dev@glassfish.java.net

Re: Webtier classes visibility to web apps.

From: Jeanfrancois Arcand <Jeanfrancois.Arcand_at_Sun.COM>
Date: Wed, 27 Feb 2008 13:38:56 -0500

Hi,

Jerome Dochez wrote:
> JF, Jan, Amy and Shing Wai
>
> Some of you may have seen the email I sent few minutes back on grails
> deployment in V3 which took 9 minutes rather than 9 seconds. I traced
> down the problem to a combination of factors :
>
> - the webapp class loader likes to delegate up the requests for
> loading classes which is right in most cases.
> - the parent of the web app class loader has the webtier module in
> its list of imported modules, the webtier module itself has a pretty
> healthy list of imports.

Hum..security wise, it's not good as it means people can snif
org.apache.catalina code. It's hard for me to recall, but did we have
those classes in the parent as well in v2? I think we had them because
back in 2003 in Tomcat 5, we added a security mechanism to prevent a web
app to load org.apache classes directly. We never enabled the mechanism
in GlassFish, but I know it is quite easy to hack the container :-)

>
> So each time a class need to be loaded, the modular subsystem is looking
> through a rather big network of module's class loaders to not find the
> requested classes (which happens to be bundled in the war file).
>
> To fix this, we need to stop having the entire webtier classes visibile
> to the web applications (my current hack is based on that, where
> basically, the web app can only load the
> org.apache.jasper.servlet.JspServlet class, through a punching
> mechanism) That's enough to load simple web apps and grails app. Of
> course we need to come up with the exact list of classes that a web
> application should be able to see.
>
> Do you see another solution ?

For sure you need org.apache.jasper.* and some of the
org.apache.catalina/tomcat (need to look at the generated JSP). I think
Kin-Man is the best person to list the classes, but this is quite
dangerous IMO to block the load of those classes.

Why the WEB-INF/lib/*.jar no longer added to the WebappClassloader?
Because if added, we wouldn't have to invoke the parent classloader and
those classes would be loaded much faster...like it was in v2 (against,
I might me wrong ... long time I've broken something there :-))

A+

-- Jeanfrancois


>
> if not, what is the exact list of classes that a web application class
> loader should directly have access to ?




>