https://bz.apache.org/bugzilla/show_bug.cgi?id=57906
--- Comment #4 from Konstantin Kolinko <knst.koli...@gmail.com> ---
1. This issue was not visible with 7.0.57 because EL evaluation was performed with elevated privileges (CVE-2014-7810, fixed in 7.0.58 onwards)

2. The differences between versions of Java

> at java.beans.Introspector.instantiate(Introspector.java:1470)
> at java.beans.Introspector.findExplicitBeanInfo(Introspector.java:431)

In JDK 6u45 Introspector.instantiate() is a method that tries several classloaders to load class named (beanClass.getName() + BEANINFO_SUFFIX)

a. tries original classloader beanClass
b. tries system classloader
c. tries TCCL

All tries are wrapped with try{}catch(Exception){} and the Exception is silently swallowed.

The "c." step is what triggers the INFO message and stacktrace here.

In Java 7 the implementation was moved into different class, com.sun.beans.finder.ClassFinder.findClass(className, beanClass.getClassLoader())

According to some version of source code [1], the implementation of that method starts with a "checkPackageAccess(name);" call. So a SecurityException is raised immediately and no class loading occurs.

[1] http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/7u40-b43/com/sun/beans/finder/ClassFinder.java/#100

3. Stacktrace with current Tomcat 7 (@rev.1720550) and Java 6u45

Behaviour is the same as documented in Comment 0, but stacktrace is a bit different. WebappClassLoader has been refactored, so the calls are now in WebappClassLoaderBase class.
[[[
17.12.2015 17:08:00 org.apache.catalina.loader.WebappClassLoaderBase loadClass
INFO: Security Violation, attempt to use Restricted Class: org.apache.catalina.core.ApplicationContextFacadeBeanInfo
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
    at java.security.AccessController.checkPermission(AccessController.java:549)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
    at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1791)
    at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1705)
    at java.beans.Introspector.instantiate(Introspector.java:1470)
    at java.beans.Introspector.findExplicitBeanInfo(Introspector.java:431)
    at java.beans.Introspector.<init>(Introspector.java:380)
    at java.beans.Introspector.getBeanInfo(Introspector.java:154)
    at javax.el.BeanELResolver$BeanProperties.<init>(BeanELResolver.java:252)
    at javax.el.BeanELResolver.property(BeanELResolver.java:373)
    at javax.el.BeanELResolver.getValue(BeanELResolver.java:97)
    at org.apache.jasper.el.JasperELResolver.getValue(JasperELResolver.java:104)
    at org.apache.el.parser.AstValue.getValue(AstValue.java:184)
    at org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:184)
    at org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(PageContextImpl.java:950)
    at org.apache.jsp.test57905_jsp._jspService(test57905_jsp.java:82)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:439)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:662)
]]]
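An added example, not part of the original comment and not Tomcat code: a log triage sketch that separates "Security Violation" records produced by the Introspector BeanInfo lookup described in point 2 from records that reach the same check by another path. It assumes the log layout shown in the trace above; the function names, the verdict labels and the second sample record (com.example.app.PluginLoader) are hypothetical.

```python
import re

# Message text logged by WebappClassLoaderBase.loadClass, as in the trace above.
VIOLATION = re.compile(
    r"Security Violation, attempt to use Restricted Class: (?P<cls>[\w.$]+)")
FRAME = re.compile(r"^\s*at (?P<method>[\w.$<>]+)\(")
# Frames that identify the java.beans.Introspector BeanInfo lookup.
PROBE_FRAMES = ("java.beans.Introspector.instantiate",
                "java.beans.Introspector.findExplicitBeanInfo")

# Constructed sample: the first record abbreviates the trace above; the second
# record (com.example.app.PluginLoader) is hypothetical.
SAMPLE_LOG = """\
17.12.2015 17:08:00 org.apache.catalina.loader.WebappClassLoaderBase loadClass
INFO: Security Violation, attempt to use Restricted Class: org.apache.catalina.core.ApplicationContextFacadeBeanInfo
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
\tat org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1791)
\tat java.beans.Introspector.instantiate(Introspector.java:1470)
\tat java.beans.Introspector.findExplicitBeanInfo(Introspector.java:431)
17.12.2015 17:09:30 org.apache.catalina.loader.WebappClassLoaderBase loadClass
INFO: Security Violation, attempt to use Restricted Class: org.apache.catalina.core.StandardContext
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
\tat org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1791)
\tat com.example.app.PluginLoader.load(PluginLoader.java:42)
"""

def parse_violations(lines):
    """Group each violation message with the stack frames that follow it."""
    events, current = [], None
    for line in lines:
        m, f = VIOLATION.search(line), FRAME.match(line)
        if m:
            current = {"cls": m.group("cls"), "frames": []}
            events.append(current)
        elif f and current is not None:
            current["frames"].append(f.group("method"))
        elif current is not None and current["frames"]:
            current = None  # a new log record started
    return events

def classify(event):
    """'beaninfo-probe' when Introspector looked up <bean>BeanInfo, else 'review'."""
    probing = any(fr in event["frames"] for fr in PROBE_FRAMES)
    if event["cls"].endswith("BeanInfo") and probing:
        return "beaninfo-probe"
    return "review"

def triage(log_text):
    """Return (restricted class, verdict) for every violation in the log text."""
    return [(e["cls"], classify(e)) for e in parse_violations(log_text.splitlines())]
```

Both conditions are required for the "beaninfo-probe" verdict: a class name ending in BeanInfo without the Introspector frames in its trace is left for review.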