Posted to users@tomcat.apache.org by David Wall <d....@computer.org> on 2006/05/29 23:07:04 UTC

TC 5.5.17 problem with multiple webapps using JCE provider and security manager

Since upgrading Tomcat from 5.5.9 to 5.5.17, I found that my two 
webapps that both need to use encryption via JCE providers are not 
working.  Only the "first to load" webapp works as it installs the 
provider just fine, but the other cannot and then fails. 

It seems that a single JVM can only load the security providers once.  
When running tomcat with a security manager, it appears that the first 
webapp to initialize loads the provider successfully (says in slot 7).  
The second webapp tries to also load the provider, gets the routine 
error saying it was installed in slot -1, but now fails to be able to 
find the provider. 

If I turn off the security manager in TC (no -security startup option), 
it works fine, even though the second to load still gets the "-1 slot" 
error installing the JCE provider.  This all worked fine under 5.5.9 
with a security manager.

So, the problem appears to be that the security manager in 5.5.17 is not 
able to find the provider as it once could because it's been loaded into 
the JVM by another webapp.  At the bottom is the exception stack trace.

I am running Tomcat 5.5.17 with a security manager (started with 
-security) under RedHat Linux using BouncyCastle JCE 1.33 with JDK 1.5.

Thanks,
David


java.security.NoSuchAlgorithmException: class configured for SecretKeyFactory(provider: BC)cannot be found.
        at java.security.Provider$Service.getImplClass(Provider.java:1178)
        at java.security.Provider$Service.newInstance(Provider.java:1129)
        at sun.security.jca.GetInstance.getInstance(GetInstance.java:220)
        at javax.crypto.SunJCE_b.a(DashoA12275)
        at javax.crypto.SecretKeyFactory.getInstance(DashoA12275)
        at com.test.cryptotest.PbeUtil.<init>(PbeUtil.java:48)
        at com.test.BootService.<init>(BootService.java:62)
        at com.test.Context.loadSessionKeys(YoContext.java:547)
        at com.test.Context.<init>(YoContext.java:154)
        at com.test.Application.init(Application.java:825)
        at com.test.servlet.ContextListener.contextInitialized(ContextListener.java:38)
        at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3729)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4187)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:759)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:121)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:737)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:524)
        at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:608)
        at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:535)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:470)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1122)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:310)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1021)
        at org.apache.catalina.core.StandardHost.start(StandardHost.java:718)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1013)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:442)
        at org.apache.catalina.core.StandardService.start(StandardService.java:450)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
Caused by: java.lang.ClassNotFoundException: org.bouncycastle.jce.provider.JCESecretKeyFactory$PBEWithSHAAndDES3Key
        at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1352)
        at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1198)
        at java.security.Provider$Service.getImplClass(Provider.java:1172)
        ... 37 more


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: TC 5.5.17 problem with multiple webapps using JCE provider and security manager

Posted by David Wall <d....@computer.org>.
Thought I'd post this one more time since doing so over the U.S. holiday 
weekend likely left a lot of folks out of the loop...  I'm either left 
with running my webapps without a security manager, or staying on an 
older Tomcat that has other bugs that I need resolved by 5.5.17 
(clearing of listeners on webapp restart that made it impossible to 
install a "system down" webapp during maintenance).

Thanks...



Re: TC 5.5.17 problem with multiple webapps using JCE provider and security manager - RESOLVED

Posted by David Wall <d....@computer.org>.
On reading more in the release notes 
(http://tomcat.apache.org/tomcat-5.5-doc/RELEASE-NOTES.txt), I figured 
I'd give the shared/lib idea a try.  I found that just by moving the 
BouncyCastle JCE jar into shared/lib and out of the WEB-INF/lib of the 
various webapps, all seems to work okay.

Note that when using a security manager, I had to add the following 
additional GRANTs before TC would actually start up, so these should 
probably be added to the default catalina.policy file in the 
distribution (under the default grant {} entry):

// Extra permissions found by Yozons that need to be set for whatever reason
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.*";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.compiler";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.net";

David
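
The "-1 slot" result in this thread comes from java.security.Security.addProvider, which keeps one JVM-wide provider list keyed by name. The sketch below is an added example, not code from the poster or from Tomcat: it simulates two webapps with isolated class loaders and reports which loader owns the provider that stays registered. DemoProvider, webappA and webappB are hypothetical stand-ins for the BouncyCastle provider and the two WebappClassLoaders; compile with javac and run from the class directory.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.security.Provider;
import java.security.Security;

// Added illustration; DemoProvider and the loader names are hypothetical stand-ins
// for the BouncyCastle provider and the two webapp class loaders.
public class ProviderSlotDemo {

    public static class DemoProvider extends Provider {
        @SuppressWarnings("deprecation") // the (String, double, String) constructor exists on old and new JDKs
        public DemoProvider() {
            super("DEMO", 1.0, "constructed provider for this example");
        }
    }

    // What each webapp's startup code does: instantiate its own copy and register it.
    static int registerFrom(ClassLoader webappLoader) throws Exception {
        Class<?> c = Class.forName(DemoProvider.class.getName(), true, webappLoader);
        Provider p = (Provider) c.getDeclaredConstructor().newInstance();
        // Returns the 1-based position, or -1 if a provider with this name is already installed.
        return Security.addProvider(p);
    }

    public static void main(String[] args) throws Exception {
        // Two isolated loaders over the same class files, like two WEB-INF/lib copies of one jar.
        URL here = ProviderSlotDemo.class.getProtectionDomain().getCodeSource().getLocation();
        ClassLoader webappA = new URLClassLoader(new URL[] { here }, null);
        ClassLoader webappB = new URLClassLoader(new URL[] { here }, null);

        int slotA = registerFrom(webappA);
        int slotB = registerFrom(webappB);

        // The registry still holds webapp A's instance; B's copy was never installed.
        ClassLoader owner = Security.getProvider("DEMO").getClass().getClassLoader();

        System.out.println("webapp A slot: " + slotA);
        System.out.println("webapp B slot: " + slotB);
        System.out.println("registered provider loaded by A: " + (owner == webappA));
        System.out.println("registered provider loaded by B: " + (owner == webappB));
    }
}
```

With the jar in shared/lib, as in the resolution above, both webapps resolve the provider class through the same parent loader, so there is only one copy to register and look up.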
