Its not just a main / Jetty 12 issue. This should be backported to 9.x as
well where security manager isn't going away.

Kevin Risden


On Thu, May 22, 2025 at 11:22 AM Rahul Goswami <rahul196...@gmail.com>
wrote:

> Great find Kevin! That makes sense. Can confirm that  starting with
> --jvm-opts "-Djava.io.tmpdir=$(cd $TMPDIR; pwd -P)" works too. Also, thanks
> for the PR!
>
> I'd say that fixing this by passing "pwd -P" in the start opts in bin/solr
> _seems_ like the right way to go. But I am also conflicted on whether
> disabling security manager altogether is the solution that could be
> considered here (?). Especially since it's going away in Java 24 anyway.
>
> Rahul
>
> On Wed, May 21, 2025 at 10:07 PM Kevin Risden <kris...@apache.org> wrote:
>
> > The underlying issue is that /tmp is a symlink on Mac. Java security
> > manager permissions need the ability to read the symlink AND the
> underlying
> > directory. Since we only have
> >
> > permission java.io.FilePermission "${java.io.tmpdir}", "read,write";
> > permission java.io.FilePermission "${java.io.tmpdir}${/}-",
> > "read,write,delete";
> >
> > in security.policy it by default is just the symlink.
> >
> > We actually do similar fixes in our bin/solr script already using `pwd
> -P`
> > to ensure that we don't have symlinks in the path. See SOLR-16457 /
> > https://github.com/apache/solr/pull/1282
> >
> > an example that works:
> >
> > ./bin/solr start -f --jvm-opts "-Djava.io.tmpdir=$(cd $TMPDIR; pwd -P)"
> >
> > This takes the existing TMPDIR environment variable and forces
> > `java.io.tmpdir` to not be a symlink anymore using the `pwd -P`
> expansion.
> >
> > This can be done in bin/solr as well if we want and set tmpdir in say
> > SOLR_START_OPTS. Here is a PR to show how this could be done
> > https://github.com/apache/solr/pull/3359
> >
> > As you already found out you can also just disable the security manager -
> > here is a one liner that doesn't require changing any files either.
> >
> > SOLR_SECURITY_MANAGER_ENABLED=false ./bin/solr start -f
> >
> > As a final note this is not new to Jetty 12 but has been an issue in the
> > past - see https://issues.apache.org/jira/browse/SOLR-17542. It might be
> > new how its popping up now with Jetty 12 doing something with the temp
> > directory but there are other ways to hit it.
> >
> > Kevin Risden
> >
> >
> > On Wed, May 21, 2025 at 5:52 PM Rahul Goswami <rahul196...@gmail.com>
> > wrote:
> >
> > > That worked. Thanks Christos!
> > >
> > > On Wed, May 21, 2025 at 5:30 PM Christos Malliaridis <
> > > malliari...@apache.org>
> > > wrote:
> > >
> > > > I have faced the same issue recently.
> > > >
> > > > There is a configuration option in bin/solr.in.sh <http://sole.in.sh
> >
> > > for
> > > > the security manager:
> > > >
> > > > #SOLR_SECURITY_MANAGER_ENABLED=true
> > > >
> > > > Removing the comment and setting it to false worked for me.
> > > >
> > > > On Wed, 21 May 2025, 23:19 Rahul Goswami, <rahul196...@gmail.com>
> > wrote:
> > > >
> > > > > Sanjay,
> > > > > Thanks for looking into this. I also tried disabling the security
> > > manager
> > > > > on MacOS by running "solr start -e techproducts
> > > > > -Djdk.security.manager=disallow" and still see the same behavior
> with
> > > the
> > > > > same stacktrace in log.
> > > > >
> > > > > -Rahul
> > > > >
> > > > > On Tue, May 20, 2025 at 11:55 PM sanjay dutt <
> > > > > sanjaydutt.unoffic...@gmail.com> wrote:
> > > > >
> > > > > > Recently I merged changes related to jetty upgrade. I will look
> > into
> > > > it.
> > > > > > https://github.com/apache/solr/pull/2876
> > > > > >
> > > > > > On Wed, May 21, 2025 at 5:44 AM Rahul Goswami <
> > rahul196...@gmail.com
> > > >
> > > > > > wrote:
> > > > > >
> > > > > > > For additional context, this is working fine on Windows.
> Failing
> > > > > > > consistently on MacOS.
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Rahul
> > > > > > >
> > > > > > >
> > > > > > > On Tue, May 20, 2025 at 5:32 PM Rahul Goswami <
> > > rahul196...@gmail.com
> > > > >
> > > > > > > wrote:
> > > > > > >
> > > > > > > > I checked out main, and then "gradlew dev". Tried running the
> > > > > > > techproducts
> > > > > > > > example, but it seems to get into some exception with
> > > initializing
> > > > > the
> > > > > > > > context (hitting 503 error).
> > > > > > > >
> > > > > > > >
> > > > > > > > Logs are complaining about AccessControlException while
> trying
> > to
> > > > > > access
> > > > > > > a
> > > > > > > > temp location. I have tried the example flow in the past and
> > > never
> > > > > hit
> > > > > > > this
> > > > > > > > permission issue. Needless to say, bats tests are failing
> too.
> > > > > > > >
> > > > > > > >
> > > > > > > > Is anybody else seeing this too? Bad commit or an
> environmental
> > > > > issue?
> > > > > > > > Thanks for any insights.
> > > > > > > >
> > > > > > > >
> > > > > > > > rahulgoswami@MacBookPro bin % ./solr start -e techproducts
> > > > > > > >
> > > > > > > > *** [WARN] ***  Your Max Processes Limit is currently 2784.
> > > > > > > >
> > > > > > > >  It should be set to 65000 to avoid operational disruption.
> > > > > > > >
> > > > > > > >  If you no longer wish to see this warning, set
> > > SOLR_ULIMIT_CHECKS
> > > > to
> > > > > > > > false in your profile or solr.in.sh
> > > > > > > >
> > > > > > > >
> > > > > > > > Starting up Solr on port 8983 using command:
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> "/Users/rahulgoswami/Desktop/OpenSource_Repos/Solr-RG/solr/solr/packaging/build/dev/bin/solr"
> > > > > > > > start -p 8983 --solr-home
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> "/Users/rahulgoswami/Desktop/OpenSource_Repos/Solr-RG/solr/solr/packaging/build/dev/server/solr"
> > > > > > > > --server-dir
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> "/Users/rahulgoswami/Desktop/OpenSource_Repos/Solr-RG/solr/solr/packaging/build/dev/server"
> > > > > > > > -Dsolr.modules=clustering,extraction,langid,ltr,scripting
> > > > > > > > -Dsolr.ltr.enabled=true -Dsolr.clustering.enabled=true
> > > > > > > >
> > > > > > > >
> > > > > > > > *** [WARN] ***  Your Max Processes Limit is currently 2784.
> > > > > > > >
> > > > > > > >  It should be set to 65000 to avoid operational disruption.
> > > > > > > >
> > > > > > > >  If you no longer wish to see this warning, set
> > > SOLR_ULIMIT_CHECKS
> > > > to
> > > > > > > > false in your profile or solr.in.sh
> > > > > > > >
> > > > > > > > Waiting up to 180 seconds to see Solr running on port 8983
> [|]
> > > > > > > >
> > > > > > > > *Started Solr server on port 8983 (pid=25521). Happy
> > searching!*
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > *ERROR: Did not see Solr at http://localhost:8983/solr
> > > > > > > > <http://localhost:8983/solr> come online within 30 seconds!*
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > rahulgoswami@MacBookPro bin % ulimit -u
> > > > > > > >
> > > > > > > > 4176
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > solr.log
> > > > > > > >
> > > > > > > > ========
> > > > > > > >
> > > > > > > > 2025-05-20 17:29:35.210 WARN  (main) [c: s: r: x: t:]
> > > > > > > > o.e.j.x.XmlConfiguration Deprecated method public void
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> org.eclipse.jetty.ee10.webapp.WebAppContext.addServerClassMatcher(org.eclipse.jetty.ee10.webapp.ClassMatcher)
> > > > > > > > in
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> file:///Users/rahulgoswami/Desktop/OpenSource_Repos/Solr-RG/solr/solr/packaging/build/dev/server/contexts/solr-jetty-context.xml
> > > > > > > >
> > > > > > > > 2025-05-20 17:29:35.228 WARN  (main) [c: s: r: x: t:]
> > > > > > > > o.e.j.e.w.WebAppContext Failed startup of context
> > > > > > > > oeje10w.WebAppContext@4beddc56
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> {solr-jetty-context,/solr,b=null,a=STOPPED,h=oeje10s.SessionHandler@79b663b3
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> {STOPPED}}{/Users/rahulgoswami/Desktop/OpenSource_Repos/Solr-RG/solr/solr/packaging/build/dev/server/solr-webapp/webapp}
> > > > > > > > => *java.security.AccessControlException: access denied
> > > > > > > > ("java.io.FilePermission"
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> "/private/var/folders/j3/z8sqwjzx7n51bqx4qsw1_szw0000gn/T/jetty-127_0_0_1-8983-webapp-_solr-any-17333184592629858469"
> > > > > > > > "read")*
> > > > > > > >
> > > > > > > >         at
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:488)
> > > > > > > >
> > > > > > > > java.security.AccessControlException: access denied
> > > > > > > > ("java.io.FilePermission"
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> "/private/var/folders/j3/z8sqwjzx7n51bqx4qsw1_szw0000gn/T/jetty-127_0_0_1-8983-webapp-_solr-any-17333184592629858469"
> > > > > > > > "read")
> > > > > > > >
> > > > > > > >         at
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:488)
> > > > > > > > ~[?:?]
> > > > > > > >
> > > > > > > >         at
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> java.base/java.security.AccessController.checkPermission(AccessController.java:1085)
> > > > > > > > ~[?:?]
> > > > > > > >
> > > > > > > >         at
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:411)
> > > > > > > > ~[?:?]
> > > > > > > >
> > > > > > > >         at
> > > > > > > >
> > > > >
> > java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:742)
> > > > > > > > ~[?:?]
> > > > > > > >
> > > > > > > >         at java.base/java.io.File.exists(File.java:831)
> ~[?:?]
> > > > > > > >
> > > > > > > >         at
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> org.eclipse.jetty.server.handler.ContextHandler.createTempDirectory(ContextHandler.java:787)
> > > > > > > > ~[jetty-server-12.0.19.jar:12.0.19]
> > > > > > > >
> > > > > > > >         at
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> org.eclipse.jetty.ee10.webapp.WebAppContext.createTempDirectory(WebAppContext.java:480)
> > > > > > > > ~[jetty-ee10-webapp-12.0.19.jar:12.0.19]
> > > > > > > >
> > > > > > > >         at
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> org.eclipse.jetty.ee10.webapp.WebInfConfiguration.preConfigure(WebInfConfiguration.java:62)
> > > > > > > > ~[jetty-ee10-webapp-12.0.19.jar:12.0.19]
> > > > > > > >
> > > > > > > >         at
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> org.eclipse.jetty.ee10.webapp.Configurations.preConfigure(Configurations.java:487)
> > > > > > > > ~[jetty-ee10-webapp-12.0.19.jar:12.0.19]
> > > > > > > >
> > > > > > > >         at
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> org.eclipse.jetty.ee10.webapp.WebAppContext.preConfigure(WebAppContext.java:462)
> > > > > > > > ~[jetty-ee10-webapp-12.0.19.jar:12.0.19]
> > > > > > > >
> > > > > > > >         at
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:503)
> > > > > > > > ~[jetty-ee10-webapp-12.0.19.jar:12.0.19]
> > > > > > > >
> > > > > > > >         at
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
> > > > > > > > ~[jetty-util-12.0.19.jar:12.0.19]
> > > > > > > >
> > > > > > > >         at
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
> > > > > > > > ~[jetty-util-12.0.19.jar:12.0.19]
> > > > > > > >
> > > > > > > >         at
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:120)
> > > > > > > > ~[jetty-util-12.0.19.jar:12.0.19]
> > > > > > > >
> > > > > > > >         at
> > > > > > > >
> > > org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:491)
> > > > > > > > ~[jetty-server-12.0.19.jar:12.0.19]
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > request.log
> > > > > > > >
> > > > > > > > ===========
> > > > > > > >
> > > > > > > > 127.0.0.1 - - [20/May/2025:17:30:02 +0000] "GET
> > > > > > > > /solr/admin/info/system?wt=javabin HTTP/2.0" 503 405
> > > > > > > >
> > > > > > > > 127.0.0.1 - - [20/May/2025:17:30:04 +0000] "GET
> > > > > > > > /solr/admin/info/system?wt=javabin HTTP/2.0" 503 405
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>

Reply via email to