Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
List-Id: "Tomcat Developers List"
Reply-To: "Tomcat Developers List"
Delivered-To: mailing list tomcat-dev@jakarta.apache.org
Date: 27 Aug 2002 19:52:27 -0000
Message-ID: <20020827195227.28468.qmail@nagoya.betaversion.org>
From: bugzilla@apache.org
To: tomcat-dev@jakarta.apache.org
Subject: DO NOT REPLY [Bug 12101] New: - SecurityManager + removal of sample webapps = unprivileged getParameter()!

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT . ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12101

SecurityManager + removal of sample webapps = unprivileged getParameter()!

Summary: SecurityManager + removal of sample webapps = unprivileged getParameter()!
Product: Tomcat 4
Version: 4.0.4 Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Critical
Priority: Other
Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: ruvinsky@yahoo.com

When the sample webapps that come with Tomcat are removed from the "webapps/" directory (i.e., when they aren't auto installed on server startup), Catalina does not get initialized correctly -- as it "does" when the sample webapps do get auto installed on server startup.

This is very reproducible:

First, build a tester webapp ("tester.war") with a sample servlet that calls getParameter() for each request, and perhaps displays some output.

Begin with the stock Tomcat 4.0.4 distribution, remove all the files in "webapps/" and remove the Context declarations for the sample webapps in "conf/server.xml".

Next, copy "tester.war" into "webapps/" so that it is the only webapp.

Launch the server instance with a SecurityManager, by executing "bin/catalina start -security". Note that the only webapp started automatically at server startup is the "tester.war" using the context path "/tester".

Now, simply send a request to the servlet in tester that calls getParameter().
You should get a stack trace similar to the following:

StandardClassLoader: Security Violation, attempt to use Restricted Class: org.apache.catalina.util.LocalStrings
Security Violation, attempt to use Restricted Class: org.apache.catalina.util.LocalStrings_en
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:267)
        at java.security.AccessController.checkPermission(AccessController.java:394)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:540)
        at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1496)
        at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:1056)
        at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:992)
        at java.util.ResourceBundle.loadBundle(ResourceBundle.java:905)
        at java.util.ResourceBundle.findBundle(ResourceBundle.java:786)
        at java.util.ResourceBundle.getBundleImpl(ResourceBundle.java:635)
        at java.util.ResourceBundle.getBundle(ResourceBundle.java:541)
        at org.apache.catalina.util.StringManager.(StringManager.java:115)
        at org.apache.catalina.util.StringManager.getManager(StringManager.java:260)
        at org.apache.catalina.util.ParameterMap.(ParameterMap.java:174)
        at org.apache.catalina.connector.HttpRequestBase.parseParameters(HttpRequestBase.java:615)
        at org.apache.catalina.connector.HttpRequestBase.getParameter(HttpRequestBase.java:691)
        at org.apache.catalina.connector.RequestFacade.getParameter(RequestFacade.java:160)
        at com.akamai.edgejava.tests.SessionTest.doGet(SessionTest.java:35)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
        at org.apache.catalina.core.ApplicationFilterChain.access$0(ApplicationFilterChain.java:197)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:243)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:190)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2347)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:468)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java:1027)
        at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:1125)
        at java.lang.Thread.run(Thread.java:479)
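The mechanism the trace above shows, reduced to a stand-alone model. This is an added example written for this page, not Tomcat code and not part of the bug report: a container-side cache that is filled lazily, where the fill path goes through SecurityManager.checkPackageAccess() (as StandardClassLoader.loadClass does), so the first caller's protection domains decide whether the fill succeeds. Every name in it (ResourceCache, runAsWebapp, WEBAPP_CONTEXT, the package strings) is hypothetical. The reading that the sample webapps only mask the problem by triggering the same load from trusted code during startup is an inference from the report, not something the reporter states. It runs on JDK 8 to 17; JDK 18 to 23 need -Djava.security.manager=allow, and the SecurityManager is permanently disabled from JDK 24 on.

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.Security;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical model of a lazily filled container cache under a SecurityManager. */
public class LazyInitUnderSecurityManager {

    /** Stand-in for a StringManager.getManager()-style cache: one "bundle" per package. */
    static final class ResourceCache {
        private static final Map<String, String> cache = new HashMap<>();

        static synchronized String getManager(String pkg) {
            String m = cache.get(pkg);
            if (m == null) {
                m = load(pkg);            // whoever calls first pays for the load
                cache.put(pkg, m);
            }
            return m;
        }

        /** Same cache, but the load runs on the container's own authority. */
        static synchronized String getManagerPrivileged(final String pkg) {
            String m = cache.get(pkg);
            if (m == null) {
                m = AccessController.doPrivileged(
                        (PrivilegedAction<String>) () -> load(pkg));
                cache.put(pkg, m);
            }
            return m;
        }

        /** Models a class loader that subjects every load to checkPackageAccess(). */
        private static String load(String pkg) {
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                sm.checkPackageAccess(pkg); // fails if a no-permission domain is on the stack
            }
            return "LocalStrings for " + pkg;
        }
    }

    /** A context whose only domain holds no permissions, like a webapp with no policy grant. */
    static final AccessControlContext WEBAPP_CONTEXT = new AccessControlContext(
            new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });

    /** Run the action as if it were called from servlet code inside that webapp. */
    static String runAsWebapp(PrivilegedAction<String> action) {
        try {
            return AccessController.doPrivileged(action, WEBAPP_CONTEXT);
        } catch (AccessControlException e) {
            return "denied: " + e.getPermission();
        }
    }

    public static void main(String[] args) {
        // Make org.apache.catalina.* a restricted package prefix (this replaces the JDK's
        // default package.access list, which is fine for a demo), grant our own code
        // everything, then install the manager. Only WEBAPP_CONTEXT can now fail a check.
        Security.setProperty("package.access", "org.apache.catalina.");
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain d, Permission p) { return true; }
        });
        System.setSecurityManager(new SecurityManager());

        // 1. Cold cache, first touch from webapp code: the situation in the report.
        System.out.println("cold, from webapp:     "
                + runAsWebapp(() -> ResourceCache.getManager("org.apache.catalina.util")));

        // 2. Cache warmed by trusted code first, then the same call from the webapp.
        ResourceCache.getManager("org.apache.catalina.connector");
        System.out.println("warmed, from webapp:   "
                + runAsWebapp(() -> ResourceCache.getManager("org.apache.catalina.connector")));

        // 3. Cold cache, but the load itself is wrapped in doPrivileged.
        System.out.println("cold, privileged load: "
                + runAsWebapp(() -> ResourceCache.getManagerPrivileged("org.apache.catalina.core")));
    }
}
```

Case 1 is denied, cases 2 and 3 succeed. Case 2 is why startup order can hide this class of bug: the first load happened while only trusted frames were on the stack, and every later caller hits the cache. Case 3 is the durable pattern, and the doPrivileged block should cover nothing more than the load itself, since everything inside it runs without the caller's restrictions.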