Bug 54745 - Tomcat JarScanning does not work when Tomcat started with Java Web Start
Summary: Tomcat JarScanning does not work when Tomcat started with Java Web Start
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 8.0.x-trunk
Hardware: All All
: P2 enhancement (vote)
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2013-03-22 23:07 UTC by Nick Williams
Modified: 2013-06-20 15:14 UTC (History)
0 users

Patch to resolve issue (867 bytes, patch)
2013-03-22 23:07 UTC, Nick Williams
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Nick Williams 2013-03-22 23:07:06 UTC
Created attachment 30097 [details]
Patch to resolve issue

As long as you correctly structure your JARs and call setParentClassLoader() with the current thread class loader on the Engine, Host, Server and Service, you can run Embedded Tomcat using Java Web Start. It's actually pretty neat.

The only problem is that JarScanning doesn't work. In Java Web Start, all JAR URLs obtained from the class loader are the full http(s) URLs from where they were downloaded. Java has them cached locally, so accessing them is just as efficient because they're really coming from the local file system. However, the StandardJarScanner ignores JAR URLs that don't start with "file:" or "jndi:".

This was an easy patch and everything else appears to still work normally. I propose that the patch be applied to trunk AND 7.0.
Comment 1 Nick Williams 2013-04-02 23:10:14 UTC
I disagree with categorizing this as an enhancement. I believe this is a major bug. The facts are very simple: In an environment in which Tomcat otherwise runs without issue, JAR scanning incorrectly excludes some JARs that are validly on the classpath and that do not match the excluded JARs patterns, and it does so without any errors, warnings, infos, etc. I fail to see how this isn't a bug.

Semantics aside, the patch is extraordinarily trivial. Does anyone see any downsides to it?
Comment 2 Mark Thomas 2013-04-08 13:45:05 UTC
Using Tomcat via web start is so far away from normal usage I view this as an enhancement.

The patch may be trivial but I think some time needs to be spent thinking about the security aspects of this change with respect to loading of JARs from remote locations. It may be a non-issue but it needs to be thought about first.
Comment 3 Mark Thomas 2013-06-20 15:11:00 UTC
Having looked at this more closely, the JARs must already be on the class path so I don;t see any issues.

The patch has been applied to trunk and 7.0.x and will be included in 7.0.42 onwards.
Comment 4 Nick Williams 2013-06-20 15:14:30 UTC
Excellent! Thanks!