https://bz.apache.org/bugzilla/show_bug.cgi?id=57906
--- Comment #5 from Konstantin Kolinko <knst.koli...@gmail.com> ---

4. Tomcat 6 does not log any INFO message with Java 6u45.

The reason for this though is an unexpected one. The reason is in the following block of code:

[[[
try {
    clazz = system.loadClass(name);
    if (clazz != null) {
        if (resolve)
            resolveClass(clazz);
        return (clazz);
    }
} catch (ClassNotFoundException e) {
    // Ignore
}
]]]

The system.loadClass(name) call fails with a SecurityException (AccessControlException). This exception is not logged.

If I add an additional try/catch and debug logging in the WebappClassLoader.loadClass() method, the stack trace is as follows:

The below is 6u45 + Tomcat 6.
Note: WebappClassLoader.java was edited to add debug logging, as such line numbers are shifted.

[[[
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
    at java.security.AccessController.checkPermission(AccessController.java:549)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:298)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:247)
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1613)
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1526)
    at java.beans.Introspector.instantiate(Introspector.java:1470)
    at java.beans.Introspector.findExplicitBeanInfo(Introspector.java:431)
    at java.beans.Introspector.<init>(Introspector.java:380)
    at java.beans.Introspector.getBeanInfo(Introspector.java:154)
    at javax.el.BeanELResolver$BeanProperties.<init>(BeanELResolver.java:200)
    at javax.el.BeanELResolver.property(BeanELResolver.java:320)
    at javax.el.BeanELResolver.getValue(BeanELResolver.java:81)
    at javax.el.CompositeELResolver.getValue(CompositeELResolver.java:54)
    at org.apache.el.parser.AstValue.getValue(AstValue.java:123)
    at org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:182)
    at org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(PageContextImpl.java:897)
    at org.apache.jsp.test57905_jsp._jspService(test57905_jsp.java:53)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:723)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:388)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:313)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:723)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:276)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:283)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:56)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:620)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Thread.java:662)
]]]

Tomcat 7 calls a different class loader (the j2se bootstrap classloader instead of the system one), and that call does not fail, and fails a few lines later -- at an explicit "securityManager.checkPackageAccess(..);" call.

Conclusion
--------
1. The difference with Tomcat 6 is that
- Tomcat 6 throws the original SecurityException,
- Tomcat 7 catches the SecurityException, logs an INFO message and throws a new ClassNotFoundException.

I do not see any fault in Tomcat 6 rethrowing the exception. The access to protected classes is blocked either way.

I do not know why Tomcat 7 converts a SecurityException into a ClassNotFoundException. One guess is that the reason is that "SecurityException" is not mentioned in the javadoc of the ClassLoader.loadClass() method, so it is unclear whether the method is allowed to throw one.

2. Possible mitigations:

a. Change Tomcat 7 to rethrow the original SecurityException instead of converting it into a ClassNotFoundException.

b. Reduce the logging level from INFO to DEBUG if the loaded class name ends with "BeanInfo". This does not hide anything substantial. An attempt to load a '*BeanInfo' class is not related to any attempt to load a '*' class.

c. WONTFIX.

I am in favor of mitigation "b.". We can use "a." if there are other similar reports, but for now I do not see enough reasons to change the behaviour.
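
An added illustration, not Tomcat's code and not part of the original comment: a self-contained Java sketch of the two behaviours compared above and of mitigation "b.". The class `BeanInfoLoadDemo`, the `RESTRICTED` prefix, the simulated `checkPackageAccess()` and the sample class names are all assumptions standing in for WebappClassLoader and the SecurityManager; java.util.logging's FINE level stands in for DEBUG.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

public class BeanInfoLoadDemo {
    private static final Logger LOG = Logger.getLogger("demo.loader");
    // Assumption: stands in for the restricted-package list the SecurityManager enforces.
    static final String RESTRICTED = "org.apache.catalina.";

    // Simulated package access check; the real one is SecurityManager.checkPackageAccess().
    static void checkPackageAccess(String name) {
        if (name.startsWith(RESTRICTED)) {
            throw new SecurityException("access denied: accessClassInPackage for " + name);
        }
    }

    // Tomcat 6 behaviour as described: the SecurityException reaches the caller, unlogged.
    static Class<?> loadPropagating(String name) throws ClassNotFoundException {
        checkPackageAccess(name);
        return Class.forName(name);
    }

    // Mitigation "b.": FINE (debug) for "*BeanInfo" probes, INFO for everything else.
    static Level levelFor(String name) {
        return name.endsWith("BeanInfo") ? Level.FINE : Level.INFO;
    }

    // Tomcat 7 behaviour as described: log, then convert to ClassNotFoundException.
    static Class<?> loadConverting(String name) throws ClassNotFoundException {
        try {
            checkPackageAccess(name);
            return Class.forName(name);
        } catch (SecurityException se) {
            LOG.log(levelFor(name), "Security violation loading " + name, se);
            throw new ClassNotFoundException(name, se);
        }
    }

    public static void main(String[] args) {
        // Constructed class names; neither needs to exist for the demo.
        String[] names = { "org.apache.catalina.core.DemoFacadeBeanInfo",
                           "org.apache.catalina.core.DemoFacade" };
        for (String n : names) {
            try { loadPropagating(n); }
            catch (Exception e) { System.out.println("propagating -> " + e.getClass().getSimpleName()); }
            try { loadConverting(n); }
            catch (Exception e) { System.out.println("converting  -> " + e.getClass().getSimpleName() + " at " + levelFor(n)); }
        }
    }
}
```

In both variants the restricted class is never returned to the caller; only the exception type seen by the caller and the log level differ.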