Tomcat 6.0.x: Programmatic use of EL conflicts with catalina.properties when Java 2 Security enabled

Wed, 25 Jun 2008 13:24:50 -0700 

Hi,

This reflects a posting to the users mail list, but I've cross posted as it
might be better answered by the development mail list - sorry if I am wrong!

An application I am writing uses code like this:-

FacesContext fc = FacesContext.getCurrentInstance();
ExpressionFactory ef = fc.getApplication().getExpressionFactory();
ELContext elc = fc.getELContext();
ValueExpression ve = ef.createValueExpression(elc, expr, clazz);
Object result = ve.getValue(elc);

The implementation of javax.el.ValueExpression is
org.apache.jasper.el.JspValueExpression which is in the
org.apache.jasper.elpackage. Access to this package is prevented by
default by the
catalina.properties file as illustrated with the following stack trace:-

SEVERE: Exception sending context initialized event to listener instance of
*class* com.sun.faces.config.GlassFishConfigureListener
java.security.AccessControlException: access denied
(java.lang.RuntimePermission accessClassInPackage.org.apache.jasper.el)
        at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
        at
java.security.AccessController.checkPermission(AccessController.java:427)
        at
java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        at
java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:265)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:299)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
        at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
        at
org.apache.jasper.runtime.JspFactoryImpl.getJspApplicationContext(JspFactoryImpl.java:200)
        at
com.sun.faces.config.ConfigureListener.registerELResolverAndListenerWithJsp(ConfigureListener.java:1874)
        at
com.sun.faces.config.ConfigureListener.contextInitialized(ConfigureListener.java:546)
        at
com.sun.faces.config.GlassFishConfigureListener.contextInitialized(GlassFishConfigureListener.java:47)
        at
org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3830)
        at
org.apache.catalina.core.StandardContext.start(StandardContext.java:4337)
        at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
        at
org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:123)
        at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
        at java.security.AccessController.doPrivileged(Native Method)
        at
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:769)
        at
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:525)
        at
org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:626)
        at
org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:511)
        at
org.apache.catalina.startup.HostConfig.check(HostConfig.java:1220)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at
org.apache.tomcat.util.modeler.BaseModelMBean.invoke(BaseModelMBean.java:297)
        at
com.sun.jmx.mbeanserver.DynamicMetaDataImpl.invoke(DynamicMetaDataImpl.java:213)
        at
com.sun.jmx.mbeanserver.MetaDataImpl.invoke(MetaDataImpl.java:220)
        at
com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:815)
        at
com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:784)
        at
org.apache.catalina.manager.ManagerServlet.check(ManagerServlet.java:1458)
        at
org.apache.catalina.manager.ManagerServlet.deploy(ManagerServlet.java:820)
        at
org.apache.catalina.manager.ManagerServlet.doGet(ManagerServlet.java:348)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:244)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
        at
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:276)
        at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:162)
        at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:283)
        at
org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:56)
        at
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189)
        at java.security.AccessController.doPrivileged(Native Method)
        at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
        at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
        at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:525)
        at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
        at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:263)
        at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
        at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:584)
        at
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
        at java.lang.Thread.run(Thread.java:595)
OK, so this isn't as such a bug but the issue I have is that my hosting
company wants "official" notification (official documentation, official
WIKI etc) that they need to grant the permission to my application (they
provide a vanila installation of Tomcat 6.0.x and are reluctant to grant
additional permissions). If my analysis is correct is it possible for some
"official" statement to be made confirming the requirement to grant
permission to access classes in org.apache.jasper.el?

Thanks in advance,

Mike

Reply via email to