Well this is downright interesting. I started Tomcat 7 using “./startup.sh -security” and both manager and host-manager failed to start, although not with access control or security exceptions. The web app with Log4j did fail to start but it failed differently. In this case I think we would need to require that the catalina policy file be updated as not being able to get a ClassLoader is going to break everything. I do notice that catalina.policy has a bunch of permissions for JULI, including setContextClassLoader.
I think we need to document what permissions we require.

Ralph

SEVERE: ContainerBase.addChild: start:
org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/eztax]]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:649)
    at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1083)
    at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1880)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    at java.util.concurrent.FutureTask.run(FutureTask.java:262)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.ExceptionInInitializerError
    at org.apache.logging.log4j.status.StatusLogger.<clinit>(StatusLogger.java:55)
    at org.apache.logging.log4j.web.Log4jServletContainerInitializer.<clinit>(Log4jServletContainerInitializer.java:37)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:270)
    at org.apache.catalina.startup.WebappServiceLoader.loadServices(WebappServiceLoader.java:187)
    at org.apache.catalina.startup.WebappServiceLoader.load(WebappServiceLoader.java:152)
    at org.apache.catalina.startup.ContextConfig.processServletContainerInitializers(ContextConfig.java:1546)
    at org.apache.catalina.startup.ContextConfig.webConfig(ContextConfig.java:1268)
    at org.apache.catalina.startup.ContextConfig.configureStart(ContextConfig.java:876)
    at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:374)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5378)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    ... 14 more
Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
    at java.security.AccessController.checkPermission(AccessController.java:559)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.ClassLoader.checkClassLoaderPermission(ClassLoader.java:1561)
    at java.lang.ClassLoader.getSystemClassLoader(ClassLoader.java:1480)
    at org.apache.logging.log4j.util.LoaderUtil.findUrlResources(LoaderUtil.java:192)
    at org.apache.logging.log4j.util.LoaderUtil.findResources(LoaderUtil.java:183)
    at org.apache.logging.log4j.util.PropertiesUtil.<init>(PropertiesUtil.java:90)
    at org.apache.logging.log4j.util.PropertiesUtil.<clinit>(PropertiesUtil.java:36)
    ... 28 more

On Oct 14, 2014, at 10:07 PM, Ralph Goers <ralph.go...@dslextreme.com> wrote:

> See the javadoc for Executors.privilegedThreadFactory(). It is documented as
> checking for that permission and throwing an AccessControlException. Since it
> is called in the constructor of DefaultShutdownCallbackRegistry it definitely
> has the potential for throwing an exception, which then causes log4j
> initialization to fail. That just isn’t acceptable.
>
> Ralph
>
>
> On Oct 14, 2014, at 9:45 PM, Matt Sicker <boa...@gmail.com> wrote:
>
>> We never use setContextClassLoader though. I'm not sure why that security
>> exception appears. I don't think there's any harm in fixing that.
>>
>> On 14 October 2014 22:59, Ralph Goers <ralph.go...@dslextreme.com> wrote:
>> Well darn. Matt put an Assert.requiredNonNull on the Registry in
>> Log4jContextFactory. So even if the exception is caught it can’t be ignored.
>> Unless I can find a way around this that commit is going to have to be
>> reverted.
>>
>> Ralph
>>
>> On Oct 14, 2014, at 7:57 PM, ralph.goers @dslextreme.com
>> <ralph.go...@dslextreme.com> wrote:
>>
>>> I have an app that I was able to run successfully on a vanilla Tomcat. I
>>> need to check the security settings on the server. Regardless, this should
>>> not cause initialization to fail.
>>>
>>> Ralph
>>>
>>> On Tuesday, October 14, 2014, Gary Gregory <garydgreg...@gmail.com> wrote:
>>> IIRC, it looks like something Matt was working on recently and he did mention
>>> working through security issues. Hopefully he will see this message and can
>>> help out.
>>>
>>> It sounds like we need at least one integration test for Tomcat...
>>>
>>> Gary
>>>
>>> On Tue, Oct 14, 2014 at 8:30 PM, Ralph Goers <ralph.go...@dslextreme.com>
>>> wrote:
>>> I am having a bit of trouble with the latest code. Log4j won’t start in
>>> tomcat due to a security violation. I am not going to go forward with the
>>> release until I can determine what the problem is and fix it.
>>>
>>> Ralph
>>>
>>> ERROR StatusLogger Unable to create class
>>> org.apache.logging.log4j.core.impl.Log4jContextFactory specified in
>>> jar:file:/usr/local/jakarta-tomcat/webapps/NextivaDriveBilling/WEB-INF/lib/log4j-core-2.1-SNAPSHOT.jar!/META-INF/log4j-provider.properties
>>> java.security.AccessControlException: access denied
>>> (java.lang.RuntimePermission setContextClassLoader)
>>>     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
>>>     at java.util.concurrent.Executors$PrivilegedThreadFactory.<init>(Executors.java:563)
>>>     at java.util.concurrent.Executors.privilegedThreadFactory(Executors.java:321)
>>>     at org.apache.logging.log4j.core.util.DefaultShutdownCallbackRegistry.<init>(DefaultShutdownCallbackRegistry.java:54)
>>>     at org.apache.logging.log4j.core.impl.Log4jContextFactory.createShutdownCallbackRegistry(Log4jContextFactory.java:117)
>>>     at org.apache.logging.log4j.core.impl.Log4jContextFactory.<init>(Log4jContextFactory.java:54)
>>>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
>>>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
>>>     at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
>>>     at java.lang.Class.newInstance0(Class.java:357)
>>>     at java.lang.Class.newInstance(Class.java:310)
>>>     at org.apache.logging.log4j.LogManager.<clinit>(LogManager.java:96)
>>>     at org.apache.logging.log4j.core.config.Configurator.getFactory(Configurator.java:154)
>>>     at org.apache.logging.log4j.core.config.Configurator.initialize(Configurator.java:109)
>>>     at org.apache.logging.log4j.web.Log4jWebInitializerImpl.initializeNonJndi(Log4jWebInitializerImpl.java:157)
>>>     at org.apache.logging.log4j.web.Log4jWebInitializerImpl.start(Log4jWebInitializerImpl.java:107)
>>>     at org.apache.logging.log4j.web.Log4jServletContextListener.contextInitialized(Log4jServletContextListener.java:45)
>>>     at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3795)
>>>     at org.apache.catalina.core.StandardContext.start(StandardContext.java:4252)
>>>     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:760)
>>>     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:740)
>>>     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:544)
>>>     at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:884)
>>>     at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:737)
>>>     at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:498)
>>>     at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1203)
>>>     at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:319)
>>>     at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:120)
>>>     at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1022)
>>>     at org.apache.catalina.core.StandardHost.start(StandardHost.java:736)
>>>     at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1014)
>>>     at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
>>>     at org.apache.catalina.core.StandardService.start(StandardService.java:448)
>>>     at org.apache.catalina.core.StandardServer.start(StandardServer.java:700)
>>>     at org.apache.catalina.startup.Catalina.start(Catalina.java:552)
>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>     at java.lang.reflect.Method.invoke(Method.java:597)
>>>     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
>>>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)
>>>
>>> ERROR StatusLogger Log4j2 could not find a logging implementation. Please
>>> add log4j-core to the classpath. Using SimpleLogger to log to the console...
>>> ERROR StatusLogger LogManager returned an instance of
>>> org.apache.logging.log4j.simple.SimpleLoggerContextFactory which does not
>>> implement org.apache.logging.log4j.core.impl.Log4jContextFactory. Unable to
>>> initialize Log4j.
>>>
>>>
>>>
>>> On Oct 14, 2014, at 9:16 AM, Matt Sicker <boa...@gmail.com> wrote:
>>>
>>>> Oh crap, you're right.
>>>>
>>>> On 14 October 2014 11:05, Gary Gregory <garydgreg...@gmail.com> wrote:
>>>> Don't you have to login to Nexus to release though?
>>>>
>>>> Gary
>>>>
>>>> On Tue, Oct 14, 2014 at 11:34 AM, Matt Sicker <boa...@gmail.com> wrote:
>>>> Question: if I start the release process with everything signed, can
>>>> someone else complete it when the vote is done?
>>>>
>>>> On 13 October 2014 22:26, Ralph Goers <rgo...@apache.org> wrote:
>>>> Matt can't do it so I will. It will be in the next couple of days.
>>>>
>>>> Sent from my iPad
>>>>
>>>> On Oct 13, 2014, at 7:22 PM, Gary Gregory <garydgreg...@gmail.com> wrote:
>>>>
>>>>> Hi All:
>>>>>
>>>>> I'm sure we are all busy (I am!) but do we have a plan for cutting what
>>>>> will hopefully be the last 2.1 RC?
>>>>>
>>>>> Gary
>>>>>
>>>>> --
>>>>> E-Mail: garydgreg...@gmail.com | ggreg...@apache.org
>>>>> Java Persistence with Hibernate, Second Edition
>>>>> JUnit in Action, Second Edition
>>>>> Spring Batch in Action
>>>>> Blog: http://garygregory.wordpress.com
>>>>> Home: http://garygregory.com/
>>>>> Tweet! http://twitter.com/GaryGregory
>>>>
>>>>
>>>>
>>>> --
>>>> Matt Sicker <boa...@gmail.com>
>>>>
>>>>
>>>>
>>>> --
>>>> E-Mail: garydgreg...@gmail.com | ggreg...@apache.org
>>>> Java Persistence with Hibernate, Second Edition
>>>> JUnit in Action, Second Edition
>>>> Spring Batch in Action
>>>> Blog: http://garygregory.wordpress.com
>>>> Home: http://garygregory.com/
>>>> Tweet! http://twitter.com/GaryGregory
>>>>
>>>>
>>>>
>>>> --
>>>> Matt Sicker <boa...@gmail.com>
>>>
>>>
>>>
>>>
>>> --
>>> E-Mail: garydgreg...@gmail.com | ggreg...@apache.org
>>> Java Persistence with Hibernate, Second Edition
>>> JUnit in Action, Second Edition
>>> Spring Batch in Action
>>> Blog: http://garygregory.wordpress.com
>>> Home: http://garygregory.com/
>>> Tweet! http://twitter.com/GaryGregory
>>
>>
>>
>>
>> --
>> Matt Sicker <boa...@gmail.com>
>
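
Added example, not part of the original thread and not Log4j's code: the failure mode discussed above, where Executors.privilegedThreadFactory() throws under a Security Manager that lacks the setContextClassLoader grant, next to a guarded call that degrades to the default factory instead of aborting. The helper newThreadFactory and the in-process SecurityManager (a constructed stand-in for a restrictive catalina.policy) are hypothetical; the demo assumes Java 8 to 17, where System.setSecurityManager is still permitted.

```java
import java.security.AccessControlException;
import java.security.Permission;
import java.util.concurrent.Executors;
import java.util.concurrent.ThreadFactory;

public class ThreadFactoryFallbackDemo {

    // Hypothetical helper (not Log4j code): prefer the privileged factory,
    // but degrade to the default one instead of aborting initialization.
    static ThreadFactory newThreadFactory() {
        try {
            // With a SecurityManager installed this checks RuntimePermission
            // "getClassLoader" and "setContextClassLoader" in the constructor.
            return Executors.privilegedThreadFactory();
        } catch (SecurityException e) { // AccessControlException is a subclass
            System.err.println("privilegedThreadFactory denied: " + e.getMessage());
            return Executors.defaultThreadFactory();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed stand-in for a policy file that lacks the
        // setContextClassLoader grant; every other permission is allowed.
        System.setSecurityManager(new SecurityManager() {
            @Override
            public void checkPermission(Permission perm) {
                if (perm instanceof RuntimePermission
                        && "setContextClassLoader".equals(perm.getName())) {
                    throw new AccessControlException("access denied (setContextClassLoader)", perm);
                }
            }
        });

        try {
            Executors.privilegedThreadFactory(); // unguarded call, as in the quoted trace
            System.out.println("unguarded: allowed");
        } catch (AccessControlException e) {
            System.out.println("unguarded: " + e.getMessage());
        }

        // The guarded helper still returns a usable factory.
        Thread t = newThreadFactory().newThread(
                () -> System.out.println("callback thread ran with fallback factory"));
        t.start();
        t.join();
    }
}
```

Threads from the fallback factory do not capture the creator's access control context or context class loader, so this trades the privileged behaviour for availability.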