https://bz.apache.org/bugzilla/show_bug.cgi?id=58125

            Bug ID: 58125
           Summary: java.lang.ClassCircularityError can occur if Tomcat is
                    run with a Java Security Manager
           Product: Tomcat 8
           Version: 8.0.24
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: richard.ev...@blueallegro.net

Tomcat 8.0.24, Java 1.8u45.

Run Tomcat with a Java security manager and a policy file containing a
grant to a principal class, as in:

grant principal javax.management.remote.JMXPrincipal "jmx" {
    permission java.security.AllPermission;

};

On a thread with an implied Subject containing at least one Principal, perform
an action which requires a Java permission check.  The Java Policy file
implementation will attempt to load the principal class from the policy file. 
The Tomcat WebAppClassLoaderBase.loadClass method will check for a system class
using getResource on the system loader.  This will in turn trigger another
permission check which will then attempt to load the principal class again,
triggering the ClassCircularityError.  

Here's a stack trace extract showing the error:

Class<T>.forName(String, boolean, ClassLoader) line: 348    
PolicyFile.addPermissions(Permissions, CodeSource, Principal[], PolicyFile$PolicyEntry) line: 1357
PolicyFile.getPermissions(Permissions, CodeSource, Principal[]) line: 1228    
PolicyFile.getPermissions(Permissions, ProtectionDomain) line: 1191    
PolicyFile.getPermissions(ProtectionDomain) line: 1132    
PolicyFile.implies(ProtectionDomain, Permission) line: 1086    
ProtectionDomain.implies(Permission) line: 272    
AccessControlContext.checkPermission(Permission) line: 435    
AccessController.checkPermission(Permission) line: 884    
SecurityManager.checkPermission(Permission) line: 549    
URLClassPath.check(URL) line: 607    
URLClassPath$JarLoader.checkResource(String, boolean, JarEntry) line: 924    
URLClassPath$JarLoader.getResource(String, boolean) line: 1007    
URLClassPath.getResource(String, boolean) line: 212    
URLClassPath.getResource(String) line: 265    
ClassLoader.getBootstrapResource(String) line: 1261    
Launcher$ExtClassLoader(ClassLoader).getResource(String) line: 1090    
WebappClassLoader(WebappClassLoaderBase).loadClass(String, boolean) line: 1230  
WebappClassLoader(WebappClassLoaderBase).loadClass(String) line: 1164    
Class<T>.forName0(String, boolean, ClassLoader, Class<?>) line: not available [native method]
Class<T>.forName(String, boolean, ClassLoader) line: 348    
PolicyFile.addPermissions(Permissions, CodeSource, Principal[], PolicyFile$PolicyEntry) line: 1357
PolicyFile.getPermissions(Permissions, CodeSource, Principal[]) line: 1228    
PolicyFile.getPermissions(Permissions, ProtectionDomain) line: 1191    
PolicyFile.getPermissions(ProtectionDomain) line: 1132    
PolicyFile.implies(ProtectionDomain, Permission) line: 1086    
ProtectionDomain.implies(Permission) line: 272    
AccessControlContext.checkPermission(Permission) line: 435    
AccessController.checkPermission(Permission) line: 884    
SecurityManager.checkPermission(Permission) line: 549    
SecurityManager.checkRead(String) line: 888
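
Added example, not part of the original report: a small Python triage helper that parses stack frames in the format shown above and reports the frame that is re-entered, together with the class/resource lookups and permission checks that sit between its two occurrences. The sample input is a constructed, shortened copy of the report's frames, and the function names are hypothetical.

```python
import re

# Frame format in the report: "Owner.method(args) line: N"
FRAME = re.compile(r"^(?P<call>\S.*\))\s+line:\s+(?P<line>.+)$")

# Constructed sample: shortened copy of the report's frames, innermost first.
SAMPLE = """\
Class<T>.forName(String, boolean, ClassLoader) line: 348
PolicyFile.addPermissions(Permissions, CodeSource, Principal[], PolicyFile$PolicyEntry) line: 1357
PolicyFile.implies(ProtectionDomain, Permission) line: 1086
SecurityManager.checkPermission(Permission) line: 549
URLClassPath.check(URL) line: 607
Launcher$ExtClassLoader(ClassLoader).getResource(String) line: 1090
WebappClassLoader(WebappClassLoaderBase).loadClass(String, boolean) line: 1230
Class<T>.forName(String, boolean, ClassLoader) line: 348
PolicyFile.addPermissions(Permissions, CodeSource, Principal[], PolicyFile$PolicyEntry) line: 1357
PolicyFile.implies(ProtectionDomain, Permission) line: 1086
SecurityManager.checkPermission(Permission) line: 549
SecurityManager.checkRead(String) line: 888
"""

def parse_frames(text):
    """Return (call, line) tuples, rejoining frames the mailer wrapped."""
    frames, pending = [], ""
    for raw in text.splitlines():
        candidate = (pending + " " + raw.strip()).strip()
        match = FRAME.match(candidate)
        if match:
            frames.append((match["call"], match["line"]))
        pending = "" if match else candidate
    return frames

def find_reentry(frames):
    """Heuristic: report the first frame that recurs deeper in the stack,
    plus the lookups and permission checks between the two occurrences."""
    first_index = {}
    for idx, frame in enumerate(frames):
        if frame in first_index:
            cycle = frames[first_index[frame]:idx]
            calls = [call for call, _ in cycle]
            return {
                "reentered": frame,
                "cycle_length": len(cycle),
                "lookups": [c for c in calls if ".loadClass(" in c or ".getResource(" in c],
                "permission_checks": [c for c in calls if ".checkPermission(" in c],
            }
        first_index[frame] = idx
    return None
```

A result whose `lookups` list contains a class loader frame and whose `permission_checks` list is non-empty matches the loop described in the report: policy evaluation triggers a class load, which triggers another policy evaluation.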
