[Bug 61568] New: [Security Manager] InnocuousThread raises SecurityException for some HTTP requests

[bugzilla]

https://bz.apache.org/bugzilla/show_bug.cgi?id=61568

            Bug ID: 61568
           Summary: [Security Manager] InnocuousThread raises
                    SecurityException for some HTTP requests
           Product: Tomcat 8
           Version: 8.5.20
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: 1...@gmx.net
  Target Milestone: ----

I am running two webapps with two servlets on my server with security manager
enabled. When manually testing the servlets, they respond just fine to HTTP
post and get requests. When stress testing (e.g. multiple simultaneous
requests) some requests fail (<1%) and raise the exception pasted below. When
adding the permission java.security.AllPermission to the webapps, the exception
still occurs. Therefore, I assume, this is a bug directly related to the
security manager.

Without the security manager enabled, all requests are handled fine, even when
stress testing.


Exception:

Exception in thread "anInnocuousThread" java.lang.SecurityException:
setContextClassLoader
at sun.misc.InnocuousThread.setContextClassLoader(InnocuousThread.java:64)
at
org.apache.tomcat.util.security.PrivilegedSetTccl.run(PrivilegedSetTccl.java:31)
at
org.apache.tomcat.util.security.PrivilegedSetTccl.run(PrivilegedSetTccl.java:21)
at java.security.AccessController.doPrivileged(Native Method)
at
org.apache.tomcat.util.threads.TaskThreadFactory.newThread(TaskThreadFactory.java:66)
at
java.util.concurrent.ThreadPoolExecutor$Worker.<init>(ThreadPoolExecutor.java:610)
at
java.util.concurrent.ThreadPoolExecutor.addWorker(ThreadPoolExecutor.java:924)
at
java.util.concurrent.ThreadPoolExecutor.execute(ThreadPoolExecutor.java:1371)

at
org.apache.tomcat.util.threads.ThreadPoolExecutor.execute(ThreadPoolExecutor.java:167)
at
org.apache.tomcat.util.threads.ThreadPoolExecutor.execute(ThreadPoolExecutor.java:145)
at
sun.nio.ch.AsynchronousChannelGroupImpl.executeOnPooledThread(AsynchronousChannelGroupImpl.java:188)
at sun.nio.ch.Invoker.invokeIndirectly(Invoker.java:212)
at
sun.nio.ch.UnixAsynchronousSocketChannelImpl.finishRead(UnixAsynchronousSocketChannelImpl.java:432)
at
sun.nio.ch.UnixAsynchronousSocketChannelImpl.finish(UnixAsynchronousSocketChannelImpl.java:191)
at
sun.nio.ch.UnixAsynchronousSocketChannelImpl.onEvent(UnixAsynchronousSocketChannelImpl.java:213)
at sun.nio.ch.EPollPort$EventHandlerTask.run(EPollPort.java:293)
at java.lang.Thread.run(Thread.java:745)
at sun.misc.InnocuousThread.run(InnocuousThread.java:74)


Environment:

# uname -a
Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2+deb8u1 (2017-06-18) x86_64
GNU/Linux

# java -version
java version "1.7.0_131"
OpenJDK Runtime Environment (IcedTea 2.6.9) (7u131-2.6.9-2~deb8u1)
OpenJDK 64-Bit Server VM (build 24.131-b00, mixed mode)

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org