndi:/hostname/webappname/" and "jar:jndi:/hostname/webappname/...".
This works better with java.io.FilePermission.
Modified how permissions are granted to the codeBase for a
web application so that different permissions can be granted.
Permissions assigned to the root of a web application apply
to JSP pages. Different permissions can be assigned to the
/WEB-INF/classes/ directory, the /WEB-INF/lib/ directory,
or even to individual jar files in /WEB-INF/lib/. This allows
much finer control of permissions granted within a web
application.
Fixed Jasper so that it uses the correct codeBase for a
web application; it had been using the work dir instead
of the context dir when getting permissions from the
policy file.
Added more default read FilePermissions for classes
loaded from within a web application so that getResources()
works. Added:
"jndi:/hostname/webappname/-"
"jar:jndi:/hostname/webappname/WEB-INF/lib/-"
"file:/realcontextpath/-"
Revision Changes Path
1.17 +27 -5
jakarta-tomcat-4.0/jasper/src/share/org/apache/jasper/servlet/JspServlet.java
Index: JspServlet.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat-4.0/jasper/src/share/org/apache/jasper/servlet/JspServlet.java,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- JspServlet.java 2001/03/21 20:49:20 1.16
+++ JspServlet.java 2001/04/25 04:16:06 1.17
@@ -288,20 +288,42 @@
if( policy != null ) {
try {
// Get the permissions for the web app context
- URL url = options.getScratchDir().toURL();
+ String contextDir = context.getRealPath("/");
+ if( contextDir == null )
+ contextDir = options.getScratchDir().toString();
+ URL url = new URL("file:" + contextDir);
codeSource = new CodeSource(url,null);
permissionCollection = policy.getPermissions(codeSource);
// Create a file read permission for web app context directory
- String contextDir = url.getFile();
- if( contextDir.endsWith(File.separator) )
+ if (contextDir.endsWith(File.separator))
contextDir = contextDir + "-";
else
contextDir = contextDir + File.separator + "-";
permissionCollection.add( new FilePermission(contextDir,"read") );
// Allow the JSP to access org.apache.jasper.runtime.HttpJspBase
permissionCollection.add( new RuntimePermission(
- "accessClassInPackage.org.apache.jasper.runtime"
- ) );
+ "accessClassInPackage.org.apache.jasper.runtime") );
+ if (parentClassLoader instanceof URLClassLoader) {
+ URL [] urls = parentClassLoader.getURLs();
+ String jarUrl = null;
+ String jndiUrl = null;
+ for (int i=0; i<urls.length; i++) {
+ if (jndiUrl == null &&
urls[i].toString().startsWith("jndi:") ) {
+ jndiUrl = urls[i].toString() + "-";
+ }
+ if (jarUrl == null &&
urls[i].toString().startsWith("jar:jndi:") ) {
+ jarUrl = urls[i].toString();
+ jarUrl = jarUrl.substring(0,jarUrl.length() - 2);
+ jarUrl = jarUrl.substring(0,jarUrl.lastIndexOf('/')) +
"/-";
+ }
+ }
+ if (jarUrl != null) {
+ permissionCollection.add( new FilePermission(jarUrl,"read")
);
+ permissionCollection.add( new
FilePermission(jarUrl.substring(4),"read") );
+ }
+ if (jndiUrl != null)
+ permissionCollection.add( new
FilePermission(jndiUrl,"read") );
+ }
} catch(MalformedURLException mfe) {
}
}
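Review bot: The `jar:jndi:` branch inside the loop derives a recursive read grant by string arithmetic without checking the URL's shape: `jarUrl.substring(0,jarUrl.length() - 2)` assumes the entry ends in `!/`, and `lastIndexOf('/')` then keeps whatever directory is left. Because the result goes straight into `new FilePermission(jarUrl,"read")`, an entry with a different shape would silently yield a grant for a different directory. Adding `&& urls[i].toString().endsWith("!/")` to that condition would keep the grant tied to the expected `/WEB-INF/lib/` form. Separately, when `context.getRealPath("/")` returns null the code falls back to `options.getScratchDir()`, so the policy lookup is again made against the work dir, and the empty `catch(MalformedURLException mfe)` leaves a failure in this setup unreported; a log line in both places would make either case visible. The enclosing method starts and ends outside the hunk.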