Bug 44282

Summary: WebappClassLoader.findClass calls getClassLoader without privileges
Product: Tomcat 5 Reporter: Eddy Chan <ecapachedev>
Component: Catalina Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: minor    
Priority: P4    
Version: 5.5.25   
Target Milestone: ---   
Hardware: Other   
OS: Linux   

Description Eddy Chan 2008-01-22 23:50:47 UTC
When logging is in TRACE mode or lower,
org.apache.catalina.loader.WebappClassLoader.findClass(String) calls
getClassLoader() without a privileged block.  With security enabled, this will
cause a SecurityException if the RuntimePermission to getClassLoader is not granted.
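
The failure mode in the description, shown as an added example that is not part of the original report and is not Tomcat's actual patch: a trace-only call to `getClassLoader()` made directly versus inside a privileged block. The class `LoaderTrace`, its method names and the `traceEnabled` flag are hypothetical; the privileged form assumes the container's own code base is granted `RuntimePermission "getClassLoader"` in the policy file.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

/** Added illustration; class and method names are hypothetical, not Tomcat's. */
public class LoaderTrace {

    /** Unprivileged form: the permission check walks the whole call stack. */
    static ClassLoader loaderOfUnprivileged(Class<?> clazz) {
        // With a SecurityManager installed this can throw SecurityException
        // when less-trusted code (for example a web application) is on the
        // stack and lacks RuntimePermission("getClassLoader").
        return clazz.getClassLoader();
    }

    /** Privileged form: the stack walk stops at this class's protection domain. */
    @SuppressWarnings({"deprecation", "removal"})
    static ClassLoader loaderOfPrivileged(final Class<?> clazz) {
        if (System.getSecurityManager() == null) {
            // No security manager: no permission check, no wrapper needed.
            return clazz.getClassLoader();
        }
        // Keep the privileged action as small as possible: it only reads
        // the loader reference and takes no caller-controlled operation.
        return AccessController.doPrivileged(
            new PrivilegedAction<ClassLoader>() {
                @Override
                public ClassLoader run() {
                    return clazz.getClassLoader();
                }
            });
    }

    public static void main(String[] args) {
        boolean traceEnabled = true; // stands in for the logger's trace check
        Class<?> clazz = LoaderTrace.class;
        if (traceEnabled) {
            // The lookup exists only to build a log message, so it must not
            // change whether class loading succeeds under a security policy.
            ClassLoader cl = loaderOfPrivileged(clazz);
            System.out.println("Loaded " + clazz.getName() + " from " + cl);
        }
    }
}
```

Because the unprivileged call is reached only when trace logging is on, this kind of defect tends to surface when diagnostics are enabled on a deployment that runs with a security policy, not during normal operation.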
Comment 1 Mark Thomas 2008-01-30 15:27:43 UTC
I have committed a patch to trunk and proposed the fix for 5.5.x and 6.0.x.
Comment 2 Mark Thomas 2008-05-20 00:45:52 UTC
This has been fixed in 6.0.x and will be included in 6.0.17 onwards.
Comment 3 Mark Thomas 2008-08-27 13:35:52 UTC
This has been fixed in 5.5.x and will be included in 5.5.27 onwards.