http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6660

           Summary: Catalina with SecurityManager is possibly broken.
           Product: Tomcat 4
           Version: 4.0.2 Final
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Critical
          Priority: Other
         Component: Catalina
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]

Hi all,

I found what I suppose to be a serious bug for whoever relies on running Catalina with a Security Manager. It's not a vulnerability, but it has the potential to break several applications like O'Reilly's cos.jar ( upload ) and JSSE.

Description: security manager rules are not applied correctly to classes on /lib directory

Here are the steps to reproduce:

Create 2 classes:

--------------------
import java.io.*;

public class WriteFile {
    // Writes one line to a file inside the area granted in catalina.policy.
    public void write() throws IOException {
        FileWriter fw = new FileWriter("/home/client/write_area/test.txt");
        PrintWriter pw = new PrintWriter(fw);
        pw.println("Testing security manager...");
        pw.close();
        fw.close();
    }
}
--------------------

( create a jar: jar -cvf WriteFile.jar WriteFile.class )

--------------------
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
// WriteFile is in the default package, so no import is needed
// (the original "import WriteFile;" is rejected by javac 1.4 and later).

public class SecManagerTest extends HttpServlet {
    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        res.setContentType("text/html");
        PrintWriter out = res.getWriter();

        // The file write is what the security manager checks.
        WriteFile wf = new WriteFile();
        wf.write();

        out.println("<HTML>");
        out.println("<BODY>");
        out.println("Security Manager works!!");
        out.println("</BODY>");
        out.println("</HTML>");
    }
}
--------------------

Insert these lines after the catalina.policy file

grant codeBase "file:/home/client/-" {
    permission java.io.FilePermission "/home/client/-", "read,write,delete";
    permission java.util.PropertyPermission "*", "read";
};

Start catalina with: ./catalina.sh start -security

***** NOW THE TESTS ************

First test.
Put WriteFile.class and SecManagerTest.class on /WEB-INF/classes
Try to execute the servlet.
It works !!!

Second test.
Put WriteFile.jar on /WEB-INF/lib ( and remove WriteFile.class from /classes ! ).
Restart Catalina.
Try to access the servlet:

java.security.AccessControlException: access denied (java.io.FilePermission /home/client/write_area/teste.txt write)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:272)
    at java.security.AccessController.checkPermission(AccessController.java:399)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:545)
    at java.lang.SecurityManager.checkWrite(SecurityManager.java:978)
    at java.io.FileOutputStream.<init>(FileOutputStream.java:96)
    at java.io.FileOutputStream.<init>(FileOutputStream.java:62)
    at java.io.FileWriter.<init>(FileWriter.java:38)
    at WriteFile.write(WriteFile.java:7)
    at SecManagerTest.doGet(SecManagerTest.java:13)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    (...)

In Tomcat 3.3 beta 1, it works perfectly.

There is definitely something wrong with the Security Manager in Catalina. Webhost companies that depend on the security manager cannot fully use Catalina ( again, everything works pretty well with Tomcat 3.3 ).
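
A triage check for a report like the one above, added here as an example and not part of the original report or of Tomcat: whether a policy grant applies to a class is decided by matching the grant's codeBase against the CodeSource location the class loader assigned, and java.security.CodeSource.implies performs that match. The webapp directory /home/client/webapp and all candidate locations below are constructed assumptions; the report does not say which location Catalina assigns to classes loaded from /WEB-INF/lib.

```java
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;

public class CodeBaseMatch {

    // True if a policy entry "grant codeBase <grantCodeBase>" would apply to
    // code whose CodeSource location is <location>. Unsigned code on both sides.
    static boolean grantApplies(String grantCodeBase, String location) throws Exception {
        CodeSource grant = new CodeSource(new URL(grantCodeBase), (Certificate[]) null);
        CodeSource loaded = new CodeSource(new URL(location), (Certificate[]) null);
        return grant.implies(loaded);
    }

    public static void main(String[] args) throws Exception {
        // codeBase taken from the grant in the report
        String grant = "file:/home/client/-";

        // Constructed candidate locations (assumptions, see lead-in)
        String[] candidates = {
            // directory form, as for classes under WEB-INF/classes
            "file:/home/client/webapp/WEB-INF/classes/",
            // jar referenced through a plain file: URL
            "file:/home/client/webapp/WEB-INF/lib/WriteFile.jar",
            // same jar referenced through a jar: URL
            "jar:file:/home/client/webapp/WEB-INF/lib/WriteFile.jar!/",
            // location outside the granted tree
            "file:/opt/other/WEB-INF/lib/WriteFile.jar"
        };

        for (String location : candidates) {
            System.out.println((grantApplies(grant, location) ? "grant applies   " : "grant NOT used  ")
                    + location);
        }
    }
}
```

To compare against the location the container really assigns, log WriteFile.class.getProtectionDomain().getCodeSource().getLocation() from the servlet in both test setups; under a security manager that call itself needs RuntimePermission "getProtectionDomain".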