https://issues.apache.org/bugzilla/show_bug.cgi?id=56776
Bug ID: 56776
Summary: java.security.AccessControlException in ClassLoaderLogManager on ClassLoader.getParent() call
Product: Tomcat 7
Version: 7.0.54
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: [email protected]
Reporter: [email protected]
This issue is based on a user's report on the users mailing list,
"Security Manager Exception"
http://tomcat.markmail.org/thread/yckvcjov5yqlsgam
Stack trace: (Tomcat 7.0.54 running with Security Manager enabled)
[[[
2014-07-22 09:27:03,934 [http-bio-80-exec-64] ERROR org.apache.catalina.core.ContainerBase.[Catalina].[somehostname.mhsoftware.com].[/].[jsp]- Servlet.service() for servlet [jsp] in context with path [] threw exception [java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")] with root cause
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.ClassLoader.checkClassLoaderPermission(Unknown Source)
at java.lang.ClassLoader.getParent(Unknown Source)
at org.apache.juli.ClassLoaderLogManager.findProperty(ClassLoaderLogManager.java:295)
at org.apache.juli.ClassLoaderLogManager.getProperty(ClassLoaderLogManager.java:266)
at org.apache.juli.ClassLoaderLogManager.addLogger(ClassLoaderLogManager.java:144)
at java.util.logging.LogManager.demandLogger(Unknown Source)
at java.util.logging.Logger.demandLogger(Unknown Source)
at java.util.logging.Logger.getLogger(Unknown Source)
at com.sun.mail.util.MailLogger.<init>(MailLogger.java:115)
at javax.mail.Session.initLogger(Session.java:226)
at javax.mail.Session.<init>(Session.java:210)
at javax.mail.Session.getInstance(Session.java:247)
at com.MHSoftware.net.mail.MHMail.sendSMTP(MHMail.java:470)
]]]
Note that com.sun.* code uses the standard java.util.logging API to get a logger.
The java.lang.ClassLoader.getParent() call requires a "getClassLoader"
permission, but untrusted code should not have that one by default.
Such calls shall be wrapped by AccessController.doPrivileged() so that only the
JULI jar permissions are checked instead of checking permissions of all code in
the call chain.
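The pattern the report asks for, as an added sketch that is not Tomcat's code or the eventual patch: a per-class-loader property lookup that walks the parent chain, with the getParent() call wrapped in AccessController.doPrivileged(). The class LoaderScopedConfig, its methods and the sample property value are hypothetical, and a Java version that still ships the Security Manager API is assumed.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Map;
import java.util.Properties;
import java.util.WeakHashMap;
// Added illustration: names are hypothetical, this is not Tomcat's code.
public final class LoaderScopedConfig {

    // Per-class-loader settings, analogous to a per-webapp logging config.
    private final Map<ClassLoader, Properties> byLoader = new WeakHashMap<>();

    public synchronized void register(ClassLoader loader, Properties props) {
        byLoader.put(loader, props);
    }

    // Public entry point, callable from unprivileged code. Only the String
    // value leaves this class; no ClassLoader reference is handed back.
    public synchronized String findProperty(ClassLoader start, String name) {
        for (ClassLoader cl = start; cl != null; cl = parentOf(cl)) {
            Properties p = byLoader.get(cl);
            String value = (p == null) ? null : p.getProperty(name);
            if (value != null) {
                return value;
            }
        }
        return null;
    }

    // Kept private so callers cannot obtain the privileged result directly.
    private static ClassLoader parentOf(final ClassLoader loader) {
        // Stack inspection stops at this frame, so only this class's
        // protection domain needs RuntimePermission "getClassLoader".
        return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
            @Override
            public ClassLoader run() {
                return loader.getParent();
            }
        });
    }

    public static void main(String[] args) {
        ClassLoader app = LoaderScopedConfig.class.getClassLoader();
        Properties p = new Properties();
        p.setProperty("handlers", "constructed.sample.Handler"); // constructed
        LoaderScopedConfig cfg = new LoaderScopedConfig();
        cfg.register(app.getParent(), p);
        System.out.println(cfg.findProperty(app, "handlers"));
    }
}
```

Keeping parentOf private and the privileged block limited to the single getParent() call matters: a public privileged accessor would hand any caller the class loader reference that the "getClassLoader" permission is meant to guard.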