geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Paul McMahan (JIRA)" <j...@apache.org>
Subject [jira] Issue Comment Edited: (GERONIMO-3451) "Restricted listeners property file not found" error logged during Tomcat server startup
Date Mon, 22 Oct 2007 15:19:50 GMT

    [ https://issues.apache.org/jira/browse/GERONIMO-3451?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12536355
] 

pmcmahan edited comment on GERONIMO-3451 at 10/22/07 8:18 AM:
------------------------------------------------------------------

It's not clear to me that this error message is actually harmless.  Tomcat uses RestrictedServlet.properties
and RestrictedFilters.properties files as a sort of internalized/proprietary security mechanism
to limit access to certain types of servlets and filters.  The instance manager patch that
is applied to Geronimo's build of tomcat (see GERONIMO-3010 and GERONIMO-3206) introduced
a new type of security check in DefaultInstanceManager for restricted Listeners :

{code:title=DefaultInstanceManager.java|borderStyle=solid}
    private void checkAccess(Class clazz)
    {
        if(privileged)
            return;
        if(clazz.isAssignableFrom(javax/servlet/Filter))
            checkAccess(clazz, restrictedFilters);
        else
        if(clazz.isAssignableFrom(javax/servlet/Servlet))
            checkAccess(clazz, restrictedServlets);
        else
            checkAccess(clazz, restrictedListeners);
    }
{code}

However, that class also has a bug in the place where the RestrictedListeners.properties is
read in,  adding its contents to the restrictedFilters list instead of the restrictedListeners
list :

{code:title=DefaultInstanceManager.java|borderStyle=solid}
            java.io.InputStream is = getClass().getClassLoader().getResourceAsStream("org/apache/catalina/core/RestrictedListeners.properties");
            if(is != null)
                *restrictedFilters.load(is);*     //   <---- should be restrictedListeners.load(is)
            else
                catalinaContext.getLogger().error(sm.getString("defaultInstanceManager.restrictedListenersResources"));
{code}

So addressing this issue will involve :
# determine if the DefaultInstanceManager really needs to check for restricted listeners
# if so, determine which listeners should be restricted (what to put in the RestrictedListeners.properties)
# add RestrictedListeners.properties to Geronimo's catalina.jar
# fix the bug in DefaultInstanceManager mentioned above

      was (Author: pmcmahan):
    It's not clear to me that this error message is actually harmless.  Tomcat uses RestrictedServlet.properties
and RestrictedFilters.properties files as a sort of internalized/proprietary security mechanism
to limit access to certain types of servlets and filters.  The instance manager patch that
is applied to Geronimo's build of tomcat (see GERONIMO-3010 and GERONIMO-3206) introduced
a new type of security check in DefaultInstanceManager for restricted Listeners :
{{
    private void checkAccess(Class clazz)
    {
        if(privileged)
            return;
        if(clazz.isAssignableFrom(javax/servlet/Filter))
            checkAccess(clazz, restrictedFilters);
        else
        if(clazz.isAssignableFrom(javax/servlet/Servlet))
            checkAccess(clazz, restrictedServlets);
        else
            checkAccess(clazz, restrictedListeners);
    }
}}

However, that class also has a bug in the place where the RestrictedListeners.properties is
read in,  adding its contents to the restrictedFilters list instead of the restrictedListeners
list.
{{
            java.io.InputStream is = getClass().getClassLoader().getResourceAsStream("org/apache/catalina/core/RestrictedListeners.properties");
            if(is != null)
                *restrictedFilters.load(is);*
            else
                catalinaContext.getLogger().error(sm.getString("defaultInstanceManager.restrictedListenersResources"));
}}

So addressing this issue will involve :
# determine if the DefaultInstanceManager really needs to check for restricted listeners
# if so, determine which listeners should be restricted (what to put in the RestrictedListeners.properties)
# add RestrictedListeners.properties to Geronimo's catalina.jar
# fix the bug in DefaultInstanceManager mentioned above
  
> "Restricted listeners property file not found" error logged during Tomcat server startup
> ----------------------------------------------------------------------------------------
>
>                 Key: GERONIMO-3451
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-3451
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: Tomcat
>    Affects Versions: 2.0, 2.0.x
>            Reporter: Kevan Miller
>             Fix For: 2.0.x
>
>
> During Tomcat server startup, the following log error is displayed on the console:
> 12:57:32,559 ERROR [[/]] "Restricted listeners property file not found
> Althgough the log message can be ignored, users assume that something is broken...

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message