https://bz.apache.org/bugzilla/show_bug.cgi?id=61424
Bug ID: 61424 Summary: Obtaining a StackOverflowError when running Tomcat 8.5 or 9 with SecurityManager, a javax.management.remote.JMXPrincipal entry is present in catalina.policy file and Subject.doAs method is called. Product: Tomcat 8 Version: 8.5.20 Hardware: PC Status: NEW Severity: normal Priority: P2 Component: Catalina Assignee: dev@tomcat.apache.org Reporter: robert.gher...@museglobal.ro Target Milestone: ---- Created attachment 35231 --> https://bz.apache.org/bugzilla/attachment.cgi?id=35231&action=edit Project used to reproduce the StackOverflowError When run Tomcat 8.5.20 with SecurityManager and catalina.policy contains an javax.management.remote.JMXPrincipal entry and Subject.doAs method is called, then a StackOverflowError is thrown. Same error is reproducible in Tomcat 9.0.0.M26, but is not present in Tomcat 8.0.45. The test was made using JDK 1.8.0_144. In order to reproduce this error, we build a short example(see JMXSubject.war in attachment) containing a simple servlet with the following source code: package servlet; import java.io.IOException; import java.lang.reflect.InvocationTargetException; import java.security.Principal; import java.security.PrivilegedExceptionAction; import java.util.Collections; import java.util.HashSet; import java.util.Set; import javax.security.auth.Subject; import javax.servlet.ServletException; import javax.servlet.annotation.WebServlet; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @WebServlet("/") public class MyServlet extends HttpServlet { private static final long serialVersionUID = -1647039991464261998L; @Override protected void doGet(HttpServletRequest reqest, HttpServletResponse response) throws ServletException, IOException { Object doAsResult = null; Set<Principal> principals = new HashSet<>(); principals.add(new Principal() { @Override public String getName() { return "myName"; } }); Subject subject = new Subject(false, principals, Collections.EMPTY_SET, Collections.EMPTY_SET); try { doAsResult = Subject.doAs(subject, new PrivilegedExceptionAction<Object>() { public Object run() throws IllegalAccessException, InvocationTargetException { return System.currentTimeMillis(); } }); } catch (Exception e) { e.printStackTrace(); } response.getWriter().println("CurrentTimeMillis: " + doAsResult); } } Step to reproduce: 1) Deploy the provided JMXSubject.war web project (which also includes in the archive the source code) in ${catalina.home}/webapps folder. 2) Add in ${catalina.home}/conf/catalina.policy file the following lines: grant codeBase "file:/-" { permission java.security.AllPermission; }; grant principal javax.management.remote.JMXPrincipal "jmx" { permission java.security.AllPermission; }; 3) Start server with SecurityManager: catalina.bat run -security 4) Access the following page: http://localhost:8080/JMXSubject Now the following exception is thrown in tomcat 8.5.20: javax.servlet.ServletException org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:337) org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170) java.security.AccessController.doPrivileged(Native Method) org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) java.lang.reflect.Method.invoke(Method.java:498) org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) java.security.AccessController.doPrivileged(Native Method) javax.security.auth.Subject.doAsPrivileged(Subject.java:549) org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253) Root Cause java.lang.StackOverflowError java.security.AccessController.doPrivileged(Native Method) java.io.FilePermission.init(FilePermission.java:203) java.io.FilePermission.<init>(FilePermission.java:277) java.lang.SecurityManager.checkRead(SecurityManager.java:888) java.io.File.isDirectory(File.java:844) sun.net.www.ParseUtil.fileToEncodedURL(ParseUtil.java:269) sun.security.provider.PolicyFile.canonicalizeCodebase(PolicyFile.java:1735) sun.security.provider.PolicyFile.access$700(PolicyFile.java:258) sun.security.provider.PolicyFile$5.run(PolicyFile.java:1188) sun.security.provider.PolicyFile$5.run(PolicyFile.java:1186) java.security.AccessController.doPrivileged(Native Method) sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1185) sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1132) sun.security.provider.PolicyFile.implies(PolicyFile.java:1086) java.security.ProtectionDomain.implies(ProtectionDomain.java:285) java.security.AccessControlContext.checkPermission(AccessControlContext.java:450) java.security.AccessController.checkPermission(AccessController.java:884) java.lang.SecurityManager.checkPermission(SecurityManager.java:549) sun.misc.URLClassPath.check(URLClassPath.java:642) sun.misc.URLClassPath$JarLoader.checkResource(URLClassPath.java:961) sun.misc.URLClassPath$JarLoader.getResource(URLClassPath.java:1044) sun.misc.URLClassPath.getResource(URLClassPath.java:239) sun.misc.URLClassPath.getResource(URLClassPath.java:292) java.lang.ClassLoader.getBootstrapResource(ClassLoader.java:1264) java.lang.ClassLoader.getResource(ClassLoader.java:1093) org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1194) org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1119) java.lang.Class.forName0(Native Method) java.lang.Class.forName(Class.java:348) sun.security.provider.PolicyFile.addPermissions(PolicyFile.java:1357) sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1228) sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1191) sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1132) sun.security.provider.PolicyFile.implies(PolicyFile.java:1086) java.security.ProtectionDomain.implies(ProtectionDomain.java:285) java.security.AccessControlContext.checkPermission(AccessControlContext.java:450) java.security.AccessController.checkPermission(AccessController.java:884) java.lang.SecurityManager.checkPermission(SecurityManager.java:549) sun.misc.URLClassPath.check(URLClassPath.java:642) sun.misc.URLClassPath$JarLoader.checkResource(URLClassPath.java:961) sun.misc.URLClassPath$JarLoader.getResource(URLClassPath.java:1044) sun.misc.URLClassPath.getResource(URLClassPath.java:239) sun.misc.URLClassPath.getResource(URLClassPath.java:292) java.lang.ClassLoader.getBootstrapResource(ClassLoader.java:1264) java.lang.ClassLoader.getResource(ClassLoader.java:1093) org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1194) org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1119) java.lang.Class.forName0(Native Method) java.lang.Class.forName(Class.java:348) -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org