[jboss-jira] [JBoss JIRA] (AS7-6684) Jasper using wrong ProtectionDomain for compiled JSP

Remy Maucherat (JIRA) jira-events at lists.jboss.org
Fri Mar 8 08:50:42 EST 2013


    [ https://issues.jboss.org/browse/AS7-6684?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12759752#comment-12759752 ] 

Remy Maucherat commented on AS7-6684:
-------------------------------------

The relevant code is in o.a.jasper.compiler.JspRuntimeContext.initSecurity and is very readable about what it does. What would be the concrete suggestions to overhaul it?

- It uses Policy.getPermissions(CodeSource) to add permissions. An alternative is to use Policy.getPermissions(new ProtectionDomain(CodeSource, etc)) to do the same thing.
- The CodeSource used is the work folder URL if the webapp is not exploded (if it is, it should be using the deployment folder URL), because the code thinks it is a good idea to use a path that is actually usable, rather than some arbitrary path. If I understand, you would prefer to use the (absolute canonical) deployment path URL instead?
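
The following is an added illustration of the point under discussion, not Jasper's or JBoss's code: a toy java.security.Policy whose grant is keyed on the deployment codebase, queried once through a ProtectionDomain built from the deployment URL and once from a work-folder URL, so that a grant written against the deployment path is honoured for the first CodeSource and silently absent for the second. Both file paths and the FilePermission grant are constructed for the example; only the standard JDK is assumed.

```java
import java.io.FilePermission;
import java.net.URI;
import java.net.URL;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class JspCodeSourceDemo {

    /** Toy policy (constructed): one grant keyed on the deployment codebase, nothing elsewhere. */
    static final class DeploymentPolicy extends Policy {
        private final URL grantedCodebase;
        DeploymentPolicy(URL grantedCodebase) { this.grantedCodebase = grantedCodebase; }

        @Override
        public PermissionCollection getPermissions(CodeSource cs) {
            Permissions perms = new Permissions();
            // Match by location, as a policy-file "grant codeBase" entry would.
            if (cs != null && cs.getLocation() != null
                    && cs.getLocation().toExternalForm().equals(grantedCodebase.toExternalForm())) {
                perms.add(new FilePermission("/srv/app/data/-", "read"));
            }
            return perms;
        }

        @Override
        public PermissionCollection getPermissions(ProtectionDomain pd) {
            // Same grant logic reached via the PD, the alternative lookup mentioned in the comment.
            return getPermissions(pd.getCodeSource());
        }
    }

    /** Builds a ProtectionDomain for the given codebase and asks the policy whether it implies p. */
    static boolean implies(Policy policy, URL codebase, Permission p) {
        CodeSource cs = new CodeSource(codebase, (Certificate[]) null);
        ProtectionDomain pd = new ProtectionDomain(cs, null, null, null);
        return policy.getPermissions(pd).implies(p);
    }

    public static void main(String[] args) throws Exception {
        URL deployment = URI.create("file:/srv/app/deployments/example.war/").toURL(); // constructed
        URL workDir    = URI.create("file:/srv/app/tmp/work/example.war/").toURL();    // constructed
        Policy policy  = new DeploymentPolicy(deployment);
        Permission wanted = new FilePermission("/srv/app/data/report.txt", "read");
        System.out.println("deployment CodeSource implies read: " + implies(policy, deployment, wanted));
        System.out.println("work-dir CodeSource implies read:   " + implies(policy, workDir, wanted));
    }
}
```

Compiled JSP classes whose CodeSource points at the work folder would fall into the second case, which is why a grant scoped to the deployment codebase does not reach them.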
                
> Jasper using wrong ProtectionDomain for compiled JSP
> ----------------------------------------------------
>
>                 Key: AS7-6684
>                 URL: https://issues.jboss.org/browse/AS7-6684
>             Project: Application Server 7
>          Issue Type: Bug
>          Components: Web
>            Reporter: David Lloyd
>            Assignee: Remy Maucherat
>             Fix For: 8.0.0.Alpha1
>
>
> Compiled JSPs loaded via JasperLoader appear to be using a different ProtectionDomain than the rest of the WAR deployment.  I think it should probably be using a PD which contains the permissions from the deployment's ClassLoader, and probably the CodeSource from the deployment unit from which the JSP file originated.  This will ensure that permissions set via deployment descriptor and/or the management model will take proper effect.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

