Ensure that JNDI names used for <lookup-name> entries in web.xml and for lookup elements of @Resource annotations specify a name with an explicit java: namespace.
git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc8.0.x/trunk@1831258 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/java/org/apache/tomcat/util/descriptor/web/LocalStrings.properties b/java/org/apache/tomcat/util/descriptor/web/LocalStrings.properties
index 59ec693..ca0307c 100644
--- a/java/org/apache/tomcat/util/descriptor/web/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/descriptor/web/LocalStrings.properties
@@ -15,6 +15,7 @@
filterDef.invalidFilterName=Invalid <filter-name> [{0}] in filter definition.
+resourceBase.lookupNotJava=Lookup-name values must explicitly reference the java: namespace but [{0}] does not
securityConstraint.uncoveredHttpMethod=For security constraints with URL pattern [{0}] only the HTTP methods [{1}] are covered. All other methods are uncovered.
securityConstraint.uncoveredHttpMethodFix=Adding security constraints with URL pattern [{0}] to deny access with the uncovered HTTP methods that are not one of the following [{1}]
securityConstraint.uncoveredHttpOmittedMethod=For security constraints with URL pattern [{0}] the HTTP methods [{1}] are uncovered.
diff --git a/java/org/apache/tomcat/util/descriptor/web/ResourceBase.java b/java/org/apache/tomcat/util/descriptor/web/ResourceBase.java
index 81a2dc6..9c2506c 100644
--- a/java/org/apache/tomcat/util/descriptor/web/ResourceBase.java
+++ b/java/org/apache/tomcat/util/descriptor/web/ResourceBase.java
@@ -22,6 +22,7 @@
import java.util.Iterator;
import java.util.List;
+import org.apache.tomcat.util.res.StringManager;
/**
@@ -33,9 +34,11 @@
private static final long serialVersionUID = 1L;
- // ------------------------------------------------------------- Properties
+ private static final StringManager sm = StringManager.getManager(ResourceBase.class);
+ // ------------------------------------------------------------- Properties
+
/**
* The description of this resource.
*/
@@ -87,6 +90,15 @@
}
public void setLookupName(String lookupName) {
+ // EE.5.3.3: Must explicitly use java: namespace
+ if (lookupName == null || lookupName.length() == 0) {
+ this.lookupName = null;
+ return;
+ }
+ if (!lookupName.startsWith("java:")) {
+ throw new IllegalArgumentException(
+ sm.getString("resourceBase.lookupNotJava", lookupName));
+ }
this.lookupName = lookupName;
}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index d35d2ca..b17d18e 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -71,6 +71,12 @@
JNDI resources that are defined with injection targets but no value are
now treated as if the resource is not defined. (markt)
</fix>
+ <fix>
+ Ensure that JNDI names used for <code><lookup-name></code> entries
+ in web.xml and for <code>lookup</code> elements of
+ <code>@Resource</code> annotations specify a name with an explicit
+ <code>java:</code> namespace. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">