I think we should. I don’t think that is a blocker for a release though.
I have taken Matt’s suggestion and changed to use defaultThreadPool(). It seems
to work fine in my limited testing. It allowed the Tomcat that was failing to
start up to now start logging correctly. My Tomcat webapp in my test VM also
started and shutdown correctly - although it just uses the default Tomcat
configuration which, I believe, has no security manager.
Hopefully I can get the release started tonight after work. That depends on
how the day goes though.
Ralph
On Oct 15, 2014, at 7:49 AM, Gary Gregory <garydgreg...@gmail.com> wrote:
> Should we include a Tomcat policy file as a sample in the distro?
>
> Gary
>
> On Wed, Oct 15, 2014 at 2:09 AM, Ralph Goers <ralph.go...@dslextreme.com>
> wrote:
> Well this is downright interesting. I started Tomcat 7 using “./startup.sh
> -security” and both manager and host-manager failed to start, although not
> with access control or security exceptions. The web app with Log4j did fail
> to start but it failed differently. In this case I think we would need to
> require that the catalina policy file be updated as not being able to get a
> ClassLoader is going to break everything. I do notice that catalina.policy
> has a bunch of permissions for JULI, including setContextClassLoader.
>
> I think we need to document what permissions we require.
>
> Ralph
>
> SEVERE: ContainerBase.addChild: start:
> org.apache.catalina.LifecycleException: Failed to start component
> [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/eztax]]
> at
> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
> at
> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
> at
> org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
> at
> org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
> at
> org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
> at java.security.AccessController.doPrivileged(Native Method)
> at
> org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
> at
> org.apache.catalina.core.StandardHost.addChild(StandardHost.java:649)
> at
> org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1083)
> at
> org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1880)
> at
> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
> at java.util.concurrent.FutureTask.run(FutureTask.java:262)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: java.lang.ExceptionInInitializerError
> at
> org.apache.logging.log4j.status.StatusLogger.<clinit>(StatusLogger.java:55)
> at
> org.apache.logging.log4j.web.Log4jServletContainerInitializer.<clinit>(Log4jServletContainerInitializer.java:37)
> at java.lang.Class.forName0(Native Method)
> at java.lang.Class.forName(Class.java:270)
> at
> org.apache.catalina.startup.WebappServiceLoader.loadServices(WebappServiceLoader.java:187)
> at
> org.apache.catalina.startup.WebappServiceLoader.load(WebappServiceLoader.java:152)
> at
> org.apache.catalina.startup.ContextConfig.processServletContainerInitializers(ContextConfig.java:1546)
> at
> org.apache.catalina.startup.ContextConfig.webConfig(ContextConfig.java:1268)
> at
> org.apache.catalina.startup.ContextConfig.configureStart(ContextConfig.java:876)
> at
> org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:374)
> at
> org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
> at
> org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
> at
> org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5378)
> at
> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> ... 14 more
> Caused by: java.security.AccessControlException: access denied
> ("java.lang.RuntimePermission" "getClassLoader")
> at
> java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
> at
> java.security.AccessController.checkPermission(AccessController.java:559)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
> at
> java.lang.ClassLoader.checkClassLoaderPermission(ClassLoader.java:1561)
> at java.lang.ClassLoader.getSystemClassLoader(ClassLoader.java:1480)
> at
> org.apache.logging.log4j.util.LoaderUtil.findUrlResources(LoaderUtil.java:192)
> at
> org.apache.logging.log4j.util.LoaderUtil.findResources(LoaderUtil.java:183)
> at
> org.apache.logging.log4j.util.PropertiesUtil.<init>(PropertiesUtil.java:90)
> at
> org.apache.logging.log4j.util.PropertiesUtil.<clinit>(PropertiesUtil.java:36)
> ... 28 more
>
>
>
>
>
> On Oct 14, 2014, at 10:07 PM, Ralph Goers <ralph.go...@dslextreme.com> wrote:
>
>> See the javadoc for Executors.privilegedThreadFactory(). It is documented as
>> checking for that permission and throwing an AccessControlException. Since
>> it is called in the constructor of DefaultShutdownCallbackRegistry it
>> definitely has the potential for throwing an exception, which then causes
>> log4j initialization to fail. That just isn’t acceptable.
>>
>> Ralph
>>
>>
>> On Oct 14, 2014, at 9:45 PM, Matt Sicker <boa...@gmail.com> wrote:
>>
>>> We never use setContextClassLoader though. I'm not sure why that security
>>> exception appears. I don't think there's any harm in fixing that.
>>>
>>> On 14 October 2014 22:59, Ralph Goers <ralph.go...@dslextreme.com> wrote:
>>> Well darn. Matt put an Assert.requiredNonNull on the Registry in
>>> Log4jContextFactory. So even if the exception is caught it can’t be
>>> ignored. Unless I can find a way around this that commit is going to have
>>> to be reverted.
>>>
>>> Ralph
>>>
>>> On Oct 14, 2014, at 7:57 PM, ralph.goers @dslextreme.com
>>> <ralph.go...@dslextreme.com> wrote:
>>>
>>>> I have an app that I was able to run successfully on a vanilla Tomcat. I
>>>> need to check the security settings on te server. Regardless, this should
>>>> not cause initialization to fail.
>>>>
>>>> Ralph
>>>>
>>>> On Tuesday, October 14, 2014, Gary Gregory <garydgreg...@gmail.com> wrote:
>>>> IIRC, it looks something Matt was working on recently and he did mention
>>>> working through security issues. Hopefully he will see this message and
>>>> can help out.
>>>>
>>>> It sounds like we need at last one integration tests for Tomcat...
>>>>
>>>> Gary
>>>>
>>>> On Tue, Oct 14, 2014 at 8:30 PM, Ralph Goers <ralph.go...@dslextreme.com>
>>>> wrote:
>>>> I am having a bit of trouble with the latest code. Log4j won’t start in
>>>> tomcat due to a security violation. I am not going to go forward with the
>>>> release until I can determine what the problem is and fix it.
>>>>
>>>> Ralph
>>>>
>>>> ERROR StatusLogger Unable to create class
>>>> org.apache.logging.log4j.core.impl.Log4jContextFactory specified in
>>>> jar:file:/usr/local/jakarta-tomcat/webapps/NextivaDriveBilling/WEB-INF/lib/log4j-core-2.1-SNAPSHOT.jar!/META-INF/log4j-provider.properties
>>>> java.security.AccessControlException: access denied
>>>> (java.lang.RuntimePermission setContextClassLoader)
>>>> at
>>>> java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
>>>> at
>>>> java.util.concurrent.Executors$PrivilegedThreadFactory.<init>(Executors.java:563)
>>>> at
>>>> java.util.concurrent.Executors.privilegedThreadFactory(Executors.java:321)
>>>> at
>>>> org.apache.logging.log4j.core.util.DefaultShutdownCallbackRegistry.<init>(DefaultShutdownCallbackRegistry.java:54)
>>>> at
>>>> org.apache.logging.log4j.core.impl.Log4jContextFactory.createShutdownCallbackRegistry(Log4jContextFactory.java:117)
>>>> at
>>>> org.apache.logging.log4j.core.impl.Log4jContextFactory.<init>(Log4jContextFactory.java:54)
>>>> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
>>>> Method)
>>>> at
>>>> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
>>>> at
>>>> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
>>>> at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
>>>> at java.lang.Class.newInstance0(Class.java:357)
>>>> at java.lang.Class.newInstance(Class.java:310)
>>>> at org.apache.logging.log4j.LogManager.<clinit>(LogManager.java:96)
>>>> at
>>>> org.apache.logging.log4j.core.config.Configurator.getFactory(Configurator.java:154)
>>>> at
>>>> org.apache.logging.log4j.core.config.Configurator.initialize(Configurator.java:109)
>>>> at
>>>> org.apache.logging.log4j.web.Log4jWebInitializerImpl.initializeNonJndi(Log4jWebInitializerImpl.java:157)
>>>> at
>>>> org.apache.logging.log4j.web.Log4jWebInitializerImpl.start(Log4jWebInitializerImpl.java:107)
>>>> at
>>>> org.apache.logging.log4j.web.Log4jServletContextListener.contextInitialized(Log4jServletContextListener.java:45)
>>>> at
>>>> org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3795)
>>>> at
>>>> org.apache.catalina.core.StandardContext.start(StandardContext.java:4252)
>>>> at
>>>> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:760)
>>>> at
>>>> org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:740)
>>>> at
>>>> org.apache.catalina.core.StandardHost.addChild(StandardHost.java:544)
>>>> at
>>>> org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:884)
>>>> at
>>>> org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:737)
>>>> at
>>>> org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:498)
>>>> at
>>>> org.apache.catalina.startup.HostConfig.start(HostConfig.java:1203)
>>>> at
>>>> org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:319)
>>>> at
>>>> org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:120)
>>>> at
>>>> org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1022)
>>>> at
>>>> org.apache.catalina.core.StandardHost.start(StandardHost.java:736)
>>>> at
>>>> org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1014)
>>>> at
>>>> org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
>>>> at
>>>> org.apache.catalina.core.StandardService.start(StandardService.java:448)
>>>> at
>>>> org.apache.catalina.core.StandardServer.start(StandardServer.java:700)
>>>> at org.apache.catalina.startup.Catalina.start(Catalina.java:552)
>>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>> at
>>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>> at
>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>> at java.lang.reflect.Method.invoke(Method.java:597)
>>>> at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
>>>> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)
>>>>
>>>> ERROR StatusLogger Log4j2 could not find a logging implementation. Please
>>>> add log4j-core to the classpath. Using SimpleLogger to log to the
>>>> console...
>>>> ERROR StatusLogger LogManager returned an instance of
>>>> org.apache.logging.log4j.simple.SimpleLoggerContextFactory which does not
>>>> implement org.apache.logging.log4j.core.impl.Log4jContextFactory. Unable
>>>> to initialize Log4j.
>>>>
>>>>
>>>>
>>>> On Oct 14, 2014, at 9:16 AM, Matt Sicker <boa...@gmail.com> wrote:
>>>>
>>>>> Oh crap, you're right.
>>>>>
>>>>> On 14 October 2014 11:05, Gary Gregory <garydgreg...@gmail.com> wrote:
>>>>> Don't you have to login to Nexus to release though?
>>>>>
>>>>> Gary
>>>>>
>>>>> On Tue, Oct 14, 2014 at 11:34 AM, Matt Sicker <boa...@gmail.com> wrote:
>>>>> Question: if I start the release process with everything signed, can
>>>>> someone else complete it when the vote is done?
>>>>>
>>>>> On 13 October 2014 22:26, Ralph Goers <rgo...@apache.org> wrote:
>>>>> Matt can't do it so I will. It will be in the next couple of days.
>>>>>
>>>>> Sent from my iPad
>>>>>
>>>>> On Oct 13, 2014, at 7:22 PM, Gary Gregory <garydgreg...@gmail.com> wrote:
>>>>>
>>>>>> Hi All:
>>>>>>
>>>>>> I'm sure we are all busy (I am!) but do we have a plan for cutting what
>>>>>> will hopefully be the last 2.1 RC?
>>>>>>
>>>>>> Gary
>>>>>>
>>>>>> --
>>>>>> E-Mail: garydgreg...@gmail.com | ggreg...@apache.org
>>>>>> Java Persistence with Hibernate, Second Edition
>>>>>> JUnit in Action, Second Edition
>>>>>> Spring Batch in Action
>>>>>> Blog: http://garygregory.wordpress.com
>>>>>> Home: http://garygregory.com/
>>>>>> Tweet! http://twitter.com/GaryGregory
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Matt Sicker <boa...@gmail.com>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> E-Mail: garydgreg...@gmail.com | ggreg...@apache.org
>>>>> Java Persistence with Hibernate, Second Edition
>>>>> JUnit in Action, Second Edition
>>>>> Spring Batch in Action
>>>>> Blog: http://garygregory.wordpress.com
>>>>> Home: http://garygregory.com/
>>>>> Tweet! http://twitter.com/GaryGregory
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Matt Sicker <boa...@gmail.com>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> E-Mail: garydgreg...@gmail.com | ggreg...@apache.org
>>>> Java Persistence with Hibernate, Second Edition
>>>> JUnit in Action, Second Edition
>>>> Spring Batch in Action
>>>> Blog: http://garygregory.wordpress.com
>>>> Home: http://garygregory.com/
>>>> Tweet! http://twitter.com/GaryGregory
>>>
>>>
>>>
>>>
>>> --
>>> Matt Sicker <boa...@gmail.com>
>>
>
>
>
>
> --
> E-Mail: garydgreg...@gmail.com | ggreg...@apache.org
> Java Persistence with Hibernate, Second Edition
> JUnit in Action, Second Edition
> Spring Batch in Action
> Blog: http://garygregory.wordpress.com
> Home: http://garygregory.com/
> Tweet! http://twitter.com/GaryGregory
