tomcat-users mailing list archives

From Delian Krustev <tom...@krustev.net>
Subject AccessControlException in Coyote Http11Processor (Tomcat 6.0.14). Bug in Coyote ?
Date Tue, 27 Nov 2007 11:58:19 GMT

Hi all,

I'm running several similarly configured Tomcat containers, all using
a security manager.

On one of the instances I'm getting the following exception from the HTTP connector:

Nov 26, 2007 7:42:19 PM org.apache.catalina.connector.CoyoteAdapter service
SEVERE: An exception or error occurred in the container during the request processing
java.security.AccessControlException: org/apache/coyote/Constants
  at org.apache.coyote.http11.Http11Processor.prepareResponse(Http11Processor.java:1557)
  at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:934)
  at org.apache.coyote.Response.action(Response.java:183)
  at org.apache.coyote.Response.sendHeaders(Response.java:379)
  at org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:305)
  at org.apache.catalina.connector.OutputBuffer.close(OutputBuffer.java:273)
  at org.apache.catalina.connector.Response.finishResponse(Response.java:486)
  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:287)
  at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
  at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:584)
  at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
  at java.lang.Thread.run(Thread.java:619)
Nov 26, 2007 7:42:19 PM org.apache.coyote.http11.Http11Processor process
SEVERE: Error finishing response
java.security.AccessControlException: org/apache/coyote/Constants
  at org.apache.coyote.http11.Http11Processor.prepareResponse(Http11Processor.java:1557)
  at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:934)
  at org.apache.coyote.Response.action(Response.java:181)
  at org.apache.coyote.http11.InternalOutputBuffer.endRequest(InternalOutputBuffer.java:379)
  at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:879)
  at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:584)
  at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
  at java.lang.Thread.run(Thread.java:619)

At the same time the AJP connector works fine.

The security policy is a bit looser than the one distributed with tomcat 6.0.14:

############ start catalina.policy ############
grant codeBase "file:${java.home}/lib/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/jre/lib/ext/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/../lib/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/lib/ext/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
  permission java.security.AllPermission;
};
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
  permission java.security.AllPermission;
};
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
  permission java.security.AllPermission;
};
grant codeBase "file:${catalina.home}/lib/-" {
  permission java.security.AllPermission;
};
grant {
  permission java.util.PropertyPermission "*", "read";
  permission java.lang.RuntimePermission "getAttribute";
  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
  permission java.net.SocketPermission "*:1-", "connect";
  permission java.net.SocketPermission "localhost:1-", "connect";
  permission java.io.FilePermission "${catalina.home}/lib/-", "read";
  permission java.io.FilePermission "${java.home}/-", "read";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "getProtectionDomain";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission ognl.OgnlInvokePermission "*";
  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.collections";
  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.pool.impl";
  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.dbcp";
  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.pool";
};
############ end catalina.policy ############

catalina.properties is unmodified.

The connectors are configured like this:

  <Connector
      port="8080"
      protocol="HTTP/1.1"
      maxThreads="150"
      connectionTimeout="20000"
      redirectPort="443" />

  <Connector
      port="8009"
      enableLookups="false"
      redirectPort="443"
      protocol="AJP/1.3"
      backlog="100"
      connectionTimeout="5000"
      maxThreads="300" />


My guess is that either this is a bug in the Coyote HTTP connector or
the security policy is not strict enough and one of the installed
applications (third party, I don't have access to the source) modifies
the security manager somehow. My modifications to the policy do not
appear to grant such permissions to the webapps, so if the assumption
is right it's a bug in the distributed catalina.policy.

Any ideas?


Thanks
--
Delian

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
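
Added example, not part of the original message and not Tomcat code: a small auditor that parses a catalina.policy and lists the sensitive permissions that a `grant` block with no codeBase gives to every code source, web applications included. The sample policy is a constructed abridgement of the one in the message, and the SENSITIVE shortlist and function names are this example's own assumptions.

```python
import re

# Constructed sample: abridged from the policy in the message, keeping one
# codeBase-scoped grant and part of the codeBase-less grant.
SAMPLE_POLICY = '''
grant codeBase "file:${catalina.home}/lib/-" {
  permission java.security.AllPermission;
};
grant {
  permission java.util.PropertyPermission "*", "read";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "getProtectionDomain";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission java.net.SocketPermission "*:1-", "connect";
};
'''

# Reviewer's shortlist (an assumption of this example, not a Tomcat or JDK
# list): permissions that let code reach past the sandbox or replace it.
SENSITIVE = {
    ("java.security.AllPermission", None),
    ("java.lang.RuntimePermission", "setSecurityManager"),
    ("java.lang.RuntimePermission", "createClassLoader"),
    ("java.lang.RuntimePermission", "accessDeclaredMembers"),
    ("java.lang.RuntimePermission", "getClassLoader"),
    ("java.lang.reflect.ReflectPermission", "suppressAccessChecks"),
    ("java.security.SecurityPermission", "setPolicy"),
}

# Only "grant {" and "grant codeBase ... {" headers are handled here.
GRANT_RE = re.compile(r'\bgrant\b\s*(?:codeBase\s+"([^"]*)")?\s*\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;')

def parse_policy(text):
    """Return [(codeBase or None, [(class, target, actions), ...]), ...]."""
    text = re.sub(r'(?m)^\s*//.*$', '', text)  # drop whole-line // comments
    return [(m.group(1), PERM_RE.findall(m.group(2))) for m in GRANT_RE.finditer(text)]

def global_sensitive(text):
    """Sensitive permissions granted with no codeBase, i.e. to all code."""
    hits = []
    for code_base, perms in parse_policy(text):
        if code_base is not None:
            continue  # scoped to one code source, not to everything
        for cls, target, _actions in perms:
            if (cls, target or None) in SENSITIVE:
                hits.append((cls, target))
    return hits
```

Run `global_sensitive()` over the full policy text to review what the codeBase-less block exposes before loosening it further.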