[jboss-jira] [JBoss JIRA] (AS7-6684) Jasper using wrong ProtectionDomain for compiled JSP
David Lloyd (JIRA)
jira-events at lists.jboss.org
Fri Mar 8 09:02:42 EST 2013
[ https://issues.jboss.org/browse/AS7-6684?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12759759#comment-12759759 ]
David Lloyd commented on AS7-6684:
----------------------------------
Using {{Policy.getPermissions()}} is not the right thing to do in this case, because it will cause the JSP class to inherit the minimal set of JDK permissions; the Policy is not used to set the permissions of deployments (they are set by a deployment processor which uses data that will be populated from the {{permissions.xml}} descriptor). The CodeSource should match the one used to create the deployment module resource loader corresponding to the JSP file, and the permission set should come from the one specified in the ModuleSpecification in the deployment processing context.
> Jasper using wrong ProtectionDomain for compiled JSP
> ----------------------------------------------------
>
> Key: AS7-6684
> URL: https://issues.jboss.org/browse/AS7-6684
> Project: Application Server 7
> Issue Type: Bug
> Components: Web
> Reporter: David Lloyd
> Assignee: Remy Maucherat
> Fix For: 8.0.0.Alpha1
>
>
> Compiled JSPs loaded via JasperLoader appear to be using a different ProtectionDomain than the rest of the WAR deployment. I think it should probably be using a PD which contains the permissions from the deployment's ClassLoader, and probably the CodeSource from the deployment unit from which the JSP file originated. This will ensure that permissions set via deployment descriptor and/or the management model will take proper effect.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the jboss-jira
mailing list