tomcat-users mailing list archives

From Jean-Francois Arcand <jfarc...@apache.org>
Subject Re: tomcat security issue
Date Wed, 23 Oct 2002 15:02:49 GMT
Is alvolo.servlet.DispatcherServlet.initialiseSession trying to get access 
to org.apache.catalina.core.ApplicationDispatcher? That's the normal 
behaviour if your answer is yes. Tomcat internal classes are protected 
against package access/insertion. If you really want to use that class, 
add the following to your catalina.policy file under

// These permissions are granted by default to all web applications
// In addition, a web application will be given a read FilePermission
// and JndiPermission for all files and directories in its document root.
grant {
    [...]
    // The name must match the permission reported in the
    // AccessControlException exactly. A trailing ".*" wildcard on a
    // RuntimePermission only covers sub-packages (org.apache.catalina.core.x),
    // not the package org.apache.catalina.core itself.
    permission java.lang.RuntimePermission
        "accessClassInPackage.org.apache.catalina.core";
}

or do not use the SecurityManager.

*But* remember you are opening the Tomcat core classes to all web 
applications, and this is potentially a *security risk*. Also, your 
application is not portable across different Servlet Container when 
doing that.

-- Jeanfrancois

wsweetman@mac.com wrote:

> I have the following exception thrown when attempting to access
> tomcat app resources
>
> WarpEngine[Apache - Tomcat4]: Mapping request
> Security Violation, attempt to use Restricted Class: org.apache.catalina.core.ApplicationDispatcher
> java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
>         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
>         at java.security.AccessController.checkPermission(AccessController.java:401)
>         at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
>         at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1513)
>         at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:1056)
>         at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:992)
>         at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:322)
>         at org.apache.catalina.core.ApplicationContext.getNamedDispatcher(ApplicationContext.java:534)
>         at org.apache.catalina.core.ApplicationContextFacade.getNamedDispatcher(ApplicationContextFacade.java:179)
>         at alvolo.servlet.DispatcherServlet.initialiseSession(DispatcherServlet.java:280)
>         at alvolo.servlet.DispatcherServlet.doGet(DispatcherServlet.java:146)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
>         at org.apache.catalina.core.ApplicationFilterChain.access$0(ApplicationFilterChain.java:197)
>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:243)
>         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
>         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:190)
>         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
>         at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
>         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
>         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
>         at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2343)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
>         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
>         at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
>         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
>         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
>         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
>         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
>         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
>         at org.apache.ajp.tomcat4.Ajp13Processor.process(Ajp13Processor.java:429)
>         at org.apache.ajp.tomcat4.Ajp13Processor.run(Ajp13Processor.java:495)
>         at java.lang.Thread.run(Thread.java:536)
> StandardClassLoader: Security Violation, attempt to use Restricted Class: org.apache.catalina.core.ApplicationDispatcher
>
>
> Does anybody have any suggestions as to how to attack this issue?
>
> Kind regards
>
> Warren
>
>
> --
> To unsubscribe, e-mail:   
> <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: 
> <mailto:tomcat-user-help@jakarta.apache.org>
>
>

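To see which policy grant actually satisfies the permission named in the exception above, here is an added Java example (not part of the original thread or of Tomcat) that runs RuntimePermission.implies against the same permission names; the class and method names are my own.

```java
import java.security.Permission;

/**
 * Checks whether a candidate catalina.policy grant would satisfy the
 * permission the SecurityManager demanded in the stack trace above.
 * RuntimePermission is a BasicPermission, so a name ending in ".*"
 * implies only names that are strictly longer than the prefix.
 */
public class PackageAccessCheck {

    // The permission reported in the AccessControlException (copied from the thread).
    static final Permission NEEDED =
        new RuntimePermission("accessClassInPackage.org.apache.catalina.core");

    /** True when a grant with this permission name covers NEEDED. */
    static boolean grantSatisfies(String grantedName) {
        return new RuntimePermission(grantedName).implies(NEEDED);
    }

    /** True when the grant is broader than NEEDED (covers sibling packages too). */
    static boolean grantIsOverBroad(String grantedName) {
        Permission granted = new RuntimePermission(grantedName);
        Permission sibling = new RuntimePermission("accessClassInPackage.org.apache.catalina.startup");
        return granted.implies(NEEDED) && granted.implies(sibling);
    }

    public static void main(String[] args) {
        // Constructed candidates: the thread's wildcard, the exact name, and a parent wildcard.
        String[] candidates = {
            "accessClassInPackage.org.apache.catalina.core.*",
            "accessClassInPackage.org.apache.catalina.core",
            "accessClassInPackage.org.apache.catalina.*",
        };
        for (String name : candidates) {
            System.out.printf("%-55s satisfies: %-5b over-broad: %b%n",
                name, grantSatisfies(name), grantIsOverBroad(name));
        }
    }
}
```

Run this before editing catalina.policy: the grant that both satisfies the check and is not over-broad is the one to use, and a grant block with a codeBase clause (as in Tomcat's default catalina.policy) limits it to one application instead of every web application.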
