tomcat-dev mailing list archives

From Aditya <adi...@grot.org>
Subject Re: DO NOT REPLY [Bug 13907] - security manager does not give read permission on a context by default
Date Sat, 26 Oct 2002 06:40:35 GMT
Glenn,

On Fri, Oct 25, 2002 at 08:40:28AM -0500, Glenn Nielsen wrote:
> I suspect that for some reason the Context does not have a context 
> directory.  Add

FWIW, I'm not running the context from a WAR file -- it's just the examples
context that comes with the default install.

> String docBase = context.getRealPath("/"); to your test jsp and see if it 
> returns null.

could you fully qualify the "context" Class -- if it's the same as:

  pageContext.getServletContext().getRealPath("/");

then docBase returns /usr/local/tomcat/webapps/examples/ correctly, i.e. if I
have just the following in the JSP:

  String fullPath = pageContext.getServletContext().getRealPath("/test2.new");
  out.println("<br>fullPath: " + fullPath);

  String docBase = pageContext.getServletContext().getRealPath("/");
  out.println("<br>docBase: " + docBase);

I correctly get:

  fullPath: /usr/local/tomcat/webapps/examples/test2.new
  docBase: /usr/local/tomcat/webapps/examples/

however when I add:

  java.io.File foo = new java.io.File(fullPath);
  if (foo.exists()) {
      out.println("Exists: " + fullPath);
  } else {
      out.println("does not exist");
  }

to the JSP I get the old:

  java.io.FilePermission /usr/local/tomcat/webapps/examples/test2.new read

the debug output is appended below (let me know if you want more) -- I set all
the debug flags in server.xml to 9.

> Also try setting the debug attributes in your server.xml to 9 and capture 
> the debug output.

from localhost_examples_log:

2002-10-25 14:25:19 Authenticator[/examples]: Security checking request GET
/examples/jsp/test.jsp
2002-10-25 14:25:19 Authenticator[/examples]:  Checking constraint
'SecurityConstraint[Protected Area]' against GET /jsp/test.jsp --> false
2002-10-25 14:25:19 Authenticator[/examples]:  No applicable constraint
located
2002-10-25 14:25:19 Authenticator[/examples]:  Not subject to any constraint
2002-10-25 14:25:19 StandardContext[/examples]: Mapping
contextPath='/examples' with requestURI='/examples/jsp/test.jsp' and
relativeURI='/jsp/test.jsp'
2002-10-25 14:25:19 StandardContext[/examples]:   Trying exact match
2002-10-25 14:25:19 StandardContext[/examples]:   Trying prefix match
2002-10-25 14:25:19 StandardContext[/examples]:   Trying extension match
2002-10-25 14:25:19 StandardContext[/examples]:  Mapped to servlet 'jsp' with
servlet path '/jsp/test.jsp' and path info 'null' and update=true
2002-10-25 14:25:27 StandardWrapperValve[jsp]: Servlet.service() for servlet
jsp threw exception
org.apache.jasper.JasperException: access denied (java.io.FilePermission
/usr/local/tomcat/webapps/examples/test2.new read)
        at
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:248)
        at
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:289)
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:240)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
        at
org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:98)
        at
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
        at java.security.AccessController.doPrivileged(Native Method)
        at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
        at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:260)
        at
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
        at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at
org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
        at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:471)
        at
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at
org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at
org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2396)
        at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
        at
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
        at
org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
        at
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
        at
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at
org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
        at
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
        at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at
org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at
org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
        at
org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:256)
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:361)
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:563)
        at
org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:535)
        at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:638)
        at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
        at java.lang.Thread.run(Thread.java:536)
----- Root Cause -----
java.security.AccessControlException: access denied (java.io.FilePermission
/usr/local/tomcat/webapps/examples/test2.new read)
        at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
        at
java.security.AccessController.checkPermission(AccessController.java:401)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
        at java.lang.SecurityManager.checkRead(SecurityManager.java:887)
        at java.io.File.exists(File.java:677)
        at org.apache.jsp.test_jsp._jspService(test_jsp.java:64)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:136)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:204)
        at
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:289)
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:240)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
        at
org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:98)
        at
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
        at java.security.AccessController.doPrivileged(Native Method)
        at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
        at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:260)
        at
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
        at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at
org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
        at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:471)
        at
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at
org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at
org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2396)
        at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
        at
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
        at
org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
        at
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
        at
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at
org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
        at
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
        at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at
org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at
org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
        at
org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:256)
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:361)
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:563)
        at
org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:535)
        at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:638)
        at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
        at java.lang.Thread.run(Thread.java:536)


and catalina.out:

access: access allowed (java.lang.RuntimePermission accessClassInPackage.org.apache.jasper.runtime)
access: access allowed (java.lang.RuntimePermission accessClassInPackage.org.apache.jasper.runtime)
access: access allowed (java.lang.RuntimePermission accessClassInPackage.org.apache.jasper.runtime)
access: access allowed (java.lang.RuntimePermission defineClassInPackage.org.apache.jasper.runtime)
access: access allowed (java.io.FilePermission /usr/local/tomcat/webapps/examples/WEB-INF/classes/org/apache/jasper/runtime/HttpJspBase.class read)
access: access allowed (java.io.FilePermission /usr/local/tomcat/webapps/examples/WEB-INF/classes/org/apache/jasper/runtime/HttpJspBase.class read)
access: access allowed (java.lang.RuntimePermission accessClassInPackage.org.apache.jasper.runtime)
access: access allowed (java.lang.RuntimePermission accessClassInPackage.org.apache.jasper.runtime)
access: access allowed (java.lang.reflect.ReflectPermission suppressAccessChecks)
access: access denied (java.io.FilePermission /usr/local/tomcat/webapps/examples/test2.new read)
java.lang.Exception: Stack trace
        at java.lang.Thread.dumpStack(Thread.java:1071)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:259)
        at java.security.AccessController.checkPermission(AccessController.java:401)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
        at java.lang.SecurityManager.checkRead(SecurityManager.java:887)
        at java.io.File.exists(File.java:677)
        at org.apache.jsp.test_jsp._jspService(test_jsp.java:64)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:136)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:204)
        at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:289)
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:240)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:98)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:260)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:471)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2396)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
        at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
        at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
        at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:256)
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:361)
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:563)
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:535)
        at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:638)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
        at java.lang.Thread.run(Thread.java:536)
access: access allowed (java.util.PropertyPermission java.security.debug read)
access: domain that failed ProtectionDomain (file:/usr/local/tomcat/webapps/examples/ <no certificates>)
 null
 <no principals>
 java.security.Permissions@425743 (
 (java.io.FilePermission /usr/local/tomcat/work/Standalone/localhost/examples/- read)
 (java.util.PropertyPermission java.specification.vendor read)
 (java.util.PropertyPermission java.vm.specification.vendor read)
 (java.util.PropertyPermission path.separator read)
 (java.util.PropertyPermission java.vm.name read)
 (java.util.PropertyPermission java.class.version read)
 (java.util.PropertyPermission java.vendor.url read)
 (java.util.PropertyPermission os.name read)
 (java.util.PropertyPermission jaxp.debug read)
 (java.util.PropertyPermission java.vendor read)
 (java.util.PropertyPermission java.vm.vendor read)
 (java.util.PropertyPermission file.separator read)
 (java.util.PropertyPermission javax.sql.* read)
 (java.util.PropertyPermission java.naming.* read)
 (java.util.PropertyPermission os.version read)
 (java.util.PropertyPermission java.vm.version read)
 (java.util.PropertyPermission java.version read)
 (java.util.PropertyPermission line.separator read)
 (java.util.PropertyPermission java.home read)
 (java.util.PropertyPermission java.vm.specification.version read)
 (java.util.PropertyPermission java.specification.name read)
 (java.util.PropertyPermission java.vm.specification.name read)
 (java.util.PropertyPermission java.specification.version read)
 (java.util.PropertyPermission os.arch read)
 (java.lang.RuntimePermission accessClassInPackage.sun.beans.*)
 (java.lang.RuntimePermission accessClassInPackage.sun.beans)
 (java.lang.RuntimePermission getAttribute)
 (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util.*)
 (java.lang.RuntimePermission accessClassInPackage.org.apache.jasper.runtime)
 (java.lang.RuntimePermission accessClassInPackage.org.apache.jasper.runtime.*)
 (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util)
)

Thanks,
Adi
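
The failing-domain dump in the message above can be replayed outside Tomcat. The following is an added example, not code from the original message or from the Tomcat project: it rebuilds the one FilePermission listed for the domain and evaluates the denied request against it. The class name, the `allowed` helper and the policy grant shown in the comment are assumptions for illustration.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.security.Permissions;

// Illustrative class name; not part of Tomcat.
public class ContextReadPermissionCheck {

    // True when the granted collection implies the requested permission.
    // This is the per-ProtectionDomain question the access controller asks.
    static boolean allowed(Permissions granted, Permission requested) {
        return granted.implies(requested);
    }

    public static void main(String[] args) {
        // The only FilePermission present in the dumped ProtectionDomain:
        // recursive read on the JSP work directory, nothing on the docBase.
        Permissions domain = new Permissions();
        domain.add(new FilePermission(
            "/usr/local/tomcat/work/Standalone/localhost/examples/-", "read"));

        // What File.exists() requested through SecurityManager.checkRead().
        Permission readTest = new FilePermission(
            "/usr/local/tomcat/webapps/examples/test2.new", "read");
        Permission writeTest = new FilePermission(
            "/usr/local/tomcat/webapps/examples/test2.new", "write");

        System.out.println("domain as dumped, read:  " + allowed(domain, readTest));

        // Assumed remedy: a read-only, recursive grant scoped to this one
        // context. In policy-file syntax the equivalent entry would be:
        //
        //   grant codeBase "file:${catalina.home}/webapps/examples/-" {
        //     permission java.io.FilePermission
        //         "${catalina.home}/webapps/examples/-", "read";
        //   };
        domain.add(new FilePermission(
            "/usr/local/tomcat/webapps/examples/-", "read"));

        System.out.println("with docBase grant, read:  " + allowed(domain, readTest));
        // The grant stays least-privilege: write is still not implied.
        System.out.println("with docBase grant, write: " + allowed(domain, writeTest));
    }
}
```

The trailing `/-` makes a FilePermission recursive, so the work-directory entry covers compiled JSPs but says nothing about files under `webapps/examples`.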