[Bug 56545] Examples app security exceptions
https://issues.apache.org/bugzilla/show_bug.cgi?id=56545

Konstantin Kolinko knst.koli...@gmail.com changed:

What       |Removed  |Added
Status     |REOPENED |RESOLVED
Resolution |---      |FIXED

--- Comment #8 from Konstantin Kolinko knst.koli...@gmail.com ---
Fixed in Tomcat 7 by r1597592 and will be in 7.0.55.
I did not backport r1596201.

--
You are receiving this mail because:
You are the assignee for the bug.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 56545] Examples app security exceptions
https://issues.apache.org/bugzilla/show_bug.cgi?id=56545

Konstantin Kolinko knst.koli...@gmail.com changed:

What       |Removed  |Added
Status     |RESOLVED |REOPENED
Resolution |FIXED    |---

--- Comment #7 from Konstantin Kolinko knst.koli...@gmail.com ---
The issue from Comment 0 is reproducible with 7.0.54 release candidate, using JDK 7u55 and the same reproduction recipe.
The issue from Comment 2 does not happen.

The workaround is as documented above,

The workaround for the issue in Comment 0 is to add the following class to the value of classesToInitialize attribute of JreMemoryLeakPreventionListener in server.xml. E.g.:

<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"
          classesToInitialize="org.apache.tomcat.util.http.parser.HttpParser$SkipConstantResult" />

For the record, in 6.0.41 the issues do not happen.

[Bug 56545] Examples app security exceptions
https://issues.apache.org/bugzilla/show_bug.cgi?id=56545

Mark Thomas ma...@apache.org changed:

What             |Removed  |Added
Component        |Examples |Catalina
Version          |8.0.8    |7.0.54
Product          |Tomcat 8 |Tomcat 7
Target Milestone |         |---

[Bug 56545] Examples app security exceptions
https://issues.apache.org/bugzilla/show_bug.cgi?id=56545

Mark Thomas ma...@apache.org changed:

What       |Removed |Added
Status     |NEW     |RESOLVED
Resolution |---     |FIXED

--- Comment #6 from Mark Thomas ma...@apache.org ---
These issues have been fixed in 8.0.x for 8.0.9 onwards.

[Bug 56545] Examples app security exceptions (8.0.8 release candidate)
https://issues.apache.org/bugzilla/show_bug.cgi?id=56545

Konstantin Kolinko knst.koli...@gmail.com changed:

What |Removed |Added
OS   |        |All

--- Comment #1 from Konstantin Kolinko knst.koli...@gmail.com ---
The workaround for the issue in Comment 0 is to add the following class to the value of classesToInitialize attribute of JreMemoryLeakPreventionListener in server.xml. E.g.:

<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"
          classesToInitialize="org.apache.tomcat.util.http.parser.HttpParser$SkipConstantResult" />

[Bug 56545] Examples app security exceptions (8.0.8 release candidate)
https://issues.apache.org/bugzilla/show_bug.cgi?id=56545

--- Comment #2 from Konstantin Kolinko knst.koli...@gmail.com ---
4. On the login page, enter a username (role1) and password (see tomcat-users.xml). Press Login button.

5. Look into logs/localhost.2014-05-20.log. There is an exception thrown by Session attribute event listener.

org.apache.catalina.session.StandardSession.setAttribute Session attribute event listener threw exception
 java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
    at java.security.AccessController.checkPermission(AccessController.java:559)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1525)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:305)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:412)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
    at org.apache.catalina.users.MemoryUser.toString(MemoryUser.java:312)
    at javax.security.auth.Subject.toString(Subject.java:842)
    at javax.security.auth.Subject.toString(Subject.java:825)
    at java.lang.String.valueOf(String.java:2854)
    at java.lang.StringBuilder.append(StringBuilder.java:128)
    at listeners.SessionListener.attributeAdded(SessionListener.java:56)
    at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1546)

6. Press logout link (you can log off by clicking here.)

7. The same exception is thrown for attributeRemoved event.

From the stacktrace (at org.apache.catalina.users.MemoryUser.toString(MemoryUser.java:312)) my guess is that it tries to call static method RequestUtil.filter(username).

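Added example, not part of the bug report or of Tomcat's code: a Python triage script that scans a Tomcat log for the AccessControlException reported in Comment 2 and groups denials by permission, target and the first non-JDK stack frame, which is the code that triggered the class load. The sample log is constructed from the trace in Comment 2 with made-up timestamps and thread names; all function and variable names are illustrative.

```python
import re
from collections import Counter

# Matches the denial line with or without quotes around permission and target.
DENIED = re.compile(r'AccessControlException: access denied '
                    r'\("?(?P<perm>[\w.$]+)"?\s+"?(?P<target>[^")]+)"?\)')
FRAME = re.compile(r'^\s*at\s+(?P<method>[\w.$<>]+)\(')
JDK_PREFIXES = ("java.", "javax.", "sun.", "jdk.")

def summarize_denials(log_text):
    """Count denials keyed by (permission, target, first non-JDK frame)."""
    counts = Counter()
    pending = None  # denial seen, triggering frame not yet found
    for line in log_text.splitlines():
        denied = DENIED.search(line)
        if denied:
            if pending:  # previous trace had no non-JDK frame
                counts[pending + (None,)] += 1
            pending = (denied.group("perm"), denied.group("target"))
            continue
        if pending is None:
            continue
        frame = FRAME.match(line)
        if frame is None:  # trace ended before a non-JDK frame appeared
            counts[pending + (None,)] += 1
            pending = None
        elif not frame.group("method").startswith(JDK_PREFIXES):
            counts[pending + (frame.group("method"),)] += 1
            pending = None
    if pending:
        counts[pending + (None,)] += 1
    return counts

# Constructed sample: two shortened events modelled on the trace in Comment 2.
_EVENT = """20-May-2014 10:15:0{n} SEVERE [http-nio-8080-exec-{n}] org.apache.catalina.session.StandardSession.{op} Session attribute event listener threw exception
 java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.catalina.util")
\tat java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
\tat java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1525)
\tat java.lang.ClassLoader.loadClass(ClassLoader.java:358)
\tat org.apache.catalina.users.MemoryUser.toString(MemoryUser.java:312)
\tat listeners.SessionListener.{cb}(SessionListener.java:56)
"""
SAMPLE_LOG = (_EVENT.format(n=1, op="setAttribute", cb="attributeAdded")
              + _EVENT.format(n=2, op="removeAttribute", cb="attributeRemoved"))

if __name__ == "__main__":
    for (perm, target, frame), n in summarize_denials(SAMPLE_LOG).items():
        print(f"{n}x {perm} {target} <- {frame}")
```

The reported frame is the caller of the class load, not the class being loaded, so it narrows the search for a classesToInitialize candidate rather than naming it.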
[Bug 56545] Examples app security exceptions (8.0.8 release candidate)
https://issues.apache.org/bugzilla/show_bug.cgi?id=56545

--- Comment #3 from Konstantin Kolinko knst.koli...@gmail.com ---
Created attachment 31638
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31638&action=edit
(2) localhost.2014-05-20.log

Log file with exceptions for issue in Comment 2.

[Bug 56545] Examples app security exceptions (8.0.8 release candidate)
https://issues.apache.org/bugzilla/show_bug.cgi?id=56545

--- Comment #4 from Konstantin Kolinko knst.koli...@gmail.com ---
The workaround for issue in Comment 2 is to add org.apache.catalina.util.RequestUtil to the value of classesToInitialize attribute.

With the following configuration both issues are resolved:

<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"
          classesToInitialize="
            org.apache.tomcat.util.http.parser.HttpParser$SkipConstantResult,
            org.apache.catalina.util.RequestUtil" />

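Added example, not part of the bug report or of Tomcat's code: a Python check that parses a server.xml and reports which of the two classes named in the workarounds (Comments 1 and 4) are missing from the classesToInitialize attribute of JreMemoryLeakPreventionListener. The server.xml fragments are constructed, the function name is illustrative, and splitting the attribute on commas and whitespace is an assumption about how the value is tokenized.

```python
import re
import xml.etree.ElementTree as ET

LISTENER = "org.apache.catalina.core.JreMemoryLeakPreventionListener"
# Classes named in the workarounds on this page (Comments 1 and 4).
REQUIRED = (
    "org.apache.tomcat.util.http.parser.HttpParser$SkipConstantResult",
    "org.apache.catalina.util.RequestUtil",
)

def missing_preloads(server_xml, required=REQUIRED):
    """Return the required classes that no matching Listener preloads."""
    configured = set()
    for el in ET.fromstring(server_xml).iter("Listener"):
        if el.get("className") == LISTENER:
            value = el.get("classesToInitialize", "")
            # Assumption: entries are separated by commas and/or whitespace.
            configured.update(tok for tok in re.split(r"[,\s]+", value) if tok)
    return [cls for cls in required if cls not in configured]

# Constructed server.xml fragments (not taken from the bug report).
ONLY_FIRST = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"
            classesToInitialize="org.apache.tomcat.util.http.parser.HttpParser$SkipConstantResult" />
</Server>"""
BOTH = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"
            classesToInitialize="
              org.apache.tomcat.util.http.parser.HttpParser$SkipConstantResult,
              org.apache.catalina.util.RequestUtil" />
</Server>"""
NO_LISTENER = '<Server port="8005" shutdown="SHUTDOWN"></Server>'

if __name__ == "__main__":
    samples = (("only first", ONLY_FIRST), ("both", BOTH), ("none", NO_LISTENER))
    for name, xml_text in samples:
        print(name, "->", missing_preloads(xml_text) or "OK")
```

Per Comments 6 and 8 the fix is in 8.0.9 onwards and will be in 7.0.55, so the check is meant for releases before those.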
[Bug 56545] Examples app security exceptions
https://issues.apache.org/bugzilla/show_bug.cgi?id=56545

Mark Thomas ma...@apache.org changed:

What    |Removed                                                    |Added
Version |8.0.5                                                      |8.0.8
Summary |Examples app security exceptions (8.0.8 release candidate) |Examples app security exceptions

--- Comment #5 from Mark Thomas ma...@apache.org ---
Update version now I have added 8.0.8 to the list of versions for 8.0.x