[jboss-cvs] JBossAS SVN: r57828 - in branches/JBoss_4_0_2_CP/server/src: etc/conf/default main/org/jboss/web
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Wed Oct 25 15:54:32 EDT 2006
Author: fnasser at redhat.com
Date: 2006-10-25 15:54:30 -0400 (Wed, 25 Oct 2006)
New Revision: 57828
Modified:
branches/JBoss_4_0_2_CP/server/src/etc/conf/default/jboss-service.xml
branches/JBoss_4_0_2_CP/server/src/main/org/jboss/web/WebServer.java
branches/JBoss_4_0_2_CP/server/src/main/org/jboss/web/WebService.java
Log:
ASPATCH-72: JBAS-1896: Disable full class and resource access by default in RMI dynamic class loading service
Modified: branches/JBoss_4_0_2_CP/server/src/etc/conf/default/jboss-service.xml
===================================================================
--- branches/JBoss_4_0_2_CP/server/src/etc/conf/default/jboss-service.xml 2006-10-25 18:05:17 UTC (rev 57827)
+++ branches/JBoss_4_0_2_CP/server/src/etc/conf/default/jboss-service.xml 2006-10-25 19:54:30 UTC (rev 57828)
@@ -164,6 +164,13 @@
<attribute name="Port">8083</attribute>
<!-- Should resources and non-EJB classes be downloadable -->
<attribute name="DownloadServerClasses">true</attribute>
+ <!-- Should resources other than .class files be downloadable. Both
+ DownloadServerClasses and DownloadResources must be true for resources
+ to be downloadable. This is false by default because its generally a
+ bad idea as server configuration files that container security
+ information can be accessed.
+ -->
+ <attribute name="DownloadResources">false</attribute>
<attribute name="Host">${jboss.bind.address}</attribute>
<attribute name="BindAddress">${jboss.bind.address}</attribute>
</mbean>
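Review bot: The existing comment above `DownloadServerClasses` still reads "Should resources and non-EJB classes be downloadable", which is stale now that resources are gated separately by `DownloadResources`; it should become `<!-- Should non-EJB classes be downloadable -->`. The new comment also has two slips: "its generally" should be "it's generally", and "container security information" should be "contain security information". `DownloadServerClasses` stays `true` in this default, so server .class files remain retrievable from the service on port 8083; whether that default should be tightened too deserves an explicit decision. The `<mbean>` element opens outside the hunk.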
Modified: branches/JBoss_4_0_2_CP/server/src/main/org/jboss/web/WebServer.java
===================================================================
--- branches/JBoss_4_0_2_CP/server/src/main/org/jboss/web/WebServer.java 2006-10-25 18:05:17 UTC (rev 57827)
+++ branches/JBoss_4_0_2_CP/server/src/main/org/jboss/web/WebServer.java 2006-10-25 19:54:30 UTC (rev 57828)
@@ -81,6 +81,11 @@
*/
private boolean downloadServerClasses = true;
/**
+ * A flag indicating if the server should attempt to download resources,
+ * i.e. resource paths that don't end in .class
+ */
+ private boolean downloadResources = false;
+ /**
* The class wide mapping of type suffixes(class, txt) to their mime type
* string used as the Content-Type header for the vended classes/resources
*/
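Review bot: `downloadResources` is declared as a plain field, yet it is written by the setter added later in this patch and read in the request-handling condition further down. If requests are served on pool threads (the class exposes `getThreadPool()`, so presumably they are), a run-time change back to `false` is not guaranteed to become visible to those threads. Declaring it `private volatile boolean downloadResources = false;` would make switching the feature off take effect reliably. The neighbouring `downloadServerClasses` field has the same shape and would benefit from the same change.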
@@ -168,6 +173,16 @@
downloadServerClasses = flag;
}
+ public boolean getDownloadResources()
+ {
+ return downloadResources;
+ }
+
+ public void setDownloadResources(boolean flag)
+ {
+ downloadResources = flag;
+ }
+
public BasicThreadPoolMBean getThreadPool()
{
return threadPool;
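Review bot: `getDownloadResources()` and `setDownloadResources(boolean)` are added without Javadoc, although the flag only has an effect in combination with `downloadServerClasses`, as the condition changed later in this file shows. On the setter I would add `/** Enable or disable serving of resources that are not .class files; effective only when downloadServerClasses is also true. */`, with a matching one-line summary on the getter.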
@@ -364,7 +379,7 @@
}
else
{
- if (clazzUrl.getFile().endsWith(".jar"))
+ if (clazzUrl.getFile().endsWith("/") == false)
{
clazzUrl = new URL("jar:" + clazzUrl + "!/" + filePath);
}
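Review bot: The new test `clazzUrl.getFile().endsWith("/") == false` treats every code-source URL that is not a directory as an archive, but nothing here records why the `.jar` check was widened. A comment above the condition such as `// any code source that is not a directory is opened as an archive` would state the intent, and `!clazzUrl.getFile().endsWith("/")` is the more usual spelling. `filePath` is appended to the `jar:` URL unchanged; where it comes from is outside the hunk, so it is worth confirming that it is normalised before this point. The enclosing method begins and ends outside the hunk.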
@@ -379,7 +394,7 @@
bytes = getBytes(clazzUrl);
}
}
- else if (loader != null && filePath.length() > 0 && downloadServerClasses)
+ else if (loader != null && filePath.length() > 0 && downloadServerClasses && downloadResources)
{
// Try getting resource
log.trace("loading resource = " + filePath);
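Review bot: When `downloadResources` is false the resource branch is skipped, and as far as the hunk shows the refusal leaves no log entry, so an operator cannot tell a denied resource request from a resource that does not exist. A final branch that records the denial, for example `log.trace("resource download disabled, not serving: " + filePath);`, would make probing for configuration files visible in the logs. Its exact placement depends on the rest of the if/else chain, which starts and ends outside the hunk.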
Modified: branches/JBoss_4_0_2_CP/server/src/main/org/jboss/web/WebService.java
===================================================================
--- branches/JBoss_4_0_2_CP/server/src/main/org/jboss/web/WebService.java 2006-10-25 18:05:17 UTC (rev 57827)
+++ branches/JBoss_4_0_2_CP/server/src/main/org/jboss/web/WebService.java 2006-10-25 19:54:30 UTC (rev 57828)
@@ -214,6 +214,25 @@
server.setDownloadServerClasses(flag);
}
+ /**
+ * A flag indicating if the server should attempt to download resources,
+ * i.e. resource paths that don't end in .class
+ *
+ * @jmx:managed-attribute
+ */
+ public boolean getDownloadResources()
+ {
+ return server.getDownloadResources();
+ }
+
+ /**
+ * @jmx:managed-attribute
+ */
+ public void setDownloadResources(boolean flag)
+ {
+ server.setDownloadResources(flag);
+ }
+
protected ObjectName getObjectName(MBeanServer server, ObjectName name)
throws javax.management.MalformedObjectNameException
{
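Review bot: The Javadoc on `setDownloadResources` holds only the `@jmx:managed-attribute` tag, so it says nothing about the consequence of enabling the flag. Because the attribute is writable at run time, the `false` default protects the server only while access to the MBean server is restricted, and the comment should say so: `Set the DownloadResources flag. Writable through JMX; enabling it makes server configuration files downloadable, so restrict access to this MBean.`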