On Wed, Jul 1, 2020 at 7:46 AM Mark Thomas <ma...@apache.org> wrote:

> On 30/06/2020 14:19, Vitor Medina Cruz wrote:
> >  Hello,
> >
> > I am trying to configure Tomcat in a way that it makes SCI scan only in
> > jars I explicitly specify to. I followed instructions from
> > https://tomcat.apache.org/tomcat-8.5-doc/config/jar-scan-filter.htm, in
> > both Tomcat 8 and 9, but with no success. I posted a question on
> > stackoverflow that explains more in detail what I did:
> >
> https://stackoverflow.com/questions/62602550/how-to-specify-which-classes-and-jars-gets-scanned-for-servlet-annotations-in-to
> >
> > And I also found other unanswered questions pointing to the same problem,
> > here is one example:
> >
> https://stackoverflow.com/questions/52876216/tomcat-too-slow-scanning-for-annotations
> > .
> >
> > The thing is that it is looking like an error to me because logs tells
> that
> > scanning is done as configured — if I add a jar for scanning in
> > JarScanFilter, the log show it is scanned, if I remove it, the log stop
> > reporting it's scanning — but after that, no matter what configuration I
> > made with JarScanFilter, the WebappServiceLoader loads servlet annotated
> > classes, such as @WebListener.
>
> The JarScanner machinery handles annotation and TLD scanning.
>
> WebappServiceLoader handles SCIs which are handled under the standard
> service loader mechanism. SCIs can load classes.
>
> > Any leads? Ideas? Anyone can confirm if that is an error or if I am using
> > the functionality wrongly or if I understand it wrongly.
>
> It looks like you aren't preventing the SCIs from being loaded.
>
> The specification isn't as clear as it could be here and there are still
> a few gaps. That is being worked on at Eclipse. A useful summary of the
> current position can be found at:
>
>
> https://github.com/apache/tomcat/blob/8.5.x/java/org/apache/catalina/startup/ContextConfig.java#L1092
>
> The simplest way to block the Servlet 3 pluggability features is:
>
> 1. Add metadata-complete="true" to the web-app element in web.xml
>    (disables annotation scanning for deploy time annotations -
>     Servlet 3.1, 8.1)
>
> 2. Add <absolute-ordering></absolute-ordering> to web.xml
>    (disables any SCIs - Servlet 3.1, 8.2.2.d)
>
> Mark
>
>
Thanks. I, however, don't want to block all Servlet 3 pluggability as there
are frameworks already being made with no way of configuring it other than
that.... I would like to selectively choose which jars to be scanned in
order to avoid performance issues and rogue classes to be loaded. As is
seems, nor Servlet specification nor Tomcat in specific provides a way of
doing that, is that correct?



> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

Reply via email to