tomcat-users mailing list archives

From Jean-Francois Arcand <jfarc...@apache.org>
Subject Re: tomcat security issue
Date Wed, 23 Oct 2002 15:19:42 GMT
If you run the same code without the SecurityManager, do you get the 
same exception? Is the "factoryLoaderServlet" defined in your web.xml?

-- Jeanfrancois

wsweetman@mac.com wrote:

> thanks for the reply
>
> my code that seems to cause the problem is as follows:
>
>         HttpSession session = request.getSession();
>         session.setAttribute( "customerProfile", new Profile() );
>         session.setAttribute( "loggedIn", new Boolean( false ) );
>         session.setAttribute( "customerOrder", new Order() );
>         RequestDispatcher dispatcher = null;
>         String destination = "factoryLoaderServlet";
>         try{
>             dispatcher = this.getServletContext().getNamedDispatcher( destination );
>             if( dispatcher == null ){
>                 // getNamedDispatcher returns null when no servlet of that name is declared in web.xml
>                 throw new ServletException( "No servlet named " + destination );
>             }
>             this.log( "Including destination => " + destination );
>             dispatcher.include( request, response );
>         }
>         catch( ServletException exception ){
>             // The error needs to be logged; may have to redirect to a page that asks the user to
>             // return at a later time
>             this.log( "Servlet threw an exception when attempting to forward to " + destination, exception );
>             throw exception;
>         }
>         catch( IOException exception ){
>             // The error needs to be logged; may have to redirect to a page that asks the user to
>             // return at a later time
>             this.log( "Servlet threw an exception when attempting to forward to " + destination, exception );
>             throw exception;
>         }
>
>
> I am unwilling to get rid of the SecurityManager due to this being a
> public site. As can be seen by the stack trace, the call to
> getNamedDispatcher eventually causes the ApplicationDispatcher class
> to be called, but it is not being called from my code explicitly. I
> have included the permission as you suggested but still get the
> following message in the browser (even though the previous stack
> trace is no longer output to the catalina.out file):
>
> root cause
> java.lang.NoClassDefFoundError: org/apache/catalina/core/ApplicationDispatcher
>     at org.apache.catalina.core.ApplicationContext.getNamedDispatcher(ApplicationContext.java:534)
>     at org.apache.catalina.core.ApplicationContextFacade.getNamedDispatcher(ApplicationContextFacade.java:179)
>     at alvolo.servlet.DispatcherServlet.initialiseSession(DispatcherServlet.java:280)
>     at alvolo.servlet.DispatcherServlet.doGet(DispatcherServlet.java:146)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
>     at org.apache.catalina.core.ApplicationFilterChain.access$0(ApplicationFilterChain.java:197)
>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:243)
>     at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
>     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
>     at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:190)
>     at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
>     at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
>     at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
>     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
>     at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
>     at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2343)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
>     at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
>     at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
>     at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
>     at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
>     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
>     at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
>     at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
>     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
>     at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
>     at org.apache.ajp.tomcat4.Ajp13Processor.process(Ajp13Processor.java:429)
>     at org.apache.ajp.tomcat4.Ajp13Processor.run(Ajp13Processor.java:495)
>     at java.lang.Thread.run(Thread.java:536)
>
>
> On Wednesday, October 23, 2002, at 04:02 PM, Jean-Francois Arcand wrote:
>
>> Is alvolo.servlet.DispatcherServlet.initialiseSession trying to get
>> access to org.apache.catalina.core.ApplicationDispatcher? That's
>> the normal behaviour if your answer is yes. Tomcat internal classes
>> are protected against package access/insertion. If you really want
>> to use that class, add the following to your catalina.policy file under
>>
>> // These permissions are granted by default to all web applications
>> // In addition, a web application will be given a read FilePermission
>> // and JndiPermission for all files and directories in its document root.
>> grant {
>>    [...]
>>     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.core.*";
>>
>> }
>>
>> or do not use the SecurityManager.
>>
>> *But* remember you are opening the Tomcat core classes to all web
>> applications, and this is potentially a *security risk*. Also, your
>> application is not portable across different Servlet Containers when
>> doing that.
>>
>> -- Jeanfrancois
>>
>> wsweetman@mac.com wrote:
>>
>>> I have the following exception thrown when attempting to access tomcat app resources
>>>
>>> WarpEngine[Apache - Tomcat4]: Mapping request
>>> Security Violation, attempt to use Restricted Class: org.apache.catalina.core.ApplicationDispatcher
>>> java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
>>>         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
>>>         at java.security.AccessController.checkPermission(AccessController.java:401)
>>>         at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
>>>         at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1513)
>>>         at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:1056)
>>>         at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:992)
>>>         at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:322)
>>>         at org.apache.catalina.core.ApplicationContext.getNamedDispatcher(ApplicationContext.java:534)
>>>         at org.apache.catalina.core.ApplicationContextFacade.getNamedDispatcher(ApplicationContextFacade.java:179)
>>>         at alvolo.servlet.DispatcherServlet.initialiseSession(DispatcherServlet.java:280)
>>>         at alvolo.servlet.DispatcherServlet.doGet(DispatcherServlet.java:146)
>>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
>>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
>>>         at org.apache.catalina.core.ApplicationFilterChain.access$0(ApplicationFilterChain.java:197)
>>>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
>>>         at java.security.AccessController.doPrivileged(Native Method)
>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
>>>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:243)
>>>         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
>>>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
>>>         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
>>>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:190)
>>>         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
>>>         at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
>>>         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
>>>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
>>>         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
>>>         at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2343)
>>>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
>>>         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
>>>         at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
>>>         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
>>>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
>>>         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
>>>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
>>>         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
>>>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
>>>         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
>>>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
>>>         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
>>>         at org.apache.ajp.tomcat4.Ajp13Processor.process(Ajp13Processor.java:429)
>>>         at org.apache.ajp.tomcat4.Ajp13Processor.run(Ajp13Processor.java:495)
>>>         at java.lang.Thread.run(Thread.java:536)
>>> StandardClassLoader: Security Violation, attempt to use Restricted Class: org.apache.catalina.core.ApplicationDispatcher
>>>
>>>
>>> Does anybody have any suggestions as to how to attack this issue?
>>>
>>> Kind regards
>>>
>>> Warren
>>>
>


--
To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
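An added example that follows up the catalina.policy advice quoted in the thread; it is not code from this thread or from Tomcat. It checks, with `java.lang.RuntimePermission.implies` (the same comparison the policy machinery performs), which grant names actually satisfy the `accessClassInPackage.org.apache.catalina.core` permission named in Warren's AccessControlException: `RuntimePermission` is a `java.security.BasicPermission`, and in that class a trailing `.*` implies names below the prefix but not the prefix itself. It also prints a narrower alternative to widening the global `grant { ... }` block, namely a grant tied to one web application's code base using the `grant codeBase "file:${catalina.home}/webapps/.../-"` form that Tomcat's policy file uses. The webapp directory name `alvolo` is an assumed placeholder taken from the package name in the trace, not something the thread states.

```java
import java.security.Permission;

/**
 * Added example (not code from the thread or from Tomcat): shows how the JDK
 * matches the RuntimePermission name written in a catalina.policy grant.
 * RuntimePermission extends java.security.BasicPermission, whose trailing ".*"
 * wildcard implies names *below* the prefix but not the prefix itself.
 */
public class PackageAccessGrantCheck {

    /** The permission Tomcat's class loader ends up asking for in the trace. */
    static final Permission NEEDED =
        new RuntimePermission("accessClassInPackage.org.apache.catalina.core");

    /** True if a grant carrying the given permission name would satisfy NEEDED. */
    static boolean grantCovers(String grantedName) {
        return new RuntimePermission(grantedName).implies(NEEDED);
    }

    /**
     * A least-privilege alternative to widening the global "grant { ... }" block:
     * the exact package name, granted only to one web application's code base.
     * The webapp directory name passed in ("alvolo" below) is an assumed placeholder.
     */
    static String scopedGrant(String webappDir) {
        return "grant codeBase \"file:${catalina.home}/webapps/" + webappDir + "/-\" {\n"
             + "    permission java.lang.RuntimePermission"
             + " \"accessClassInPackage.org.apache.catalina.core\";\n"
             + "};\n";
    }

    public static void main(String[] args) {
        String[] candidates = {
            "accessClassInPackage.org.apache.catalina.core.*", // as suggested in the thread
            "accessClassInPackage.org.apache.catalina.*",      // wider wildcard, does cover .core
            "accessClassInPackage.org.apache.catalina.core",   // exact package name
        };
        for (String name : candidates) {
            // Expected: false, true, true
            System.out.printf("%-52s covers org.apache.catalina.core: %b%n",
                              name, grantCovers(name));
        }
        System.out.println();
        System.out.println("Narrower grant for catalina.policy:");
        System.out.print(scopedGrant("alvolo"));
    }
}
```

Because the AccessController check walks the whole call stack, the grant has to cover the web application's own code base even though the class load is triggered inside Tomcat's `ApplicationContext.getNamedDispatcher` rather than by the application touching `ApplicationDispatcher` directly, which is the situation the stack traces above show. Scoping the grant by `codeBase` keeps that widened access to the one application that needs it instead of every deployed webapp, which is the risk Jean-Francois points out.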

