From: Delian Krustev
To: users@tomcat.apache.org
Subject: AccessControlException in Coyote Http11Processor (Tomcat 6.0.14). Bug in Coyote ?
Date: Tue, 27 Nov 2007 13:58:19 +0200

Hi all,

I'm running several similarly configured Tomcat containers all using security manager. On one of the instances I'm getting the following exception from the HTTP connector:

Nov 26, 2007 7:42:19 PM org.apache.catalina.connector.CoyoteAdapter service
SEVERE: An exception or error occurred in the container during the request processing
java.security.AccessControlException: org/apache/coyote/Constants
    at org.apache.coyote.http11.Http11Processor.prepareResponse(Http11Processor.java:1557)
    at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:934)
    at org.apache.coyote.Response.action(Response.java:183)
    at org.apache.coyote.Response.sendHeaders(Response.java:379)
    at org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:305)
    at org.apache.catalina.connector.OutputBuffer.close(OutputBuffer.java:273)
    at org.apache.catalina.connector.Response.finishResponse(Response.java:486)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:287)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:584)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:619)
Nov 26, 2007 7:42:19 PM org.apache.coyote.http11.Http11Processor process
SEVERE: Error finishing response
java.security.AccessControlException: org/apache/coyote/Constants
    at org.apache.coyote.http11.Http11Processor.prepareResponse(Http11Processor.java:1557)
    at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:934)
    at org.apache.coyote.Response.action(Response.java:181)
    at org.apache.coyote.http11.InternalOutputBuffer.endRequest(InternalOutputBuffer.java:379)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:879)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:584)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:619)

At the same time the AJP connector works fine.

The security policy is a bit looser than the one distributed with tomcat 6.0.14:

############ start catalina.policy ############
grant codeBase "file:${java.home}/lib/-" {
        permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/jre/lib/ext/-" {
        permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/../lib/-" {
        permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/lib/ext/-" {
        permission java.security.AllPermission;
};
grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
        permission java.security.AllPermission;
};
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
        permission java.security.AllPermission;
};
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
        permission java.security.AllPermission;
};
grant codeBase "file:${catalina.home}/lib/-" {
        permission java.security.AllPermission;
};
grant {
        permission java.util.PropertyPermission "*", "read";
        permission java.lang.RuntimePermission "getAttribute";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
        permission java.net.SocketPermission "*:1-", "connect";
        permission java.net.SocketPermission "localhost:1-", "connect";
        permission java.io.FilePermission "${catalina.home}/lib/-", "read";
        permission java.io.FilePermission "${java.home}/-", "read";
        permission java.lang.RuntimePermission "accessDeclaredMembers";
        permission java.lang.RuntimePermission "getClassLoader";
        permission java.lang.RuntimePermission "getProtectionDomain";
        permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
        permission ognl.OgnlInvokePermission "*";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.collections";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.pool.impl";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.dbcp";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.pool";
};
############ end catalina.policy ############

catalina.properties is unmodified.

The connectors are configured like this:

My guess is that either this is a bug in the Coyote HTTP connector or the security policy is not strict enough and one of the installed applications (third party, I don't have access to the source) modifies the security manager somehow. My modifications to the policy do not appear to grant such permissions to the webapps, so if the assumption is right it's a bug in the distributed catalina.policy.

Any ideas?

Thanks
--
Delian
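
An added example, not part of the original message and not Tomcat code: a small Python audit of the grant blocks in a catalina.policy like the one posted above, listing broad permissions that a `grant` without `codeBase` gives to every code source, web applications included. The set of permissions to flag (`BROAD`) is this example's assumption, and `SAMPLE` is a short excerpt assembled from lines of the posted policy.

```python
import re

# Permissions to review when a grant block has no codeBase (applies to all
# code). This selection is the example's assumption, not Tomcat's list.
BROAD = {
    ("java.security.AllPermission", None),
    ("java.lang.RuntimePermission", "setSecurityManager"),
    ("java.lang.RuntimePermission", "createClassLoader"),
    ("java.lang.RuntimePermission", "getClassLoader"),
    ("java.lang.RuntimePermission", "accessDeclaredMembers"),
    ("java.lang.RuntimePermission", "getProtectionDomain"),
    ("java.lang.reflect.ReflectPermission", "suppressAccessChecks"),
}
GRANT = re.compile(r'grant\s*(?:codeBase\s+"([^"]*)")?\s*\{(.*?)\}\s*;', re.S)
PERM = re.compile(r'permission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;')

def parse_policy(text):
    """Return [(codeBase or None, [(class, target, actions), ...]), ...]."""
    text = re.sub(r'^\s*//.*$', '', text, flags=re.M)  # drop // comment lines
    return [(cb or None, PERM.findall(body)) for cb, body in GRANT.findall(text)]

def audit(text):
    """List broad permissions granted without codeBase (to webapps as well)."""
    findings = []
    for code_base, perms in parse_policy(text):
        if code_base is not None:
            continue  # scoped to named jars or directories
        for cls, target, _actions in perms:
            broad = (cls, target or None) in BROAD or (cls, None) in BROAD
            any_host = cls == "java.net.SocketPermission" and target.startswith("*")
            if broad or any_host:
                findings.append((cls, target))
    return findings

# Sample input: a few lines taken from the policy in the message above.
SAMPLE = r'''
grant codeBase "file:${catalina.home}/lib/-" {
    permission java.security.AllPermission;
};
grant {
    permission java.util.PropertyPermission "*", "read";
    permission java.net.SocketPermission "*:1-", "connect";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
'''

if __name__ == "__main__":
    print("\n".join(f"{c} {t!r}" for c, t in audit(SAMPLE)))
```

On the excerpt, `setSecurityManager` is not among the findings, while the wildcard socket, reflection and class-loader permissions in the default `grant` block are.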