On 18.03.2017 at 10:54, Mark Thomas wrote:
> On 17/03/2017 20:21, Mike Wilson wrote:
>> I also ran into [1].
>>
>> Some Tomcat configuration with custom components (Valves, Managers etc.) may
>> be done from a webapp's META-INF/context.xml. But currently, if those classes
>> are your own custom implementations, they will not be found if residing
>> inside the webapp's war (but are, e.g., found if placed in <tomcat>/lib).
>>
>> Would it make sense for Tomcat to use the webapp classloader for components
>> that are specified in META-INF/context.xml?
> Potentially. It needs some thought when running under a SecurityManager.

Mark, you probably know better than me - is there any kind of security assumption involved when referencing connection pools etc.? The nice thing about JNDI resources (etc.) is that the application has no knowledge of database credentials (unless tricking with reflection) - but if it can inject its own classes this way, I'd not be sure any more.

Sure, this would be a server-side attack by a rogue web application. Not sure if this thought is valid or not - I just wanted to raise the issue so that it can be defeated or taken into account. Maybe this is what you meant with "when running under a SecurityManager".

Olaf

> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> ---------------------------------------------------------------------
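The concern raised in the thread is that a webapp-shipped META-INF/context.xml can name container components (Valves, Managers) and resources that the container, not the application, instantiates. As an added example that is not part of this thread or of Tomcat, here is a small audit that flags such entries: the element list, the allow-listed package prefixes and the sample context.xml are constructed assumptions, not Tomcat's own definitions.

```python
import xml.etree.ElementTree as ET

# Context.xml elements whose className is instantiated by the container itself
# (assumption: an operator's list, not taken from Tomcat's sources).
CONTAINER_ELEMENTS = {"Valve", "Manager", "Loader", "Realm", "Listener",
                      "Resources", "JarScanner", "CookieProcessor"}
# Package prefixes of classes shipped with Tomcat (assumption: adjust to your
# distribution; anything outside these is treated as webapp-supplied code).
BUILTIN_PREFIXES = ("org.apache.catalina.", "org.apache.tomcat.", "org.apache.coyote.")

# Constructed sample of a META-INF/context.xml as a webapp might ship it.
SAMPLE_CONTEXT_XML = """<Context>
  <Valve className="org.apache.catalina.valves.AccessLogValve" prefix="app" suffix=".log"/>
  <Valve className="com.example.CustomValve"/>
  <Manager className="com.example.CustomManager"/>
  <Resource name="jdbc/app" auth="Container" type="javax.sql.DataSource"
            username="app" password="constructed-secret"
            driverClassName="org.h2.Driver" url="jdbc:h2:mem:app"/>
</Context>
"""


def audit_context_xml(xml_text):
    """Return findings for one context.xml as (element, identifier, reason) tuples.

    Two things are reported: container components whose className lies outside
    the built-in prefixes (code the webapp supplies but the container runs), and
    Resource elements that embed a password (credentials that live inside the
    webapp rather than in the server's own conf/ or GlobalNamingResources)."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag in CONTAINER_ELEMENTS:
            cls = el.get("className")
            if cls and not cls.startswith(BUILTIN_PREFIXES):
                findings.append((el.tag, cls, "non-builtin container component"))
        elif el.tag == "Resource" and el.get("password") is not None:
            findings.append((el.tag, el.get("name", "?"),
                             "credential embedded in webapp-shipped context.xml"))
    return findings


if __name__ == "__main__":
    for element, ident, reason in audit_context_xml(SAMPLE_CONTEXT_XML):
        print(f"{element:<9} {ident:<28} {reason}")
```

Run it against every deployed webapp's META-INF/context.xml (or the copies Tomcat keeps under conf/[engine]/[host]/) to see which applications ship their own container code or credentials.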