Posted to dev@tomcat.apache.org by bu...@apache.org on 2011/06/16 11:00:49 UTC

DO NOT REPLY [Bug 51384] New: Adding http codebase to catalina.policy file causes ClassLoaderLogManager access denied exception

https://issues.apache.org/bugzilla/show_bug.cgi?id=51384

             Bug #: 51384
           Summary: Adding http codebase to catalina.policy file causes
                    ClassLoaderLogManager access denied exception
           Product: Tomcat 6
           Version: 6.0.32
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: Mark.Howell@rbs.com
    Classification: Unclassified


Tomcat: 6.0.32 (freshly downloaded and unpacked)
Java: 1.6.0_25 (freshly installed)
OS: Windows XP
Env variables:
JAVA_HOME=C:\Program Files\Java\jdk1.6.0_25
JAVA_OPTS=-Xmx512m

Append the following permission to the end of catalina.policy:

grant codeBase "http://www.abc.com" {
        permission java.security.AllPermission;
};

bin/startup.bat -security

Generates (in console window, no log files generated):

Could not load Logmanager "org.apache.juli.ClassLoaderLogManager"
java.security.AccessControlException: access denied (java.lang.RuntimePermission setContextClassLoader)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
        at java.security.AccessController.checkPermission(AccessController.java:546)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        at java.lang.Thread.setContextClassLoader(Thread.java:1394)
        at java.util.logging.LogManager$Cleaner.<init>(LogManager.java:204)
        at java.util.logging.LogManager$Cleaner.<init>(LogManager.java:198)
        at java.util.logging.LogManager.<init>(LogManager.java:235)
        at org.apache.juli.ClassLoaderLogManager.<init>(ClassLoaderLogManager.java:64)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
        at java.lang.Class.newInstance0(Class.java:355)
        at java.lang.Class.newInstance(Class.java:308)
        at java.util.logging.LogManager$1.run(LogManager.java:164)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.util.logging.LogManager.<clinit>(LogManager.java:156)
        at java.util.logging.Logger.getLogger(Logger.java:287)
        at sun.net.www.protocol.http.HttpURLConnection.<clinit>(HttpURLConnection.java:57)
        at sun.net.www.protocol.http.Handler.openConnection(Handler.java:44)
        at sun.net.www.protocol.http.Handler.openConnection(Handler.java:39)
        at java.net.URL.openConnection(URL.java:945)
        at sun.security.provider.PolicyFile.canonicalizeCodebase(PolicyFile.java:1799)
        at sun.security.provider.PolicyFile.getCodeSource(PolicyFile.java:783)
        at sun.security.provider.PolicyFile.addGrantEntry(PolicyFile.java:807)
        at sun.security.provider.PolicyFile.init(PolicyFile.java:653)
        at sun.security.provider.PolicyFile.access$400(PolicyFile.java:266)
        at sun.security.provider.PolicyFile$3.run(PolicyFile.java:546)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:519)
        at sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:505)
        at sun.security.provider.PolicyFile.init(PolicyFile.java:464)
        at sun.security.provider.PolicyFile.<init>(PolicyFile.java:309)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
        at java.lang.Class.newInstance0(Class.java:355)
        at java.lang.Class.newInstance(Class.java:308)
        at java.security.Policy.getPolicyNoCheck(Policy.java:167)
        at java.security.ProtectionDomain.implies(ProtectionDomain.java:224)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:352)
        at java.security.AccessController.checkPermission(AccessController.java:546)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
        at java.lang.System.getProperty(System.java:650)
        at org.apache.juli.logging.DirectJDKLog.<clinit>(DirectJDKLog.java:43)
        at org.apache.juli.logging.LogFactory.getInstance(LogFactory.java:171)
        at org.apache.juli.logging.LogFactory.getInstance(LogFactory.java:243)
        at org.apache.juli.logging.LogFactory.getLog(LogFactory.java:298)
        at org.apache.catalina.startup.Bootstrap.<clinit>(Bootstrap.java:55)

Note: This works fine with Java 1.5.0

Seems to be a Java 1.6.0 related problem. I have tried several versions of Java
1.6.0 and all exhibit the same problem.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


DO NOT REPLY [Bug 51384] Adding http codebase to catalina.policy file causes ClassLoaderLogManager access denied exception

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51384

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

--- Comment #1 from Mark Thomas <ma...@apache.org> 2011-06-20 09:54:18 UTC ---
As of Java 1.6 the combination of:
- custom LogManager
- security manager
- http codebase in security policy file
won't work.

The root cause is the following circular dependency:
- The custom LogManager has to extend the standard LogManager
- standard LogManager starts a Cleaner that calls setContextClassLoader
- that triggers a security check
- that triggers the parsing of the policy file
- that triggers a validity check of the http codebase
- that uses HttpURLConnection
- that tries to create a Logger
- that requires LogManager to be initialised

The standard LogManager avoids this since it is viewed as System code hence all
security checks are bypassed.

I don't see a way around this without changes to java.util.logging.LogManager
and that is outside the control of the Tomcat project.

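The three conditions listed in comment #1 can be checked before start-up. The following is an added example, not code from Tomcat or from the bug report: it reports the http codeBase entries in a policy file when the JVM arguments also enable a security manager and a non-default LogManager. The function names, sample arguments and sample policy are constructed for illustration; only the http scheme is flagged by default because that is the case the report covers, and the Java version is not checked.

```python
import re
from urllib.parse import urlsplit

# Strings are matched first so the "//" inside a URL is not read as a comment.
_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|//[^\n]*|/\*.*?\*/', re.S)
# Grant header up to its opening brace; quoted parts may contain "${...}".
_GRANT = re.compile(r'\bgrant\b((?:"[^"]*"|[^{;"])*)\{', re.I)
_CODEBASE = re.compile(r'\bcodeBase\s+"([^"]*)"', re.I)
DEFAULT_LOGMANAGER = "java.util.logging.LogManager"

# Constructed sample input (only the last grant entry comes from the report).
SAMPLE_POLICY = '''
// see http://tomcat.apache.org/ for details
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
        permission java.lang.RuntimePermission "setContextClassLoader";
};
/* grant codeBase "http://old.example.invalid/" { }; */
grant codeBase "http://www.abc.com" {
        permission java.security.AllPermission;
};
'''
SAMPLE_ARGS = ["-Xmx512m", "-Djava.security.manager",
               "-Djava.security.policy==conf/catalina.policy",
               "-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager"]

def strip_comments(policy_text):
    """Blank out // and /* */ comments while leaving quoted strings intact."""
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else " "
    return _TOKEN.sub(keep, policy_text)

def remote_codebases(policy_text, schemes=("http",)):
    """codeBase URLs of grant entries whose URL scheme is in `schemes`."""
    found = []
    for header in _GRANT.findall(strip_comments(policy_text)):
        m = _CODEBASE.search(header)
        if m and urlsplit(m.group(1)).scheme.lower() in schemes:
            found.append(m.group(1))
    return found

def startup_blockers(jvm_args, policy_text):
    """Codebases hitting the cycle in comment #1; [] if a condition is absent."""
    props = dict(a[2:].partition("=")[::2] for a in jvm_args if a.startswith("-D"))
    secured = "java.security.manager" in props
    custom = props.get("java.util.logging.manager", DEFAULT_LOGMANAGER) != DEFAULT_LOGMANAGER
    return remote_codebases(policy_text) if secured and custom else []

if __name__ == "__main__":
    print(startup_blockers(SAMPLE_ARGS, SAMPLE_POLICY))
```

An empty result means at least one of the three conditions is missing from the configuration being checked.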