https://bz.apache.org/bugzilla/show_bug.cgi?id=65577
Bug ID: 65577
Summary: Intermittent AccessControlException using NIO2 with security manager enabled
Product: Tomcat 8
Version: 8.5.70
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: shakita.3df4f...@nicoric.com
Target Milestone: ----

We are doing some testing prior to upgrading from 8.5.66 to 8.5.70. When we configure an SSL/TLS connector using Nio2 and run Tomcat with Security Manager enabled we are getting intermittent java.security.AccessControlException errors when accessing the default Tomcat root, e.g. https://hostname:8443/

We have observed the issue using Oracle Java 1.8.0_251, 1.8.0_301 and 11.0.8 2020-07-14 LTS on Windows Server 2019 and RedHat Linux 7.

When we change the connector configuration to use org.apache.coyote.http11.Http11NioProtocol the errors are not present.

Example connector configuration
----------------
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="I:\tomcat-win\8.5.70\apache-tomcat-8.5.70\cert\tomcat.jks"
                     certificateKeystorePassword="xxxxx"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

The catalina.policy is the default one which comes with the 8.5.70 release

Startup command: .\catalina.bat start -security

Example error message
--------------------
16-Sep-2021 12:38:11.824 SEVERE [https-jsse-nio2-8443-exec-4] org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun Error running socket processor
 java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.tomcat.util.net")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
    at java.security.AccessController.checkPermission(AccessController.java:886)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1564)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:335)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:405)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:351)
    at org.apache.tomcat.util.net.SecureNio2Channel.processSNI(SecureNio2Channel.java:387)
    at org.apache.tomcat.util.net.SecureNio2Channel.handshakeInternal(SecureNio2Channel.java:231)
    at org.apache.tomcat.util.net.SecureNio2Channel.handshake(SecureNio2Channel.java:222)
    at org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun(Nio2Endpoint.java:1593)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at org.apache.tomcat.util.net.AbstractEndpoint.processSocket(AbstractEndpoint.java:1111)
    at org.apache.tomcat.util.net.SecureNio2Channel$HandshakeReadCompletionHandler.completed(SecureNio2Channel.java:104)
    at org.apache.tomcat.util.net.SecureNio2Channel$HandshakeReadCompletionHandler.completed(SecureNio2Channel.java:97)
    at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)
    at sun.nio.ch.Invoker$2.run(Invoker.java:218)
    at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)

Example Java security debug output
-------------
access: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.tomcat.util.net")
java.lang.Exception: Stack trace
    at java.base/java.lang.Thread.dumpStack(Thread.java:1387)
    at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:462)
    at java.base/java.security.AccessController.checkPermission(AccessController.java:897)
    at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
    at java.base/java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1290)
    at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:174)
    at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:575)
    at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
    at org.apache.tomcat.util.net.SecureNio2Channel.processSNI(SecureNio2Channel.java:387)
    at org.apache.tomcat.util.net.SecureNio2Channel.handshakeInternal(SecureNio2Channel.java:231)
    at org.apache.tomcat.util.net.SecureNio2Channel.handshake(SecureNio2Channel.java:222)
    at org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun(Nio2Endpoint.java:1593)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at org.apache.tomcat.util.net.AbstractEndpoint.processSocket(AbstractEndpoint.java:1111)
    at org.apache.tomcat.util.net.SecureNio2Channel$HandshakeReadCompletionHandler.completed(SecureNio2Channel.java:104)
    at org.apache.tomcat.util.net.SecureNio2Channel$HandshakeReadCompletionHandler.completed(SecureNio2Channel.java:97)
    at java.base/sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:127)
    at java.base/sun.nio.ch.Invoker$2.run(Invoker.java:219)
    at java.base/sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:834)
access: domain that failed ProtectionDomain null null <no principals> null