tomcat-dev mailing list archives

From Glenn Nielsen <gl...@mail.more.net>
Subject Re: DO NOT REPLY [Bug 13907] - security manager does not give read permission on a context by default
Date Sat, 26 Oct 2002 10:14:27 GMT
Hmmm...

I did some reviews of CVS for the code which sets the context dir
FilePermission.  I had made a cut n paste mistake when changing code related
to this which would have prevented the context dir FilePermission
from being created.  This bug only existed for 6 hours in CVS before
I fixed it.  This was also the same day that the Tomcat 4.1.12
version was tagged in CVS.  4.1.12 may have been released with this bug.

Please try Tomcat 4.1.13 and see if the problem still exists.

Regards,

Glenn

Aditya wrote:
> Glenn,
> 
> On Fri, Oct 25, 2002 at 08:40:28AM -0500, Glenn Nielsen wrote:
> 
>>I suspect that for some reason the Context does not have a context 
>>directory.  Add
> 
> 
> FWIW, I'm not running the context from a WAR file -- it's just the examples
> context that comes with the default install.
> 
> 
>>String docBase = context.getRealPath("/"); to your test jsp and see if it 
>>returns null.
> 
> 
> could you fully qualify the "context" Class -- if it's the same as:
> 
>   pageContext.getServletContext().getRealPath("/");
> 
> then docBase returns /usr/local/tomcat/webapps/examples/ correctly. i.e. if I
> have just the following in the JSP:
> 
>   String fullPath = pageContext.getServletContext().getRealPath("/test2.new");
>   out.println("<br>fullPath: " + fullPath);
> 
>   String docBase = pageContext.getServletContext().getRealPath("/");
>   out.println("<br>docBase: " + docBase);
> 
> I correctly get:
> 
>   fullPath: /usr/local/tomcat/webapps/examples/test2.new
>   docBase: /usr/local/tomcat/webapps/examples/
> 
> however when I add:
> 
>   java.io.File foo = new java.io.File(fullPath);
>   if (foo.exists()) {
>       out.println("Exists: " + fullPath);
>   } else {
>       out.println("does not exist");
>   }
> 
> to the JSP I get the old:
> 
>   java.io.FilePermission /usr/local/tomcat/webapps/examples/test2.new read
> 
> the debug output is appended below (let me know if you want more) -- I set all
> the debug flags in server.xml to 9.
> 
> 
>>Also try setting the debug attributes in your server.xml to 9 and capture 
>>the debug output.
> 
> 
> from localhost_examples_log:
> 
> 2002-10-25 14:25:19 Authenticator[/examples]: Security checking request GET
> /examples/jsp/test.jsp
> 2002-10-25 14:25:19 Authenticator[/examples]:  Checking constraint
> 'SecurityConstraint[Protected Area]' against GET /jsp/test.jsp --> false
> 2002-10-25 14:25:19 Authenticator[/examples]:  No applicable constraint
> located
> 2002-10-25 14:25:19 Authenticator[/examples]:  Not subject to any constraint
> 2002-10-25 14:25:19 StandardContext[/examples]: Mapping
> contextPath='/examples' with requestURI='/examples/jsp/test.jsp' and
> relativeURI='/jsp/test.jsp'
> 2002-10-25 14:25:19 StandardContext[/examples]:   Trying exact match
> 2002-10-25 14:25:19 StandardContext[/examples]:   Trying prefix match
> 2002-10-25 14:25:19 StandardContext[/examples]:   Trying extension match
> 2002-10-25 14:25:19 StandardContext[/examples]:  Mapped to servlet 'jsp' with
> servlet path '/jsp/test.jsp' and path info 'null' and update=true
> 2002-10-25 14:25:27 StandardWrapperValve[jsp]: Servlet.service() for servlet
> jsp threw exception
> org.apache.jasper.JasperException: access denied (java.io.FilePermission
> /usr/local/tomcat/webapps/examples/test2.new read)
>         at
> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:248)
>         at
> org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:289)
>         at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:240)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
>         at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
>         at
> org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:98)
>         at
> org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
>         at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:260)
>         at
> org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
>         at
> org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>         at
> org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>         at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>         at
> org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
>         at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:471)
>         at
> org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>         at
> org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>         at
> org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>         at
> org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2396)
>         at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
>         at
> org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
>         at
> org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
>         at
> org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>         at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
>         at
> org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>         at
> org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>         at
> org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>         at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
>         at
> org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
>         at
> org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>         at
> org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>         at
> org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
>         at
> org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:256)
>         at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:361)
>         at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:563)
>         at
> org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:535)
>         at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:638)
>         at
> org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
>         at java.lang.Thread.run(Thread.java:536)
> ----- Root Cause -----
> java.security.AccessControlException: access denied (java.io.FilePermission
> /usr/local/tomcat/webapps/examples/test2.new read)
>         at
> java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
>         at
> java.security.AccessController.checkPermission(AccessController.java:401)
>         at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
>         at java.lang.SecurityManager.checkRead(SecurityManager.java:887)
>         at java.io.File.exists(File.java:677)
>         at org.apache.jsp.test_jsp._jspService(test_jsp.java:64)
>         at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:136)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
>         at
> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:204)
>         at
> org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:289)
>         at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:240)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
>         at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
>         at
> org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:98)
>         at
> org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
>         at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:260)
>         at
> org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
>         at
> org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>         at
> org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>         at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>         at
> org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
>         at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:471)
>         at
> org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>         at
> org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>         at
> org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>         at
> org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2396)
>         at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
>         at
> org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
>         at
> org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
>         at
> org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>         at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
>         at
> org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>         at
> org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>         at
> org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>         at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
>         at
> org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
>         at
> org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>         at
> org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>         at
> org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
>         at
> org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:256)
>         at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:361)
>         at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:563)
>         at
> org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:535)
>         at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:638)
>         at
> org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
>         at java.lang.Thread.run(Thread.java:536)
> 
> 
> and catalina.out:
> 
> access: access allowed (java.lang.RuntimePermission
> accessClassInPackage.org.apache.jasper.runtime)
> access: access allowed (java.lang.RuntimePermission
> accessClassInPackage.org.apache.jasper.runtime)
> access: access allowed (java.lang.RuntimePermission
> accessClassInPackage.org.apache.jasper.runtime)
> access: access allowed (java.lang.RuntimePermission
> defineClassInPackage.org.apache.jasper.runtime)
> access: access allowed (java.io.FilePermission
> /usr/local/tomcat/webapps/examples/WEB-INF/classes/o
> rg/apache/jasper/runtime/HttpJspBase.class read)
> access: access allowed (java.io.FilePermission
> /usr/local/tomcat/webapps/examples/WEB-INF/classes/o
> rg/apache/jasper/runtime/HttpJspBase.class read)
> access: access allowed (java.lang.RuntimePermission
> accessClassInPackage.org.apache.jasper.runtime)
> access: access allowed (java.lang.RuntimePermission
> accessClassInPackage.org.apache.jasper.runtime)
> access: access allowed (java.lang.reflect.ReflectPermission
> suppressAccessChecks)
> access: access denied (java.io.FilePermission
> /usr/local/tomcat/webapps/examples/test2.new read)
> java.lang.Exception: Stack trace
>         at java.lang.Thread.dumpStack(Thread.java:1071)
>         at
> java.security.AccessControlContext.checkPermission(AccessControlContext.java:259)
>         at
> java.security.AccessController.checkPermission(AccessController.java:401)
>         at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
>         at java.lang.SecurityManager.checkRead(SecurityManager.java:887)
>         at java.io.File.exists(File.java:677)
>         at org.apache.jsp.test_jsp._jspService(test_jsp.java:64)
>         at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:136)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
>         at
> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:204)
>         at
> org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:289)
>         at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:240)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
>         at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.
> java:247)
>         at
> org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:9
> 8)
>         at
> org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172
> )
>         at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:260)
>         at
> org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(Standa
> rdPipeline.java:643)
>         at
> org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>         at
> org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>         at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>         at
> org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(Standa
> rdPipeline.java:643)
>         at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:471)
>         at
> org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(Standa
> rdPipeline.java:641)
>         at
> org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>         at
> org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>         at
> org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2396)
>         at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
>         at
> org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(Standa
> rdPipeline.java:643)
>         at
> org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
>         at
> org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(Standa
> rdPipeline.java:641)
>         at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
>         at
> org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(Standa
> rdPipeline.java:641)
>         at
> org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>         at
> org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>         at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
>         at
> org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(Standa
> rdPipeline.java:643)
>         at
> org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>         at
> org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>         at
> org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
>         at
> org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:256)
>         at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:361)
>         at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:563)
>         at
> org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:535)
>         at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:638)
>         at
> org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
>         at java.lang.Thread.run(Thread.java:536)
> access: access allowed (java.util.PropertyPermission java.security.debug read)
> access: domain that failed ProtectionDomain
> (file:/usr/local/tomcat/webapps/examples/ <no certific
> ates>)
>  null
>  <no principals>
>  java.security.Permissions@425743 (
>  (java.io.FilePermission
> /usr/local/tomcat/work/Standalone/localhost/examples/- read)
>  (java.util.PropertyPermission java.specification.vendor read)
>  (java.util.PropertyPermission java.vm.specification.vendor read)
>  (java.util.PropertyPermission path.separator read)
>  (java.util.PropertyPermission java.vm.name read)
>  (java.util.PropertyPermission java.class.version read)
>  (java.util.PropertyPermission java.vendor.url read)
>  (java.util.PropertyPermission os.name read)
>  (java.util.PropertyPermission jaxp.debug read)
>  (java.util.PropertyPermission java.vendor read)
>  (java.util.PropertyPermission java.vm.vendor read)
>  (java.util.PropertyPermission file.separator read)
>  (java.util.PropertyPermission javax.sql.* read)
>  (java.util.PropertyPermission java.naming.* read)
>  (java.util.PropertyPermission os.version read)
>  (java.util.PropertyPermission java.vm.version read)
>  (java.util.PropertyPermission java.version read)
>  (java.util.PropertyPermission line.separator read)
>  (java.util.PropertyPermission java.home read)
>  (java.util.PropertyPermission java.vm.specification.version read)
>  (java.util.PropertyPermission java.specification.name read)
>  (java.util.PropertyPermission java.vm.specification.name read)
>  (java.util.PropertyPermission java.specification.version read)
>  (java.util.PropertyPermission os.arch read)
>  (java.lang.RuntimePermission accessClassInPackage.sun.beans.*)
>  (java.lang.RuntimePermission accessClassInPackage.sun.beans)
>  (java.lang.RuntimePermission getAttribute)
>  (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util.*)
>  (java.lang.RuntimePermission accessClassInPackage.org.apache.jasper.runtime)
>  (java.lang.RuntimePermission
> accessClassInPackage.org.apache.jasper.runtime.*)
>  (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util)
> )
> 
> Thanks,
> Adi
> 
> --
> To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
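
Added example, not part of the original message and not Tomcat's own code: it replays the access check from the catalina.out dump above using the JDK's `FilePermission.implies()` logic, first with the permissions the failing ProtectionDomain actually held, then with a context-dir grant added. The form of that grant (`docBase + "-"`, read) is an assumption; the thread does not show what Tomcat creates.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.security.Permissions;
import java.util.PropertyPermission;

public class ContextDirPermissionCheck {

    // Paths copied from the debug output in the quoted message.
    static final String WORK_DIR = "/usr/local/tomcat/work/Standalone/localhost/examples/";
    static final String DOC_BASE = "/usr/local/tomcat/webapps/examples/";

    // Permissions of the failing ProtectionDomain, abbreviated to the single
    // FilePermission it held plus one representative PropertyPermission.
    static Permissions domainAsDumped() {
        Permissions p = new Permissions();
        p.add(new FilePermission(WORK_DIR + "-", "read"));
        p.add(new PropertyPermission("java.version", "read"));
        return p;
    }

    // The same domain with a read grant on the context directory added.
    // Assumption: the grant is docBase + "-"; the thread does not show it.
    static Permissions domainWithContextDir() {
        Permissions p = domainAsDumped();
        p.add(new FilePermission(DOC_BASE + "-", "read"));
        return p;
    }

    // Permissions.implies() is the same question the AccessController asks
    // of each ProtectionDomain on the call stack.
    static void report(String label, Permissions granted, Permission wanted) {
        System.out.printf("%-18s %-8s %-55s %s%n", label, wanted.getActions(),
                wanted.getName(), granted.implies(wanted) ? "allowed" : "denied");
    }

    public static void main(String[] args) {
        Permission[] probes = {
            // The check that File.exists() triggered in test.jsp.
            new FilePermission(DOC_BASE + "test2.new", "read"),
            // A file in a subdirectory of the context.
            new FilePermission(DOC_BASE + "jsp/test.jsp", "read"),
            // The context directory entry itself.
            new FilePermission(DOC_BASE, "read"),
            // A different action on the same file.
            new FilePermission(DOC_BASE + "test2.new", "write"),
        };

        Permissions before = domainAsDumped();
        Permissions after = domainWithContextDir();
        for (Permission wanted : probes) {
            report("as dumped", before, wanted);
            report("with context dir", after, wanted);
        }
    }
}
```

A path ending in `/-` covers every file and subdirectory beneath the directory recursively, but not the directory entry itself, and a read grant never implies write.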
