[jboss-jira] [JBoss JIRA] (WFLY-84) Jasper using wrong ProtectionDomain for compiled JSP
David Lloyd (JIRA)
issues at jboss.org
Fri Feb 7 14:34:28 EST 2014
[ https://issues.jboss.org/browse/WFLY-84?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12942733#comment-12942733 ]
David Lloyd commented on WFLY-84:
---------------------------------
Spelling out the concrete requirements:
* The code source for JSPs in WildFly should be the VFS URL of the WAR deployment (or JAR therein, if that is allowed) from which it originates (which I assume would be the resource root from the parent (module) class loader that contains the JSP file being compiled).
* The protection domain should contain a permission set which is established using the deployment's permissions (though these permissions may be expanded upon) - these permissions are not stored in the Policy, though, as they're so-called "static permissions", so you have to get them either from the deployment context or the class loader of the WAR.
> Jasper using wrong ProtectionDomain for compiled JSP
> ----------------------------------------------------
>
> Key: WFLY-84
> URL: https://issues.jboss.org/browse/WFLY-84
> Project: WildFly
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Web (JBoss Web)
> Reporter: David Lloyd
> Assignee: Remy Maucherat
> Fix For: 8.0.0.Final
>
>
> Compiled JSPs loaded via JasperLoader appear to be using a different ProtectionDomain than the rest of the WAR deployment. I think it should probably be using a PD which contains the permissions from the deployment's ClassLoader, and probably the CodeSource from the deployment unit from which the JSP file originated. This will ensure that permissions set via deployment descriptor and/or the management model will take proper effect.
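The two requirements in the comment, sketched with plain JDK classes as an added example (not WildFly or Jasper code): a hypothetical `JspLoader` defines a compiled class in a `ProtectionDomain` built from the deployment's code source URL and its static permissions. `JspDomainDemo`, `FakeJsp`, the `file:` URL and the `PropertyPermission` are constructed stand-ins, and how the real deployment root and permissions are obtained is left as an assumption.

```java
import java.io.InputStream;
import java.net.URI;
import java.net.URL;
import java.security.CodeSource;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.PropertyPermission;

public class JspDomainDemo {
    /** Stand-in for a compiled JSP class (constructed for this example). */
    public static class FakeJsp {}

    /** Hypothetical loader that defines JSP classes in the deployment's domain. */
    static final class JspLoader extends ClassLoader {
        private final ProtectionDomain domain;
        JspLoader(ClassLoader parent, URL deploymentRoot, PermissionCollection deploymentPerms) {
            super(parent);
            CodeSource source = new CodeSource(deploymentRoot, (Certificate[]) null);
            // Four-argument constructor: the static permissions passed here apply
            // in addition to whatever the installed Policy grants this code source.
            this.domain = new ProtectionDomain(source, deploymentPerms, this, null);
        }

        Class<?> defineJsp(String name, byte[] bytecode) {
            return defineClass(name, bytecode, 0, bytecode.length, domain);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values standing in for the deployment's root and permissions.
        URL root = URI.create("file:/constructed/deployments/example.war/").toURL();
        Permissions perms = new Permissions();
        perms.add(new PropertyPermission("example.setting", "read"));
        String name = FakeJsp.class.getName();
        byte[] bytecode;
        try (InputStream in = JspDomainDemo.class.getClassLoader()
                .getResourceAsStream(name.replace('.', '/') + ".class")) {
            bytecode = in.readAllBytes();
        }
        Class<?> jsp = new JspLoader(JspDomainDemo.class.getClassLoader(), root, perms)
                .defineJsp(name, bytecode);
        ProtectionDomain pd = jsp.getProtectionDomain();
        System.out.println("code source: " + pd.getCodeSource().getLocation());
        System.out.println("example.setting read: "
                + pd.getPermissions().implies(new PropertyPermission("example.setting", "read")));
    }
}
```

Compile with `javac` and run from the class directory so the stand-in class file can be read back as a resource.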