[jboss-user] [Security & JAAS/JBoss] - Re: Dynamic login config broken in JBoss 5 Beta4

PeterJ do-not-reply at jboss.com
Wed Sep 3 16:56:40 EDT 2008

I think that this behavior reflects the closing of a hole in the classloading architecture. Essentially, classes within a war should be isolated and not accessible from outside the war. This includes resources. Therefore, the behavior for beta4 was incorrect, while the behavior for CR1 is correct. And the "workaround" Jaikarin posted is in fact the correct way of doing this. 

So I guess I disagree with Anil's earlier statement of what is on the classpath - the xxx.war/web-inf/classes path should not be on the classpath of an ear.

I did notice in the betas that the class isolation rules were relaxed. For a while, it appeared as if there was a single classloader repository and thus all classes, including those in WAR files, were visible everywhere. I noticed that this hole was plugged in CR1.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4174107#4174107

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4174107

More information about the jboss-user mailing list