You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2011/06/16 11:00:49 UTC
DO NOT REPLY [Bug 51384] New: Adding http codebase to
catalina.policy file causes ClassLoaderLogManager access denied exception
https://issues.apache.org/bugzilla/show_bug.cgi?id=51384
Bug #: 51384
Summary: Adding http codebase to catalina.policy file causes
ClassLoaderLogManager access denied exception
Product: Tomcat 6
Version: 6.0.32
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: Mark.Howell@rbs.com
Classification: Unclassified
Tomcat: 6.0.32 (freshly downloaded and unpacked)
Java: 1.6.0_25 (freshly installed)
OS: Windows XP
Env variables:
JAVA_HOME=C:\Program Files\Java\jdk1.6.0_25
JAVA_OPTS=-Xmx512m
Append the following permission to the end of catalina.policy:
grant codeBase "http://www.abc.com" {
permission java.security.AllPermission;
};
bin/startup.bat -security
Generates (in console window, no log files generated):
Could not load Logmanager "org.apache.juli.ClassLoaderLogManager"
java.security.AccessControlException: access denied
(java.lang.RuntimePermission setContextClassLoader)
at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
at
java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.Thread.setContextClassLoader(Thread.java:1394)
at java.util.logging.LogManager$Cleaner.<init>(LogManager.java:204)
at java.util.logging.LogManager$Cleaner.<init>(LogManager.java:198)
at java.util.logging.LogManager.<init>(LogManager.java:235)
at
org.apache.juli.ClassLoaderLogManager.<init>(ClassLoaderLogManager.java:64)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
Method)
at
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
at java.lang.Class.newInstance0(Class.java:355)
at java.lang.Class.newInstance(Class.java:308)
at java.util.logging.LogManager$1.run(LogManager.java:164)
at java.security.AccessController.doPrivileged(Native Method)
at java.util.logging.LogManager.<clinit>(LogManager.java:156)
at java.util.logging.Logger.getLogger(Logger.java:287)
at
sun.net.www.protocol.http.HttpURLConnection.<clinit>(HttpURLConnection.java:57)
at sun.net.www.protocol.http.Handler.openConnection(Handler.java:44)
at sun.net.www.protocol.http.Handler.openConnection(Handler.java:39)
at java.net.URL.openConnection(URL.java:945)
at
sun.security.provider.PolicyFile.canonicalizeCodebase(PolicyFile.java:1799)
at sun.security.provider.PolicyFile.getCodeSource(PolicyFile.java:783)
at sun.security.provider.PolicyFile.addGrantEntry(PolicyFile.java:807)
at sun.security.provider.PolicyFile.init(PolicyFile.java:653)
at sun.security.provider.PolicyFile.access$400(PolicyFile.java:266)
at sun.security.provider.PolicyFile$3.run(PolicyFile.java:546)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:519)
at sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:505)
at sun.security.provider.PolicyFile.init(PolicyFile.java:464)
at sun.security.provider.PolicyFile.<init>(PolicyFile.java:309)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
Method)
at
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
at java.lang.Class.newInstance0(Class.java:355)
at java.lang.Class.newInstance(Class.java:308)
at java.security.Policy.getPolicyNoCheck(Policy.java:167)
at java.security.ProtectionDomain.implies(ProtectionDomain.java:224)
at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:352)
at
java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at
java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
at java.lang.System.getProperty(System.java:650)
at org.apache.juli.logging.DirectJDKLog.<clinit>(DirectJDKLog.java:43)
at org.apache.juli.logging.LogFactory.getInstance(LogFactory.java:171)
at org.apache.juli.logging.LogFactory.getInstance(LogFactory.java:243)
at org.apache.juli.logging.LogFactory.getLog(LogFactory.java:298)
at org.apache.catalina.startup.Bootstrap.<clinit>(Bootstrap.java:55)
Note: This works fine with Java 1.5.0
Seems to be a Java 1.6.0 related problem. I have tried several versions of Java
1.6.0 and all exhibit the same problem.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
DO NOT REPLY [Bug 51384] Adding http codebase to catalina.policy
file causes ClassLoaderLogManager access denied exception
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51384
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |WONTFIX
--- Comment #1 from Mark Thomas <ma...@apache.org> 2011-06-20 09:54:18 UTC ---
As of Java 1.6 the combination of:
- custom LogManager
- security manager
- http codebase in security policy file
won't work.
The root cause is the following circular dependency:
- The Custom LogManager has to extend the standard LogManager
- standard LogManager starts a Cleaner that calls setContextClassloader
- that triggers a security check
- that triggers the parsing of the policy file
- that triggers a validity check of the http codebase
- that uses HttpUrlConnection
- that tries to create a Logger
- that requires LogManager to be initialised
The standard LogManager avoids this since it is viewed as System code hence all
security checks are bypassed.
I don't see a way around this without changes to java.util.logging.LogManager
and that is outside the control of the Tomcat project.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org