[jboss-cvs] JBossAS SVN: r57828 - in branches/JBoss_4_0_2_CP/server/src: etc/conf/default main/org/jboss/web

jboss-cvs-commits at lists.jboss.org jboss-cvs-commits at lists.jboss.org
Wed Oct 25 15:54:32 EDT 2006


Author: fnasser at redhat.com
Date: 2006-10-25 15:54:30 -0400 (Wed, 25 Oct 2006)
New Revision: 57828

Modified:
   branches/JBoss_4_0_2_CP/server/src/etc/conf/default/jboss-service.xml
   branches/JBoss_4_0_2_CP/server/src/main/org/jboss/web/WebServer.java
   branches/JBoss_4_0_2_CP/server/src/main/org/jboss/web/WebService.java
Log:
ASPATCH-72: JBAS-1896: Disable full class and resource access by default in RMI dynamic class loading service

Modified: branches/JBoss_4_0_2_CP/server/src/etc/conf/default/jboss-service.xml
===================================================================
--- branches/JBoss_4_0_2_CP/server/src/etc/conf/default/jboss-service.xml	2006-10-25 18:05:17 UTC (rev 57827)
+++ branches/JBoss_4_0_2_CP/server/src/etc/conf/default/jboss-service.xml	2006-10-25 19:54:30 UTC (rev 57828)
@@ -164,6 +164,13 @@
       <attribute name="Port">8083</attribute>
       <!-- Should resources and non-EJB classes be downloadable -->
       <attribute name="DownloadServerClasses">true</attribute>
+      <!-- Should resources other than .class files be downloadable. Both
+         DownloadServerClasses and DownloadResources must be true for resources
+         to be downloadable. This is false by default because its generally a
+         bad idea as server configuration files that container security
+         information can be accessed.
+       -->
+      <attribute name="DownloadResources">false</attribute>
       <attribute name="Host">${jboss.bind.address}</attribute>
       <attribute name="BindAddress">${jboss.bind.address}</attribute>
    </mbean>
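Review bot: The unchanged comment above `DownloadServerClasses` still says that attribute decides whether "resources and non-EJB classes" are downloadable, which is misleading now that resources are gated separately by `DownloadResources`; its text should become something like `Should non-EJB classes be downloadable (resources additionally require DownloadResources)`. The added comment has two slips that blur the warning: "its generally" should be "it's generally", and "files that container security information" should be "files that contain security information". Because `DownloadServerClasses` stays `true`, the comment could also state that non-EJB classes remain downloadable by default on this port. The enclosing mbean element starts outside the hunk.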

Modified: branches/JBoss_4_0_2_CP/server/src/main/org/jboss/web/WebServer.java
===================================================================
--- branches/JBoss_4_0_2_CP/server/src/main/org/jboss/web/WebServer.java	2006-10-25 18:05:17 UTC (rev 57827)
+++ branches/JBoss_4_0_2_CP/server/src/main/org/jboss/web/WebServer.java	2006-10-25 19:54:30 UTC (rev 57828)
@@ -81,6 +81,11 @@
     */
    private boolean downloadServerClasses = true;
    /**
+    * A flag indicating if the server should attempt to download resources,
+    * i.e. resource paths that don't end in .class
+    */
+   private boolean downloadResources = false;
+   /**
     * The class wide mapping of type suffixes(class, txt) to their mime type
     * string used as the Content-Type header for the vended classes/resources
     */
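Review bot: The Javadoc on `downloadResources` leaves out that the flag only takes effect when `downloadServerClasses` is also true (see the `else if` changed further down in this file) and why it defaults to false, which the jboss-service.xml comment explains as resources possibly including configuration files with security information. Suggested extra line: `* Only honoured when downloadServerClasses is also true; false by default because resources can include configuration files holding security data.` The same gap applies to the undocumented `getDownloadResources`/`setDownloadResources` accessors added in the next hunk and to the setter Javadoc in WebService.java, which carries only the `@jmx:managed-attribute` tag. "attempt to download" would read more accurately as "serve", since the neighbouring comment describes this class as vending the classes and resources.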
@@ -168,6 +173,16 @@
       downloadServerClasses = flag;
    }
 
+   public boolean getDownloadResources()
+   {
+      return downloadResources;
+   }
+
+   public void setDownloadResources(boolean flag)
+   {
+      downloadResources = flag;
+   }
+
    public BasicThreadPoolMBean getThreadPool()
    {
       return threadPool;
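Review bot: `setDownloadResources` flips a security-relevant default without leaving any trace, so the logs cannot show when resource serving was switched on; the WebService.java hunk exposes this setter as a JMX managed attribute. Consider `if (flag && !downloadResources) log.warn("DownloadResources enabled: non-class resources are now served");` before the assignment. The field is written here and read while requests are handled, presumably on other threads, so whether it needs `volatile` is worth confirming; `downloadServerClasses` follows the same pattern. `getThreadPool` continues past the end of the hunk.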
@@ -364,7 +379,7 @@
                }
                else
                {
-                  if (clazzUrl.getFile().endsWith(".jar"))
+                  if (clazzUrl.getFile().endsWith("/") == false)
                   {
                      clazzUrl = new URL("jar:" + clazzUrl + "!/" + filePath);
                   }
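Review bot: The new test `clazzUrl.getFile().endsWith("/") == false` treats every code-source location that is not a directory as an archive, so a location that is a plain non-archive file now also takes the `jar:` path, where opening the URL will fail. Whether that failure becomes a clean error response is decided outside this hunk and is worth confirming. `filePath` is concatenated into the `jar:` URL as-is, so if it is derived directly from the request it should be rejected earlier when it contains `..` segments. As a style point, `!clazzUrl.getFile().endsWith("/")` is clearer than comparing with `false`. The enclosing method starts and ends outside the hunk.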
@@ -379,7 +394,7 @@
                   bytes = getBytes(clazzUrl);
                }
             }
-            else if (loader != null && filePath.length() > 0 && downloadServerClasses)
+            else if (loader != null && filePath.length() > 0 && downloadServerClasses && downloadResources)
             {
                // Try getting resource
                log.trace("loading resource = " + filePath);
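Review bot: With the added `&& downloadResources` term, a refused resource request falls through to whatever follows this `else if`, which is outside the hunk, and nothing visible here records the refusal. A log line on that path, e.g. `log.debug("resource download disabled, not serving " + filePath);`, would let operators spot requests for non-class paths when reviewing access to the class-loading port. A short comment above the condition would also help, such as `// resources are served only if both downloadServerClasses and downloadResources are set`, matching the jboss-service.xml text.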

Modified: branches/JBoss_4_0_2_CP/server/src/main/org/jboss/web/WebService.java
===================================================================
--- branches/JBoss_4_0_2_CP/server/src/main/org/jboss/web/WebService.java	2006-10-25 18:05:17 UTC (rev 57827)
+++ branches/JBoss_4_0_2_CP/server/src/main/org/jboss/web/WebService.java	2006-10-25 19:54:30 UTC (rev 57828)
@@ -214,6 +214,25 @@
       server.setDownloadServerClasses(flag);
    }
 
+   /**
+    * A flag indicating if the server should attempt to download resources,
+    * i.e. resource paths that don't end in .class
+    *
+    * @jmx:managed-attribute
+    */
+   public boolean getDownloadResources()
+   {
+      return server.getDownloadResources();
+   }
+
+   /**
+    * @jmx:managed-attribute
+    */
+   public void setDownloadResources(boolean flag)
+   {
+      server.setDownloadResources(flag);
+   }
+
    protected ObjectName getObjectName(MBeanServer server, ObjectName name)
       throws javax.management.MalformedObjectNameException
    {



