2014-07-22 20:04 GMT+04:00 George Sexton <geor...@mhsoftware.com>:
> I'm using Tomcat 7.0.54 with the security manager. I'm getting an exception
> I don't understand:
>
> 2014-07-22 09:27:03,934 [http-bio-80-exec-64] ERROR org.apache.catalina.core.ContainerBase.[Catalina].[somehostname.mhsoftware.com].[/].[jsp]- Servlet.service() for servlet [jsp] in context with path [] threw exception [java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")] with root cause
> java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")
>         at java.security.AccessControlContext.checkPermission(Unknown Source)
>         at java.security.AccessController.checkPermission(Unknown Source)
>         at java.lang.SecurityManager.checkPermission(Unknown Source)
>         at java.lang.ClassLoader.checkClassLoaderPermission(Unknown Source)
>         at java.lang.ClassLoader.getParent(Unknown Source)
>         at org.apache.juli.ClassLoaderLogManager.findProperty(ClassLoaderLogManager.java:295)
>         at org.apache.juli.ClassLoaderLogManager.getProperty(ClassLoaderLogManager.java:266)
>         at org.apache.juli.ClassLoaderLogManager.addLogger(ClassLoaderLogManager.java:144)
>         at java.util.logging.LogManager.demandLogger(Unknown Source)
>         at java.util.logging.Logger.demandLogger(Unknown Source)
>         at java.util.logging.Logger.getLogger(Unknown Source)
>         at com.sun.mail.util.MailLogger.<init>(MailLogger.java:115)
>         at javax.mail.Session.initLogger(Session.java:226)
>         at javax.mail.Session.<init>(Session.java:210)
>         at javax.mail.Session.getInstance(Session.java:247)
>         at com.MHSoftware.net.mail.MHMail.sendSMTP(MHMail.java:470)
>
>
> Line 144 of ClassLoaderLogManager is the addLogger method trying to read the
> .level property for the logger being created.
>
> The catalina.policy is pretty much the stock one. I'm confused because the
> catalina.policy has:
>
> grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
>         permission java.lang.RuntimePermission "getClassLoader";
>
> The page in question that's erroring out is a JSP that's calling a
> per-context jar. The hierarchy looks something like:
>
> JSP ->
> context/WEB-INF/lib/jar Class File ->
> $CATALINA_BASE/lib/ MH Software.jar ->
> $CATALINA_BASE javax.mail.jar ->
> $CATALINA_HOME/bin/tomcat-juli.jar
>
> $CATALINA_BASE/lib, has the grant for java.security.AllPermission;
>
> I don't know if this makes a difference, but I'm using log4j, and following
> the instructions here:
>
> http://tomcat.apache.org/tomcat-7.0-doc/logging.html#Using_Log4j
>
> I've made $CATALINA_BASE/conf/logging.properties an empty file.
>
> Finally, it SEEMS to only be happening in JSP files. Calls directly from
> classes in the context jar file don't seem to be failing.
>
> If anyone could point me in the right direction, I would really appreciate
> it.

I filed an issue for this into bugzilla:
https://issues.apache.org/bugzilla/show_bug.cgi?id=56776

> per-context jar. The hierarchy looks something like:
>
> JSP ->
> context/WEB-INF/lib/jar Class File ->
> $CATALINA_BASE/lib/ MH Software.jar ->
> $CATALINA_BASE javax.mail.jar ->
> $CATALINA_HOME/bin/tomcat-juli.jar
>
> $CATALINA_BASE/lib, has the grant for java.security.AllPermission;
>

Unless all classes in the call chain have the necessary permission
("java.lang.RuntimePermission" "getClassLoader") the call won't be
allowed.

A workaround is to grant that permission to web applications, but I
would not really recommend that as a long-term solution, as it makes
the system less secure.

It should be possible to fix this at Tomcat side, thus I filed the issue.

Best regards,
Konstantin Kolinko
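
The call-chain rule described in the reply above, as an added example that is not part of the original thread or of Tomcat's code: it builds protection domains for an abbreviated version of the hierarchy and shows the permission check failing as soon as one domain in the chain lacks the grant. The file locations, the class name CallChainCheck, and the assumption that the JSP's domain has no getClassLoader grant are constructed for illustration; it assumes a JDK where the Security Manager API is still functional (for example Java 8).

```java
import java.net.URL;
import java.security.*;
import java.security.cert.Certificate;

public class CallChainCheck {
    // A protection domain with fixed (static) permissions for a constructed code location.
    static ProtectionDomain domain(String location, Permission... granted) throws Exception {
        Permissions perms = new Permissions();
        for (Permission p : granted) perms.add(p);
        return new ProtectionDomain(new CodeSource(new URL(location), (Certificate[]) null), perms);
    }

    // checkPermission succeeds only if EVERY domain in the context implies the permission.
    static String check(Permission perm, ProtectionDomain... chain) {
        try {
            new AccessControlContext(chain).checkPermission(perm);
            return "allowed";
        } catch (AccessControlException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        Permission getCL = new RuntimePermission("getClassLoader");
        // Constructed locations mirroring (in abbreviated form) the hierarchy in the thread.
        // Assumption: the JSP's domain carries no getClassLoader grant.
        ProtectionDomain jsp    = domain("file:/constructed/work/index_jsp.class");
        ProtectionDomain shared = domain("file:/constructed/base/lib/javax.mail.jar", new AllPermission());
        ProtectionDomain juli   = domain("file:/constructed/home/bin/tomcat-juli.jar", getCL);

        // Full chain: the JSP frame lacks the permission, so the whole call is denied
        // even though tomcat-juli.jar and the shared lib both have it.
        System.out.println("JSP -> lib -> juli : " + check(getCL, jsp, shared, juli));
        // Only granted domains in the chain: the check passes.
        System.out.println("lib -> juli        : " + check(getCL, shared, juli));
        // What the stack walk sees when the trusted frame wraps the call in
        // AccessController.doPrivileged: callers above that frame are not consulted.
        System.out.println("juli (privileged)  : " + check(getCL, juli));
    }
}
```

The last case models the standard JDK mechanism for letting trusted code act on its own grant without widening what web applications may do; the thread does not say how the Bugzilla issue was resolved.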