From 9eb4311f0d95c86b67dcb58c717c83f38efa9b90 Mon Sep 17 00:00:00 2001
From: Mark Thomas
Date: Wed, 11 Jan 2023 11:57:14 +0000
Subject: [PATCH] Fix #443 Remove references to the SecurityManager and associated APIs
---
 .../main/java/jakarta/servlet/ServletContext.java | 4 +---
 api/src/main/java/jakarta/servlet/http/Cookie.java | 12 +++---------
 spec/src/main/asciidoc/servlet-spec-body.adoc | 13 ++++++-------
 3 files changed, 10 insertions(+), 19 deletions(-)
diff --git a/api/src/main/java/jakarta/servlet/ServletContext.java b/api/src/main/java/jakarta/servlet/ServletContext.java
index dac831268..97278f043 100644
--- a/api/src/main/java/jakarta/servlet/ServletContext.java
+++ b/api/src/main/java/jakarta/servlet/ServletContext.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2022 Oracle and/or its affiliates and others.
+ * Copyright (c) 1997, 2023 Oracle and/or its affiliates and others.
 * All rights reserved.
 * Copyright 2004 The Apache Software Foundation
 *
@@ -1246,8 +1246,6 @@ public interface ServletContext {
 *
 * @return the class loader of the web application represented by this ServletContext
 *
- * @throws SecurityException if a security manager denies access to the requested class loader
- *
 * @since Servlet 3.0
 */
 public ClassLoader getClassLoader();
diff --git a/api/src/main/java/jakarta/servlet/http/Cookie.java b/api/src/main/java/jakarta/servlet/http/Cookie.java
index b8dc013e0..18185c47c 100644
--- a/api/src/main/java/jakarta/servlet/http/Cookie.java
+++ b/api/src/main/java/jakarta/servlet/http/Cookie.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2021 Oracle and/or its affiliates and others.
+ * Copyright (c) 1997, 2023 Oracle and/or its affiliates and others.
 * All rights reserved.
 * Copyright 2004 The Apache Software Foundation
 *
@@ -19,8 +19,6 @@ package jakarta.servlet.http; import java.io.Serializable; -import java.security.AccessController; -import java.security.PrivilegedAction; import java.text.MessageFormat; import java.util.Collections; import java.util.Locale; @@ -76,12 +74,8 @@ public class Cookie implements Cloneable, Serializable { private static final ResourceBundle lStrings = ResourceBundle.getBundle(LSTRING_FILE); static { - boolean enforced = AccessController.doPrivileged(new PrivilegedAction() { - @Override - public Boolean run() { - return Boolean.valueOf(System.getProperty("org.glassfish.web.rfc2109_cookie_names_enforced", "true")); - } - }); + boolean enforced = Boolean.valueOf(System.getProperty("org.glassfish.web.rfc2109_cookie_names_enforced", "true")); + if (enforced) { TSPECIALS = "/()<>@,;:\\\"[]?={} \t"; } else { diff --git a/spec/src/main/asciidoc/servlet-spec-body.adoc b/spec/src/main/asciidoc/servlet-spec-body.adoc index e05df188f..d9d866786 100644 --- a/spec/src/main/asciidoc/servlet-spec-body.adoc +++ b/spec/src/main/asciidoc/servlet-spec-body.adoc @@ -5,7 +5,7 @@ :sectnums!: == Jakarta Servlet Specification, Version {spec-version} -Copyright (c) 2022 Contributors to the Eclipse Foundation. +Copyright (c) 2023 Contributors to the Eclipse Foundation. Eclipse is a registered trademark of the Eclipse Foundation. Jakarta is a trademark of the Eclipse Foundation. Oracle and Java are 
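Review bot: The `System.getProperty(...)` read in `Cookie`'s static initializer now runs with the permissions of whichever code first triggers class initialization, and nothing in the new line handles a refusal. The spec text in this patch keeps Java SE 11 as the minimum platform, where a security manager can still be installed, so in such a deployment a denied property read would throw `SecurityException` from the initializer and leave `Cookie` unusable for the rest of the JVM's life. If that configuration is deliberately unsupported, record it at the read, e.g. `// No doPrivileged: running with a SecurityManager is not supported`; otherwise fall back to the strict default when the read is refused. Also prefer `Boolean.parseBoolean(...)` over `Boolean.valueOf(...)` to avoid the box/unbox, and note in a comment that any value other than "true" selects the `else` branch, which by the property name appears to relax cookie-name checking. The static block continues beyond the hunk, so the `else` body is not visible here.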
@@ -221,12 +221,8 @@ servlet, may modify responses produced by servlets before sending them to the clients, or may respond to requests without delivering them to the servlet under the compliance with RFC 7234. -A servlet container may place security -restrictions on the environment in which a servlet executes. These -restrictions may be placed using the permission architecture defined -by the Java platform. For example some application servers may limit the -creation of a `Thread` object to insure that other components of the -container are not negatively impacted. +A servlet container may place security restrictions on the environment in which +a servlet executes. Java SE 11 is the minimum version of the underlying Java platform with which servlet containers must be built. @@ -8572,6 +8568,9 @@ behaviour is aligned with `getHeader()`. link:https://github.com/eclipse-ee4j/servlet-api/issues/415[Issue 415]:: Add overloaded `setCharacterEncoding()` methods that support `Charset`. +link:https://github.com/eclipse-ee4j/servlet-api/issues/443[Issue 443]:: +Remove references to the SecurityManager and associated APIs. + link:https://github.com/eclipse-ee4j/servlet-api/issues/453[Issue 453]:: Add a security warning and a clarification of canonicalization requirements to all `ServletContext` methods that accept a path parameter.