Bug 50854 - Additional catalina.policy entries for when Security Manager enabled, for session display functionality
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 6
Classification: Unclassified
Component: Manager application
Version: 6.0.32
Hardware: All All
Importance: P2 normal
Target Milestone: default
Assignee: Tomcat Developers Mailing List
Reported: 2011-03-02 10:06 UTC by Neale Rudd
Modified: 2011-06-14 11:27 UTC

Attachments
Patch for tc6.0.x (1.43 KB, patch)
2011-03-10 07:16 UTC, Mark Thomas

Description Neale Rudd 2011-03-02 10:06:46 UTC
When running under a security manager, in 7.0.x (and also around 6.0.29+), the Sessions List options in the Tomcat Manager may display an error under certain conditions.

CONDITION 1:

APR enabled, catalina.base == catalina.home:

- Encountered exception org.apache.jasper.JasperException: javax.servlet.ServletException: java.lang.NoClassDefFoundError: org/apache/catalina/ha/session/DeltaSession

This permission is required:
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.*";

CONDITION 2:

Regardless of APR, if catalina.base != catalina.home and catalina.home is the location of the webapps/manager application, this error displays:

FAIL - Encountered exception org.apache.jasper.JasperException: An exception occurred processing JSP page /WEB-INF/jsp/sessionsList.jsp at line 99

96: 			<tbody>
97: <% Iterator iter = activeSessions.iterator();
98:    while (iter.hasNext()) {
99:    	Session currentSession = (Session) iter.next();
100:    	String currentSessionId = JspHelper.escapeXml(currentSession.getId());
101: %>
102: 				<tr>

This is because the policy file assumes there is a per-instance webapps/manager application in catalina.base, as opposed to a shared one in catalina.home.

Suggested fix, in catalina.policy, replace ...

// The Manager application needs access to the following packages to support the
// session display functionality
grant codeBase "file:${catalina.base}/webapps/manager/-" {
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.*";
};

... with ...

// The Manager application needs access to the following packages to support the
// session display functionality
grant codeBase "file:${catalina.home}/webapps/manager/-" {
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.*";
};

// If using a per instance webapps directory, i.e. ${catalina.base}/webapps,
// then the following permission will need to be uncommented
// grant codeBase "file:${catalina.base}/webapps/manager/-" {
//     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
//     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
//     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
//     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.*";
// };

* In the above, I've used the same commented-out approach as the one for the "file:${catalina.base}/lib/-" permissions for consistency, but the catalina.base permissions could also be left uncommented if most installations copy the default webapps folder into each instance and use it from there, to make larger deployments easier.

Best Regards,
Neale Rudd
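
Added example (not part of the report and not Tomcat code): a Python check for Condition 2 above, which reads a catalina.policy text and lists the session-display permissions that no active grant gives to the directory the Manager application is actually loaded from. The function names and the paths /opt/tomcat and /srv/instance1 are constructed for illustration, and the parser assumes only the recursive "file:<dir>/-" codeBase form and whole-line // comments.

```python
import re

# Permission targets copied from the grant block quoted in the report.
REQUIRED = [
    "accessClassInPackage.org.apache.catalina",
    "accessClassInPackage.org.apache.catalina.manager",
    "accessClassInPackage.org.apache.catalina.manager.util",
    "accessClassInPackage.org.apache.catalina.ha.*",
]
GRANT_RE = re.compile(r'grant\s+codeBase\s+"([^"]+)"\s*\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+java\.lang\.RuntimePermission\s+"([^"]+)"')


def missing_manager_permissions(policy_text, home, base, manager_dir):
    """Return REQUIRED targets that no active grant gives to manager_dir."""
    # Grants commented out with a leading // are not in effect.
    active = "\n".join(line for line in policy_text.splitlines()
                       if not line.lstrip().startswith("//"))
    props = {"catalina.home": home, "catalina.base": base}
    granted = set()
    for code_base, body in GRANT_RE.findall(active):
        # Expand ${catalina.home} and ${catalina.base} in the codeBase URL.
        url = re.sub(r"\$\{([^}]+)\}",
                     lambda m: props.get(m.group(1), m.group(0)), code_base)
        # Simplification: only the recursive "file:<dir>/-" form is handled.
        if not (url.startswith("file:") and url.endswith("/-")):
            continue
        root = url[len("file:"):-1]  # directory path, trailing "/" kept
        if (manager_dir.rstrip("/") + "/").startswith(root):
            granted.update(PERM_RE.findall(body))
    return [p for p in REQUIRED if p not in granted]


def manager_grant(prop):
    """Build the report's manager grant for ${prop} (constructed sample input)."""
    perms = "".join(f'    permission java.lang.RuntimePermission "{p}";\n'
                    for p in REQUIRED)
    return f'grant codeBase "file:${{{prop}}}/webapps/manager/-" {{\n{perms}}};\n'


if __name__ == "__main__":
    # Constructed layout: shared manager in catalina.home, separate catalina.base.
    home, base = "/opt/tomcat", "/srv/instance1"
    shared = home + "/webapps/manager"
    for label, prop in (("before", "catalina.base"), ("after", "catalina.home")):
        missing = missing_manager_permissions(manager_grant(prop), home, base, shared)
        print(label, "missing:", missing or "none")
```

Run against a real installation by passing the contents of conf/catalina.policy and the resolved catalina.home and catalina.base paths; an empty result means the Manager code source is covered by an active grant.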
Comment 1 Mark Thomas 2011-03-09 06:39:22 UTC
Thanks for the report.

This has been fixed in trunk and will be included in 7.0.11 onwards.
Comment 2 Mark Thomas 2011-03-10 07:16:26 UTC
Created attachment 26758
Patch for tc6.0.x

Issue 1 cannot occur in 6.0.x - the relevant changes were never back-ported from 7.0.x

Patch that covers issue 2 is attached and has been proposed for 6.0.x
Comment 3 Mark Thomas 2011-06-14 11:27:52 UTC
Fixed in 6.0.x and will be included in 6.0.33 onwards.