Should we include a Tomcat policy file as a sample in the distro?

Gary

On Wed, Oct 15, 2014 at 2:09 AM, Ralph Goers <ralph.go...@dslextreme.com> wrote:

> Well this is downright interesting. I started Tomcat 7 using
> “./startup.sh -security” and both manager and host-manager failed to start,
> although not with access control or security exceptions. The web app with
> Log4j did fail to start but it failed differently. In this case I think we
> would need to require that the catalina policy file be updated as not being
> able to get a ClassLoader is going to break everything. I do notice that
> catalina.policy has a bunch of permissions for JULI, including
> setContextClassLoader.
>
> I think we need to document what permissions we require.
>
> Ralph
>
> SEVERE: ContainerBase.addChild: start:
> org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/eztax]]
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
>     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
>     at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>     at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
>     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:649)
>     at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1083)
>     at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1880)
>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>     at java.util.concurrent.FutureTask.run(FutureTask.java:262)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: java.lang.ExceptionInInitializerError
>     at org.apache.logging.log4j.status.StatusLogger.<clinit>(StatusLogger.java:55)
>     at org.apache.logging.log4j.web.Log4jServletContainerInitializer.<clinit>(Log4jServletContainerInitializer.java:37)
>     at java.lang.Class.forName0(Native Method)
>     at java.lang.Class.forName(Class.java:270)
>     at org.apache.catalina.startup.WebappServiceLoader.loadServices(WebappServiceLoader.java:187)
>     at org.apache.catalina.startup.WebappServiceLoader.load(WebappServiceLoader.java:152)
>     at org.apache.catalina.startup.ContextConfig.processServletContainerInitializers(ContextConfig.java:1546)
>     at org.apache.catalina.startup.ContextConfig.webConfig(ContextConfig.java:1268)
>     at org.apache.catalina.startup.ContextConfig.configureStart(ContextConfig.java:876)
>     at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:374)
>     at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
>     at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
>     at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5378)
>     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>     ... 14 more
> Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")
>     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
>     at java.security.AccessController.checkPermission(AccessController.java:559)
>     at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
>     at java.lang.ClassLoader.checkClassLoaderPermission(ClassLoader.java:1561)
>     at java.lang.ClassLoader.getSystemClassLoader(ClassLoader.java:1480)
>     at org.apache.logging.log4j.util.LoaderUtil.findUrlResources(LoaderUtil.java:192)
>     at org.apache.logging.log4j.util.LoaderUtil.findResources(LoaderUtil.java:183)
>     at org.apache.logging.log4j.util.PropertiesUtil.<init>(PropertiesUtil.java:90)
>     at org.apache.logging.log4j.util.PropertiesUtil.<clinit>(PropertiesUtil.java:36)
>     ... 28 more
>
> On Oct 14, 2014, at 10:07 PM, Ralph Goers <ralph.go...@dslextreme.com> wrote:
>
> See the javadoc for Executors.privilegedThreadFactory(). It is documented
> as checking for that permission and throwing an AccessControlException.
> Since it is called in the constructor of DefaultShutdownCallbackRegistry it
> definitely has the potential for throwing an exception, which then causes
> log4j initialization to fail. That just isn’t acceptable.
>
> Ralph
>
> On Oct 14, 2014, at 9:45 PM, Matt Sicker <boa...@gmail.com> wrote:
>
> We never use setContextClassLoader though. I'm not sure why that security
> exception appears. I don't think there's any harm in fixing that.
>
> On 14 October 2014 22:59, Ralph Goers <ralph.go...@dslextreme.com> wrote:
>
>> Well darn. Matt put an Assert.requiredNonNull on the Registry in
>> Log4jContextFactory. So even if the exception is caught it can’t be
>> ignored. Unless I can find a way around this that commit is going to have
>> to be reverted.
>>
>> Ralph
>>
>> On Oct 14, 2014, at 7:57 PM, ralph.goers @dslextreme.com <ralph.go...@dslextreme.com> wrote:
>>
>> I have an app that I was able to run successfully on a vanilla Tomcat. I
>> need to check the security settings on the server. Regardless, this should
>> not cause initialization to fail.
>>
>> Ralph
>>
>> On Tuesday, October 14, 2014, Gary Gregory <garydgreg...@gmail.com> wrote:
>>
>>> IIRC, it looks like something Matt was working on recently and he did mention
>>> working through security issues. Hopefully he will see this message and can
>>> help out.
>>>
>>> It sounds like we need at least one integration test for Tomcat...
>>>
>>> Gary
>>>
>>> On Tue, Oct 14, 2014 at 8:30 PM, Ralph Goers <ralph.go...@dslextreme.com> wrote:
>>>
>>>> I am having a bit of trouble with the latest code. Log4j won’t start
>>>> in tomcat due to a security violation. I am not going to go forward with
>>>> the release until I can determine what the problem is and fix it.
>>>>
>>>> Ralph
>>>>
>>>> ERROR StatusLogger Unable to create class org.apache.logging.log4j.core.impl.Log4jContextFactory specified in jar:file:/usr/local/jakarta-tomcat/webapps/NextivaDriveBilling/WEB-INF/lib/log4j-core-2.1-SNAPSHOT.jar!/META-INF/log4j-provider.properties
>>>> java.security.AccessControlException: access denied (java.lang.RuntimePermission setContextClassLoader)
>>>>     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
>>>>     at java.util.concurrent.Executors$PrivilegedThreadFactory.<init>(Executors.java:563)
>>>>     at java.util.concurrent.Executors.privilegedThreadFactory(Executors.java:321)
>>>>     at org.apache.logging.log4j.core.util.DefaultShutdownCallbackRegistry.<init>(DefaultShutdownCallbackRegistry.java:54)
>>>>     at org.apache.logging.log4j.core.impl.Log4jContextFactory.createShutdownCallbackRegistry(Log4jContextFactory.java:117)
>>>>     at org.apache.logging.log4j.core.impl.Log4jContextFactory.<init>(Log4jContextFactory.java:54)
>>>>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>>>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
>>>>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
>>>>     at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
>>>>     at java.lang.Class.newInstance0(Class.java:357)
>>>>     at java.lang.Class.newInstance(Class.java:310)
>>>>     at org.apache.logging.log4j.LogManager.<clinit>(LogManager.java:96)
>>>>     at org.apache.logging.log4j.core.config.Configurator.getFactory(Configurator.java:154)
>>>>     at org.apache.logging.log4j.core.config.Configurator.initialize(Configurator.java:109)
>>>>     at org.apache.logging.log4j.web.Log4jWebInitializerImpl.initializeNonJndi(Log4jWebInitializerImpl.java:157)
>>>>     at org.apache.logging.log4j.web.Log4jWebInitializerImpl.start(Log4jWebInitializerImpl.java:107)
>>>>     at org.apache.logging.log4j.web.Log4jServletContextListener.contextInitialized(Log4jServletContextListener.java:45)
>>>>     at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3795)
>>>>     at org.apache.catalina.core.StandardContext.start(StandardContext.java:4252)
>>>>     at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:760)
>>>>     at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:740)
>>>>     at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:544)
>>>>     at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:884)
>>>>     at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:737)
>>>>     at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:498)
>>>>     at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1203)
>>>>     at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:319)
>>>>     at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:120)
>>>>     at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1022)
>>>>     at org.apache.catalina.core.StandardHost.start(StandardHost.java:736)
>>>>     at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1014)
>>>>     at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
>>>>     at org.apache.catalina.core.StandardService.start(StandardService.java:448)
>>>>     at org.apache.catalina.core.StandardServer.start(StandardServer.java:700)
>>>>     at org.apache.catalina.startup.Catalina.start(Catalina.java:552)
>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>     at java.lang.reflect.Method.invoke(Method.java:597)
>>>>     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
>>>>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)
>>>>
>>>> ERROR StatusLogger Log4j2 could not find a logging implementation. Please add log4j-core to the classpath. Using SimpleLogger to log to the console...
>>>> ERROR StatusLogger LogManager returned an instance of org.apache.logging.log4j.simple.SimpleLoggerContextFactory which does not implement org.apache.logging.log4j.core.impl.Log4jContextFactory. Unable to initialize Log4j.
>>>>
>>>> On Oct 14, 2014, at 9:16 AM, Matt Sicker <boa...@gmail.com> wrote:
>>>>
>>>> Oh crap, you're right.
>>>>
>>>> On 14 October 2014 11:05, Gary Gregory <garydgreg...@gmail.com> wrote:
>>>>
>>>>> Don't you have to login to Nexus to release though?
>>>>>
>>>>> Gary
>>>>>
>>>>> On Tue, Oct 14, 2014 at 11:34 AM, Matt Sicker <boa...@gmail.com> wrote:
>>>>>
>>>>>> Question: if I start the release process with everything signed, can
>>>>>> someone else complete it when the vote is done?
>>>>>>
>>>>>> On 13 October 2014 22:26, Ralph Goers <rgo...@apache.org> wrote:
>>>>>>
>>>>>>> Matt can't do it so I will. It will be in the next couple of days.
>>>>>>>
>>>>>>> Sent from my iPad
>>>>>>>
>>>>>>> On Oct 13, 2014, at 7:22 PM, Gary Gregory <garydgreg...@gmail.com> wrote:
>>>>>>>
>>>>>>> Hi All:
>>>>>>>
>>>>>>> I'm sure we are all busy (I am!) but do we have a plan for cutting
>>>>>>> what will hopefully be the last 2.1 RC?
>>>>>>>
>>>>>>> Gary
>>>>>>>
>>>>>>> --
>>>>>>> E-Mail: garydgreg...@gmail.com | ggreg...@apache.org
>>>>>>> Java Persistence with Hibernate, Second Edition <http://www.manning.com/bauer3/>
>>>>>>> JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
>>>>>>> Spring Batch in Action <http://www.manning.com/templier/>
>>>>>>> Blog: http://garygregory.wordpress.com
>>>>>>> Home: http://garygregory.com/
>>>>>>> Tweet! http://twitter.com/GaryGregory
>>>>>>
>>>>>> --
>>>>>> Matt Sicker <boa...@gmail.com>
>>>>>
>>>>> --
>>>>> E-Mail: garydgreg...@gmail.com | ggreg...@apache.org
>>>>> Java Persistence with Hibernate, Second Edition <http://www.manning.com/bauer3/>
>>>>> JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
>>>>> Spring Batch in Action <http://www.manning.com/templier/>
>>>>> Blog: http://garygregory.wordpress.com
>>>>> Home: http://garygregory.com/
>>>>> Tweet! http://twitter.com/GaryGregory
>>>>
>>>> --
>>>> Matt Sicker <boa...@gmail.com>
>>>
>>> --
>>> E-Mail: garydgreg...@gmail.com | ggreg...@apache.org
>>> Java Persistence with Hibernate, Second Edition <http://www.manning.com/bauer3/>
>>> JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
>>> Spring Batch in Action <http://www.manning.com/templier/>
>>> Blog: http://garygregory.wordpress.com
>>> Home: http://garygregory.com/
>>> Tweet! http://twitter.com/GaryGregory
>
> --
> Matt Sicker <boa...@gmail.com>

--
E-Mail: garydgreg...@gmail.com | ggreg...@apache.org
Java Persistence with Hibernate, Second Edition <http://www.manning.com/bauer3/>
JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
Spring Batch in Action <http://www.manning.com/templier/>
Blog: http://garygregory.wordpress.com
Home: http://garygregory.com/
Tweet! http://twitter.com/GaryGregory
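The two denials quoted in this thread both come from permission checks made while a class or constructor is initializing: `getClassLoader` inside a static initializer and `setContextClassLoader` inside `Executors.privilegedThreadFactory()`. The following is an added example, not code from the thread or from Log4j, of guarding those two calls so that a missing grant degrades behaviour instead of aborting startup; the class and method names are hypothetical.

```java
import java.util.concurrent.Executors;
import java.util.concurrent.ThreadFactory;

/** Hypothetical helper (not Log4j code): permission-sensitive calls that degrade instead of throwing. */
public final class SandboxSafe {

    private SandboxSafe() {
    }

    /**
     * Executors.privilegedThreadFactory() checks RuntimePermission "getClassLoader"
     * and "setContextClassLoader" when it is called and throws AccessControlException
     * (a SecurityException) unless the policy grants both.
     */
    @SuppressWarnings({"deprecation", "removal"}) // the method is deprecated on recent JDKs
    public static ThreadFactory threadFactory() {
        try {
            return Executors.privilegedThreadFactory();
        } catch (SecurityException denied) {
            report("Executors.privilegedThreadFactory()", denied);
            // Fallback needs neither permission; threads inherit the creator's context loader.
            return Executors.defaultThreadFactory();
        }
    }

    /**
     * ClassLoader.getSystemClassLoader() needs "getClassLoader" when the caller was
     * loaded by a web application class loader. Left uncaught in a static initializer,
     * the denial surfaces as ExceptionInInitializerError and the class stays unusable.
     */
    public static ClassLoader resourceLoader() {
        try {
            return ClassLoader.getSystemClassLoader();
        } catch (SecurityException denied) {
            report("ClassLoader.getSystemClassLoader()", denied);
            // A class asking for its own loader triggers no permission check;
            // the resource search scope is narrower than the system loader's.
            return SandboxSafe.class.getClassLoader();
        }
    }

    private static void report(String call, SecurityException denied) {
        System.err.println("WARN " + call + " denied by policy: " + denied.getMessage());
    }

    public static void main(String[] args) throws InterruptedException {
        Thread worker = threadFactory().newThread(
                () -> System.out.println("resource loader: " + resourceLoader()));
        worker.start();
        worker.join();
    }
}
```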