Posted to users@tomcat.apache.org by George Sexton <ge...@mhsoftware.com> on 2014/07/22 18:04:46 UTC

Security Manager Exception

I'm using Tomcat 7.0.54 with the security manager. I'm getting an 
exception I don't understand:

2014-07-22 09:27:03,934 [http-bio-80-exec-64] ERROR org.apache.catalina.core.ContainerBase.[Catalina].[somehostname.mhsoftware.com].[/].[jsp]- Servlet.service() for servlet [jsp] in context with path [] threw exception [java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")] with root cause
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")
         at java.security.AccessControlContext.checkPermission(Unknown Source)
         at java.security.AccessController.checkPermission(Unknown Source)
         at java.lang.SecurityManager.checkPermission(Unknown Source)
         at java.lang.ClassLoader.checkClassLoaderPermission(Unknown Source)
         at java.lang.ClassLoader.getParent(Unknown Source)
         at org.apache.juli.ClassLoaderLogManager.findProperty(ClassLoaderLogManager.java:295)
         at org.apache.juli.ClassLoaderLogManager.getProperty(ClassLoaderLogManager.java:266)
         at org.apache.juli.ClassLoaderLogManager.addLogger(ClassLoaderLogManager.java:144)
         at java.util.logging.LogManager.demandLogger(Unknown Source)
         at java.util.logging.Logger.demandLogger(Unknown Source)
         at java.util.logging.Logger.getLogger(Unknown Source)
         at com.sun.mail.util.MailLogger.<init>(MailLogger.java:115)
         at javax.mail.Session.initLogger(Session.java:226)
         at javax.mail.Session.<init>(Session.java:210)
         at javax.mail.Session.getInstance(Session.java:247)
         at com.MHSoftware.net.mail.MHMail.sendSMTP(MHMail.java:470)


Line 144 of ClassLoaderLogManager is the addLogger method trying to read 
the .level property for the logger being created.

The catalina.policy is pretty much the stock one. I'm confused because 
the catalina.policy has:

grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
     permission java.lang.RuntimePermission "getClassLoader";

The page in question that's erroring out is a JSP that's calling a 
per-context jar. The hierarchy looks something like:

JSP ->
context/WEB-INF/lib/jar Class File ->
$CATALINA_BASE/lib/ MH Software.jar ->
$CATALINA_BASE javax.mail.jar ->
$CATALINA_HOME/bin/tomcat-juli.jar

$CATALINA_BASE/lib has the grant for java.security.AllPermission.

I don't know if this makes a difference, but I'm using log4j, and 
following the instructions here:

http://tomcat.apache.org/tomcat-7.0-doc/logging.html#Using_Log4j

I've made $CATALINA_BASE/conf/logging.properties an empty file.

Finally, it SEEMS to only be happening in JSP files. Calls directly from 
classes in the context jar file don't seem to be failing.

If anyone could point me in the right direction, I would really 
appreciate it.


-- 
George Sexton
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com

Security Manager Exception

Posted by "Terence M. Bandoian" <te...@tmbsw.com>.


Have you granted permissions to the classes in WEB-INF?

-Terence Bandoian


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Security Manager Exception

Posted by Mark Eggers <it...@yahoo.com.INVALID>.

See if this helps:

http://www.oracle.com/technetwork/java/faq-135477.html#securityManager

. . . just my two cents
/mde/


Re: Security Manager Exception

Posted by Konstantin Kolinko <kn...@gmail.com>.


I filed an issue for this in Bugzilla:
https://issues.apache.org/bugzilla/show_bug.cgi?id=56776

> per-context jar. The hierarchy looks something like:
>
> JSP ->
> context/WEB-INF/lib/jar Class File ->
> $CATALINA_BASE/lib/ MH Software.jar ->
> $CATALINA_BASE javax.mail.jar ->
> $CATALINA_HOME/bin/tomcat-juli.jar
>
> $CATALINA_BASE/lib, has the grant for java.security.AllPermission;
>

Unless all classes in the call chain have the necessary permission
("java.lang.RuntimePermission" "getClassLoader"), the call won't be
allowed.

A workaround is to grant that permission to web applications, but I
would not really recommend that as a long-term solution, as it makes
the system less secure.  It should be possible to fix this on the Tomcat
side, so I filed the issue.

Best regards,
Konstantin Kolinko
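
The call-chain rule described in the reply above, as an added example that is not part of the original thread or of Tomcat's code. It builds the intersection check by hand from three protection domains; the class name, helper names and file: locations are constructed for illustration, and it assumes a JDK on which the java.security access-control classes are still functional, as they were for Tomcat 7.

```java
import java.net.URL;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class CallChainPermissionDemo {

    // Build a protection domain with a fixed permission set.
    // The installed policy file is not consulted for domains built this way.
    static ProtectionDomain domain(String location, Permission... granted) throws Exception {
        Permissions perms = new Permissions();
        for (Permission p : granted) {
            perms.add(p);
        }
        CodeSource source = new CodeSource(new URL(location), (Certificate[]) null);
        return new ProtectionDomain(source, perms);
    }

    // True only if every domain in the chain implies the wanted permission.
    // A running JVM derives this chain from the frames on the call stack.
    static boolean allowed(Permission wanted, ProtectionDomain... chain) {
        try {
            new AccessControlContext(chain).checkPermission(wanted);
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Permission wanted = new RuntimePermission("getClassLoader");

        // Constructed code sources standing in for the frames in the stack trace.
        ProtectionDomain juli = domain("file:/opt/tomcat/bin/tomcat-juli.jar", wanted);
        ProtectionDomain sharedLib = domain("file:/opt/tomcat/lib/-", new AllPermission());
        ProtectionDomain jsp = domain("file:/opt/tomcat/webapps/ROOT/-"); // nothing granted

        System.out.println("juli + lib:       " + allowed(wanted, juli, sharedLib));
        System.out.println("juli + lib + JSP: " + allowed(wanted, juli, sharedLib, jsp));
    }
}
```

The grants held by tomcat-juli.jar and $CATALINA_BASE/lib do not help once a frame without the permission, here the JSP's domain, is part of the same chain.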
