Hi Jean-Frederic,
the current source has:
Right:
+++
[EMAIL PROTECTED]:~/jakarta-tomcat-jasper > more CVS/Tag
Ttomcat_4_branch
+++
Should I port back the correction to the tomcat_4_branch?
Cheers
Jean-Frederic
    int dot = name.lastIndexOf('.');
    if (securityManager != null) {
        if (dot >= 0) {
            try {
                // Do not call the security manager since by default, we grant that package.
                if (!"org.apache.jasper.runtime".equalsIgnoreCase(name.substring(0,dot))){
                    securityManager.checkPackageAccess(name.substring(0,dot));
                }
            } catch (SecurityException se) {
which is the correct way, although
    int dot = name.lastIndexOf('.');
should be moved to be inside the "if", because dot is not used outside of it.
Done :-)
Thanks,
-- Jeanfrancois
jean-frederic clere wrote:
Hi,
One of my colleagues has problems in JasperLoader.java: The System.getSecurityManager() is null when creating the class but not null later on.
Why do we have the following code? (from jakarta-tomcat-jasper/jasper2/src/share/org/apache/jasper/servlet/JasperLoader.java):
+++
    if (System.getSecurityManager() != null) {
        if (dot >= 0) {
            try {
                securityManager.checkPackageAccess(name.substring(0,dot));
            } catch (SecurityException se) {
                String error = "Security Violation, attempt to use " +
                    "Restricted Class: " + name;
                System.out.println(error);
                throw new ClassNotFoundException(error);
            }
        }
    }
+++
We test System.getSecurityManager() but use securityManager!
Cheers
Jean-Frederic
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
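Added example, not part of the thread and not Tomcat code: it reproduces the mismatch discussed above (testing the live security manager but calling a field captured at construction) next to the form that tests and calls the same reference. PackageGuard, installed, Loader and the sample class name are hypothetical stand-ins, used so the example runs on current JDKs where a security manager cannot be installed.

```java
public class SecurityManagerRefDemo {
    // Hypothetical stand-in for java.lang.SecurityManager.
    interface PackageGuard { void checkPackageAccess(String pkg); }

    // Stand-in for System.getSecurityManager(): null at first, installed later.
    static PackageGuard installed = null;

    static class Loader {
        // Captured once at construction, like the loader's securityManager field.
        private final PackageGuard securityManager = installed;

        // Pattern from the question: tests the live value, calls the cached field.
        String mismatched(String name) {
            int dot = name.lastIndexOf('.');
            if (installed != null && dot >= 0) {
                securityManager.checkPackageAccess(name.substring(0, dot));
            }
            return "checked";
        }

        // Pattern from the reply: test and call go through the same reference.
        String consistent(String name) {
            if (securityManager == null) {
                return "skipped (no manager when loader was created)";
            }
            int dot = name.lastIndexOf('.');
            if (dot >= 0) {
                securityManager.checkPackageAccess(name.substring(0, dot));
            }
            return "checked";
        }
    }

    public static void main(String[] args) {
        Loader early = new Loader();   // created before the guard is installed
        installed = pkg -> { if (pkg.startsWith("sun.")) throw new SecurityException(pkg); };
        Loader late = new Loader();    // created after the guard is installed

        try {
            early.mismatched("sun.misc.Unsafe");   // constructed sample class name
        } catch (NullPointerException e) {
            System.out.println("mismatched, early loader: NullPointerException");
        }
        System.out.println("consistent, early loader: " + early.consistent("sun.misc.Unsafe"));
        try {
            late.consistent("sun.misc.Unsafe");
        } catch (SecurityException e) {
            System.out.println("consistent, late loader: denied " + e.getMessage());
        }
    }
}
```

The consistent form removes the NullPointerException, but a loader created before the manager is installed never performs the package check, so the order of installation and loader creation still matters.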