tomcat-users mailing list archives

From wsweet...@mac.com
Subject Re: tomcat security issue
Date Wed, 23 Oct 2002 15:24:53 GMT
Yes, the factoryLoaderServlet is defined.

Too complex an issue currently to restart without the SecurityManager. May be able to do it overnight. Other dependent apps need to be up during the day.

Warren
On Wednesday, October 23, 2002, at 04:19 PM, Jean-Francois Arcand wrote:

> If you run the same code without the SecurityManager, do you get the  
> same exception? Is the "factoryLoaderServlet" defined in your web.xml?
>
> -- Jeanfrancois
>
> wsweetman@mac.com wrote:
>
>> Thanks for the reply.
>>
>> My code that seems to cause the problem is as follows:
>>
>>         HttpSession session = request.getSession();
>>         session.setAttribute( "customerProfile", new Profile() );
>>         session.setAttribute( "loggedIn", new Boolean( false ) );
>>         session.setAttribute( "customerOrder", new Order() );
>>         RequestDispatcher dispatcher = null;
>>         String destination = "factoryLoaderServlet";
>>         try{
>>             // Look up the target servlet by its web.xml <servlet-name>
>>             dispatcher = this.getServletContext().getNamedDispatcher( destination );
>>             if( dispatcher == null ){
>>                 // getNamedDispatcher returns null when no servlet of that name exists
>>                 throw new ServletException( "No servlet named " + destination );
>>             }
>>             this.log( "Including destination => " + destination );
>>             dispatcher.include( request, response );
>>         }
>>         catch( ServletException exception ){
>>             // The error needs to be logged; may have to redirect to a page
>>             // that requests the user to return at a later time
>>             this.log( "Servlet threw an exception when attempting to forward to " + destination, exception );
>>             throw exception;
>>         }
>>         catch( IOException exception ){
>>             // The error needs to be logged; may have to redirect to a page
>>             // that requests the user to return at a later time
>>             this.log( "Servlet threw an exception when attempting to forward to " + destination, exception );
>>             throw exception;
>>         }
>>
>>
>> I am unwilling to get rid of the SecurityManager due to this being a
>> public site.  As can be seen by the stack trace, the call to
>> getNamedDispatcher eventually causes the ApplicationDispatcher class
>> to be called, but it is not being called from my code explicitly.  I
>> have included the permission as you suggested but still get the
>> following message in the browser (even though the previous stack
>> trace is not output to the catalina.out file any longer):
>>
>> <p><b>root cause</b> <pre>java.lang.NoClassDefFoundError: org/apache/catalina/core/ApplicationDispatcher
>>     at org.apache.catalina.core.ApplicationContext.getNamedDispatcher(ApplicationContext.java:534)
>>     at org.apache.catalina.core.ApplicationContextFacade.getNamedDispatcher(ApplicationContextFacade.java:179)
>>     at alvolo.servlet.DispatcherServlet.initialiseSession(DispatcherServlet.java:280)
>>     at alvolo.servlet.DispatcherServlet.doGet(DispatcherServlet.java:146)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
>>     at org.apache.catalina.core.ApplicationFilterChain.access$0(ApplicationFilterChain.java:197)
>>     at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
>>     at java.security.AccessController.doPrivileged(Native Method)
>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:243)
>>     at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
>>     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
>>     at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:190)
>>     at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
>>     at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
>>     at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
>>     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
>>     at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
>>     at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2343)
>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
>>     at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
>>     at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
>>     at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
>>     at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
>>     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
>>     at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
>>     at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
>>     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
>>     at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
>>     at org.apache.ajp.tomcat4.Ajp13Processor.process(Ajp13Processor.java:429)
>>     at org.apache.ajp.tomcat4.Ajp13Processor.run(Ajp13Processor.java:495)
>>     at java.lang.Thread.run(Thread.java:536)
>> </pre></p>
>>
>>
>> On Wednesday, October 23, 2002, at 04:02 PM, Jean-Francois Arcand wrote:
>>
>>> Is alvolo.servlet.DispatcherServlet.initialiseSession trying to get
>>> access to org.apache.catalina.core.ApplicationDispatcher? That's
>>> the normal behaviour if your answer is yes. Tomcat internal classes
>>> are protected against package access/insertion. If you really want
>>> to use that class, add to your catalina.policy file the following
>>> under
>>>
>>> // These permissions are granted by default to all web applications
>>> // In addition, a web application will be given a read FilePermission
>>> // and JndiPermission for all files and directories in its document root.
>>> grant {
>>>    [...]
>>>     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.core.*";
>>>
>>> }
>>>
>>> or do not use the SecurityManager.
>>>
>>> *But* remember you are opening the Tomcat core classes to all web
>>> applications, and this is potentially a *security risk*. Also, your
>>> application is not portable across different Servlet Containers when
>>> doing that.
>>>
>>> -- Jeanfrancois
>>>
>>> wsweetman@mac.com wrote:
>>>
>>>> I have the following exception thrown when attempting to access tomcat app resources:
>>>>
>>>> WarpEngine[Apache - Tomcat4]: Mapping request
>>>> Security Violation, attempt to use Restricted Class: org.apache.catalina.core.ApplicationDispatcher
>>>> java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
>>>>         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
>>>>         at java.security.AccessController.checkPermission(AccessController.java:401)
>>>>         at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
>>>>         at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1513)
>>>>         at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:1056)
>>>>         at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:992)
>>>>         at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:322)
>>>>         at org.apache.catalina.core.ApplicationContext.getNamedDispatcher(ApplicationContext.java:534)
>>>>         at org.apache.catalina.core.ApplicationContextFacade.getNamedDispatcher(ApplicationContextFacade.java:179)
>>>>         at alvolo.servlet.DispatcherServlet.initialiseSession(DispatcherServlet.java:280)
>>>>         at alvolo.servlet.DispatcherServlet.doGet(DispatcherServlet.java:146)
>>>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
>>>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.access$0(ApplicationFilterChain.java:197)
>>>>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
>>>>         at java.security.AccessController.doPrivileged(Native Method)
>>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
>>>>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:243)
>>>>         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
>>>>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
>>>>         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
>>>>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:190)
>>>>         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
>>>>         at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
>>>>         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
>>>>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
>>>>         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
>>>>         at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2343)
>>>>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
>>>>         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
>>>>         at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
>>>>         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
>>>>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
>>>>         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
>>>>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
>>>>         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
>>>>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
>>>>         at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
>>>>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
>>>>         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
>>>>         at org.apache.ajp.tomcat4.Ajp13Processor.process(Ajp13Processor.java:429)
>>>>         at org.apache.ajp.tomcat4.Ajp13Processor.run(Ajp13Processor.java:495)
>>>>         at java.lang.Thread.run(Thread.java:536)
>>>> StandardClassLoader: Security Violation, attempt to use Restricted Class: org.apache.catalina.core.ApplicationDispatcher
>>>>
>>>>
>>>> Does anybody have any suggestions as to how to attack this issue?
>>>>
>>>> Kind regards
>>>>
>>>> Warren
>>>>
>>>>
>>>> --
>>>> To unsubscribe, e-mail:     
>>>> <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
>>>> For additional commands, e-mail:   
>>>> <mailto:tomcat-user-help@jakarta.apache.org>
>>>>
>>>>
>>>
>>>
>>>
>>
>
>
>


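An added illustration, not code from this thread, of a detail worth checking before editing the catalina.policy grant quoted above: java.security permission names of the form a.b.* match sub-packages of a.b but not a.b itself, so a grant for accessClassInPackage.org.apache.catalina.core.* does not satisfy the accessClassInPackage.org.apache.catalina.core check named in the AccessControlException, while the exact package name does. The class name PackageAccessCheck and the helper grantSatisfies are assumptions of this example.

```java
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;

public class PackageAccessCheck {

    // The permission Tomcat's SecurityManager demanded in the trace above:
    // "access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)"
    static final Permission NEEDED =
        new RuntimePermission("accessClassInPackage.org.apache.catalina.core");

    // Build a one-entry policy from a grant name and ask whether it covers NEEDED.
    // Permissions/BasicPermission apply the same implies() rules the policy engine uses,
    // so this reproduces the decision checkPackageAccess makes at class-load time.
    static boolean grantSatisfies(String grantedName) {
        PermissionCollection granted = new Permissions();
        granted.add(new RuntimePermission(grantedName));
        return granted.implies(NEEDED);
    }

    public static void main(String[] args) {
        // Constructed candidate grant names, narrowest to broadest.
        String[] candidates = {
            // the form quoted in the thread: covers sub-packages of core, not core itself
            "accessClassInPackage.org.apache.catalina.core.*",
            // the exact package name from the AccessControlException (least privilege)
            "accessClassInPackage.org.apache.catalina.core",
            // broader: every package under org.apache.catalina
            "accessClassInPackage.org.apache.catalina.*",
            // broadest: every restricted package on the server
            "accessClassInPackage.*",
        };
        for (String name : candidates) {
            System.out.printf("%-52s satisfies check: %b%n", name, grantSatisfies(name));
        }
    }
}
```

The two wildcard forms that do pass the check grant far more than the one package the servlet needs, which is exactly the exposure of Tomcat internals to every web application that the reply above warns about; the exact package name is the least-privilege choice.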

