Posted to dev@tomcat.apache.org by bu...@apache.org on 2002/08/27 21:52:27 UTC

DO NOT REPLY [Bug 12101] New: - SecurityManager + removal of sample webapps = unprivileged getParameter()!

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12101>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12101

SecurityManager + removal of sample webapps = unprivileged getParameter()!

           Summary: SecurityManager + removal of sample webapps =
                    unprivileged getParameter()!
           Product: Tomcat 4
           Version: 4.0.4 Final
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Critical
          Priority: Other
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: ruvinsky@yahoo.com


When the sample webapps that come with Tomcat are removed from the "webapps/" 
directory (i.e., when they aren't auto installed on server startup), Catalina 
does not get initialized correctly -- as it "does" when the sample webapps do 
get auto installed on server startup.

This is very reproducible:

First, build a tester webapp ("tester.war") with a sample servlet that calls 
getParameter() for each request, and perhaps displays some output.

Begin with the stock Tomcat 4.0.4 distribution, remove all the files 
in "webapps/" and remove the Context declarations for the sample webapps 
in "conf/server.xml".  Next, copy "tester.war" into "webapps/" so that it is 
the only webapp.

Launch the server instance with a SecurityManager, by executing "bin/catalina 
start -security".  Note that the only webapp started automatically at server 
startup is the "tester.war" using the context path "/tester".

Now, simply send a request to the servlet in tester that calls getParameter().  
You should get a stack trace similar to the following:

StandardClassLoader: Security Violation, attempt to use Restricted Class: org.apache.catalina.util.LocalStrings
Security Violation, attempt to use Restricted Class: org.apache.catalina.util.LocalStrings_en
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:267)
        at java.security.AccessController.checkPermission(AccessController.java:394)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:540)
        at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1496)
        at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:1056)
        at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:992)
        at java.util.ResourceBundle.loadBundle(ResourceBundle.java:905)
        at java.util.ResourceBundle.findBundle(ResourceBundle.java:786)
        at java.util.ResourceBundle.getBundleImpl(ResourceBundle.java:635)
        at java.util.ResourceBundle.getBundle(ResourceBundle.java:541)
        at org.apache.catalina.util.StringManager.<init>(StringManager.java:115)
        at org.apache.catalina.util.StringManager.getManager(StringManager.java:260)
        at org.apache.catalina.util.ParameterMap.<clinit>(ParameterMap.java:174)
        at org.apache.catalina.connector.HttpRequestBase.parseParameters(HttpRequestBase.java:615)
        at org.apache.catalina.connector.HttpRequestBase.getParameter(HttpRequestBase.java:691)
        at org.apache.catalina.connector.RequestFacade.getParameter(RequestFacade.java:160)
        at com.akamai.edgejava.tests.SessionTest.doGet(SessionTest.java:35)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
        at org.apache.catalina.core.ApplicationFilterChain.access$0(ApplicationFilterChain.java:197)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:243)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:190)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2347)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:468)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java:1027)
        at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:1125)
        at java.lang.Thread.run(Thread.java:479)
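Added triage script (not part of the report or of Tomcat) that reads a trace like the one above and reconstructs why the package-access check fails: AccessController walks the stack from the check outward until the nearest doPrivileged frame, and every protection domain it meets must hold the permission, so the lazily run ParameterMap.<clinit> inside the servlet's call puts the webapp's restricted domain on the checked part of the stack while the container's own doPrivileged in ApplicationFilterChain sits outside the servlet frame and cannot shield it. The abridged trace and the TRUSTED prefix list are constructed assumptions.

```python
import re

# Constructed, abridged copy of the trace in the report; frames irrelevant to the check are dropped.
TRACE = """\
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util)
        at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1496)
        at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:1056)
        at org.apache.catalina.util.StringManager.getManager(StringManager.java:260)
        at org.apache.catalina.util.ParameterMap.<clinit>(ParameterMap.java:174)
        at org.apache.catalina.connector.HttpRequestBase.getParameter(HttpRequestBase.java:691)
        at org.apache.catalina.connector.RequestFacade.getParameter(RequestFacade.java:160)
        at com.akamai.edgejava.tests.SessionTest.doGet(SessionTest.java:35)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
"""

PERM_RE = re.compile(r"access denied \((\S+) (\S+)\)")
FRAME_RE = re.compile(r"^\s*at ([\w$.]+)\.([\w$<>]+)\(")
# Assumption: classes under these prefixes run in container/JDK domains that hold the permission;
# anything else is webapp code running under the restrictive policy grants.
TRUSTED = ("java.", "javax.", "sun.", "org.apache.catalina.")

def domain_of(cls):
    """Coarse protection-domain label: the trusted prefix, or the webapp class's package."""
    for p in TRUSTED:
        if cls.startswith(p):
            return p.rstrip(".")
    return cls.rsplit(".", 1)[0]

def triage(trace):
    """Reconstruct which domains AccessController consulted and which container frame caused it."""
    perm = PERM_RE.search(trace)
    frames = [m.groups() for m in map(FRAME_RE.match, trace.splitlines()) if m]
    checked = []  # domains between the check and the first doPrivileged frame, innermost first
    for cls, method in frames:
        if cls == "java.security.AccessController" and method == "doPrivileged":
            break  # the stack walk stops here; frames outside it are never consulted
        d = domain_of(cls)
        if d not in checked:
            checked.append(d)
    untrusted = [d for d in checked if d + "." not in TRUSTED]
    lazy_init = next((f"{c}.{m}" for c, m in frames if m == "<clinit>"), None)
    return {
        "permission": perm.group(2) if perm else None,
        "checked_domains": checked,
        "untrusted_on_stack": untrusted,  # non-empty => denied although the container itself is privileged
        "lazy_init_on_request_path": lazy_init,
    }
```

Feeding the same trace with an AccessController.doPrivileged frame inserted directly under ParameterMap.<clinit> (the shape a container-side fix would produce) yields an empty untrusted_on_stack, since the walk then stops before reaching the servlet frame.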
