Bug 48371

Summary: addWebXmlMappings does not place servlet tags correctly
Product: Tomcat 6
Reporter: Lee Clemens <java>
Component: Jasper
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: minor    
Priority: P2    
Version: 6.0.20   
Target Milestone: default   
Hardware: PC   
OS: Windows XP   

Description Lee Clemens 2009-12-10 18:16:34 UTC
If there is a commented-out <security-constraint> or commented-out <servlet> tag and addWebXmlMappings="true", the JSP's servlet and servlet-mapping tags are placed incorrectly and Tomcat will not start due to "--" being inside a comment.

Basically, it seems the web.xml is not parsed correctly when using addWebXmlMappings and you cannot have the above tags commented out, or new servlet tags will be placed incorrectly and comment tags not respected.

Comment 1 Konstantin Kolinko 2009-12-22 19:23:15 UTC
Can you provide step-by-step instructions on how to reproduce it on a fresh instance of Tomcat?

Comment 2 Lee Clemens 2009-12-24 09:29:06 UTC
In the webapp's web.xml, have display-name and then description.  Before the listener, include the snippet below (commented out).

Run an ANT script to precompile JSPs:

<import file="${tomcat.home}/bin/catalina-tasks.xml"/>
<jasper validateXml="false"
        uriroot="${work.core}"
        webXmlFragment="${jsp.generated.web.xml}"
        addWebXmlMappings="true"
        outputDir="${work.src}"/>

The resulting web.xml ${jsp.generated.web.xml} is malformed.

Here is the snippet from the web.xml before instructing jasper to addWebXmlMappings.

  <!--
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Entire Application</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    -->

    <!--<security-constraint>
        <web-resource-collection>
            <web-resource-name>Deny Direct Access</web-resource-name>
            <description>Deny direct access to JSPs. All such requests should be
                handled by the Container in the protection domain
            </description>
            <url-pattern>*.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>NoOneCanAccess</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>NoOneCanAccess</role-name>
    </security-role>-->


    <!-- modify in web.xml in tomcat/conf/
   <servlet>
       <servlet-name>jsp</servlet-name>
       <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
       <init-param>
           <param-name>fork</param-name>
           <param-value>false</param-value>
       </init-param>
       <init-param>
           <param-name>xpoweredBy</param-name>
           <param-value>false</param-value>
       </init-param>
       <init-param>
           <param-name>compilerSourceVM</param-name>
           <param-value>1.5</param-value>
       </init-param>
       <init-param>
           <param-name>compilerTargetVM</param-name>
           <param-value>1.5</param-value>
       </init-param>
       <load-on-startup>3</load-on-startup>
   </servlet> -->

Comment 3 Mark Thomas 2010-02-13 19:24:11 UTC
This has been fixed in trunk and proposed for 6.0.x

Comment 4 Mark Thomas 2010-03-03 17:40:52 UTC
This has been fixed for 6.0.x and will be included in 6.0.26 onwards.
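
An added example, not part of the bug report or of Tomcat's code: a build-time check in Python for the failure described above, run on the web.xml produced after the generated mappings are merged in. It reports a file that no longer parses (a comment containing "--") and, going one step beyond the report, the case where the generated mappings sit inside a comment and are silently inactive; the servlet name, fragment and web.xml skeleton are constructed sample data.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Strip a '{namespace}' prefix so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def check_merged_web_xml(text, expected_servlets):
    """Return a list of problems in a merged web.xml (empty list means OK)."""
    try:
        root = ET.fromstring(text)  # comments are dropped from the parsed tree
    except ET.ParseError as exc:
        return ["parse error: %s" % exc]
    declared, mapped = set(), set()
    for el in root:
        names = {c.text.strip() for c in el
                 if local(c.tag) == "servlet-name" and c.text}
        if local(el.tag) == "servlet":
            declared |= names
        elif local(el.tag) == "servlet-mapping":
            mapped |= names
    problems = []
    for name in expected_servlets:
        if name not in declared:
            problems.append("%s: no active <servlet>" % name)
        if name not in mapped:
            problems.append("%s: no active <servlet-mapping>" % name)
    return problems

# Constructed sample data: servlet name, generated fragment and web.xml skeleton.
NAME = "org.apache.jsp.index_jsp"
GENERATED = """<servlet>
        <servlet-name>%s</servlet-name>
    </servlet>
    <servlet-mapping>
        <servlet-name>%s</servlet-name>
        <url-pattern>/index.jsp</url-pattern>
    </servlet-mapping>
    """ % (NAME, NAME)
TEMPLATE = """<web-app>
    <!--
    <security-constraint>
        <auth-constraint><role-name>NoOneCanAccess</role-name></auth-constraint>
    </security-constraint>
    %s-->
    %s
</web-app>"""
GOOD = TEMPLATE % ("", GENERATED)              # fragment after the comment
SWALLOWED = TEMPLATE % (GENERATED, "")         # fragment inside the comment
NESTED = TEMPLATE % ("<!-- generated -->" + GENERATED, "")  # comment in comment
```

Failing the build when the returned list is non-empty catches both outcomes before the webapp is deployed.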