https://bz.apache.org/bugzilla/show_bug.cgi?id=61150
Bug ID: 61150
Summary: One of the session attributes on the [host-]manager application is disallowed by the Security Manager
Product: Tomcat 8
Version: 8.0.x-trunk
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ----
To reproduce:
1) Configure tomcat user for testing (conf/tomcat-users.xml):
<user username="tomcat" password="tomcat" roles="admin-gui,manager-gui"/>
2) Start Tomcat
bin/catalina.sh start
3) Create a session
$ curl -is http://tomcat:tomcat@localhost:8080/manager/html | egrep '(HTTP|JSESSIONID)'
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=DAF81E606AED325CB2E5C2773DB866CE; Path=/manager; HttpOnly
4) Stop Tomcat so that the sessions are serialized
bin/catalina.sh stop
5) Start Tomcat with Security Manager to deserialize the sessions
bin/catalina.sh start -security
6) Check log for exception after startup:
02-Jun-2017 14:16:46.114 SEVERE [localhost-startStop-1] org.apache.catalina.session.StandardManager.startInternal Exception loading sessions from persistent storage
java.io.InvalidClassException: The class [org.apache.catalina.filters.CsrfPreventionFilter$LruCache] did not match the regular expression [java\.lang\.(?:Boolean|Integer|Long|Number|String)] for classes allowed to be deserialized
at org.apache.catalina.util.CustomObjectInputStream.resolveClass(CustomObjectInputStream.java:146)
at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1612)
at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1517)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1771)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1350)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:370)
at org.apache.catalina.session.StandardSession.doReadObject(StandardSession.java:1624)
at org.apache.catalina.session.StandardSession.readObjectData(StandardSession.java:1090)
at org.apache.catalina.session.StandardManager.doLoad(StandardManager.java:218)
at org.apache.catalina.session.StandardManager$PrivilegedDoLoad.run(StandardManager.java:74)
at org.apache.catalina.session.StandardManager$PrivilegedDoLoad.run(StandardManager.java:65)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.session.StandardManager.load(StandardManager.java:149)
at org.apache.catalina.session.StandardManager.startInternal(StandardManager.java:356)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5331)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:753)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:727)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:587)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1798)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
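As an added example (not part of the report, nor Tomcat's own code): a small Python triage script that scans catalina log text for the SEVERE session-load failure shown in step 6, extracts the rejected class and the allow-list regex from the InvalidClassException message, and confirms with a whole-name match that the class falls outside the allow-list, which is why the persisted session could not be restored under the Security Manager. The log excerpt is constructed from the report above (wrapped lines rejoined, one unrelated INFO line added); all function and pattern names are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed log excerpt modelled on the report above (wrapped lines rejoined);
# the trailing INFO line is there so the parser has to skip unrelated output.
SAMPLE_LOG = """\
02-Jun-2017 14:16:46.114 SEVERE [localhost-startStop-1] org.apache.catalina.session.StandardManager.startInternal Exception loading sessions from persistent storage
java.io.InvalidClassException: The class [org.apache.catalina.filters.CsrfPreventionFilter$LruCache] did not match the regular expression [java\\.lang\\.(?:Boolean|Integer|Long|Number|String)] for classes allowed to be deserialized
\tat org.apache.catalina.util.CustomObjectInputStream.resolveClass(CustomObjectInputStream.java:146)
\tat java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1612)
02-Jun-2017 14:16:47.000 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 1234 ms
"""

# The SEVERE line StandardManager logs when session loading fails ...
SEVERE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) SEVERE .*Exception loading sessions from persistent storage$"
)
# ... and the InvalidClassException message that names both the rejected
# class and the allow-list regex it was checked against.
REJECTED_RE = re.compile(
    r"InvalidClassException: The class \[(?P<cls>[^\]]+)\] did not match "
    r"the regular expression \[(?P<pattern>.+)\] for classes allowed to be deserialized"
)


@dataclass
class RejectedClass:
    timestamp: str
    class_name: str
    allow_pattern: str

    def allowed(self) -> bool:
        # The filter accepts a class only when its whole name matches the
        # pattern (Matcher.matches() semantics), hence fullmatch, not search.
        return re.fullmatch(self.allow_pattern, self.class_name) is not None


def find_rejected_session_classes(log: str) -> List[RejectedClass]:
    findings: List[RejectedClass] = []
    lines = log.splitlines()
    for i, line in enumerate(lines):
        m = SEVERE_RE.match(line)
        if not m:
            continue
        # The exception message normally follows directly; allow one interleaved line.
        for follow in lines[i + 1:i + 3]:
            r = REJECTED_RE.search(follow)
            if r:
                findings.append(RejectedClass(m["ts"], r["cls"], r["pattern"]))
                break
    return findings
```

Run over a real catalina.out the same way; a non-empty result means persisted sessions were dropped at startup because some attribute value class is outside the deserialization allow-list.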