Dale Ogilvie <dale_ogil...@trimble.com> wrote:

>-----Original Message-----
>From: Mark Thomas [mailto:ma...@apache.org] 
>
>>Again, that class is not a Tomcat class. As far as I can tell, that is
>>part of Jetty's JSP/EL implementation. 
><snip>
>>Anyway, if you start adding JARs from one container into another then
>>all sorts of things can and will go wrong. I see no way to protect
>>Tomcat against this.
>
>>Mark
>
>So you are saying that Tomcat should not be responsible for preventing
>app1 from unintentionally loading a class from
>app2/WEB-INF/lib/[jetty-jsp-el].jar?

No I am not saying that. The reason you see the exception is because Tomcat 
(well, with the help of the JVM) prevents a class loaded from one application 
being visible to another application.

>I thought that this was a contravention of Tomcat classloading rules.
>Is your point that the jetty jar is doing some "magic" to force its
>class into another apps classloader tree, and this sort of thing is
>actually allowable for an app using "container" jars?

No.

>If you could provide some more details on how one can intentionally
>inject your own classes into other apps for their use, that would be
>interesting, but it does sound like a bit of a security hole.

You can't do that.

>Note, I don't know very much about the technical details of
>classloaders, I am just trying to understand how something occurred
>which seems to be against how things are supposed to work.

I am 95% certain of what is happening but haven't tested this. It will help 
your understanding if you read the EL specification, specifically the section 
in the Javadoc regarding how implementations are discovered. Tomcat implements 
these rules. It is possible for an EL implementation to be loaded from an 
application. Everything will be fine EL-wise for the application that shipped 
with the EL implementation but things will fall apart for any other application 
that tries to use EL since the implementation classes will not be visible.

It might be possible to protect against this particular problem - I'd need to 
do some testing to confirm that - but in the general case, adding Servlet, JSP 
or EL implementation classes into a web application is going to cause problems 
(or a bunch of errors/warnings for the cases that Tomcat does detect).

>P.S. The jetty jar actually appeared in app2 due to maven dependencies,
>it was not added as a direct dependency for app2.

Why am I not surprised.

Mark
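The visibility rule Mark describes above, as an added stand-alone example that is not from this thread and is not Tomcat's or Jetty's code: two URLClassLoaders model app1 and app2, both children of a "common" loader that holds only the API interface, and a small discover() modelled on the EL API's context-class-loader lookup of META-INF/services/<api name>. The class names, directory names and the idea of a cache keyed by implementation class name are assumptions made for illustration; the point is that an implementation shipped in app2/WEB-INF/lib is found from app2, is not found from app1, and cannot be loaded by app1's loader at all.

```java
import java.io.InputStream;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class ElVisibilityDemo {

    // Stand-in for the EL API (javax.el.ExpressionFactory) that lives in Tomcat's common loader.
    public interface ElFactoryApi {
        String describe();
    }

    // Stand-in for the EL implementation that ended up in app2/WEB-INF/lib (hypothetical name).
    public static class AppShippedElFactory implements ElFactoryApi {
        public String describe() { return "EL implementation shipped inside app2"; }
    }

    // Copy an already-compiled class file into a directory so a URLClassLoader rooted there can define it.
    static void copyClass(Class<?> c, Path root) throws Exception {
        String path = c.getName().replace('.', '/') + ".class";
        Path target = root.resolve(path);
        Files.createDirectories(target.getParent());
        try (InputStream in = ElVisibilityDemo.class.getResourceAsStream("/" + path)) {
            Files.copy(in, target);
        }
    }

    static ClassLoader loaderFor(Path root, ClassLoader parent) throws Exception {
        return new URLClassLoader(new URL[] { root.toUri().toURL() }, parent);
    }

    // Discovery modelled on the EL API's FactoryFinder: read META-INF/services/<api name> through the
    // thread context class loader, then load the class it names through that same loader.
    static Object discover(Class<?> api) throws Exception {
        ClassLoader tccl = Thread.currentThread().getContextClassLoader();
        try (InputStream in = tccl.getResourceAsStream("META-INF/services/" + api.getName())) {
            if (in == null) {
                return null; // nothing declares an implementation visible to this loader
            }
            String implName = new String(in.readAllBytes(), StandardCharsets.UTF_8).trim();
            Class<?> impl = Class.forName(implName, true, tccl);
            return api.cast(impl.getDeclaredConstructor().newInstance());
        }
    }

    public static void main(String[] args) throws Exception {
        Path commonLib = Files.createTempDirectory("common-lib");
        Path app1Lib = Files.createTempDirectory("app1-WEB-INF-lib");
        Path app2Lib = Files.createTempDirectory("app2-WEB-INF-lib");

        copyClass(ElFactoryApi.class, commonLib);          // the API is shared
        copyClass(AppShippedElFactory.class, app2Lib);    // the implementation is not
        Path services = app2Lib.resolve("META-INF/services/" + ElFactoryApi.class.getName());
        Files.createDirectories(services.getParent());
        Files.writeString(services, AppShippedElFactory.class.getName() + "\n");

        // Parent the "common" loader on the platform loader so the JVM application class path, which also
        // holds these classes, is never consulted: only the three directories above take part.
        ClassLoader common = loaderFor(commonLib, ClassLoader.getPlatformClassLoader());
        ClassLoader app1 = loaderFor(app1Lib, common);
        ClassLoader app2 = loaderFor(app2Lib, common);
        Class<?> api = common.loadClass(ElFactoryApi.class.getName());

        // Request from app2: the provider is found and defined by app2's own loader.
        Thread.currentThread().setContextClassLoader(app2);
        Object impl = discover(api);
        String implName = impl.getClass().getName();
        System.out.println("app2: found " + implName + " in " + impl.getClass().getClassLoader());
        System.out.println("app2: " + api.getMethod("describe").invoke(impl));

        // Request from app1: no provider is visible, so discovery yields nothing.
        Thread.currentThread().setContextClassLoader(app1);
        System.out.println("app1: discovery returned " + discover(api));

        // Assumed failure mode: if the class name found for app2 were reused for app1 (say from a cache
        // keyed by name), app1's loader cannot see the class. That is the ClassNotFoundException the
        // thread is about, and it is the isolation working as designed, not being bypassed.
        try {
            Class.forName(implName, true, app1);
        } catch (ClassNotFoundException e) {
            System.out.println("app1: " + implName + " is not visible (" + e + ")");
        }
    }
}
```

Compile and run with `javac ElVisibilityDemo.java && java ElVisibilityDemo` (Java 11 or later). Since the offending jar arrived transitively, the practical check is `mvn dependency:tree` on app2 to see which dependency pulled it in, then an `<exclusion>` on that dependency (or `<scope>provided</scope>` for container API jars) so nothing Servlet-, JSP- or EL-related is packaged into WEB-INF/lib.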

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
