Bug 49178 - Running tomcat/6.0.26 with security manager generates ORACLE jdbc error
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 6
Classification: Unclassified
Component: Catalina
Version: 6.0.26
Hardware: PC Windows XP
Importance: P2 normal
Target Milestone: default
Assignee: Tomcat Developers Mailing List
Reported: 2010-04-23 12:54 UTC by Suresh T
Modified: 2010-06-14 13:04 UTC

Attachments
Error log file (8.54 KB, text/plain)
2010-04-26 13:51 UTC, Suresh T
Bug49178PermissionUrlTest.java - sample code to check Java API behaviour (1.96 KB, text/plain)
2010-04-27 08:43 UTC, Konstantin Kolinko

Description Suresh T 2010-04-23 12:54:50 UTC
java.lang.ArrayIndexOutOfBoundsException: -1
        oracle.jdbc.driver.T4CTTIoauthenticate.setSessionFields(T4CTTIoauthenticate.java:942)
        oracle.jdbc.driver.T4CTTIoauthenticate.<init>(T4CTTIoauthenticate.java:221)
        oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:358)
        oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:508)
        oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:203)
        oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:33)
        oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:510)
        oracle.jdbc.pool.OracleDataSource.getPhysicalConnection(OracleDataSource.java:275)
        oracle.jdbc.pool.OracleDataSource.getConnection(OracleDataSource.java:206)
        xxx.yyy.CPC.data.DAOUtil.getConnection(Unknown Source)
        xxx.yyy.CPC.logging.LogDAO.createLog(Unknown Source)
        xxx.yyy.CPC.logging.DBLogger.db(Unknown Source)
        org.apache.jsp.CPC.Default_jsp._jspService(Default_jsp.java:90)
        org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:377)
        org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:313)
        org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        java.lang.reflect.Method.invoke(Method.java:597)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:269)
        java.security.AccessController.doPrivileged(Native Method)
        javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
        org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:301)
        org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:162) 


When I enabled -Djava.security.debug=access,failure, I saw that the problem was that the Oracle jar in the file:${catalina.base}\lib dir was getting called with \ at the start. There was an attempt to access \file:${catalina.base}\lib\ojdbc6.jar rather than file:\${catalina.base}\lib\ojdbc6.jar. When I added the AllProperty policy rule for that \file:${catalina.base}\lib\-, this error went away.
Comment 1 Mark Thomas 2010-04-23 19:44:27 UTC
That looks rather odd. Could you please provide:
- the full security failure from the logs that prompted you to make this change
- the exact entry you added to the policy file

Thanks.
Comment 2 Suresh T 2010-04-26 13:51:54 UTC
Created attachment 25356
Error log file
Comment 3 Suresh T 2010-04-26 13:54:32 UTC
(In reply to comment #1)
> That looks rather odd. Could you please provide:
> - the full security failure from the logs that prompted you to make this change
> - the exact entry you added to the policy file
> 
> Thanks.

Hi Mark,
   When I run Tomcat with the -security option and the following policy

grant codeBase "file:\${catalina.base}\lib\-" {
  permission java.security.AllPermission;
};

  is not entered in the log, I see the following error come up in stdout

access: access denied (java.io.FilePermission \C:\javaaps\apache-tomcat-6.0.26\apache-tomcat-6.0.26\lib\ojdbc6.jar read)
java.lang.Exception: Stack trace
        at java.lang.Thread.dumpStack(Thread.java:1206)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:313)
        at java.security.AccessController.checkPermission(AccessController.java:546)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        at sun.misc.URLClassPath.check(URLClassPath.java:408)
        at sun.misc.URLClassPath.checkURL(URLClassPath.java:388)
        at java.net.URLClassLoader.findResource(URLClassLoader.java:366)
        at java.lang.ClassLoader.getResource(ClassLoader.java:977)
        at java.lang.Class.getResource(Class.java:2074)
        at oracle.sql.ConverterArchive.readObj(ConverterArchive.java:398)
        at oracle.sql.converter.CharacterConverterJDBC.getInstance(CharacterConverterJDBC.java:143)
        at oracle.sql.converter.CharacterConverterFactoryJDBC.make(CharacterConverterFactoryJDBC.java:45)
        at oracle.sql.CharacterSetWithConverter.getInstance(CharacterSetWithConverter.java:95)
        at oracle.sql.CharacterSetFactoryThin.make(CharacterSetFactoryThin.java:126)
        at oracle.sql.CharacterSet.make(CharacterSet.java:448)
        at oracle.jdbc.driver.DBConversion.init(DBConversion.java:150)
        at oracle.jdbc.driver.DBConversion.<init>(DBConversion.java:111)
        at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1007)
        at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:292)
        at oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:508)
        at oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:203)
        at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:33)
        at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:510)
        at oracle.jdbc.pool.OracleDataSource.getPhysicalConnection(OracleDataSource.java:275)
        at oracle.jdbc.pool.OracleDataSource.getConnection(OracleDataSource.java:206)
        at edu.utmb.CPC.data.DAOUtil.getConnection(Unknown Source)
        at edu.utmb.CPC.logging.LogDAO.createLog(Unknown Source)
        at edu.utmb.CPC.logging.DBLogger.db(Unknown Source)
        at org.apache.jsp.CPC.Default_jsp._jspService(Default_jsp.java:90)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:377)
        at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:313)
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:269)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:301)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:162)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:283)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:56)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:465)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:852)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
        at java.lang.Thread.run(Thread.java:619)



Apr 26, 2010 12:46:35 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet jsp threw exception
java.lang.ArrayIndexOutOfBoundsException: -1
	at oracle.jdbc.driver.T4CTTIoauthenticate.setSessionFields(T4CTTIoauthenticate.java:942)
	at oracle.jdbc.driver.T4CTTIoauthenticate.<init>(T4CTTIoauthenticate.java:221)
	at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:358)
	at oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:508)
	at oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:203)
	at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:33)
	at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:510)
	at oracle.jdbc.pool.OracleDataSource.getPhysicalConnection(OracleDataSource.java:275)
	at oracle.jdbc.pool.OracleDataSource.getConnection(OracleDataSource.java:206)
	at edu.utmb.CPC.data.DAOUtil.getConnection(Unknown Source)
	at edu.utmb.CPC.logging.LogDAO.createLog(Unknown Source)
	at edu.utmb.CPC.logging.DBLogger.db(Unknown Source)
	at org.apache.jsp.CPC.Default_jsp._jspService(Default_jsp.java:90)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:377)
	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:313)
	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:269)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:301)
	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:162)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:283)
	at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:56)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:465)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:852)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
	at java.lang.Thread.run(Thread.java:619)


However, once I added the policy and restarted the error went away.
Comment 4 Konstantin Kolinko 2010-04-27 08:43:08 UTC
Created attachment 25362
Bug49178PermissionUrlTest.java - sample code to check Java API behaviour

The preceding slash in the permission is how Java behaves. It is not specific to Tomcat.

I am attaching a sample class that demonstrates Java API behaviour. When I am running it on Windows XP with Sun JRE 6u20 as
 "java -cp . Bug49178PermissionUrlTest c:\projects\sample.txt"
it prints:

// File:
C:\PROJECTS\sample.txt
// URL:
file:/C:/PROJECTS/sample.txt
// URL.getPath():
/C:/PROJECTS/sample.txt
// URLConnection.getPermission():
(java.io.FilePermission \C:\PROJECTS\sample.txt read)
// File(url.getPath()).getCanonicalPath()
C:\PROJECTS\sample.txt
// FilePermission.equals()
true

The Permission is printed with preceding slash, but that does not matter, because the FilePermissions are compared by canonical paths, and the canonical path is constructed correctly regardless of that slash.

Suresh, are you running with separate CATALINA_HOME and CATALINA_BASE? The classes mentioned in the "access denied" stacktrace -- where are their jars located?
Comment 5 Mark Thomas 2010-06-02 11:30:32 UTC
It looks like this is a catalina home/base issue.

I have added an additional permission (commented out) to the policy file that folks can use in this situation.

The change has been applied to trunk for 7.0.0 onwards and proposed for 6.0.x.

It would be good to get some confirmation that home/base was indeed the issue. If no confirmation is forthcoming, I will assume that was the root cause.
Comment 6 Mark Thomas 2010-06-14 13:04:47 UTC
The additional permission has been added (as a comment) to catalina.policy and will be included in 6.0.27 onwards.

If you still see this issue, feel free to re-open this bug report but you will need to include the exact, complete (and simplest) set of steps to reproduce this on a clean install of the latest stable 6.0.x release.
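
Added example (not part of the bug report, the attachment, or Tomcat): a small triage script for the two points the thread settles, that the separator printed before the drive letter in the denied FilePermission is cosmetic, and that the real question is whether the jar sits under CATALINA_HOME\lib or CATALINA_BASE\lib. The function names, the sample log lines and the two directory paths are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# "access denied" line as printed with -Djava.security.debug=access,failure
DENIED = re.compile(
    r"access: access denied \(java\.io\.FilePermission (?P<path>.+) (?P<actions>[\w,]+)\)")

# Constructed sample lines (not taken from the attached error log).
SAMPLE_LOG = r"""access: access denied (java.io.FilePermission \C:\srv\instance1\lib\ojdbc6.jar read)
access: access denied (java.io.FilePermission \C:\opt\tomcat\lib\catalina.jar read)
access: access denied (java.io.FilePermission C:\Temp\upload.tmp read,write)
"""


def normalize(raw):
    """Drop the separator Java prints in front of a drive letter."""
    return PureWindowsPath(re.sub(r"^[\\/](?=[A-Za-z]:)", "", raw))


def classify(log_text, catalina_home, catalina_base):
    """Return (path, actions, location) for every denied FilePermission.

    location is 'base/lib', 'home/lib' or 'other'. PureWindowsPath compares
    case-insensitively, matching Windows file name semantics.
    """
    home_lib = PureWindowsPath(catalina_home) / "lib"
    base_lib = PureWindowsPath(catalina_base) / "lib"
    results = []
    for match in DENIED.finditer(log_text):
        path = normalize(match.group("path"))
        if base_lib != home_lib and base_lib in path.parents:
            # Jar lives in a per-instance lib directory: a policy grant that
            # only names ${catalina.home}/lib does not cover it.
            location = "base/lib"
        elif home_lib in path.parents:
            location = "home/lib"
        else:
            location = "other"
        results.append((str(path), match.group("actions"), location))
    return results


if __name__ == "__main__":
    # Hypothetical split installation: home and base are different directories.
    for row in classify(SAMPLE_LOG, r"C:\opt\tomcat", r"C:\srv\instance1"):
        print(row)
```

Console output wrapped at 80 columns, as in comment 3, has to be rejoined into single lines before it is passed to `classify`.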