[cdi-dev] [JBoss JIRA] (CDI-702) Observers in CDI extensions can see classes they should not be able to

Emily Jiang (JIRA) issues at jboss.org
Mon May 22 05:28:00 EDT 2017


    [ https://issues.jboss.org/browse/CDI-702?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13409781#comment-13409781 ] 

Emily Jiang edited comment on CDI-702 at 5/22/17 5:27 AM:
----------------------------------------------------------

[~meetoblivion] The issue is that the CDI extension does something different from other classes in the ear. e.g.  

{noformat}
myApp.ear
lib\myLib.jar (LibExtensionA.class, LibOne.class)
myWarA.war (WarAExtension.class, myWarAServlet.class)
myWarB.war (WarBExtension.class, myWarBServlet.class)
{noformat}


The myWarAServlet will not be able to see classes in myWarB.war. Why are the CDI extensions special? How come all extension classes can see everything in the ear? Basically, my argument is that CDI extensions should follow the same classloading criteria instead of defining their own visibility rules without even being documented.



> Observers in CDI extensions can see classes they should not be able to
> ----------------------------------------------------------------------
>
>                 Key: CDI-702
>                 URL: https://issues.jboss.org/browse/CDI-702
>             Project: CDI Specification Issues
>          Issue Type: Clarification
>          Components: Portable Extensions
>    Affects Versions: 1.2.Final, 1.1.Final, 2.0.Final
>            Reporter: Emily Jiang
>            Priority: Critical
>
> We observe an undesired behavior on Weld: during CDI bootstrap, all classes from both the EAR lib folder and all WAR lib folders are available to CDI extensions in the EAR lib folder as well as to CDI extensions in all WAR lib folders. Basically, the extension class can see everything in an .ear regardless of where the extension class resides. It completely ignores the classloading hierarchy.
> e.g.
> myApp.ear
>   lib\myLib.jar (LibExtensionA.class, LibOne.class)
>   myWarA.war (WarAExtension.class, myWarAServlet.class)
>   myWarB.war (WarBExtension.class, myWarBServlet.class)
> In this example, LibExtensionA, WarAExtension and WarBExtension can observe the classes of 
> LibOne, myWarAServlet and myWarBServlet.
> This kind of contradicts the classloading rules, where separate .war archives packaged under the same .ear should not be able to see each other's classes by default, unless they both use the same classloader.
> We discussed with the Weld dev team (Martin, Thomas, Matej) and Antoine. The feedback is that the CDI spec is unclear on the "observer resolution". I would like to relaunch the discussion to get this clarified and fixed. Please comment.



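Added example, not part of the original message or of Weld: a plain-JDK sketch of the visibility matrix the issue argues extensions should follow for the myApp.ear layout above. It assumes parent-first delegation with each WAR loader as a child of the EAR lib loader; the class name EarVisibilityDemo and the helper visibleFrom are hypothetical.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.LinkedHashMap;
import java.util.Map;

public class EarVisibilityDemo {

    /** True if a class defined by 'definer' is reachable from 'observer' via parent delegation. */
    static boolean visibleFrom(ClassLoader observer, ClassLoader definer) {
        if (definer == null) {
            return true; // bootstrap classes are visible to every loader
        }
        for (ClassLoader cl = observer; cl != null; cl = cl.getParent()) {
            if (cl == definer) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed stand-ins for the loaders of myApp.ear (assumed layout);
        // a real application server creates and wires these itself.
        ClassLoader earLib = new URLClassLoader(new URL[0], ClassLoader.getSystemClassLoader());
        ClassLoader warA = new URLClassLoader(new URL[0], earLib);
        ClassLoader warB = new URLClassLoader(new URL[0], earLib);

        Map<String, ClassLoader> archives = new LinkedHashMap<>();
        archives.put("lib/myLib.jar", earLib);
        archives.put("myWarA.war", warA);
        archives.put("myWarB.war", warB);

        // Print which archive's classes an extension in each archive could load normally.
        for (Map.Entry<String, ClassLoader> observer : archives.entrySet()) {
            for (Map.Entry<String, ClassLoader> definer : archives.entrySet()) {
                boolean ok = visibleFrom(observer.getValue(), definer.getValue());
                System.out.printf("extension in %-13s -> class in %-13s : %s%n",
                        observer.getKey(), definer.getKey(), ok ? "visible" : "hidden");
            }
        }
    }
}
```

Inside a portable extension, the same check could be applied in a ProcessAnnotatedType observer by comparing getClass().getClassLoader() with the class loader of pat.getAnnotatedType().getJavaClass().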