Nicholas DiPiazza [https://community.jboss.org/people/ndipiazza] created the discussion "Re: JAR blacklist for deployment" To view the discussion, visit: https://community.jboss.org/message/785239#785239 -------------------------------------------------------------- A subsystem is a nice way to go. Is there an API that JBoss provides for the subsystem code to trigger events for "onAppDeployed" for example? And then an API to scan the classpath for a module at deploy-time? Now that deployments are based on the JBoss Modules project, I'm lost as to how to add a validator during the deployment cycle. -------------------------------------------------------------- Reply to this message by going to Community [https://community.jboss.org/message/785239#785239] Start a new discussion in JBoss AS 7 Development at Community [https://community.jboss.org/choose-container!input.jspa?contentType=1&...]

Nicholas DiPiazza [https://community.jboss.org/people/ndipiazza] created the discussion "Re: JAR blacklist for deployment" To view the discussion, visit: https://community.jboss.org/message/785269#785269 -------------------------------------------------------------- First of all, thanks for the feedback. I'm glad you think it's a good idea. So as a follow up: what do you I'm looking for your opinions on the best strategy for coming up with the best default list of blacklisted JARs. In other words, JARs that are NEVER ok to have in your deployment. I need to: a) how to check to see if a JAR has been blacklisted. b) getting a list of blacklisted JARs My ideas for (a): * Collect store a SHA1 checksum for all blacklisted JARs and store in text file *conf/blacklist.properties*. Load the checksum list as a dictionary during server startup. Validate SHA1 checksum for JARs deployed to verify none match a blacklisted JAR from the dictionary. * Just store the MANIFEST.MF for all blacklisted JARs in a special directory within *conf/blacklisted-jar-manifests*. During deployment, check all JAR manifests don't match a blacklisted one. * Instead of blacklisting JARs, blacklist certain Classes that if found in any JAR within your deployment will cause the warning. ----> This is the one I'm leaning towards. My ideas for (b): List of all JBoss system JARs: For AS4-6: Blacklist all JARs in client/jboss*.jar, server/default/lib/jboss*.jar, and server/all/lib/jboss*.jar That is a good default list for now. Any ideas on this?  -------------------------------------------------------------- Reply to this message by going to Community [https://community.jboss.org/message/785269#785269] Start a new discussion in JBoss AS 7 Development at Community [https://community.jboss.org/choose-container!input.jspa?contentType=1&...]