Eclipse
/
jetty.project
mirror of https://github.com/jetty/jetty.project.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

System Server Classes 

Renaming to Hidden/Protected
This commit is contained in:
gregw 2024-03-25 13:26:47 +01:00
parent 3866b7527e
commit 01f2903cde
31 changed files with 474 additions and 313 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
jetty-core/jetty-ee/src/main/config/etc/jetty-ee-webapp.xml
View File

@ -2,20 +2,20 @@
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd">
<Configure id="Server" class="org.eclipse.jetty.server.Server">
<Call class="org.eclipse.jetty.ee.WebappProtectedClasses" name="addSystemClasses">
<Call class="org.eclipse.jetty.ee.WebappClassLoading" name="addProtectedClasses">
<Arg><Ref refid="Server"/></Arg>
<Arg>
<Call class="org.eclipse.jetty.util.StringUtil" name="csvSplit">
<Arg><Property name="jetty.server.addSystemClasses"/></Arg>
<Arg><Property name="jetty.server.addProtectedClasses"/></Arg>
</Call>
</Arg>
</Call>
<Call class="org.eclipse.jetty.ee.WebappProtectedClasses" name="addServerClasses">
<Call class="org.eclipse.jetty.ee.WebappClassLoading" name="addHiddenClasses">
<Arg><Ref refid="Server"/></Arg>
<Arg>
<Call class="org.eclipse.jetty.util.StringUtil" name="csvSplit">
<Arg><Property name="jetty.server.addServerClasses"/></Arg>
<Arg><Property name="jetty.server.addHiddenClasses"/></Arg>
</Call>
</Arg>
</Call>

8
jetty-core/jetty-ee/src/main/config/modules/ee-webapp.mod
View File

@ -14,8 +14,8 @@ lib/jetty-ee-webapp-${jetty.version}.jar
[ini-template]
# tag::ini-template[]
## Add to the server wide default jars and packages protected or hidden from webapps.
## System classes are protected and cannot be overridden by a webapp.
## Server classes are hidden and cannot be seen by a webapp
## Protected (aka System) classes cannot be overridden by a webapp.
## Hidden (aka Server) classes cannot be seen by a webapp
## Lists of patterns are comma separated and may be either:
## + a qualified classname e.g. 'com.acme.Foo'
## + a package name e.g. 'net.example.'
@ -25,7 +25,7 @@ lib/jetty-ee-webapp-${jetty.version}.jar
##
## The +=, operator appends to a CSV list with a comma as needed.
##
#jetty.server.addSystemClasses+=,org.example.
#jetty.server.addServerClasses+=,org.example.
#jetty.server.addProtectedClasses+=,org.example.
#jetty.server.addHiddenClasses+=,org.example.
# end::ini-template[]

181
jetty-core/jetty-ee/src/main/java/org/eclipse/jetty/ee/WebappClassLoading.java Normal file
View File

@ -0,0 +1,181 @@
package org.eclipse.jetty.ee;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.util.Attributes;
import org.eclipse.jetty.util.ClassMatcher;
import org.eclipse.jetty.util.component.Environment;
/**
* Common attributes and methods for configuring the {@link ClassLoader Class loading} of web application:
* <ul>
* <li>Protected (a.k.a. System) classes are classes typically provided by the JVM, that cannot be replaced by the
* web application, and they are always loaded via the environment or system classloader. They are visible but
* protected.</li>
* <li>Hidden (a.k.a. Server) classes are those used to implement the Server and are not made available to the
* web application. They are hidden from the web application {@link ClassLoader}.</li>
* </ul>
* <p>These protections are set to reasonable defaults {@link #DEFAULT_PROTECTED_CLASSES} and {@link #DEFAULT_HIDDEN_CLASSES},
* which may be programmatically configured and will affect the defaults applied to all web applications in the same JVM.
*
* <p>
* The defaults applied by a specific {@link Server} can be configured using {@link #addProtectedClasses(Server, String...)} and
* {@link #addHiddenClasses(Server, String...)}. Alternately the {@link Server} attributes {@link #PROTECTED_CLASSES_ATTRIBUTE}
* and {@link #HIDDEN_CLASSES_ATTRIBUTE} may be used to direct set a {@link ClassMatcher} to use for all web applications
* within the server instance.
* </p>
* <p>
* The defaults applied by a specific {@link Environment} can be configured using {@link #addProtectedClasses(Environment, String...)} and
* {@link #addHiddenClasses(Environment, String...)}. Alternately the {@link Environment} attributes {@link #PROTECTED_CLASSES_ATTRIBUTE}
* and {@link #HIDDEN_CLASSES_ATTRIBUTE} may be used to direct set a {@link ClassMatcher} to use for all web applications
* within the server instance.
* </p>
* <p>
* Ultimately, the configurations set by this class only affects the defaults applied to each web application
* {@link org.eclipse.jetty.server.handler.ContextHandler Context} and the {@link ClassMatcher} fields of the web applications
* can be directly access to configure a specific context.
* </p>
*/
public class WebappClassLoading
{
public static final String PROTECTED_CLASSES_ATTRIBUTE = "org.eclipse.jetty.webapp.systemClasses";
public static final String HIDDEN_CLASSES_ATTRIBUTE = "org.eclipse.jetty.webapp.serverClasses";
/**
* The default protected (system) classes used by a web application, which can be overridden by {@link Server},
* {@link Environment} or {@link org.eclipse.jetty.server.handler.ContextHandler Context} configuration.
*/
public static final ClassMatcher DEFAULT_PROTECTED_CLASSES = new ClassMatcher(
"java.", // Java SE classes (per servlet spec v2.5 / SRV.9.7.2)
"javax.", // Java SE classes (per servlet spec v2.5 / SRV.9.7.2)
"jakarta.", // Jakarta classes (per servlet spec v5.0 / Section 15.2.1)
"org.xml.", // javax.xml
"org.w3c." // javax.xml
);
/**
* The default hidden (server) classes used by a web application, which can be overridden by {@link Server},
* {@link Environment} or {@link org.eclipse.jetty.server.handler.ContextHandler Context} configuration.
*/
public static final ClassMatcher DEFAULT_HIDDEN_CLASSES = new ClassMatcher(
"org.eclipse.jetty." // hide jetty classes
);
/**
* Get the default protected (system) classes for a {@link Server}
* @param server The {@link Server} for the defaults
* @return The default protected (system) classes for the {@link Server}, which will be the {@link #DEFAULT_PROTECTED_CLASSES} if not previously configured.
*/
public static ClassMatcher getProtectedClasses(Server server)
{
return getClassMatcher(server, PROTECTED_CLASSES_ATTRIBUTE, null);
}
/**
* Get the default protected (system) classes for an {@link Environment}
* @param environment The {@link Server} for the defaults
* @return The default protected (system) classes for the {@link Environment}, which will be empty if not previously configured.
*/
public static ClassMatcher getProtectedClasses(Environment environment)
{
return getClassMatcher(environment, PROTECTED_CLASSES_ATTRIBUTE, null);
}
/**
* Add a protected (system) Class pattern to use for all WebAppContexts.
* @param patterns the patterns to use
*/
public static void addProtectedClasses(String... patterns)
{
DEFAULT_PROTECTED_CLASSES.add(patterns);
}
/**
* Add a protected (system) Class pattern to use for all WebAppContexts of a given {@link Server}.
* @param server The {@link Server} instance to add classes to
* @param patterns the patterns to use
*/
public static void addProtectedClasses(Server server, String... patterns)
{
addClasses(server, PROTECTED_CLASSES_ATTRIBUTE, DEFAULT_PROTECTED_CLASSES, patterns);
}
/**
* Add a protected (system) Class pattern to use for WebAppContexts of a given environment.
* @param environment The {@link Environment} instance to add classes to
* @param patterns the patterns to use
*/
public static void addProtectedClasses(Environment environment, String... patterns)
{
addClasses(environment, PROTECTED_CLASSES_ATTRIBUTE, DEFAULT_PROTECTED_CLASSES, patterns);
}
/**
* Get the default hidden (server) classes for a {@link Server}
* @param server The {@link Server} for the defaults
* @return The default hidden (server) classes for the {@link Server}, which will be the
* {@link #DEFAULT_PROTECTED_CLASSES} if not previously configured.
*/
public static ClassMatcher getHiddenClasses(Server server)
{
return getClassMatcher(server, HIDDEN_CLASSES_ATTRIBUTE, DEFAULT_HIDDEN_CLASSES);
}
/**
* Get the default hidden (server) classes for an {@link Environment}
* @param environment The {@link Server} for the defaults
* @return The default hidden (server) classes for the {@link Environment}, which will be empty if not previously configured.
*/
public static ClassMatcher getHiddenClasses(Environment environment)
{
return getClassMatcher(environment, HIDDEN_CLASSES_ATTRIBUTE, DEFAULT_HIDDEN_CLASSES);
}
/**
* Add a hidden (server) Class pattern to use for all WebAppContexts of a given {@link Server}.
* @param patterns the patterns to use
*/
public static void addHiddenClasses(String... patterns)
{
DEFAULT_HIDDEN_CLASSES.add(patterns);
}
/**
* Add a hidden (server) Class pattern to use for all WebAppContexts of a given {@link Server}.
* @param server The {@link Server} instance to add classes to
* @param patterns the patterns to use
*/
public static void addHiddenClasses(Server server, String... patterns)
{
addClasses(server, HIDDEN_CLASSES_ATTRIBUTE, DEFAULT_HIDDEN_CLASSES, patterns);
}
/**
* Add a hidden (server) Class pattern to use for all ee9 WebAppContexts.
* @param environment The {@link Environment} instance to add classes to
* @param patterns the patterns to use
*/
public static void addHiddenClasses(Environment environment, String... patterns)
{
addClasses(environment, HIDDEN_CLASSES_ATTRIBUTE, DEFAULT_HIDDEN_CLASSES, patterns);
}
private static void addClasses(Attributes attributes, String attribute, ClassMatcher defaultPatterns, String... patterns)
{
ClassMatcher classMatcher = getClassMatcher(attributes, attribute, defaultPatterns);
if (patterns != null && patterns.length > 0)
classMatcher.add(patterns);
}
private static ClassMatcher getClassMatcher(Attributes attributes, String attribute, ClassMatcher defaultPatterns)
{
Object existing = attributes.getAttribute(attribute);
if (existing instanceof ClassMatcher cm)
return cm;
ClassMatcher classMatcher = (existing instanceof String[] stringArray)
? new ClassMatcher(stringArray) : new ClassMatcher(defaultPatterns);
attributes.setAttribute(attribute, classMatcher);
return classMatcher;
}
}

129
jetty-core/jetty-ee/src/main/java/org/eclipse/jetty/ee/WebappProtectedClasses.java
View File

@ -1,129 +0,0 @@
package org.eclipse.jetty.ee;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.util.Attributes;
import org.eclipse.jetty.util.ClassMatcher;
import org.eclipse.jetty.util.component.Environment;
public class WebappProtectedClasses
{
public static final String SYSTEM_CLASSES_ATTRIBUTE = "org.eclipse.jetty.webapp.systemClasses";
public static final String SERVER_CLASSES_ATTRIBUTE = "org.eclipse.jetty.webapp.serverClasses";
// System classes are classes that cannot be replaced by
// the web application, and they are *always* loaded via
// system classloader.
public static final ClassMatcher DEFAULT_SYSTEM_CLASSES = new ClassMatcher(
"java.", // Java SE classes (per servlet spec v2.5 / SRV.9.7.2)
"javax.", // Java SE classes (per servlet spec v2.5 / SRV.9.7.2)
"jakarta.", // Jakarta classes (per servlet spec v5.0 / Section 15.2.1)
"org.xml.", // javax.xml
"org.w3c." // javax.xml
);
// Server classes are classes that are hidden from being
// loaded by the web application using system classloader,
// so if web application needs to load any of such classes,
// it has to include them in its distribution.
public static final ClassMatcher DEFAULT_SERVER_CLASSES = new ClassMatcher(
"org.eclipse.jetty." // hide jetty classes
);
public static ClassMatcher getSystemClasses(Server server)
{
return getClassMatcher(server, SYSTEM_CLASSES_ATTRIBUTE, null);
}
public static ClassMatcher getSystemClasses(Environment environment)
{
return getClassMatcher(environment, SYSTEM_CLASSES_ATTRIBUTE, null);
}
/**
* Add a System Class pattern to use for all WebAppContexts.
* @param patterns the patterns to use
*/
public static void addSystemClasses(String... patterns)
{
DEFAULT_SYSTEM_CLASSES.add(patterns);
}
/**
* Add a System Class pattern to use for all WebAppContexts of a given {@link Server}.
* @param server The {@link Server} instance to add classes to
* @param patterns the patterns to use
*/
public static void addSystemClasses(Server server, String... patterns)
{
addClasses(server, SYSTEM_CLASSES_ATTRIBUTE, DEFAULT_SYSTEM_CLASSES, patterns);
}
/**
* Add a System Class pattern to use for WebAppContexts of a given environment.
* @param environment The {@link Environment} instance to add classes to
* @param patterns the patterns to use
*/
public static void addSystemClasses(Environment environment, String... patterns)
{
addClasses(environment, SYSTEM_CLASSES_ATTRIBUTE, DEFAULT_SYSTEM_CLASSES, patterns);
}
public static ClassMatcher getServerClasses(Server server)
{
return getClassMatcher(server, SERVER_CLASSES_ATTRIBUTE, DEFAULT_SERVER_CLASSES);
}
public static ClassMatcher getServerClasses(Environment environment)
{
return getClassMatcher(environment, SERVER_CLASSES_ATTRIBUTE, DEFAULT_SERVER_CLASSES);
}
/**
* Add a Server Class pattern to use for all WebAppContexts of a given {@link Server}.
* @param patterns the patterns to use
*/
public static void addServerClasses(String... patterns)
{
DEFAULT_SERVER_CLASSES.add(patterns);
}
/**
* Add a Server Class pattern to use for all WebAppContexts of a given {@link Server}.
* @param server The {@link Server} instance to add classes to
* @param patterns the patterns to use
*/
public static void addServerClasses(Server server, String... patterns)
{
addClasses(server, SERVER_CLASSES_ATTRIBUTE, DEFAULT_SERVER_CLASSES, patterns);
}
/**
* Add a Server Class pattern to use for all ee9 WebAppContexts.
* @param environment The {@link Environment} instance to add classes to
* @param patterns the patterns to use
*/
public static void addServerClasses(Environment environment, String... patterns)
{
addClasses(environment, SERVER_CLASSES_ATTRIBUTE, DEFAULT_SERVER_CLASSES, patterns);
}
private static void addClasses(Attributes attributes, String attribute, ClassMatcher defaultPatterns, String... patterns)
{
ClassMatcher classMatcher = getClassMatcher(attributes, attribute, defaultPatterns);
if (patterns != null && patterns.length > 0)
classMatcher.add(patterns);
}
private static ClassMatcher getClassMatcher(Attributes attributes, String attribute, ClassMatcher defaultPatterns)
{
Object existing = attributes.getAttribute(attribute);
if (existing instanceof ClassMatcher cm)
return cm;
ClassMatcher classMatcher = (existing instanceof String[] stringArray)
? new ClassMatcher(stringArray) : new ClassMatcher(defaultPatterns);
attributes.setAttribute(attribute, classMatcher);
return classMatcher;
}
}

2
jetty-core/jetty-keystore/src/main/config/modules/test-keystore.mod
View File

@ -25,7 +25,7 @@ etc/jetty-test-keystore.xml
[ini]
bouncycastle.version?=@bouncycastle.version@
jetty.webapp.addServerClasses+=,${jetty.base.uri}/lib/bouncycastle/
jetty.webapp.addHiddenClasses+=,${jetty.base.uri}/lib/bouncycastle/
jetty.sslContext.keyStorePath?=etc/test-keystore.p12
jetty.sslContext.keyStoreType?=PKCS12
jetty.sslContext.keyStorePassword?=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4

2
jetty-core/jetty-session/src/main/java/org/eclipse/jetty/session/SessionData.java
View File

@ -89,7 +89,7 @@ public class SessionData implements Serializable
//Clazz not loaded by context classloader, but ask if loadable by context classloader,
//because preferable to use context classloader if possible (eg for deep structures).
ClassVisibilityChecker checker = (ClassVisibilityChecker)(contextLoader);
isContextLoader = (checker.isSystemClass(clazz) && !(checker.isServerClass(clazz)));
isContextLoader = (checker.isProtectedClass(clazz) && !(checker.isHiddenClass(clazz)));
}
else
{

4
jetty-core/jetty-util/src/main/java/org/eclipse/jetty/util/ClassVisibilityChecker.java
View File

@ -31,7 +31,7 @@ public interface ClassVisibilityChecker
* @param clazz The fully qualified name of the class.
* @return True if the class is a system class.
*/
boolean isSystemClass(Class<?> clazz);
boolean isProtectedClass(Class<?> clazz);
/**
* Is the class a Server Class.
@ -43,5 +43,5 @@ public interface ClassVisibilityChecker
* @param clazz The fully qualified name of the class.
* @return True if the class is a server class.
*/
boolean isServerClass(Class<?> clazz);
boolean isHiddenClass(Class<?> clazz);
}

2
jetty-ee10/jetty-ee10-demos/jetty-ee10-demo-proxy-webapp/src/test/java/org/eclipse/jetty/ee10/demos/ProxyWebAppTest.java
View File

@ -54,7 +54,7 @@ public class ProxyWebAppTest
// This is a pieced together WebApp.
// We don't have a valid WEB-INF/lib to rely on at this point.
// So, open up server classes here, for purposes of this testcase.
webapp.getServerClassMatcher().add("-org.eclipse.jetty.ee10.proxy.");
webapp.getHiddenClassMatcher().add("-org.eclipse.jetty.ee10.proxy.");
webapp.setWar(MavenTestingUtils.getProjectDirPath("src/main/webapp").toString());
webapp.setExtraClasspath(MavenTestingUtils.getTargetPath().resolve("test-classes").toString());
server.setHandler(webapp);

2
jetty-ee10/jetty-ee10-plus/src/test/java/org/eclipse/jetty/ee10/plus/webapp/PlusDescriptorProcessorTest.java
View File

@ -129,7 +129,7 @@ public class PlusDescriptorProcessorTest
context.setConfigurations(new Configuration[]{new PlusConfiguration(), new EnvConfiguration()});
context.preConfigure();
context.setClassLoader(new WebAppClassLoader(Thread.currentThread().getContextClassLoader(), context));
context.getServerClassMatcher().exclude("org.eclipse.jetty.ee10.plus.webapp."); //need visbility of the TestInjections class
context.getHiddenClassMatcher().exclude("org.eclipse.jetty.ee10.plus.webapp."); //need visbility of the TestInjections class
ClassLoader oldLoader = Thread.currentThread().getContextClassLoader();
Thread.currentThread().setContextClassLoader(context.getClassLoader());
Context icontext = new InitialContext();

8
jetty-ee10/jetty-ee10-quickstart/src/test/java/org/eclipse/jetty/ee10/quickstart/TestQuickStart.java
View File

@ -89,7 +89,7 @@ public class TestQuickStart
WebAppContext webapp = new WebAppContext();
webapp.setBaseResourceAsPath(testDir.toPath());
webapp.addConfiguration(new QuickStartConfiguration());
webapp.getServerClassMatcher().exclude("org.eclipse.jetty.ee10.quickstart.");
webapp.getHiddenClassMatcher().exclude("org.eclipse.jetty.ee10.quickstart.");
webapp.setAttribute(QuickStartConfiguration.MODE, QuickStartConfiguration.Mode.QUICKSTART);
//add in the servlet
webapp.getServletHandler().addServlet(fooHolder);
@ -139,7 +139,7 @@ public class TestQuickStart
webapp.addConfiguration(new QuickStartConfiguration());
webapp.setAttribute(QuickStartConfiguration.MODE, QuickStartConfiguration.Mode.QUICKSTART);
webapp.setBaseResourceAsPath(testDir.toPath());
webapp.getServerClassMatcher().exclude("org.eclipse.jetty.ee10.quickstart.");
webapp.getHiddenClassMatcher().exclude("org.eclipse.jetty.ee10.quickstart.");
server.setHandler(webapp);
server.setDryRun(false);
@ -180,7 +180,7 @@ public class TestQuickStart
webapp.addConfiguration(new QuickStartConfiguration());
webapp.setAttribute(QuickStartConfiguration.MODE, QuickStartConfiguration.Mode.QUICKSTART);
webapp.setBaseResourceAsPath(testDir.toPath());
webapp.getServerClassMatcher().exclude("org.eclipse.jetty.ee10.quickstart.");
webapp.getHiddenClassMatcher().exclude("org.eclipse.jetty.ee10.quickstart.");
server.setHandler(webapp);
server.setDryRun(false);
@ -255,7 +255,7 @@ public class TestQuickStart
//a freshly applied context xml
quickstart = new WebAppContext();
//need visibility of FooServlet, FooFilter, FooContextListener when we quickstart
quickstart.getServerClassMatcher().exclude("org.eclipse.jetty.ee10.quickstart.");
quickstart.getHiddenClassMatcher().exclude("org.eclipse.jetty.ee10.quickstart.");
quickstart.addConfiguration(new QuickStartConfiguration());
quickstart.setWar(testDir.toURI().toURL().toExternalForm());
quickstart.setDescriptor(MavenTestingUtils.getTestResourceFile("web.xml").getAbsolutePath());

9
jetty-ee10/jetty-ee10-tests/jetty-ee10-test-cdi/src/test/java/org/eclipse/jetty/ee10/cdi/tests/EmbeddedWeldTest.java
View File

@ -29,7 +29,6 @@ import org.eclipse.jetty.ee10.webapp.WebAppContext;
import org.eclipse.jetty.server.LocalConnector;
import org.eclipse.jetty.server.Server;
import org.junit.jupiter.api.Assumptions;
import org.junit.jupiter.api.Disabled;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.ValueSource;
@ -204,8 +203,8 @@ public class EmbeddedWeldTest
webapp.addServletContainerInitializer(new org.jboss.weld.environment.servlet.EnhancedListener());
String pkg = EmbeddedWeldTest.class.getPackage().getName();
webapp.getServerClassMatcher().add("-" + pkg + ".");
webapp.getSystemClassMatcher().add(pkg + ".");
webapp.getHiddenClassMatcher().add("-" + pkg + ".");
webapp.getProtectedClassMatcher().add(pkg + ".");
webapp.addServlet(GreetingsServlet.class, "/greet");
webapp.addFilter(MyFilter.class, "/*", EnumSet.of(DispatcherType.REQUEST));
@ -240,8 +239,8 @@ public class EmbeddedWeldTest
// This is ugly but needed for maven for testing in a overlaid war pom
String pkg = EmbeddedWeldTest.class.getPackage().getName();
webapp.getServerClassMatcher().add("-" + pkg + ".");
webapp.getSystemClassMatcher().add(pkg + ".");
webapp.getHiddenClassMatcher().add("-" + pkg + ".");
webapp.getProtectedClassMatcher().add(pkg + ".");
webapp.getServletHandler().addListener(new ListenerHolder(MyContextListener.class));
webapp.addFilter(MyFilter.class, "/*", EnumSet.of(DispatcherType.REQUEST));

8
jetty-ee10/jetty-ee10-webapp/src/main/config/etc/jetty-ee10-webapp.xml
View File

@ -2,20 +2,20 @@
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd">
<Configure id="Server" class="org.eclipse.jetty.server.Server">
<Call class="org.eclipse.jetty.ee.WebappProtectedClasses" name="addSystemClasses">
<Call class="org.eclipse.jetty.ee.WebappClassLoading" name="addProtectedClasses">
<Arg><Ref refid="Environment"/></Arg>
<Arg>
<Call class="org.eclipse.jetty.util.StringUtil" name="csvSplit">
<Arg><Property name="jetty.webapp.addSystemClasses"/></Arg>
<Arg><Property name="jetty.webapp.addProtectedClasses" deprecated="jetty.webapp.addSystemClasses"/></Arg>
</Call>
</Arg>
</Call>
<Call class="org.eclipse.jetty.ee.WebappProtectedClasses" name="addServerClasses">
<Call class="org.eclipse.jetty.ee.WebappClassLoading" name="addHiddenClasses">
<Arg><Ref refid="Environment"/></Arg>
<Arg>
<Call class="org.eclipse.jetty.util.StringUtil" name="csvSplit">
<Arg><Property name="jetty.webapp.addServerClasses"/></Arg>
<Arg><Property name="jetty.webapp.addHiddenClasses" deprecated="jetty.webapp.addServerClasses"/></Arg>
</Call>
</Arg>
</Call>

8
jetty-ee10/jetty-ee10-webapp/src/main/config/modules/ee10-webapp.mod
View File

@ -22,8 +22,8 @@ lib/jetty-ee10-webapp-${jetty.version}.jar
[ini-template]
# tag::ini-template[]
## Add to the environment wide default jars and packages protected or hidden from webapps.
## System classes are protected and cannot be overridden by a webapp.
## Server classes are hidden and cannot be seen by a webapp
## Protected (aka System) classes cannot be overridden by a webapp.
## Hidden (aka Server) classes cannot be seen by a webapp
## Lists of patterns are comma separated and may be either:
## + a qualified classname e.g. 'com.acme.Foo'
## + a package name e.g. 'net.example.'
@ -33,8 +33,8 @@ lib/jetty-ee10-webapp-${jetty.version}.jar
##
## The +=, operator appends to a CSV list with a comma as needed.
##
#jetty.webapp.addSystemClasses+=,org.example.
#jetty.webapp.addServerClasses+=,org.example.
#jetty.webapp.addProtectedClasses+=,org.example.
#jetty.webapp.addHiddenClasses+=,org.example.
# end::ini-template[]
[ini]

32
jetty-ee10/jetty-ee10-webapp/src/main/java/org/eclipse/jetty/ee10/webapp/WebAppClassLoader.java
View File

@ -59,8 +59,8 @@ import org.slf4j.LoggerFactory;
* parent loader. Java2 compliant loading, where the parent loader
* always has priority, can be selected with the
* {@link WebAppContext#setParentLoaderPriority(boolean)}
* method and influenced with {@link WebAppContext#isServerClass(Class)} and
* {@link WebAppContext#isSystemClass(Class)}.
* method and influenced with {@link WebAppContext#isHiddenClass(Class)} and
* {@link WebAppContext#isProtectedClass(Class)}.
* <p>
* If no parent class loader is provided, then the current thread
* context classloader will be used. If that is null then the
@ -114,9 +114,9 @@ public class WebAppClassLoader extends URLClassLoader implements ClassVisibility
List<Resource> getExtraClasspath();
boolean isServerResource(String name, URL parentUrl);
boolean isHiddenResource(String name, URL parentUrl);
boolean isSystemResource(String name, URL webappUrl);
boolean isProtectedResource(String name, URL webappUrl);
}
/**
@ -324,7 +324,7 @@ public class WebAppClassLoader extends URLClassLoader implements ClassVisibility
while (urls != null && urls.hasMoreElements())
{
URL url = urls.nextElement();
if (Boolean.TRUE.equals(__loadServerClasses.get()) || !_context.isServerResource(name, url))
if (Boolean.TRUE.equals(__loadServerClasses.get()) || !_context.isHiddenResource(name, url))
fromParent.add(url);
}
@ -332,7 +332,7 @@ public class WebAppClassLoader extends URLClassLoader implements ClassVisibility
while (urls != null && urls.hasMoreElements())
{
URL url = urls.nextElement();
if (!_context.isSystemResource(name, url) || fromParent.isEmpty())
if (!_context.isProtectedResource(name, url) || fromParent.isEmpty())
fromWebapp.add(url);
}
@ -373,7 +373,7 @@ public class WebAppClassLoader extends URLClassLoader implements ClassVisibility
// return if we have a url the webapp is allowed to see
if (parentUrl != null &&
(Boolean.TRUE.equals(__loadServerClasses.get()) ||
!_context.isServerResource(name, parentUrl)))
!_context.isHiddenResource(name, parentUrl)))
resource = parentUrl;
else
{
@ -392,7 +392,7 @@ public class WebAppClassLoader extends URLClassLoader implements ClassVisibility
{
URL webappUrl = this.findResource(name);
if (webappUrl != null && !_context.isSystemResource(name, webappUrl))
if (webappUrl != null && !_context.isProtectedResource(name, webappUrl))
resource = webappUrl;
else
{
@ -401,7 +401,7 @@ public class WebAppClassLoader extends URLClassLoader implements ClassVisibility
URL parentUrl = _parent.getResource(name);
if (parentUrl != null &&
(Boolean.TRUE.equals(__loadServerClasses.get()) ||
!_context.isServerResource(name, parentUrl)))
!_context.isHiddenResource(name, parentUrl)))
resource = parentUrl;
// We couldn't find a parent resource, so OK to return a webapp one if it exists
// and we just couldn't see it before
@ -447,7 +447,7 @@ public class WebAppClassLoader extends URLClassLoader implements ClassVisibility
throw new ClassNotFoundException("Bad ClassLoader: returned null for loadClass(" + name + ")");
// If the webapp is allowed to see this class
if (Boolean.TRUE.equals(__loadServerClasses.get()) || !_context.isServerClass(parentClass))
if (Boolean.TRUE.equals(__loadServerClasses.get()) || !_context.isHiddenClass(parentClass))
{
return parentClass;
}
@ -495,7 +495,7 @@ public class WebAppClassLoader extends URLClassLoader implements ClassVisibility
{
parentClass = _parent.loadClass(name);
// If the webapp is allowed to see this class
if (Boolean.TRUE.equals(__loadServerClasses.get()) || !_context.isServerClass(parentClass))
if (Boolean.TRUE.equals(__loadServerClasses.get()) || !_context.isHiddenClass(parentClass))
{
return parentClass;
}
@ -546,7 +546,7 @@ public class WebAppClassLoader extends URLClassLoader implements ClassVisibility
String path = TypeUtil.toClassReference(name);
URL webappUrl = findResource(path);
if (webappUrl != null && (!checkSystemResource || !_context.isSystemResource(name, webappUrl)))
if (webappUrl != null && (!checkSystemResource || !_context.isProtectedResource(name, webappUrl)))
{
webappClass = this.foundClass(name, webappUrl);
@ -627,14 +627,14 @@ public class WebAppClassLoader extends URLClassLoader implements ClassVisibility
}
@Override
public boolean isSystemClass(Class<?> clazz)
public boolean isProtectedClass(Class<?> clazz)
{
return _context.isSystemClass(clazz);
return _context.isProtectedClass(clazz);
}
@Override
public boolean isServerClass(Class<?> clazz)
public boolean isHiddenClass(Class<?> clazz)
{
return _context.isServerClass(clazz);
return _context.isHiddenClass(clazz);
}
}

234
jetty-ee10/jetty-ee10-webapp/src/main/java/org/eclipse/jetty/ee10/webapp/WebAppContext.java
View File

@ -38,7 +38,7 @@ import jakarta.servlet.http.HttpSessionAttributeListener;
import jakarta.servlet.http.HttpSessionBindingListener;
import jakarta.servlet.http.HttpSessionIdListener;
import jakarta.servlet.http.HttpSessionListener;
import org.eclipse.jetty.ee.WebappProtectedClasses;
import org.eclipse.jetty.ee.WebappClassLoading;
import org.eclipse.jetty.ee10.servlet.ErrorHandler;
import org.eclipse.jetty.ee10.servlet.ErrorPageErrorHandler;
import org.eclipse.jetty.ee10.servlet.ServletContextHandler;
@ -84,25 +84,25 @@ public class WebAppContext extends ServletContextHandler implements WebAppClassL
static final Logger LOG = LoggerFactory.getLogger(WebAppContext.class);
public static final String WEB_DEFAULTS_XML = "org/eclipse/jetty/ee10/webapp/webdefault-ee10.xml";
public static final String SERVER_SYS_CLASSES = WebappProtectedClasses.SYSTEM_CLASSES_ATTRIBUTE;
public static final String SERVER_SRV_CLASSES = WebappProtectedClasses.SERVER_CLASSES_ATTRIBUTE;
public static final String SERVER_SYS_CLASSES = WebappClassLoading.PROTECTED_CLASSES_ATTRIBUTE;
public static final String SERVER_SRV_CLASSES = WebappClassLoading.HIDDEN_CLASSES_ATTRIBUTE;
private static final String[] __dftProtectedTargets = {"/WEB-INF", "/META-INF"};
/**
* @deprecated use {@link WebappProtectedClasses#DEFAULT_SYSTEM_CLASSES}
* @deprecated use {@link WebappClassLoading#DEFAULT_PROTECTED_CLASSES}
*/
@Deprecated
public static final ClassMatcher __dftSystemClasses = WebappProtectedClasses.DEFAULT_SYSTEM_CLASSES;
public static final ClassMatcher __dftSystemClasses = WebappClassLoading.DEFAULT_PROTECTED_CLASSES;
/**
* @deprecated use {@link WebappProtectedClasses#DEFAULT_SERVER_CLASSES}
* @deprecated use {@link WebappClassLoading#DEFAULT_HIDDEN_CLASSES}
*/
@Deprecated
public static final ClassMatcher __dftServerClasses = WebappProtectedClasses.DEFAULT_SERVER_CLASSES;
public static final ClassMatcher __dftServerClasses = WebappClassLoading.DEFAULT_HIDDEN_CLASSES;
private final ClassMatcher _systemClasses = new ClassMatcher(WebappProtectedClasses.getSystemClasses(ServletContextHandler.ENVIRONMENT));
private final ClassMatcher _serverClasses = new ClassMatcher(WebappProtectedClasses.getServerClasses(ServletContextHandler.ENVIRONMENT));
private final ClassMatcher _protectedClasses = new ClassMatcher(WebappClassLoading.getProtectedClasses(ServletContextHandler.ENVIRONMENT));
private final ClassMatcher _hiddenClasses = new ClassMatcher(WebappClassLoading.getHiddenClasses(ServletContextHandler.ENVIRONMENT));
private Configurations _configurations;
private String _defaultsDescriptor = WEB_DEFAULTS_XML;
@ -417,7 +417,7 @@ public class WebAppContext extends ServletContextHandler implements WebAppClassL
// Add the known server class inclusions for all known configurations
for (Configuration configuration : Configurations.getKnown())
{
_serverClasses.include(configuration.getServerClasses().getInclusions());
_hiddenClasses.include(configuration.getServerClasses().getInclusions());
}
// Setup Configuration classes for this webapp!
@ -425,8 +425,8 @@ public class WebAppContext extends ServletContextHandler implements WebAppClassL
_configurations.sort();
for (Configuration configuration : _configurations)
{
_systemClasses.add(configuration.getSystemClasses().getPatterns());
_serverClasses.exclude(configuration.getServerClasses().getExclusions());
_protectedClasses.add(configuration.getSystemClasses().getPatterns());
_hiddenClasses.exclude(configuration.getServerClasses().getExclusions());
}
// Configure classloader
@ -612,107 +612,217 @@ public class WebAppContext extends ServletContextHandler implements WebAppClassL
}
/**
* Set the server classes patterns.
* Set the hidden (aka server) classes patterns.
* <p>
* Server classes/packages are classes used to implement the server and are hidden
* These classes/packages are used to implement the server and are hiddenClasses
* from the context. If the context needs to load these classes, it must have its
* own copy of them in WEB-INF/lib or WEB-INF/classes.
*
* @param serverClasses the server classes pattern
* @param hiddenClasses the server classes pattern
*/
public void setServerClassMatcher(ClassMatcher serverClasses)
public void setHiddenClassMatcher(ClassMatcher hiddenClasses)
{
_serverClasses.clear();
_serverClasses.add(serverClasses.getPatterns());
_hiddenClasses.clear();
_hiddenClasses.add(hiddenClasses.getPatterns());
}
/**
* Set the system classes patterns.
* Set the protected (aka system) classes patterns.
* <p>
* System classes/packages are classes provided by the JVM and that
* These classes/packages are provided by the JVM and
* cannot be replaced by classes of the same name from WEB-INF,
* regardless of the value of {@link #setParentLoaderPriority(boolean)}.
*
* @param systemClasses the system classes pattern
* @param protectedClasses the system classes pattern
*/
public void setSystemClassMatcher(ClassMatcher systemClasses)
public void setProtectedClassMatcher(ClassMatcher protectedClasses)
{
_systemClasses.clear();
_systemClasses.add(systemClasses.getPatterns());
_protectedClasses.clear();
_protectedClasses.add(protectedClasses.getPatterns());
}
/**
* Add a ClassMatcher for server classes by combining with
* Add a ClassMatcher for hidden (server) classes by combining with
* any existing matcher.
*
* @param serverClasses The class matcher of patterns to add to the server ClassMatcher
* @param hiddenClasses The class matcher of patterns to add to the server ClassMatcher
*/
public void addServerClassMatcher(ClassMatcher serverClasses)
public void addHiddenClassMatcher(ClassMatcher hiddenClasses)
{
_serverClasses.add(serverClasses.getPatterns());
_hiddenClasses.add(hiddenClasses.getPatterns());
}
/**
* Add a ClassMatcher for system classes by combining with
* Add a ClassMatcher for protected (system) classes by combining with
* any existing matcher.
*
* @param systemClasses The class matcher of patterns to add to the system ClassMatcher
* @param protectedClasses The class matcher of patterns to add to the system ClassMatcher
*/
public void addSystemClassMatcher(ClassMatcher systemClasses)
public void addProtectedClassMatcher(ClassMatcher protectedClasses)
{
_systemClasses.add(systemClasses.getPatterns());
_protectedClasses.add(protectedClasses.getPatterns());
}
/**
* @return The ClassMatcher used to match System (protected) classes
*/
public ClassMatcher getSystemClassMatcher()
public ClassMatcher getProtectedClassMatcher()
{
return _systemClasses;
return _protectedClasses;
}
/**
* @return The ClassMatcher used to match Server (hidden) classes
* @return The ClassMatcher used to match Server (hiddenClasses) classes
*/
public ClassMatcher getServerClassMatcher()
public ClassMatcher getHiddenClassMatcher()
{
return _serverClasses;
return _hiddenClasses;
}
@ManagedAttribute(value = "classes and packages protected by context classloader", readonly = true)
public String[] getProtectedClasses()
{
return _protectedClasses.getPatterns();
}
@ManagedAttribute(value = "classes and packages hiddenClasses by the context classloader", readonly = true)
public String[] getHiddenClasses()
{
return _hiddenClasses.getPatterns();
}
@Override
public boolean isHiddenClass(Class<?> clazz)
{
return _hiddenClasses.match(clazz);
}
@Override
public boolean isProtectedClass(Class<?> clazz)
{
return _protectedClasses.match(clazz);
}
@Override
public boolean isHiddenResource(String name, URL url)
{
return _hiddenClasses.match(name, url);
}
@Override
public boolean isProtectedResource(String name, URL url)
{
return _protectedClasses.match(name, url);
}
/**
* @deprecated use {@link #setHiddenClassMatcher(ClassMatcher)}
*/
@Deprecated(since = "12.0.8", forRemoval = true)
public void setServerClassMatcher(ClassMatcher serverClasses)
{
_hiddenClasses.clear();
_hiddenClasses.add(serverClasses.getPatterns());
}
/**
* @deprecated use {@link #setProtectedClassMatcher(ClassMatcher)}
*/
@Deprecated(since = "12.0.8", forRemoval = true)
public void setSystemClassMatcher(ClassMatcher systemClasses)
{
_protectedClasses.clear();
_protectedClasses.add(systemClasses.getPatterns());
}
/**
* @deprecated use {@link #addHiddenClassMatcher(ClassMatcher)}
*/
@Deprecated(since = "12.0.8", forRemoval = true)
public void addServerClassMatcher(ClassMatcher serverClasses)
{
_hiddenClasses.add(serverClasses.getPatterns());
}
/**
* @deprecated use {@link #addProtectedClassMatcher(ClassMatcher)}
*/
@Deprecated(since = "12.0.8", forRemoval = true)
public void addSystemClassMatcher(ClassMatcher systemClasses)
{
_protectedClasses.add(systemClasses.getPatterns());
}
/**
* @deprecated use {@link #getProtectedClassMatcher()}
*/
@Deprecated(since = "12.0.8", forRemoval = true)
public ClassMatcher getSystemClassMatcher()
{
return _protectedClasses;
}
/**
* @deprecated use {@link #getHiddenClassMatcher()}
*/
@Deprecated(since = "12.0.8", forRemoval = true)
public ClassMatcher getServerClassMatcher()
{
return _hiddenClasses;
}
/**
* @deprecated use {@link #getProtectedClasses()}
*/
@Deprecated(since = "12.0.8", forRemoval = true)
public String[] getSystemClasses()
{
return _systemClasses.getPatterns();
return _protectedClasses.getPatterns();
}
@ManagedAttribute(value = "classes and packages hidden by the context classloader", readonly = true)
/**
* @deprecated use {@link #getHiddenClasses()}
*/
@Deprecated(since = "12.0.8", forRemoval = true)
public String[] getServerClasses()
{
return _serverClasses.getPatterns();
return _hiddenClasses.getPatterns();
}
@Override
/**
* @deprecated use {@link #isHiddenClass(Class)}
*/
@Deprecated(since = "12.0.8", forRemoval = true)
public boolean isServerClass(Class<?> clazz)
{
return _serverClasses.match(clazz);
return _hiddenClasses.match(clazz);
}
@Override
/**
* @deprecated use {@link #isProtectedClass(Class)}
*/
@Deprecated(since = "12.0.8", forRemoval = true)
public boolean isSystemClass(Class<?> clazz)
{
return _systemClasses.match(clazz);
return _protectedClasses.match(clazz);
}
@Override
/**
* @deprecated use {@link #isHiddenResource(String, URL)}
*/
@Deprecated(since = "12.0.8", forRemoval = true)
public boolean isServerResource(String name, URL url)
{
return _serverClasses.match(name, url);
return _hiddenClasses.match(name, url);
}
@Override
/**
* @deprecated use {@link #isProtectedResource(String, URL)}
*/
@Deprecated(since = "12.0.8", forRemoval = true)
public boolean isSystemResource(String name, URL url)
{
return _systemClasses.match(name, url);
return _protectedClasses.match(name, url);
}
@Override
@ -721,8 +831,8 @@ public class WebAppContext extends ServletContextHandler implements WebAppClassL
super.setServer(server);
if (server != null)
{
_systemClasses.add(WebappProtectedClasses.getSystemClasses(server).getPatterns());
_serverClasses.add(WebappProtectedClasses.getServerClasses(server).getPatterns());
_protectedClasses.add(WebappClassLoading.getProtectedClasses(server).getPatterns());
_hiddenClasses.add(WebappClassLoading.getHiddenClasses(server).getPatterns());
}
}
@ -845,16 +955,16 @@ public class WebAppContext extends ServletContextHandler implements WebAppClassL
public void dump(Appendable out, String indent) throws IOException
{
List<String> systemClasses = null;
if (_systemClasses != null)
if (_protectedClasses != null)
{
systemClasses = new ArrayList<>(_systemClasses);
systemClasses = new ArrayList<>(_protectedClasses);
Collections.sort(systemClasses);
}
List<String> serverClasses = null;
if (_serverClasses != null)
if (_hiddenClasses != null)
{
serverClasses = new ArrayList<>(_serverClasses);
serverClasses = new ArrayList<>(_hiddenClasses);
Collections.sort(serverClasses);
}
@ -1385,27 +1495,27 @@ public class WebAppContext extends ServletContextHandler implements WebAppClassL
* Add a Server Class pattern to use for all ee9 WebAppContexts.
* @param server The {@link Server} instance to add classes to
* @param patterns the patterns to use
* @see #getServerClassMatcher()
* @see #getServerClasses()
* @deprecated use {@link WebappProtectedClasses#addSystemClasses(Server, String...)}
* @see #getHiddenClassMatcher()
* @see #getHiddenClasses()
* @deprecated use {@link WebappClassLoading#addProtectedClasses(Server, String...)}
*/
@Deprecated(since = "12.0.8", forRemoval = true)
public static void addServerClasses(Server server, String... patterns)
{
WebappProtectedClasses.addServerClasses(server, patterns);
WebappClassLoading.addHiddenClasses(server, patterns);
}
/**
* Add a System Class pattern to use for all ee9 WebAppContexts.
* @param server The {@link Server} instance to add classes to
* @param patterns the patterns to use
* @see #getSystemClassMatcher()
* @see #getSystemClasses()
* @deprecated use {@link WebappProtectedClasses#addServerClasses(Server, String...)}
* @see #getProtectedClassMatcher()
* @see #getProtectedClasses()
* @deprecated use {@link WebappClassLoading#addHiddenClasses(Server, String...)}
*/
@Deprecated(since = "12.0.8", forRemoval = true)
public static void addSystemClasses(Server server, String... patterns)
{
WebappProtectedClasses.addSystemClasses(server, patterns);
WebappClassLoading.addProtectedClasses(server, patterns);
}
}

44
jetty-ee10/jetty-ee10-webapp/src/test/java/org/eclipse/jetty/ee10/webapp/WebAppClassLoaderTest.java
View File

@ -210,11 +210,11 @@ public class WebAppClassLoaderTest
@Test
public void testExposedClassDeprecated() throws Exception
{
String[] oldSC = _context.getServerClasses();
String[] oldSC = _context.getHiddenClasses();
String[] newSC = new String[oldSC.length + 1];
newSC[0] = "-org.eclipse.jetty.ee10.webapp.Configuration";
System.arraycopy(oldSC, 0, newSC, 1, oldSC.length);
_context.setServerClassMatcher(new ClassMatcher(newSC));
_context.setHiddenClassMatcher(new ClassMatcher(newSC));
assertCanLoadClass("org.acme.webapp.ClassInJarA");
assertCanLoadClass("org.acme.webapp.ClassInJarB");
@ -227,7 +227,7 @@ public class WebAppClassLoaderTest
@Test
public void testExposedClass() throws Exception
{
_context.getServerClassMatcher().exclude("org.eclipse.jetty.ee10.webapp.Configuration");
_context.getHiddenClassMatcher().exclude("org.eclipse.jetty.ee10.webapp.Configuration");
assertCanLoadClass("org.acme.webapp.ClassInJarA");
assertCanLoadClass("org.acme.webapp.ClassInJarB");
@ -240,18 +240,18 @@ public class WebAppClassLoaderTest
@Test
public void testSystemServerClassDeprecated() throws Exception
{
String[] oldServC = _context.getServerClasses();
String[] oldServC = _context.getHiddenClasses();
String[] newServC = new String[oldServC.length + 1];
newServC[0] = "org.eclipse.jetty.ee10.webapp.Configuration";
System.arraycopy(oldServC, 0, newServC, 1, oldServC.length);
_context.setServerClassMatcher(new ClassMatcher(newServC));
_context.setHiddenClassMatcher(new ClassMatcher(newServC));
String[] oldSysC = _context.getSystemClasses();
String[] oldSysC = _context.getProtectedClasses();
String[] newSysC = new String[oldSysC.length + 1];
newSysC[0] = "org.eclipse.jetty.ee10.webapp.";
System.arraycopy(oldSysC, 0, newSysC, 1, oldSysC.length);
_context.setSystemClassMatcher(new ClassMatcher(newSysC));
_context.setProtectedClassMatcher(new ClassMatcher(newSysC));
assertCanLoadClass("org.acme.webapp.ClassInJarA");
assertCanLoadClass("org.acme.webapp.ClassInJarB");
@ -259,28 +259,28 @@ public class WebAppClassLoaderTest
assertCantLoadClass("org.eclipse.jetty.ee10.webapp.Configuration");
assertCantLoadClass("org.eclipse.jetty.ee10.webapp.JarScanner");
oldSysC = _context.getSystemClasses();
oldSysC = _context.getProtectedClasses();
newSysC = new String[oldSysC.length + 1];
newSysC[0] = "org.acme.webapp.ClassInJarA";
System.arraycopy(oldSysC, 0, newSysC, 1, oldSysC.length);
_context.setSystemClassMatcher(new ClassMatcher(newSysC));
_context.setProtectedClassMatcher(new ClassMatcher(newSysC));
assertCanLoadResource("org/acme/webapp/ClassInJarA.class");
_context.setSystemClassMatcher(new ClassMatcher(oldSysC));
_context.setProtectedClassMatcher(new ClassMatcher(oldSysC));
oldServC = _context.getServerClasses();
oldServC = _context.getHiddenClasses();
newServC = new String[oldServC.length + 1];
newServC[0] = "org.acme.webapp.ClassInJarA";
System.arraycopy(oldServC, 0, newServC, 1, oldServC.length);
_context.setServerClassMatcher(new ClassMatcher(newServC));
_context.setHiddenClassMatcher(new ClassMatcher(newServC));
assertCanLoadResource("org/acme/webapp/ClassInJarA.class");
}
@Test
public void testSystemServerClass() throws Exception
{
_context.getServerClassMatcher().add("org.eclipse.jetty.ee10.webapp.Configuration");
_context.getSystemClassMatcher().add("org.eclipse.jetty.ee10.webapp.");
_context.getHiddenClassMatcher().add("org.eclipse.jetty.ee10.webapp.Configuration");
_context.getProtectedClassMatcher().add("org.eclipse.jetty.ee10.webapp.");
assertCanLoadClass("org.acme.webapp.ClassInJarA");
assertCanLoadClass("org.acme.webapp.ClassInJarB");
@ -288,11 +288,11 @@ public class WebAppClassLoaderTest
assertCantLoadClass("org.eclipse.jetty.ee10.webapp.Configuration");
assertCantLoadClass("org.eclipse.jetty.ee10.webapp.JarScanner");
_context.getSystemClassMatcher().add("org.acme.webapp.ClassInJarA");
_context.getProtectedClassMatcher().add("org.acme.webapp.ClassInJarA");
assertCanLoadResource("org/acme/webapp/ClassInJarA.class");
_context.getSystemClassMatcher().remove("org.acme.webapp.ClassInJarA");
_context.getProtectedClassMatcher().remove("org.acme.webapp.ClassInJarA");
_context.getServerClassMatcher().add("org.acme.webapp.ClassInJarA");
_context.getHiddenClassMatcher().add("org.acme.webapp.ClassInJarA");
assertCanLoadResource("org/acme/webapp/ClassInJarA.class");
}
@ -339,11 +339,11 @@ public class WebAppClassLoaderTest
// assertEquals(0,resources.get(1).toString().indexOf("jar:file:"));
// assertEquals(-1,resources.get(2).toString().indexOf("test-classes"));
String[] oldServC = _context.getServerClasses();
String[] oldServC = _context.getHiddenClasses();
String[] newServC = new String[oldServC.length + 1];
newServC[0] = "org.acme.";
System.arraycopy(oldServC, 0, newServC, 1, oldServC.length);
_context.setServerClassMatcher(new ClassMatcher(newServC));
_context.setHiddenClassMatcher(new ClassMatcher(newServC));
_context.setParentLoaderPriority(true);
// dump(_context);
@ -360,12 +360,12 @@ public class WebAppClassLoaderTest
// assertEquals(0,resources.get(0).toString().indexOf("jar:file:"));
// assertEquals(0,resources.get(1).toString().indexOf("file:"));
_context.setServerClassMatcher(new ClassMatcher(oldServC));
String[] oldSysC = _context.getSystemClasses();
_context.setHiddenClassMatcher(new ClassMatcher(oldServC));
String[] oldSysC = _context.getProtectedClasses();
String[] newSysC = new String[oldSysC.length + 1];
newSysC[0] = "org.acme.";
System.arraycopy(oldSysC, 0, newSysC, 1, oldSysC.length);
_context.setSystemClassMatcher(new ClassMatcher(newSysC));
_context.setProtectedClassMatcher(new ClassMatcher(newSysC));
_context.setParentLoaderPriority(true);
// dump(_context);

10
jetty-ee10/jetty-ee10-webapp/src/test/java/org/eclipse/jetty/ee10/webapp/WebAppContextTest.java
View File

@ -30,7 +30,7 @@ import jakarta.servlet.GenericServlet;
import jakarta.servlet.ServletContext;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import org.eclipse.jetty.ee.WebappProtectedClasses;
import org.eclipse.jetty.ee.WebappClassLoading;
import org.eclipse.jetty.ee10.servlet.ErrorPageErrorHandler;
import org.eclipse.jetty.ee10.servlet.ServletContextHandler;
import org.eclipse.jetty.http.HttpStatus;
@ -823,10 +823,10 @@ public class WebAppContextTest
server.setHandler(context);
server.start();
List<String> serverClasses = List.of(context.getServerClasses());
List<String> serverClasses = List.of(context.getHiddenClasses());
assertThat("Should have environment specific test pattern", serverClasses, hasItem(testPattern));
assertThat("Should have pattern from JaasConfiguration", serverClasses, hasItem("-org.eclipse.jetty.security.jaas."));
for (String defaultServerClass: WebappProtectedClasses.DEFAULT_SERVER_CLASSES)
for (String defaultServerClass: WebappClassLoading.DEFAULT_HIDDEN_CLASSES)
assertThat("Should have default patterns", serverClasses, hasItem(defaultServerClass));
}
@ -847,10 +847,10 @@ public class WebAppContextTest
server.setHandler(context);
server.start();
List<String> systemClasses = List.of(context.getSystemClasses());
List<String> systemClasses = List.of(context.getProtectedClasses());
assertThat("Should have environment specific test pattern", systemClasses, hasItem(testPattern));
assertThat("Should have pattern from JaasConfiguration", systemClasses, hasItem("org.eclipse.jetty.security.jaas."));
for (String defaultSystemClass: WebappProtectedClasses.DEFAULT_SYSTEM_CLASSES)
for (String defaultSystemClass: WebappClassLoading.DEFAULT_PROTECTED_CLASSES)
assertThat("Should have default patterns", systemClasses, hasItem(defaultSystemClass));
}
}

4
jetty-ee8/jetty-ee8-webapp/src/main/config/etc/jetty-ee8-webapp.xml
View File

@ -6,7 +6,7 @@
<Arg><Ref refid="Server"/></Arg>
<Arg>
<Call class="org.eclipse.jetty.util.StringUtil" name="csvSplit">
<Arg><Property name="jetty.webapp.addSystemClasses"/></Arg>
<Arg><Property name="jetty.webapp.addProtectedClasses" deprecated="jetty.webapp.addSystemClasses"/></Arg>
</Call>
</Arg>
</Call>
@ -15,7 +15,7 @@
<Arg><Ref refid="Server"/></Arg>
<Arg>
<Call class="org.eclipse.jetty.util.StringUtil" name="csvSplit">
<Arg><Property name="jetty.webapp.addServerClasses"/></Arg>
<Arg><Property name="jetty.webapp.addHiddenClasses" deprecated="jetty.webapp.addServerClasses"/></Arg>
</Call>
</Arg>
</Call>

8
jetty-ee8/jetty-ee8-webapp/src/main/config/modules/ee8-webapp.mod
View File

@ -20,8 +20,8 @@ lib/jetty-ee8-webapp-${jetty.version}.jar
[ini-template]
## Add to the environment wide default jars and packages protected or hidden from webapps.
## System classes are protected and cannot be overridden by a webapp.
## Server classes are hidden and cannot be seen by a webapp
## Protected (aka System) classes cannot be overridden by a webapp.
## Hidden (aka Server) classes cannot be seen by a webapp
## Lists of patterns are comma separated and may be either:
## + a qualified classname e.g. 'com.acme.Foo'
## + a package name e.g. 'net.example.'
@ -31,8 +31,8 @@ lib/jetty-ee8-webapp-${jetty.version}.jar
##
## The +=, operator appends to a CSV list with a comma as needed.
##
#jetty.webapp.addSystemClasses+=,org.example.
#jetty.webapp.addServerClasses+=,org.example.
#jetty.webapp.addProtectedClasses+=,org.example.
#jetty.webapp.addHiddenClasses+=,org.example.
[ini]
contextHandlerClass=org.eclipse.jetty.ee8.webapp.WebAppContext

8
jetty-ee9/jetty-ee9-webapp/src/main/config/etc/jetty-ee9-webapp.xml
View File

@ -2,20 +2,20 @@
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd">
<Configure id="Server" class="org.eclipse.jetty.server.Server">
<Call class="org.eclipse.jetty.ee.WebappProtectedClasses" name="addSystemClasses">
<Call class="org.eclipse.jetty.ee.WebappClassLoading" name="addProtectedClasses">
<Arg><Ref refid="Environment"/></Arg>
<Arg>
<Call class="org.eclipse.jetty.util.StringUtil" name="csvSplit">
<Arg><Property name="jetty.webapp.addSystemClasses"/></Arg>
<Arg><Property name="jetty.webapp.addProtectedClasses" deprecated="jetty.webapp.addSystemClasses"/></Arg>
</Call>
</Arg>
</Call>
<Call class="org.eclipse.jetty.ee.WebappProtectedClasses" name="addServerClasses">
<Call class="org.eclipse.jetty.ee.WebappClassLoading" name="addHiddenClasses">
<Arg><Ref refid="Environment"/></Arg>
<Arg>
<Call class="org.eclipse.jetty.util.StringUtil" name="csvSplit">
<Arg><Property name="jetty.webapp.addServerClasses"/></Arg>
<Arg><Property name="jetty.webapp.addHiddenClasses" deprecated="jetty.webapp.addServerClasses"/></Arg>
</Call>
</Arg>
</Call>

8
jetty-ee9/jetty-ee9-webapp/src/main/config/modules/ee9-webapp.mod
View File

@ -20,8 +20,8 @@ lib/jetty-ee9-webapp-${jetty.version}.jar
[ini-template]
## Add to the environment wide default jars and packages protected or hidden from webapps.
## System classes are protected and cannot be overridden by a webapp.
## Server classes are hidden and cannot be seen by a webapp
## Protected (aka System) classes cannot be overridden by a webapp.
## Hidden (aka Server) classes cannot be seen by a webapp
## Lists of patterns are comma separated and may be either:
## + a qualified classname e.g. 'com.acme.Foo'
## + a package name e.g. 'net.example.'
@ -31,8 +31,8 @@ lib/jetty-ee9-webapp-${jetty.version}.jar
##
## The +=, operator appends to a CSV list with a comma as needed.
##
#jetty.webapp.addSystemClasses+=,org.example.
#jetty.webapp.addServerClasses+=,org.example.
#jetty.webapp.addProtectedClasses+=,org.example.
#jetty.webapp.addHiddenClasses+=,org.example.
[ini]
contextHandlerClass?=org.eclipse.jetty.ee9.webapp.WebAppContext

16
jetty-ee9/jetty-ee9-webapp/src/main/java/org/eclipse/jetty/ee9/webapp/WebAppClassLoader.java
View File

@ -59,8 +59,8 @@ import org.slf4j.LoggerFactory;
* parent loader. Java2 compliant loading, where the parent loader
* always has priority, can be selected with the
* {@link WebAppContext#setParentLoaderPriority(boolean)}
* method and influenced with {@link WebAppContext#isServerClass(Class)} and
* {@link WebAppContext#isSystemClass(Class)}.
* method and influenced with {@link WebAppContext#isHiddenClass(Class)} and
* {@link WebAppContext#isProtectedClass(Class)}.
* <p>
* If no parent class loader is provided, then the current thread
* context classloader will be used. If that is null then the
@ -449,7 +449,7 @@ public class WebAppClassLoader extends URLClassLoader implements ClassVisibility
throw new ClassNotFoundException("Bad ClassLoader: returned null for loadClass(" + name + ")");
// If the webapp is allowed to see this class
if (Boolean.TRUE.equals(__loadServerClasses.get()) || !_context.isServerClass(parentClass))
if (Boolean.TRUE.equals(__loadServerClasses.get()) || !_context.isHiddenClass(parentClass))
{
return parentClass;
}
@ -497,7 +497,7 @@ public class WebAppClassLoader extends URLClassLoader implements ClassVisibility
{
parentClass = _parent.loadClass(name);
// If the webapp is allowed to see this class
if (Boolean.TRUE.equals(__loadServerClasses.get()) || !_context.isServerClass(parentClass))
if (Boolean.TRUE.equals(__loadServerClasses.get()) || !_context.isHiddenClass(parentClass))
{
return parentClass;
}
@ -629,14 +629,14 @@ public class WebAppClassLoader extends URLClassLoader implements ClassVisibility
}
@Override
public boolean isSystemClass(Class<?> clazz)
public boolean isProtectedClass(Class<?> clazz)
{
return _context.isSystemClass(clazz);
return _context.isProtectedClass(clazz);
}
@Override
public boolean isServerClass(Class<?> clazz)
public boolean isHiddenClass(Class<?> clazz)
{
return _context.isServerClass(clazz);
return _context.isHiddenClass(clazz);
}
}

34
jetty-ee9/jetty-ee9-webapp/src/main/java/org/eclipse/jetty/ee9/webapp/WebAppContext.java
View File

@ -40,7 +40,7 @@ import jakarta.servlet.http.HttpSessionAttributeListener;
import jakarta.servlet.http.HttpSessionBindingListener;
import jakarta.servlet.http.HttpSessionIdListener;
import jakarta.servlet.http.HttpSessionListener;
import org.eclipse.jetty.ee.WebappProtectedClasses;
import org.eclipse.jetty.ee.WebappClassLoading;
import org.eclipse.jetty.ee9.nested.ContextHandler;
import org.eclipse.jetty.ee9.nested.ErrorHandler;
import org.eclipse.jetty.ee9.nested.HandlerWrapper;
@ -91,25 +91,25 @@ public class WebAppContext extends ServletContextHandler implements WebAppClassL
public static final String WEB_DEFAULTS_XML = "org/eclipse/jetty/ee9/webapp/webdefault-ee9.xml";
public static final String ERROR_PAGE = "org.eclipse.jetty.server.error_page";
public static final String SERVER_SYS_CLASSES = WebappProtectedClasses.SYSTEM_CLASSES_ATTRIBUTE;
public static final String SERVER_SRV_CLASSES = WebappProtectedClasses.SERVER_CLASSES_ATTRIBUTE;
public static final String SERVER_SYS_CLASSES = WebappClassLoading.PROTECTED_CLASSES_ATTRIBUTE;
public static final String SERVER_SRV_CLASSES = WebappClassLoading.HIDDEN_CLASSES_ATTRIBUTE;
private static final String[] __dftProtectedTargets = {"/WEB-INF", "/META-INF"};
/**
* @deprecated use {@link WebappProtectedClasses#DEFAULT_SYSTEM_CLASSES}
* @deprecated use {@link WebappClassLoading#DEFAULT_PROTECTED_CLASSES}
*/
@Deprecated
public static final ClassMatcher __dftSystemClasses = WebappProtectedClasses.DEFAULT_SYSTEM_CLASSES;
public static final ClassMatcher __dftSystemClasses = WebappClassLoading.DEFAULT_PROTECTED_CLASSES;
/**
* @deprecated use {@link WebappProtectedClasses#DEFAULT_SERVER_CLASSES}
* @deprecated use {@link WebappClassLoading#DEFAULT_HIDDEN_CLASSES}
*/
@Deprecated
public static final ClassMatcher __dftServerClasses = WebappProtectedClasses.DEFAULT_SERVER_CLASSES;
public static final ClassMatcher __dftServerClasses = WebappClassLoading.DEFAULT_HIDDEN_CLASSES;
private final ClassMatcher _systemClasses = new ClassMatcher(WebappProtectedClasses.getSystemClasses(ServletContextHandler.ENVIRONMENT));
private final ClassMatcher _serverClasses = new ClassMatcher(WebappProtectedClasses.getServerClasses(ServletContextHandler.ENVIRONMENT));
private final ClassMatcher _systemClasses = new ClassMatcher(WebappClassLoading.getProtectedClasses(ServletContextHandler.ENVIRONMENT));
private final ClassMatcher _serverClasses = new ClassMatcher(WebappClassLoading.getHiddenClasses(ServletContextHandler.ENVIRONMENT));
private Configurations _configurations;
private String _defaultsDescriptor = WEB_DEFAULTS_XML;
@ -743,13 +743,13 @@ public class WebAppContext extends ServletContextHandler implements WebAppClassL
}
@Override
public boolean isServerClass(Class<?> clazz)
public boolean isHiddenClass(Class<?> clazz)
{
return _serverClasses.match(clazz);
}
@Override
public boolean isSystemClass(Class<?> clazz)
public boolean isProtectedClass(Class<?> clazz)
{
return _systemClasses.match(clazz);
}
@ -772,8 +772,8 @@ public class WebAppContext extends ServletContextHandler implements WebAppClassL
super.setServer(server);
if (server != null)
{
_systemClasses.add(WebappProtectedClasses.getSystemClasses(server).getPatterns());
_serverClasses.add(WebappProtectedClasses.getServerClasses(server).getPatterns());
_systemClasses.add(WebappClassLoading.getProtectedClasses(server).getPatterns());
_serverClasses.add(WebappClassLoading.getHiddenClasses(server).getPatterns());
}
}
@ -1475,12 +1475,12 @@ public class WebAppContext extends ServletContextHandler implements WebAppClassL
* @param patterns the patterns to use
* @see #getServerClassMatcher()
* @see #getServerClasses()
* @deprecated use {@link WebappProtectedClasses#addSystemClasses(Server, String...)}
* @deprecated use {@link WebappClassLoading#addProtectedClasses(Server, String...)}
*/
@Deprecated(since = "12.0.8", forRemoval = true)
public static void addServerClasses(Server server, String... patterns)
{
WebappProtectedClasses.addServerClasses(server, patterns);
WebappClassLoading.addHiddenClasses(server, patterns);
}
/**
@ -1489,11 +1489,11 @@ public class WebAppContext extends ServletContextHandler implements WebAppClassL
* @param patterns the patterns to use
* @see #getSystemClassMatcher()
* @see #getSystemClasses()
* @deprecated use {@link WebappProtectedClasses#addServerClasses(Server, String...)}
* @deprecated use {@link WebappClassLoading#addHiddenClasses(Server, String...)}
*/
@Deprecated(since = "12.0.8", forRemoval = true)
public static void addSystemClasses(Server server, String... patterns)
{
WebappProtectedClasses.addSystemClasses(server, patterns);
WebappClassLoading.addProtectedClasses(server, patterns);
}
}

4
jetty-home/src/main/resources/modules/logging-jetty.mod
View File

@ -21,5 +21,5 @@ basehome:modules/logging/jetty
lib/logging/jetty-slf4j-impl-${jetty.version}.jar
[ini]
jetty.webapp.addServerClasses+=,org.eclipse.jetty.logging.
jetty.webapp.addServerClasses+=,${jetty.home.uri}/lib/logging/
jetty.webapp.addHiddenClasses+=,org.eclipse.jetty.logging.
jetty.webapp.addHiddenClasses+=,${jetty.home.uri}/lib/logging/

2
jetty-home/src/main/resources/modules/logging-log4j1.mod
View File

@ -31,7 +31,7 @@ lib/logging/log4j-${log4j.version}.jar
[ini]
log4j.version?=1.2.17
jetty.webapp.addServerClasses+=,org.apache.log4j.
jetty.webapp.addHiddenClasses+=,org.apache.log4j.
[license]

2
jetty-home/src/main/resources/modules/logging-log4j2.mod
View File

@ -28,7 +28,7 @@ lib/logging/log4j-core-${log4j2.version}.jar
[ini]
log4j2.version?=@log4j2.version@
jetty.webapp.addServerClasses+=,org.apache.logging.log4j.
jetty.webapp.addHiddenClasses+=,org.apache.logging.log4j.
[license]
Log4j is released under the Apache 2.0 license.

2
jetty-home/src/main/resources/modules/logging-logback.mod
View File

@ -25,7 +25,7 @@ lib/logging/logback-core-${logback.version}.jar
[ini]
logback.version?=@logback.version@
jetty.webapp.addServerClasses+=,ch.qos.logback.
jetty.webapp.addHiddenClasses+=,ch.qos.logback.
[license]
Logback: the reliable, generic, fast and flexible logging framework.

2
jetty-home/src/main/resources/modules/logging/slf4j.mod
View File

@ -16,4 +16,4 @@ lib/logging/slf4j-api-${slf4j.version}.jar
[ini]
slf4j.version?=@slf4j.version@
jetty.webapp.addServerClasses+=,org.slf4j.
jetty.webapp.addHiddenClasses+=,org.slf4j.

2
jetty-integrations/jetty-gcloud/jetty-gcloud-session-manager/src/main/config-template/modules/gcloud.mod
View File

@ -17,4 +17,4 @@ http://www.apache.org/licenses/LICENSE-2.0.html
[ini]
## Hide the gcloud libraries from deployed webapps
jetty.webapp.addServerClasses+=,${jetty.base.uri}/lib/gcloud/
jetty.webapp.addHiddenClasses+=,${jetty.base.uri}/lib/gcloud/

2
jetty-integrations/jetty-infinispan/jetty-infinispan-embedded/src/main/config-template/modules/sessions/infinispan/embedded/infinispan-embedded-serverclasses.mod
View File

@ -10,4 +10,4 @@ internal
[ini]
## Hide the infinispan libraries from deployed webapps
jetty.webapp.addServerClasses+=,${jetty.base.uri}/lib/infinispan/
jetty.webapp.addHiddenClasses+=,${jetty.base.uri}/lib/infinispan/

2
jetty-integrations/jetty-infinispan/jetty-infinispan-remote/src/main/config-template/modules/sessions/infinispan/remote/infinispan-remote-serverclasses.mod
View File

@ -9,4 +9,4 @@ infinispan
[ini]
## Hide the infinispan libraries from deployed webapps
jetty.webapp.addServerClasses+=,${jetty.base.uri}/lib/infinispan/
jetty.webapp.addHiddenClasses+=,${jetty.base.uri}/lib/infinispan/