[Bug 65106] ConfigFileLoader cannot properly handle file url running with SecurityManager on openjdk 1.8

2021-02-03 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65106

--- Comment #13 from Remy Maucherat  ---
It was fixed shortly after in 8.5.63.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[Bug 65106] ConfigFileLoader cannot properly handle file url running with SecurityManager on openjdk 1.8

2021-02-03 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65106

--- Comment #12 from Jiri Novak  ---
Any chance it will be fixed in 8.5?




[Bug 65106] ConfigFileLoader cannot properly handle file url running with SecurityManager on openjdk 1.8

2021-01-28 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65106

Mark Thomas  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #11 from Mark Thomas  ---
Fixed in:
- 10.0.x for 10.0.2 onwards
- 9.0.x for 9.0.43 onwards




[Bug 65106] ConfigFileLoader cannot properly handle file url running with SecurityManager on openjdk 1.8

2021-01-28 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65106

--- Comment #10 from Remy Maucherat  ---
(In reply to Mark Thomas from comment #9)
> The best I can come up with is if path starts with "file:/" or "://"
> the code jumps directly to the URI handling. I'll work on a patch. I'm
> wondering how far to go optimizing the code. I'm thinking not far.

Ok. Yes, I don't think it needs to be super fast since this is for loading
configuration resources.




[Bug 65106] ConfigFileLoader cannot properly handle file url running with SecurityManager on openjdk 1.8

2021-01-28 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65106

--- Comment #9 from Mark Thomas  ---
The best I can come up with is if path starts with "file:/" or "://" the
code jumps directly to the URI handling. I'll work on a patch. I'm wondering
how far to go optimizing the code. I'm thinking not far.




[Bug 65106] ConfigFileLoader cannot properly handle file url running with SecurityManager on openjdk 1.8

2021-01-28 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65106

--- Comment #8 from Mark Thomas  ---
Hmm. Thinking...




[Bug 65106] ConfigFileLoader cannot properly handle file url running with SecurityManager on openjdk 1.8

2021-01-28 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65106

--- Comment #7 from Remy Maucherat  ---
(In reply to Mark Thomas from comment #5)
> Rémy, what if we added a
> 
> if (name.startsWith("file:/")) {
> 
> }
> block around the File and classloader case? Essentially short circuit to URI
> in that case for getResource() and getURI(). Does that help?

I think that would work for the reporter but still fail for other URLs. This
security check is annoying ...
Maybe detect a URL scheme, like if there's ':' in the path and no '/' before it?




[Bug 65106] ConfigFileLoader cannot properly handle file url running with SecurityManager on openjdk 1.8

2021-01-28 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65106

--- Comment #6 from Mark Thomas  ---
That should be:

if (*!*name...




[Bug 65106] ConfigFileLoader cannot properly handle file url running with SecurityManager on openjdk 1.8

2021-01-28 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65106

--- Comment #5 from Mark Thomas  ---
Rémy, what if we added a

if (name.startsWith("file:/")) {

}
block around the File and classloader case? Essentially short circuit to URI in
that case for getResource() and getURI(). Does that help?




[Bug 65106] ConfigFileLoader cannot properly handle file url running with SecurityManager on openjdk 1.8

2021-01-28 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65106

--- Comment #4 from Jiri Novak  ---
Caused by: java.io.IOException: Failed to load keystore type [JKS] with path [file:/C:/tmp/120/key.jks] due to [access denied ("java.io.FilePermission" "C:\tmp\120\a\catalina\file:\C:\tmp\120\key.jks" "read")]
    at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:227)


I have not found any way to write such a path in the policy file so that
SecurityManager can accept it.

permission java.io.FilePermission "file:${catalina.base}", "read";
permission java.io.FilePermission "${catalina.base}", "read";
permission java.io.FilePermission "file:${catalina.base}/", "read";
permission java.io.FilePermission "${catalina.base}/", "read";
permission java.io.FilePermission "file:${catalina.base}/-", "read";
permission java.io.FilePermission "${catalina.base}/-", "read";
permission java.io.FilePermission "file:${catalina.base}/*", "read";
permission java.io.FilePermission "${catalina.base}/*", "read";
permission java.io.FilePermission "C:/tmp/120/a/catalina", "read";
permission java.io.FilePermission "C:/tmp/120/a/catalina/", "read";
permission java.io.FilePermission "C:/tmp/120/a/catalina/-", "read";
permission java.io.FilePermission "C:/tmp/120/a/catalina/*", "read";
permission java.io.FilePermission "C:/tmp/120/a/catalina/file:/C:/tmp/120/key.jks", "read";
permission java.io.FilePermission "C:/tmp/120/a/catalina/file://C:/tmp/120/key.jks", "read";
permission java.io.FilePermission "C:/tmp/120/a/catalina/file:///C:/tmp/120/key.jks", "read";
permission java.io.FilePermission "C:\\tmp\\120\\a\\catalina\\file:\\C:\\tmp\\120\\key.jks", "read";

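The failure reported in comment #4 and the short circuit proposed in comment #9, side by side with the scheme test suggested in comment #7, as an added Java sketch; it is not Tomcat's ConfigFileLoader code or the committed fix. The class and method names are hypothetical, the sample locations are constructed, and reading comment #9's second test as "contains ://" is an assumption.

```java
import java.io.File;
import java.net.URI;
import java.net.URISyntaxException;

public class ConfigLocationDemo {

    // Comment #9: locations that look like URIs skip the file lookup entirely.
    // Reading the second test as "contains ://" is an assumption of this sketch.
    static boolean uriPerComment9(String location) {
        return location.startsWith("file:/") || location.contains("://");
    }

    // Comment #7: a ':' with no '/' before it marks a URL scheme.
    // A drive-letter path such as C:/x also has its ':' before the first '/'.
    static boolean uriPerComment7(String location) {
        int colon = location.indexOf(':');
        int slash = location.indexOf('/');
        return colon > 0 && (slash < 0 || colon < slash);
    }

    // File-first lookup: a non-absolute location is resolved under the base
    // directory, and that combined path is what a FilePermission check sees.
    static File fileFirst(File base, String location) {
        File f = new File(location);
        return f.isAbsolute() ? f : new File(base, location);
    }

    // Short circuit: URI-looking input never reaches java.io.File.
    static String resolve(File base, String location) throws URISyntaxException {
        if (uriPerComment9(location)) {
            return "URI  " + new URI(location);
        }
        return "File " + fileFirst(base, location).getPath();
    }

    public static void main(String[] args) throws URISyntaxException {
        File base = new File("C:/tmp/120/a/catalina"); // directory prefix seen in comment #4
        String[] samples = {                           // constructed inputs
            "file:/C:/tmp/120/key.jks", "conf/key.jks",
            "C:/tmp/120/key.jks", "https://example.invalid/key.jks" };
        for (String s : samples) {
            System.out.println(s);
            System.out.println("  file-first   : " + fileFirst(base, s).getPath());
            System.out.println("  short circuit: " + resolve(base, s));
            System.out.println("  #9=" + uriPerComment9(s) + " #7=" + uriPerComment7(s));
        }
    }
}
```

Whether a location counts as absolute depends on the platform's file system, so the file-first lines differ between Windows and Unix-like hosts.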



[Bug 65106] ConfigFileLoader cannot properly handle file url running with SecurityManager on openjdk 1.8

2021-01-28 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65106

--- Comment #3 from Remy Maucherat  ---
I am inching towards a WONTFIX, since the only real solution is to use URLs
only. It would mean absolute file paths won't work, I believe, and this is not
possible. The rest would be fine.

I don't understand why "And it is impossible to create such a policy for
SecurityManager", can you explain a bit more ?




[Bug 65106] ConfigFileLoader cannot properly handle file url running with SecurityManager on openjdk 1.8

2021-01-27 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65106

--- Comment #2 from Jiri Novak  ---
I understand but the current state is that tomcat won't start.




[Bug 65106] ConfigFileLoader cannot properly handle file url running with SecurityManager on openjdk 1.8

2021-01-26 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=65106

Remy Maucherat  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All

--- Comment #1 from Remy Maucherat  ---
Ok, after checking the javadoc, I can see that isAbsolute is a safe call (no
security check) but isFile is not. Wrapping with a try/catch could be
reasonable, however it would also hide the exception when it is legitimate and
useful to have.
