Posted to dev@tomcat.apache.org by BugRat Mail System <to...@cortexity.com> on 2001/01/03 00:14:51 UTC

BugRat Report #690 has been filed.

Bug report #690 has just been filed.

You can view the report at the following URL:

   <http://znutar.cortexity.com/BugRatViewer/ShowReport/690>

REPORT #690 Details.

Project: Tomcat
Category: Bug Report
SubCategory: New Bug Report
Class: swbug
State: received
Priority: high
Severity: serious
Confidence: public
Environment: 
   Release: Tomcat 3.2.1
   JVM Release: 1.2.2
   Operating System: Windows 2000 Pro
   OS Release: ?
   Platform: Intel

Synopsis: 
jsp compilation error

Description:
The default javasoft/JRE/1.2/lib/security/java.security file restricts use of the sun. packages.

Both Tomcat and EmbededTomcat fail with the following error:

Unable to compile class for JSP
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.tools.java 

Adding the following to the default tomcat.policy file does not correct the error:

grant {
  permission java.lang.RuntimePermission "accessClassInPackage.sun.tools.java";
};



Re: BugRat Report #690 has been filed.

Posted by Glenn Nielsen <gl...@voyager.apg.more.net>.
Craig,

Bug fixes for use of the Java SecurityManager are done and working well.

I do want to add another doc for setting up the SecurityManager when using
MS Windows OS's.

Glenn

"Craig R. McClanahan" wrote:
> 
> Glenn Nielsen wrote:
> 
> > I stand corrected.
> >
> > The below problem was a bug in Tomcat.  Wrapping the RequestDispatcher
> > forward() and include() methods with a doPrivileged() if a SecurityManager
> > is being used fixed the problem.  When Tomcat 3.2.2 is released you will
> > no longer need to edit the jre/lib/security/java.security file to comment
> > out the package.access=sun. line.
> >
> > This fix is in the 3.2 CVS branch, and will be in the Tomcat 3.2.2 release.
> >
> 
> Glenn (and others),
> 
> Have we accumulated enough bug fixes where it's worth creating a 3.2.2 release, or are there more issues that should be
> dealt with first?
> 
> >
> > Regards,
> >
> > Glenn
> >
> 
> Craig
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, email: tomcat-dev-help@jakarta.apache.org

-- 
----------------------------------------------------------------------
Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------

Re: BugRat Report #690 has been filed.

Posted by Dan Milstein <da...@shore.net>.
There have been some pretty major bugs fixed in the mod_jk / ajp13 world.  The broken File Upload problem, which people repost as a bug pretty often, and a load-balancing bug, which also seems to cause a lot of pain.

Just to factor that into whatever else has been fixed...

-Dan

> Glenn (and others),
> 
> Have we accumulated enough bug fixes where it's worth creating a 3.2.2 release, or are there more issues that should be
> dealt with first?
-- 

Dan Milstein // danmil@shore.net

Re: Tomcat 3.2.2 [Was: Re: BugRat Report #690 has been filed.]

Posted by Hans Bergsten <ha...@gefionsoftware.com>.
Marc Saegesser wrote:
> 
> Regarding BugReport #744.  I've been trying to duplicate it on my Win2000
> system and haven't had any luck.  I always get back the executed page.  Has
> anyone else been able to duplicate the problem behavior?

I actually tested it today (on a Red Hat 7 system, but I doubt that matters)
and was able to reproduce it easily; just make a GET request without the
protocol. I haven't had a chance to try to figure out why yet though.

> [...]

Hans
-- 
Hans Bergsten		hans@gefionsoftware.com
Gefion Software		http://www.gefionsoftware.com
Author of JavaServer Pages (O'Reilly), http://TheJSPBook.com

RE: Tomcat 3.2.2 [Was: Re: BugRat Report #690 has been filed.]

Posted by Marc Saegesser <ma...@apropos.com>.
Regarding BugReport #744.  I've been trying to duplicate it on my Win2000
system and haven't had any luck.  I always get back the executed page.  Has
anyone else been able to duplicate the problem behavior?

As for 3.2.2, I think we should give 3.2.1 a little more soak time.  The
flow of bug reports seems to have increased which means that people are
using the release.  I don't think there are any really critical bugs fixed
so far so another week or so should hurt and with the extra usage we might
find something that should be addressed.

With any luck, 3.2.2 puts this release to bed and there won't be a need for
a 3.2.3.

> -----Original Message-----
> From: hans@servlets.net [mailto:hans@servlets.net]On Behalf Of Hans Bergsten
> Sent: Thursday, January 11, 2001 3:03 PM
> To: tomcat-dev@jakarta.apache.org
> Subject: Tomcat 3.2.2 [Was: Re: BugRat Report #690 has been filed.]
>
>
> "Craig R. McClanahan" wrote:
> >
> > Glenn Nielsen wrote:
> >
> > > I stand corrected.
> > >
> > > The below problem was a bug in Tomcat.  Wrapping the RequestDispatcher
> > > forward() and include() methods with a doPrivileged() if a SecurityManager
> > > is being used fixed the problem.  When Tomcat 3.2.2 is released you will
> > > no longer need to edit the jre/lib/security/java.security file to comment
> > > out the package.access=sun. line.
> > >
> > > This fix is in the 3.2 CVS branch, and will be in the Tomcat 3.2.2 release.
> > >
> >
> > Glenn (and others),
> >
> > Have we accumulated enough bug fixes where it's worth creating a 3.2.2 release,
> > or are there more issues that should be dealt with first?
>
> I've seen the problem most recently reported in BugReport #744 described a
> few times now, but I haven't had a chance to verify it and look for a solution.
> Since this is a security bug, it seems like something that should be included
> in 3.2.2.
>
> I'll try to take a closer look at it this weekend, but can't promise anything.
>
> Hans
> --
> Hans Bergsten		hans@gefionsoftware.com
> Gefion Software		http://www.gefionsoftware.com
> Author of JavaServer Pages (O'Reilly), http://TheJSPBook.com


Tomcat 3.2.2 [Was: Re: BugRat Report #690 has been filed.]

Posted by Hans Bergsten <ha...@gefionsoftware.com>.
"Craig R. McClanahan" wrote:
> 
> Glenn Nielsen wrote:
> 
> > I stand corrected.
> >
> > The below problem was a bug in Tomcat.  Wrapping the RequestDispatcher
> > forward() and include() methods with a doPrivileged() if a SecurityManager
> > is being used fixed the problem.  When Tomcat 3.2.2 is released you will
> > no longer need to edit the jre/lib/security/java.security file to comment
> > out the package.access=sun. line.
> >
> > This fix is in the 3.2 CVS branch, and will be in the Tomcat 3.2.2 release.
> >
> 
> Glenn (and others),
> 
> Have we accumulated enough bug fixes where it's worth creating a 3.2.2 release, 
> or are there more issues that should be
> dealt with first?

I've seen the problem most recently reported in BugReport #744 described a
few times now, but I haven't had a chance to verify it and look for a solution.
Since this is a security bug, it seems like something that should be included
in 3.2.2.

I'll try to take a closer look at it this weekend, but can't promise
anything.

Hans
-- 
Hans Bergsten		hans@gefionsoftware.com
Gefion Software		http://www.gefionsoftware.com
Author of JavaServer Pages (O'Reilly), http://TheJSPBook.com

Re: BugRat Report #690 has been filed.

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Glenn Nielsen wrote:

> I stand corrected.
>
> The below problem was a bug in Tomcat.  Wrapping the RequestDispatcher
> forward() and include() methods with a doPrivileged() if a SecurityManager
> is being used fixed the problem.  When Tomcat 3.2.2 is released you will
> no longer need to edit the jre/lib/security/java.security file to comment
> out the package.access=sun. line.
>
> This fix is in the 3.2 CVS branch, and will be in the Tomcat 3.2.2 release.
>

Glenn (and others),

Have we accumulated enough bug fixes where it's worth creating a 3.2.2 release, or are there more issues that should be
dealt with first?

>
> Regards,
>
> Glenn
>

Craig



Re: BugRat Report #690 has been filed.

Posted by Glenn Nielsen <gl...@voyager.apg.more.net>.
I stand corrected.

The below problem was a bug in Tomcat.  Wrapping the RequestDispatcher
forward() and include() methods with a doPrivileged() if a SecurityManager
is being used fixed the problem.  When Tomcat 3.2.2 is released you will
no longer need to edit the jre/lib/security/java.security file to comment
out the package.access=sun. line.

This fix is in the 3.2 CVS branch, and will be in the Tomcat 3.2.2 release.

Regards,

Glenn

Glenn Nielsen wrote:
> 
> This isn't a Tomcat bug, it's the way security works (whether correct or not).
> Perhaps this should be sent in as a Java bug report to Sun.
> 
> This is documented in tomcat-security.html, you have to comment out
> the line:
> 
> package.access=sun.
> 
> in your $JAVA_HOME/jre/lib/security/java.security file.
> 
> BugRat Mail System wrote:
> >
> > Bug report #690 has just been filed.
> >
> > You can view the report at the following URL:
> >
> >    <http://znutar.cortexity.com/BugRatViewer/ShowReport/690>
> >
> > REPORT #690 Details.
> >
> > Project: Tomcat
> > Category: Bug Report
> > SubCategory: New Bug Report
> > Class: swbug
> > State: received
> > Priority: high
> > Severity: serious
> > Confidence: public
> > Environment:
> >    Release: Tomcat 3.2.1
> >    JVM Release: 1.2.2
> >    Operating System: Windows 2000 Pro
> >    OS Release: ?
> >    Platform: Intel
> >
> > Synopsis:
> > jsp compilation error
> >
> > Description:
> > The default javasoft/JRE/1.2/lib/security/java.security file restricts use of the sun. packages.
> >
> > Both Tomcat and EmbededTomcat fail with the following error:
> >
> > Unable to compile class for JSP
> > java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.tools.java
> >
> > Adding the following to the default tomcat.policy file does not correct the error:
> >
> > grant {
> >   permission java.lang.RuntimePermission "accessClassInPackage.sun.tools.java";
> > };
> 
> --
> ----------------------------------------------------------------------
> Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
> MOREnet System Programming               |  * if iz ina coment.      |
> Missouri Research and Education Network  |  */                       |
> ----------------------------------------------------------------------

-- 
----------------------------------------------------------------------
Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------
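
The pattern described in the message above (wrapping forward() and include() in doPrivileged() only when a SecurityManager is installed), as an added example that is not Tomcat's source code. The class name PrivilegedDispatcher and its structure are hypothetical; it assumes the javax.servlet API on the classpath and a JDK that still supports the SecurityManager.

```java
import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

// Hypothetical wrapper (name and layout are assumptions, not Tomcat code).
public final class PrivilegedDispatcher implements RequestDispatcher {
    private final RequestDispatcher target;

    public PrivilegedDispatcher(RequestDispatcher target) {
        this.target = target;
    }

    public void forward(ServletRequest req, ServletResponse res)
            throws ServletException, IOException {
        dispatch(req, res, true);
    }

    public void include(ServletRequest req, ServletResponse res)
            throws ServletException, IOException {
        dispatch(req, res, false);
    }

    private void dispatch(final ServletRequest req, final ServletResponse res,
                          final boolean forward) throws ServletException, IOException {
        if (System.getSecurityManager() == null) {   // no sandbox: call straight through
            if (forward) target.forward(req, res); else target.include(req, res);
            return;
        }
        try {
            // The permission check stops at this frame, so the calling web
            // application's protection domain is not consulted; code run
            // inside the block still needs the permission itself.
            AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {
                public Void run() throws ServletException, IOException {
                    if (forward) target.forward(req, res); else target.include(req, res);
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {      // unwrap what run() threw
            Exception cause = e.getException();
            if (cause instanceof ServletException) throw (ServletException) cause;
            if (cause instanceof IOException) throw (IOException) cause;
            throw new ServletException(cause);
        }
    }
}
```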

Re: BugRat Report #690 has been filed.

Posted by Glenn Nielsen <gl...@voyager.apg.more.net>.
This isn't a Tomcat bug, it's the way security works (whether correct or not).
Perhaps this should be sent in as a Java bug report to Sun.

This is documented in tomcat-security.html, you have to comment out
the line:

package.access=sun.

in your $JAVA_HOME/jre/lib/security/java.security file.


BugRat Mail System wrote:
> 
> Bug report #690 has just been filed.
> 
> You can view the report at the following URL:
> 
>    <http://znutar.cortexity.com/BugRatViewer/ShowReport/690>
> 
> REPORT #690 Details.
> 
> Project: Tomcat
> Category: Bug Report
> SubCategory: New Bug Report
> Class: swbug
> State: received
> Priority: high
> Severity: serious
> Confidence: public
> Environment:
>    Release: Tomcat 3.2.1
>    JVM Release: 1.2.2
>    Operating System: Windows 2000 Pro
>    OS Release: ?
>    Platform: Intel
> 
> Synopsis:
> jsp compilation error
> 
> Description:
> The default javasoft/JRE/1.2/lib/security/java.security file restricts use of the sun. packages.
> 
> Both Tomcat and EmbededTomcat fail with the following error:
> 
> Unable to compile class for JSP
> java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.tools.java
> 
> Adding the following to the default tomcat.policy file does not correct the error:
> 
> grant {
>   permission java.lang.RuntimePermission "accessClassInPackage.sun.tools.java";
> };

-- 
----------------------------------------------------------------------
Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------