Posted to dev@tomcat.apache.org by bu...@apache.org on 2017/03/27 23:01:30 UTC
[Bug 60925] New: Running with SecurityManager - Property 'serverInfo' not found on type org.apache.catalina.core.ApplicationContextFacade
https://bz.apache.org/bugzilla/show_bug.cgi?id=60925
Bug ID: 60925
Summary: Running with SecurityManager - Property 'serverInfo' not found on type org.apache.catalina.core.ApplicationContextFacade
Product: Tomcat 8
Version: 8.5.12
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: EL
Assignee: dev@tomcat.apache.org
Reporter: knst.kolinko@gmail.com
Target Milestone: ----
Created attachment 34884
--> https://bz.apache.org/bugzilla/attachment.cgi?id=34884&action=edit
localhost.2017-03-28.log
Noted when smoke-testing 8.5.13 RC, but this is reproducible with released
8.5.12 as well, so it is not a regression.
Steps to reproduce:
1. Start Tomcat 8.5 with security manager enabled
   catalina.bat start -security
2. Access the root page,
   http://localhost:8080/
It fails with error 500.
Stacktrace from 8.5.13:
javax.el.PropertyNotFoundException: Property 'serverInfo' not found on type org.apache.catalina.core.ApplicationContextFacade
    at javax.el.BeanELResolver$BeanProperties.get(BeanELResolver.java:259)
    at javax.el.BeanELResolver$BeanProperties.access$300(BeanELResolver.java:212)
    at javax.el.BeanELResolver.property(BeanELResolver.java:346)
    at javax.el.BeanELResolver.getValue(BeanELResolver.java:92)
    at org.apache.jasper.el.JasperELResolver.getValue(JasperELResolver.java:110)
    at org.apache.el.parser.AstValue.getValue(AstValue.java:169)
    at org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:184)
    at org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(PageContextImpl.java:944)
    at org.apache.jsp.index_jsp._jspService(index_jsp.java:155)
See attached file with full stacktrace.
Notes:
1. This does not happen when running without SecurityManager.
2. This does not depend on the version of Java (occurs both with 7u80 and 8u121).
I have seen similar errors when we were fixing CVE-2014-7810
(see thread from 2014-11-17), but it should have been fixed by r1644017
that improved javax.el.BeanELResolver.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 60925] Running with SecurityManager - Property 'serverInfo' not
found on type org.apache.catalina.core.ApplicationContextFacade
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60925
--- Comment #2 from Konstantin Kolinko <kn...@gmail.com> ---
I think that this is triggered by the change in r1784768,
that changed inheritance hierarchy in ApplicationContextFacade
and the cause is that the solution implemented in r1644017 is incomplete:
method BeanELResolver.populateFromInterfaces() does not enumerate parent
interfaces of an interface.
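The gap described in comment #2, as an added example that is not part of the thread and is not Tomcat's code: when bean properties must be discovered through interfaces because the concrete class is off limits, a walk that stops at the directly implemented interfaces misses getters declared on their parent interfaces. All type and method names below are hypothetical stand-ins, and plain reflection is used in place of the JavaBeans introspection that BeanELResolver performs.

```java
import java.lang.reflect.Method;
import java.util.Set;
import java.util.TreeSet;

public class InterfaceWalkDemo {
    // Hypothetical stand-ins: a facade whose property lives on a parent interface.
    interface BaseContext { String getServerInfo(); }
    interface ExtendedContext extends BaseContext { String getContextPath(); }
    static class Facade implements ExtendedContext {
        public String getServerInfo() { return "demo/1.0"; }
        public String getContextPath() { return ""; }
    }

    // Record the property name of every no-arg getter declared on this interface.
    // getDeclaredMethods() does not include methods inherited from parent interfaces.
    static void addGetters(Class<?> ifc, Set<String> props) {
        for (Method m : ifc.getDeclaredMethods()) {
            String n = m.getName();
            if (n.startsWith("get") && n.length() > 3 && m.getParameterCount() == 0) {
                props.add(Character.toLowerCase(n.charAt(3)) + n.substring(4));
            }
        }
    }

    // Incomplete walk: looks only at the interfaces the class implements directly.
    static Set<String> shallow(Class<?> type) {
        Set<String> props = new TreeSet<>();
        for (Class<?> ifc : type.getInterfaces()) addGetters(ifc, props);
        return props;
    }

    // Complete walk: recurses into the parents of each interface and into the
    // interfaces of each superclass (getSuperclass() is null for interfaces).
    static void deep(Class<?> type, Set<String> props) {
        for (Class<?> ifc : type.getInterfaces()) {
            addGetters(ifc, props);
            deep(ifc, props);
        }
        if (type.getSuperclass() != null) deep(type.getSuperclass(), props);
    }

    public static void main(String[] args) {
        Set<String> all = new TreeSet<>();
        deep(Facade.class, all);
        System.out.println("shallow: " + shallow(Facade.class));
        System.out.println("deep:    " + all);
    }
}
```

The shallow walk never sees `serverInfo`, which is the situation the exception in the report describes; the recursive walk finds it without granting the web application access to the implementation package.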
[Bug 60925] Running with SecurityManager - Property 'serverInfo' not
found on type org.apache.catalina.core.ApplicationContextFacade
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60925
Mark Thomas <ma...@apache.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
--- Comment #4 from Mark Thomas <ma...@apache.org> ---
To state the obvious, that work-around exposes a lot of Tomcat's internals to
the web application.
Fixed in:
- trunk for 9.0.0.M20 onwards
- 8.5.x for 8.5.14 onwards
- 8.0.x for 8.0.44 onwards
- 7.0.x for 7.0.78 onwards
[Bug 60925] Running with SecurityManager - Property 'serverInfo' not
found on type org.apache.catalina.core.ApplicationContextFacade
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60925
Konstantin Kolinko <kn...@gmail.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All
--- Comment #1 from Konstantin Kolinko <kn...@gmail.com> ---
Tomcat 8.5.11 does not have this issue. The root page displays successfully.
[Bug 60925] Running with SecurityManager - Property 'serverInfo' not
found on type org.apache.catalina.core.ApplicationContextFacade
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60925
--- Comment #3 from Konstantin Kolinko <kn...@gmail.com> ---
For the record:
There exists a working temporary workaround for this issue:
grant permission to access the "core" package.
E.g. for this test scenario (the ROOT web application),
adding the following lines to catalina.policy file is sufficient:
grant codeBase "file:${catalina.base}/webapps/ROOT/-" {
    permission java.lang.RuntimePermission
        "accessClassInPackage.org.apache.catalina.core";
};