https://bz.apache.org/bugzilla/show_bug.cgi?id=57906
Bug ID: 57906
Summary: Failure to load ApplicationContextFacadeBeanInfo class when running with SecurityManager enabled
Product: Tomcat 7
Version: 7.0.61
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: knst.koli...@gmail.com

I noted this while testing 7.0.62 release candidate, but this is reproducible with 7.0.61 as well, so it is not a regression.

The issue does not happen when running with Java 8u45.
The issue does not happen when running with Java 7u80.
The issue DOES happen when running with Java 6u45 (Windows 7).

So it depends on version of JRE.

Steps:
1. Get a clean copy of Tomcat 7
2. Set JAVA_HOME = jdk 6u45
3. Start with SecurityManager enabled (catalina.bat start -security)
4. Access http://localhost:8080/
5. An INFO message with a stacktrace of java.security.AccessControlException is logged by WebappClassLoader to catalina.yyyy-mm-dd.log, as well as console.

I do not notice any user-visible consequences from the above. The index page shows successfully. Generated HTML is the same as when running without security manager. The examples web application works successfully.

The message is only logged on the first access to index page of ROOT web application after Tomcat start. It is not logged on reloads of the page. It is not logged for examples web application. If I restart Tomcat and walk around examples, there is no message. Once I visit the index page the message is logged.

The message: (Tomcat 7.0.62, Java 6u45)
[[[
08.05.2015 18:17:05 org.apache.catalina.loader.WebappClassLoader loadClass
INFO: Security Violation, attempt to use Restricted Class: org.apache.catalina.core.ApplicationContextFacadeBeanInfo
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
    at java.security.AccessController.checkPermission(AccessController.java:549)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1656)
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1571)
    at java.beans.Introspector.instantiate(Introspector.java:1470)
    at java.beans.Introspector.findExplicitBeanInfo(Introspector.java:431)
    at java.beans.Introspector.<init>(Introspector.java:380)
    at java.beans.Introspector.getBeanInfo(Introspector.java:154)
    at javax.el.BeanELResolver$BeanProperties.<init>(BeanELResolver.java:252)
    at javax.el.BeanELResolver.property(BeanELResolver.java:373)
    at javax.el.BeanELResolver.getValue(BeanELResolver.java:97)
    at org.apache.jasper.el.JasperELResolver.getValue(JasperELResolver.java:104)
    at org.apache.el.parser.AstValue.getValue(AstValue.java:183)
    at org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:184)
    at org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(PageContextImpl.java:944)
    at org.apache.jsp.index_jsp._jspService(index_jsp.java:107)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:439)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:395)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:339)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:276)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:273)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:308)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:168)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:957)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:620)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:662)
]]]

I tried to work around the issue by adding the following attribute to JreMemoryLeakPreventionListener class in server.xml [1]:

classesToInitialize="org.apache.catalina.core.ApplicationContextFacadeBeanInfo"

to preload that class. The workaround did not help. The behaviour with Java 6u45 has not changed.

[1] http://tomcat.apache.org/tomcat-7.0-doc/config/listeners.html
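
A log-triage example for the WebappClassLoader message quoted in this report, added here; it is not code from the report or from Tomcat. The sample log is constructed: the first entry abbreviates the trace above, the second entry (class `StandardContext`, page `status_jsp`) is hypothetical, and the `origin` labels are this example's own heuristic for separating lookups that arrive through `java.beans.Introspector` from entries that need a closer look.

```python
import re

# Header line WebappClassLoader logs before the exception, as quoted in the report.
VIOLATION = re.compile(r"Security Violation, attempt to use Restricted Class: (\S+)")
DENIED = re.compile(r"access denied \((\S+) ([^)\s]+)\)")
FRAME = re.compile(r"^\s*at ([\w.$<>]+)\(")
# Frame present in the report's trace when the load came from JavaBeans introspection.
INTROSPECTOR_FRAME = "java.beans.Introspector.findExplicitBeanInfo"
# Constructed sample: entry 1 abbreviates the report's trace, entry 2 is hypothetical.
SAMPLE_LOG = """\
08.05.2015 18:17:05 org.apache.catalina.loader.WebappClassLoader loadClass
INFO: Security Violation, attempt to use Restricted Class: org.apache.catalina.core.ApplicationContextFacadeBeanInfo
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
\tat java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
\tat java.beans.Introspector.findExplicitBeanInfo(Introspector.java:431)
\tat javax.el.BeanELResolver.getValue(BeanELResolver.java:97)
\tat org.apache.jsp.index_jsp._jspService(index_jsp.java:107)
08.05.2015 18:20:11 org.apache.catalina.loader.WebappClassLoader loadClass
INFO: Security Violation, attempt to use Restricted Class: org.apache.catalina.core.StandardContext
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
\tat java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
\tat org.apache.jsp.status_jsp._jspService(status_jsp.java:42)
"""


def triage(log_text):
    """Return one dict per violation entry: class, permission, origin, JSP frame."""
    entries, current = [], None
    for line in log_text.splitlines():
        m = VIOLATION.search(line)
        if m:
            current = {"class": m.group(1), "permission": None, "frames": []}
            entries.append(current)
            continue
        if current is None:
            continue
        d, f = DENIED.search(line), FRAME.match(line)
        if d:    # exception line: record the denied permission target once
            current["permission"] = current["permission"] or d.group(2).strip('"')
        elif f:  # stack frame: keep the fully qualified method name
            current["frames"].append(f.group(1))
        elif line.strip():  # any other non-blank line ends this stack trace
            current = None
    for e in entries:
        probe = e["class"].endswith("BeanInfo") and INTROSPECTOR_FRAME in e["frames"]
        e["origin"] = "beaninfo-lookup" if probe else "review"
        # First compiled-JSP frame shows which page triggered the class load.
        e["page"] = next((fr for fr in e["frames"] if fr.startswith("org.apache.jsp.")), None)
    return entries
```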