tomcat-users mailing list archives

From wsweet...@mac.com
Subject Re: tomcat security issue
Date Wed, 23 Oct 2002 15:09:06 GMT
Thanks for the reply.

My code that seems to cause the problem is as follows:

         HttpSession session = request.getSession();
         session.setAttribute( "customerProfile", new Profile() );
         session.setAttribute( "loggedIn", new Boolean( false ) );
         session.setAttribute( "customerOrder", new Order() );
         RequestDispatcher dispatcher = null;
         String destination = "factoryLoaderServlet";
         try{
             // getNamedDispatcher() is the call that makes Tomcat load
             // org.apache.catalina.core.ApplicationDispatcher on our behalf
             dispatcher = this.getServletContext().getNamedDispatcher( destination );
             if( dispatcher == null ){
                 // getNamedDispatcher() returns null when no servlet has that name
                 throw new ServletException( "No servlet named " + destination );
             }
             this.log( "Including destination => " + destination );
             dispatcher.include( request, response );
         }
         catch( ServletException exception ){
             // The error needs to be logged; may have to redirect to a page
             // that requests the user to return at a later time
             this.log( "Servlet threw an exception when attempting to forward to " + destination, exception );
             throw exception;
         }
         catch( IOException exception ){
             // The error needs to be logged; may have to redirect to a page
             // that requests the user to return at a later time
             this.log( "Servlet threw an exception when attempting to forward to " + destination, exception );
             throw exception;
         }


I am unwilling to get rid of the SecurityManager due to this being a
public site.  As can be seen by the stack trace, the call to
getNamedDispatcher eventually causes the ApplicationDispatcher class to
be called, but it is not being called from my code explicitly.  I have
included the permission as you suggested but still get the following
message in the browser (even though the previous stack trace is not
output to the catalina.out file any longer):

<p><b>root cause</b> <pre>java.lang.NoClassDefFoundError: org/apache/catalina/core/ApplicationDispatcher
	at org.apache.catalina.core.ApplicationContext.getNamedDispatcher(ApplicationContext.java:534)
	at org.apache.catalina.core.ApplicationContextFacade.getNamedDispatcher(ApplicationContextFacade.java:179)
	at alvolo.servlet.DispatcherServlet.initialiseSession(DispatcherServlet.java:280)
	at alvolo.servlet.DispatcherServlet.doGet(DispatcherServlet.java:146)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
	at org.apache.catalina.core.ApplicationFilterChain.access$0(ApplicationFilterChain.java:197)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:243)
	at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:190)
	at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
	at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
	at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
	at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2343)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
	at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
	at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
	at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
	at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
	at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
	at org.apache.ajp.tomcat4.Ajp13Processor.process(Ajp13Processor.java:429)
	at org.apache.ajp.tomcat4.Ajp13Processor.run(Ajp13Processor.java:495)
	at java.lang.Thread.run(Thread.java:536)
</pre></p>


On Wednesday, October 23, 2002, at 04:02 PM, Jean-Francois Arcand wrote:

> Is alvolo.servlet.DispatcherServlet.initialiseSession trying to get
> access to org.apache.catalina.core.ApplicationDispatcher? That's the
> normal behaviour if your answer is yes. Tomcat internal classes are
> protected against package access/insertion. If you really want to use
> that class, add to your catalina.policy file the following under
>
> // These permissions are granted by default to all web applications
> // In addition, a web application will be given a read FilePermission
> // and JndiPermission for all files and directories in its document root.
> grant {
>    [...]
>     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.core.*";
>
> }
>
> or do not use the SecurityManager.
>
> *But* remember you are opening the Tomcat core classes to all web
> applications, and this is potentially a *security risk*. Also, your
> application is not portable across different servlet containers when
> doing that.
>
> -- Jeanfrancois
>
> wsweetman@mac.com wrote:
>
>> I have the following exception thrown when attempting to access
>> tomcat app resources
>>
>> WarpEngine[Apache - Tomcat4]: Mapping request
>> Security Violation, attempt to use Restricted Class: org.apache.catalina.core.ApplicationDispatcher
>> java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
>>         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
>>         at java.security.AccessController.checkPermission(AccessController.java:401)
>>         at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
>>         at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1513)
>>         at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:1056)
>>         at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:992)
>>         at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:322)
>>         at org.apache.catalina.core.ApplicationContext.getNamedDispatcher(ApplicationContext.java:534)
>>         at org.apache.catalina.core.ApplicationContextFacade.getNamedDispatcher(ApplicationContextFacade.java:179)
>>         at alvolo.servlet.DispatcherServlet.initialiseSession(DispatcherServlet.java:280)
>>         at alvolo.servlet.DispatcherServlet.doGet(DispatcherServlet.java:146)
>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
>>         at org.apache.catalina.core.ApplicationFilterChain.access$0(ApplicationFilterChain.java:197)
>>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
>>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:243)
>>         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
>>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
>>         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
>>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:190)
>>         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
>>         at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
>>         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
>>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
>>         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
>>         at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2343)
>>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
>>         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
>>         at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
>>         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
>>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
>>         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
>>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
>>         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
>>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
>>         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
>>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
>>         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
>>         at org.apache.ajp.tomcat4.Ajp13Processor.process(Ajp13Processor.java:429)
>>         at org.apache.ajp.tomcat4.Ajp13Processor.run(Ajp13Processor.java:495)
>>         at java.lang.Thread.run(Thread.java:536)
>> StandardClassLoader: Security Violation, attempt to use Restricted Class: org.apache.catalina.core.ApplicationDispatcher
>>
>>
>> Does anybody have any suggestions as to how to attack this issue?
>>
>> Kind regards
>>
>> Warren
>>
>>
>> --
>> To unsubscribe, e-mail:    
>> <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
>> For additional commands, e-mail:  
>> <mailto:tomcat-user-help@jakarta.apache.org>
>>
>>
>
>
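An added example, not from the thread or from Tomcat, that checks whether the catalina.policy grant suggested in the reply actually covers the permission the original stack trace shows the SecurityManager checking. The two permission names (the checked name "accessClassInPackage.org.apache.catalina.core" and the suggested grant "accessClassInPackage.org.apache.catalina.core.*") are taken from the thread; the class name, the helper methods and the sub-package name are constructed here. RuntimePermission is a java.security.BasicPermission, and a BasicPermission name that ends in ".*" implies longer names under that prefix but not the bare prefix itself, so this program lets you confirm which grant satisfies which check before touching a live policy file.

```java
import java.security.Permission;
import java.security.Permissions;

/**
 * Added example (not from the thread or from Tomcat): asks the JDK's own
 * permission classes whether a catalina.policy grant would satisfy the
 * package-access check that Tomcat's SecurityManager performed.
 */
public class PolicyGrantCheck {

    // The permission named in the AccessControlException in the thread.
    static final String REQUESTED = "accessClassInPackage.org.apache.catalina.core";

    // The grant suggested in the reply, with a trailing ".*" wildcard.
    static final String GRANT_WILDCARD = "accessClassInPackage.org.apache.catalina.core.*";

    // A grant that names the package exactly.
    static final String GRANT_EXACT = "accessClassInPackage.org.apache.catalina.core";

    // Constructed name standing in for any sub-package of the core package.
    static final String SUB_PACKAGE = "accessClassInPackage.org.apache.catalina.core.sub";

    /** Builds a Permissions collection the way a single grant { ... } block would. */
    static Permissions grantOf(String... runtimePermissionNames) {
        Permissions perms = new Permissions();
        for (String name : runtimePermissionNames) {
            perms.add(new RuntimePermission(name));
        }
        return perms;
    }

    /** True if the grant implies the requested RuntimePermission name. */
    static boolean grantCovers(Permissions grant, String requestedName) {
        Permission requested = new RuntimePermission(requestedName);
        return grant.implies(requested);
    }

    public static void main(String[] args) {
        Permissions wildcard = grantOf(GRANT_WILDCARD);
        Permissions exact = grantOf(GRANT_EXACT);

        System.out.println("wildcard grant covers the checked permission: "
                + grantCovers(wildcard, REQUESTED));
        System.out.println("exact grant covers the checked permission:    "
                + grantCovers(exact, REQUESTED));
        System.out.println("wildcard grant covers a sub-package:          "
                + grantCovers(wildcard, SUB_PACKAGE));
        System.out.println("exact grant covers a sub-package:             "
                + grantCovers(exact, SUB_PACKAGE));
    }
}
```

Compile and run it with any JDK (javac PolicyGrantCheck.java && java PolicyGrantCheck): the wildcard grant reports false for the checked permission and true for the sub-package, while the exact grant reports the reverse, because BasicPermission treats "a.b.*" as implying "a.b.c" but not "a.b". The grant that matches the check in the thread is therefore the exact package name, and it does not reach into sub-packages. Independently of the name, the global grant { ... } block in the reply opens the package to every web application on the server; standard Java policy syntax allows the same permission to be restricted to one application with a codeBase clause, for example grant codeBase "file:${catalina.home}/webapps/<your-app>/-" { ... } (the path is an assumed layout, adjust it to the deployment), which keeps the exposure the reply warns about limited to the one application that needs it.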
