Along the same lines as CR 29936, org.apache.catalina.startup.TldConfig.tldDigester has an issue with initialization. Basically, the TldConfig's parser can be initialized with the webapp's XML parser, which causes a security problem, since it has permission issues with reading files. This is caused by a similar scenario to CR 29936:

1) Remove all stock webapps that come with the standard installation. This includes the ones in server/webapps. Remember to remove the configurations in conf/Catalina.

2) Add a webapp that has an XML parser located in WEB-INF/lib. For instance, one from sourceforge or Apache Xerces.

3) Add a library containing a .tld file in META-INF like Spring.

4) In order to actually have a log containing the error, you need to enable logging. For example, by following the instructions laid out in http://tomcat.apache.org/tomcat-5.5-doc/logging.html. I used log4j.

5) Start the appserver in secure mode.

You should see an error in the log similar to the following:

ERROR main org.apache.catalina.startup.TldConfig - Exception processing TLD META-INF/spring-form.tld in JAR at resource path TOMCAT_PATH/webapps/MY_WAR/WEB-INF/lib/spring.jar in context /MY_WAR
java.security.AccessControlException: access denied (java.io.FilePermission TOMCAT_PATH/common/lib/jsp-api.jar read)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
    at java.security.AccessController.checkPermission(AccessController.java:546)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
    at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
    at java.util.zip.ZipFile.<init>(ZipFile.java:109)
    at java.util.jar.JarFile.<init>(JarFile.java:133)
    at java.util.jar.JarFile.<init>(JarFile.java:70)
    at sun.net.www.protocol.jar.URLJarFile.<init>(URLJarFile.java:72)
    at sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:48)
    at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:53)
    at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:104)
    at sun.net.www.protocol.jar.JarURLConnection.getInputStream(JarURLConnection.java:132)
    at java.net.URL.openStream(URL.java:1009)
    at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
    at org.apache.xerces.impl.XMLEntityManager.startEntity(Unknown Source)
    at org.apache.xerces.impl.XMLEntityManager.startDTDEntity(Unknown Source)
    at org.apache.xerces.impl.XMLDTDScannerImpl.setInputSource(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentScannerImpl$DTDDispatcher.dispatch(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.DTDConfiguration.parse(Unknown Source)
    at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
    at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
    at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1562)
    at org.apache.catalina.startup.TldConfig.tldScanStream(TldConfig.java:514)
    at org.apache.catalina.startup.TldConfig.tldScanJar(TldConfig.java:472)
    at org.apache.catalina.startup.TldConfig.execute(TldConfig.java:307)
    at org.apache.catalina.core.StandardContext.processTlds(StandardContext.java:4307)
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:4144)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:760)
    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:122)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:144)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:738)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:544)
    at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:831)
    at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:720)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:490)
    at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1150)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:120)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1022)
    at org.apache.catalina.core.StandardHost.start(StandardHost.java:736)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1014)
    at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
    at org.apache.catalina.core.StandardService.start(StandardService.java:448)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:700)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:552)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)

Note that if you restart the appserver, you will need to remove the webapp's TLD cache located at "TOMCAT_PATH/work/Catalina/localhost/MY_WAR/tldCache.ser" to reproduce the error again.
Created attachment 22666: Test webapp that demonstrates error
I am unable to reproduce this. Looking at your stack trace the security exception is caused when trying to read jsp-api.jar. This jar should never be scanned as it is on the exclude list so I don't understand how you can be seeing this error. Reviewing the code does show that there is an issue. Additionally, the XML validation settings of the first context processed are used for all contexts. I can fix these issues based purely on code review but it would be nice to be able to confirm the fix with a test case.
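The mechanism behind the reporter's steps and the maintainer's note about the first context's validation settings, as an added Java sketch that is not Tomcat's code and does not show the committed fix. JAXP's SAXParserFactory.newInstance() resolves the parser implementation through the thread context class loader, so a container-side scanner that lazily creates one shared parser while a webapp's loader is current picks up that webapp's parser (the org.apache.xerces frames in the trace above) and freezes the first caller's validation flag for every later context. Under a SecurityManager, parser code loaded from WEB-INF/lib then runs with the webapp's protection domain, which is why a DTD lookup that reaches into common/lib/jsp-api.jar fails with an AccessControlException. The class name TldParserInit, the two helper methods and the main() are assumptions made for this illustration; the defensive pattern shown (per-context parser, container loader pinned during creation) is a general JAXP practice, not a description of the Tomcat patch.

```java
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

// Hypothetical sketch (not Tomcat code) of two ways a container-side TLD scanner
// can obtain its XML parser, and why one of them is fragile.
public class TldParserInit {

    // Pattern A (fragile): one lazily created, shared parser.
    // SAXParserFactory.newInstance() looks the implementation up via the thread
    // context class loader, so whichever webapp happens to be starting when this
    // field is first populated supplies the parser class, and its validation
    // setting is baked in for every context processed afterwards.
    private static SAXParser sharedParser;

    static synchronized SAXParser sharedParser(boolean validate) throws Exception {
        if (sharedParser == null) {
            SAXParserFactory f = SAXParserFactory.newInstance(); // uses current TCCL
            f.setValidating(validate);                           // first caller wins
            sharedParser = f.newSAXParser();
        }
        return sharedParser;
    }

    // Pattern B (defensive): a parser per context, created with the container's
    // own class loader pinned as the thread context class loader, so the JAXP
    // lookup cannot resolve to a parser shipped in the webapp's WEB-INF/lib and
    // the parser code runs with the container's protection domain.
    static SAXParser containerParser(ClassLoader containerLoader, boolean validate)
            throws Exception {
        Thread t = Thread.currentThread();
        ClassLoader saved = t.getContextClassLoader();
        t.setContextClassLoader(containerLoader);
        try {
            SAXParserFactory f = SAXParserFactory.newInstance();
            f.setValidating(validate);
            return f.newSAXParser();
        } finally {
            t.setContextClassLoader(saved); // always restore the webapp's loader
        }
    }

    // Diagnostic helper: report which SAXParserFactory implementation a given
    // thread context class loader resolves to, restoring the loader afterwards.
    static String implementationUnder(ClassLoader loader) throws Exception {
        Thread t = Thread.currentThread();
        ClassLoader saved = t.getContextClassLoader();
        t.setContextClassLoader(loader);
        try {
            return SAXParserFactory.newInstance().getClass().getName();
        } finally {
            t.setContextClassLoader(saved);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo: with the container's loader pinned, the JDK's built-in
        // factory is reported. Run the same call with a URLClassLoader that has a
        // Xerces jar on its path to see the name change to an org.apache.xerces class.
        ClassLoader containerLoader = TldParserInit.class.getClassLoader();
        System.out.println("Factory resolved under container loader: "
                + implementationUnder(containerLoader));

        SAXParser p = containerParser(containerLoader, false);
        System.out.println("Per-context parser class: " + p.getClass().getName());
        System.out.println("Validating: " + p.isValidating());
    }
}
```

The check a practitioner can run against a deployment: start the server with the security manager enabled and a webapp that bundles its own parser, then compare the factory class name reported with the webapp's loader current against the one reported with the container's loader current; if they differ, any container component that creates its parser without pinning the loader is exposed to the failure mode in the trace above.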
Ignore my previous. I now have a test case. Thanks for the report. This has been fixed in trunk and proposed for 6.0.x and 5.5.x.
This has been fixed 6.0.x and will be included in 6.0.19 onwards.
*** Bug 46549 has been marked as a duplicate of this bug. ***
The patch has been applied to 5.5.x and will be included in 5.5.28 onwards.