There is a report on StackOverflow that Spring Boot (1.1.6) application fails on Tomcat 7.0.52 when running with SecurityManager enabled. https://stackoverflow.com/questions/27189047/springboot-webapp-under-java-securitymanager-throws-exceptions-when-granted-allp The error is [[[ java.lang.IllegalAccessException: Class org.apache.catalina.security.SecurityUtil$1 can not access a member of class org.springframework.boot.context.web.ErrorPageFilter with modifiers "public" at sun.reflect.Reflection.ensureMemberAccess(Reflection.java:109) ~[na:1.7.0_65] at java.lang.reflect.AccessibleObject.slowCheckMemberAccess(AccessibleObject.java:261) ~[na:1.7.0_65] at java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:253) ~[na:1.7.0_65] at java.lang.reflect.Method.invoke(Method.java:599) ~[na:1.7.0_65] at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) ~[catalina.jar:7.0.52] at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) ~[catalina.jar:7.0.52] at java.security.AccessController.doPrivileged(Native Method) ~[na:1.7.0_65] at javax.security.auth.Subject.doAsPrivileged(Subject.java:536) ~[na:1.7.0_65] at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) ~[catalina.jar:7.0.52] at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249) ~[catalina.jar:7.0.52] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237) ~[catalina.jar:7.0.52] at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) ~[catalina.jar:7.0.52] at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) ~[catalina.jar:7.0.52] at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) ~[catalina.jar:7.0.52] at java.security.AccessController.doPrivileged(Native Method) ~[na:1.7.0_65] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) ~[catalina.jar:7.0.52] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) ~[catalina.jar:7.0.52] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) [catalina.jar:7.0.52] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501) [catalina.jar:7.0.52] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170) [catalina.jar:7.0.52] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98) [catalina.jar:7.0.52] at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:683) [catalina.jar:7.0.52] at ch.qos.logback.access.tomcat.LogbackValve.invoke(LogbackValve.java:178) [logback-access-1.0.13.jar:na] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) [catalina.jar:7.0.52] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) [catalina.jar:7.0.52] at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040) [tomcat-coyote.jar:7.0.52] at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607) [tomcat-coyote.jar:7.0.52] at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:313) [tomcat-coyote.jar:7.0.52] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [na:1.7.0_65] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [na:1.7.0_65] at java.lang.Thread.run(Thread.java:745) [na:1.7.0_65] ]]] Looking at the current sources of Spring Boot, the org.springframework.boot.context.web.ErrorPageFilter class is not public, but package-visible. Reflection call fails, as Java Language rules prohibit access to that class. Such filter cannot be configured via web.xml (as its constructor is not accessible), but can be configured programmatically via ServletContext.addFilter(String, Filter). It is a rare situation, but I think that it is a valid one. My idea of the fix is that method lookup in catalina SecurityUtil shall not use targetObject.getClass().getMethod(..), but Filter.class.getMethod(). My expectation is that it will be allowed to invoke java.lang.reflect.Method declared by javax.servlet.Filter class on the targetObject object regardless of accessibility of targetObject class, but testing is needed. A bonus point is that the method cache shall become smaller.
Trivial test case to reproduce: https://github.com/markt-asf/tomcat-bug57281 I'm moving on to testing the proposed fix.
I can confirm that the proposed fix works. I'll commit it once the svn server comes back to life.
Proposed fix: https://github.com/markt-asf/tomcat/commit/fd145607a4782359e3b12711f3817fe195b0601f
Fixed in trunk, 8.0.x (for 8.0.16 onwards) and 7.0.x (for 7.0.38 onwards).
Unfortunately the fix for this issue caused a regression with Comet servlets, I opened a new bug with all the details and proposed patch https://bz.apache.org/bugzilla/show_bug.cgi?id=58116