Posted to dev@tomcat.apache.org by bu...@apache.org on 2009/12/23 14:26:19 UTC
DO NOT REPLY [Bug 48438] New: RC2 of 6.0.21:
java.security.AccessControlException on Error 500 page
https://issues.apache.org/bugzilla/show_bug.cgi?id=48438
Summary: RC2 of 6.0.21: java.security.AccessControlException on
Error 500 page
Product: Tomcat 6
Version: 6.0.20
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: normal
Priority: P2
Component: Jasper
AssignedTo: dev@tomcat.apache.org
ReportedBy: knst.kolinko@gmail.com
Created an attachment (id=24753)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=24753)
/webapps/examples/jsp/tagplugin/if.jsp
Steps to reproduce:
1. Download and install 6.0.21 release candidate "try2"
2. Replace /webapps/examples/jsp/tagplugin/if.jsp with the file attached to
this bug report. It has a few lines added to reproduce bug 48112.
3. Run catalina start -security
4. Access http://localhost:8080/examples/jsp/tagplugin/if.jsp
5. Observe Error 500 page with java.security.AccessControlException
java.security.AccessControlException: access denied
(java.lang.RuntimePermission accessClassInPackage.org.apache.jasper.security)
java.security.AccessControlContext.checkPermission(Unknown Source)
java.security.AccessController.checkPermission(Unknown Source)
java.lang.SecurityManager.checkPermission(Unknown Source)
java.lang.SecurityManager.checkPackageAccess(Unknown Source)
sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
java.lang.ClassLoader.loadClass(Unknown Source)
java.lang.ClassLoader.loadClass(Unknown Source)
java.lang.ClassLoader.loadClassInternal(Unknown Source)
org.apache.jasper.runtime.ProtectedFunctionMapper.getMapForFunction(ProtectedFunctionMapper.java:145)
org.apache.jsp.jsp.tagplugin.if_jsp.<clinit>(if_jsp.java:13)
The full stack trace will be in an attachment.
6. If run without Security manager, the error report as described in bug 48112
is observed, that is
(..)
org.apache.el.parser.ParseException: Encountered " <ILLEGAL_CHARACTER> "\' ""
at line 1, column 11.
(..)
5. is the unexpected result, 6. is the expected result
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
--- Comment #2 from Konstantin Kolinko <kn...@gmail.com> 2009-12-23 06:01:26 UTC ---
Retrying to reproduce this with
\webapps\examples\jsp\jsp2\el\basic-arithmetic.jsp
If I add the following four lines to the end of the file:
48112:
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<c:out value="${fn:trim('{world}')}"/>
When running with Security Manager I observe three different behaviors:
A). The proper error report from bug 48112
(..)
org.apache.el.parser.ParseException: Encountered " <ILLEGAL_CHARACTER> "\' ""
at line 1, column 11.
(..)
To reproduce:
1. Clear the working directory
2. Start Tomcat
3. Remove added lines from basic-arithmetic.jsp, so that it becomes valid
4. Browse http://localhost:8080/examples/jsp/jsp2/el/basic-arithmetic.jsp
5. Add the lines to basic-arithmetic.jsp
6. Reload the page in the browser
7. Observe the error
B). AccessControlException
To reproduce:
1. Clear the working directory
2. Start Tomcat
3. Add the lines to basic-arithmetic.jsp
4. Browse http://localhost:8080/examples/jsp/jsp2/el/basic-arithmetic.jsp
5. Observe the error
C). NoClassDefFoundError
To reproduce:
1. Run A) or B)
2. Stop Tomcat and do *not* clear the working directory
3. Start Tomcat
4. Browse http://localhost:8080/examples/jsp/jsp2/el/basic-arithmetic.jsp
5. Observe the error
java.lang.NoClassDefFoundError: Could not initialize class
org.apache.jsp.jsp.jsp2.el.basic_002darithmetic_jsp
sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
java.lang.reflect.Constructor.newInstance(Unknown Source)
java.lang.Class.newInstance0(Unknown Source)
java.lang.Class.newInstance(Unknown Source)
org.apache.jasper.servlet.JspServletWrapper.getServlet(JspServletWrapper.java:145)
I observe the following oddity:
1. Run B)
2. In the working folder both java and class file for the page are present:
basic_002darithmetic_jsp.class
basic_002darithmetic_jsp.java
So, how does it produce a class file when java file generation should have
failed with an exception?
--- Comment #3 from Konstantin Kolinko <kn...@gmail.com> 2009-12-23 06:08:21 UTC ---
Created an attachment (id=24755)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=24755)
localhost.2009-12-23.log for Comment 2
Konstantin Kolinko <kn...@gmail.com> changed:
What                       |Removed                   |Added
----------------------------------------------------------------------------
Attachment #24755 mime type|application/octet-stream  |text/plain
--- Comment #1 from Konstantin Kolinko <kn...@gmail.com> 2009-12-23 05:28:43 UTC ---
Created an attachment (id=24754)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=24754)
localhost.2009-12-23.log that contains the full stack trace
--- Comment #4 from Konstantin Kolinko <kn...@gmail.com> 2009-12-23 06:15:23 UTC ---
Additional observation for A):
That org.apache.el.parser.ParseException: occurs at run time, not at compile
time!
It explains why the class file is generated.
You can see the stacktrace for this case in attachment 24755.
It is
at org.apache.el.parser.ELParser.generateParseException(ELParser.java:2142)
at org.apache.el.parser.ELParser.jj_consume_token(ELParser.java:2024)
(.. a dozen of ELParser methods)
(.. a pair of ExpressionBuilder methods)
at org.apache.el.ExpressionFactoryImpl.createValueExpression(ExpressionFactoryImpl.java:68)
at org.apache.jasper.runtime.PageContextImpl$13.run(PageContextImpl.java:919)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(PageContextImpl.java:913)
at org.apache.jsp.jsp.jsp2.el.basic_002darithmetic_jsp._jspx_meth_c_005fout_005f0(basic_002darithmetic_jsp.java:205)
at org.apache.jsp.jsp.jsp2.el.basic_002darithmetic_jsp._jspService(basic_002darithmetic_jsp.java:179)
So it occurs in _jspService() of a running page, when it calls
PageContextImpl.proprietaryEvaluate to evaluate an EL expression.
Konstantin Kolinko <kn...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |DUPLICATE
--- Comment #5 from Konstantin Kolinko <kn...@gmail.com> 2010-01-20 12:02:34 UTC ---
It is a duplicate of bug 48580.
That this page would fail without SecurityManager is just a coincidence.
With a SecurityManager it does not initialize (fails in its <clinit>), and that
happens earlier than any EL evaluation takes place.
*** This bug has been marked as a duplicate of bug 48580 ***
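The JVM behaviour behind the <clinit> failure mentioned in Comment #5, as an added example that is not part of the original bug report or of Tomcat's code: a class whose static initializer throws raises ExceptionInInitializerError on first use and NoClassDefFoundError ("Could not initialize class ...") on every later use in the same JVM. GeneratedPage and the SecurityException it throws are constructed stand-ins; no SecurityManager is installed.

```java
public class ClinitFailureDemo {

    // Hypothetical stand-in for a generated JSP servlet class whose static
    // initializer performs a lookup that the security policy denies.
    static class GeneratedPage {
        // Field initializers run as part of <clinit>.
        static final Object FUNCTION_MAP = lookup();

        private static Object lookup() {
            // Constructed failure: simulates the denied package access
            // without installing a real SecurityManager.
            throw new SecurityException(
                "access denied (constructed stand-in for an accessClassInPackage check)");
        }

        static void service() {
            // Never reached: the class cannot be initialized.
        }
    }

    // Touches the class and reports which error the JVM raises.
    static String touch() {
        try {
            GeneratedPage.service();
            return "initialized";
        } catch (ExceptionInInitializerError e) {
            // First use only: the original exception is available as the cause.
            return "ExceptionInInitializerError caused by "
                + e.getCause().getClass().getName();
        } catch (NoClassDefFoundError e) {
            // Later uses: the class is marked erroneous and <clinit> is not rerun.
            return "NoClassDefFoundError: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("first use:  " + touch());
        System.out.println("second use: " + touch());
    }
}
```

When triaging logs, the NoClassDefFoundError on its own does not name the denied permission; the earlier ExceptionInInitializerError entry carries the security exception as its cause.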