Chris,
On 28/05/2021 23:16, Christopher Schultz wrote:
</snip>
Yeah, about that...
https://openjdk.java.net/jeps/411
IMO this is a Bad Thing for Java. If someone was looking for a reason to
abandon the whole Java ecosystem, this would be it. Well, we had a good
run.
Now we can all run node.js, Python, or Go where security is not a
problem because the languages are "safe" so nothing Bad can happen,
right? *facepalm*
Safe all the way down... including type safety :-p
</snip>
For now, Tomcat can rely on the SecurityManager doing its job. That
means we only need to rely on the encapsulation strategies the language
and the standard library provide, which are (currently) sufficient.
I will try to come up with a solution that uses defensive copying
whenever possible. That will include a couple of hard-coded special
cases as well as try to use Serializable if available. I will not
consider Cloneable due to the risk of shallow copies.
If none of the tried methods will work, getAttribute(String name) should
return the result of the object's toString() method. We'll likely
"lose" some of the requested attributes that way but need not care
about preventing reflection with a (soon missing) SecurityManager.
Carsten
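
Added example, not part of the message above and not Tomcat code: a sketch of the copy order described there (hard-coded immutable types, then a Serializable round trip, then toString() as the last resort). The class name AttributeCopier and method defensiveCopy are hypothetical, and the sample values in main are constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper: returns a value that cannot be used to mutate the stored attribute.
public final class AttributeCopier {
    public static Object defensiveCopy(Object value) {
        if (value == null) { return null; }
        // Hard-coded special cases: immutable JDK types can be handed out as-is.
        if (value instanceof String || value instanceof Boolean
                || value instanceof Character || value instanceof Integer
                || value instanceof Long || value instanceof Double) {
            return value;
        }
        // A serialization round trip copies the whole object graph, unlike the
        // default Cloneable behaviour, which copies only top-level fields.
        if (value instanceof Serializable) {
            try {
                ByteArrayOutputStream buf = new ByteArrayOutputStream();
                try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
                    out.writeObject(value);
                }
                try (ObjectInputStream in = new ObjectInputStream(
                        new ByteArrayInputStream(buf.toByteArray()))) {
                    return in.readObject();
                }
            } catch (IOException | ClassNotFoundException e) {
                // For example a non-serializable field deep in the graph: fall through.
            }
        }
        // Last resort: the caller gets a String, never the live object.
        return value.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a mutable element nested inside a Serializable list.
        List<StringBuilder> stored = new ArrayList<>(List.of(new StringBuilder("a")));
        @SuppressWarnings("unchecked")
        List<StringBuilder> copy = (List<StringBuilder>) defensiveCopy(stored);
        copy.get(0).append("-tampered");
        System.out.println("stored element after tampering with copy: " + stored.get(0));
        System.out.println("non-serializable fallback is a String: "
                + (defensiveCopy(new Object()) instanceof String));
    }
}
```

The round trip runs the attribute's own writeObject/readObject hooks, and ObjectInputStream resolves classes through the calling code's class loader, so attributes whose classes it cannot see end up in the toString() fallback.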