58116 – [PATCH] Running with SecurityManager: CometProcessor servlets throw NoSuchMethodException

Bug 58116 - [PATCH] Running with SecurityManager: CometProcessor servlets throw NoSuchMethodException

Summary: [PATCH] Running with SecurityManager: CometProcessor servlets throw NoSuchMet...

Status:	RESOLVED FIXED

Alias:	None

Product:	Tomcat 8
Classification:	Unclassified
Component:	Catalina (show other bugs)
Version:	8.0.x-trunk
Hardware:	All All

Importance:	P2 regression with 5 votes (vote)
Target Milestone:	----
Assignee:	Tomcat Developers Mailing List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2015-07-08 20:47 UTC by Johno Crawford
Modified:	2015-07-29 18:06 UTC (History)
CC List:	1 user (show)

Attachments
CometProcessor servlets must not be cached as Servlet or NoSuchMethodException will be thrown. (2.39 KB, patch) 2015-07-08 20:47 UTC, Johno Crawford	Details \| Diff
Comet SecurityManager patch (3.69 KB, patch) 2015-07-29 18:05 UTC, Johno Crawford	Details \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Johno Crawford 2015-07-08 20:47:49 UTC

Created attachment 32892 [details]
CometProcessor servlets must not be cached as Servlet or NoSuchMethodException will be thrown.

The fix for https://bz.apache.org/bugzilla/show_bug.cgi?id=57281 caused a regression with Tomcat running with a SecurityManager, CometProcessor servlets throw an exception when serving a request.

Please find proposed fix in patch file.

Comment 1 Johno Crawford 2015-07-08 23:12:52 UTC

javax.servlet.ServletException: Servlet execution threw an exception
        java.security.AccessController.doPrivileged(Native Method)
        org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:218)
        org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:333)
        org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
        org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
        org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:620)
        org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1753)
        org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1712)
        java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        java.lang.Thread.run(Thread.java:745)
root cause
 
java.lang.NoSuchMethodException: javax.servlet.Servlet.event(org.apache.catalina.comet.CometEvent)
        java.lang.Class.getMethod(Class.java:1670)
        org.apache.catalina.security.SecurityUtil.createMethodAndCacheIt(SecurityUtil.java:380)
        org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:161)
        java.security.AccessController.doPrivileged(Native Method)
        org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:218)
        org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:333)
        org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
        org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
        org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:620)
        org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1753)
        org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1712)
        java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        java.lang.Thread.run(Thread.java:745)

Comment 2 Johno Crawford 2015-07-10 08:06:53 UTC

Would be nice if the fix could be backported to Tomcat 7.

Comment 3 Konstantin Kolinko 2015-07-27 20:38:49 UTC

1. This is reproducible with examples webapp (comet chat example)

2. I think the same issue exists with Filter and CometFilter. I do not have an example though. It needs a fix.

3. The patch looks as a working one (as CometProcessor extends Servlet interface)

But I wonder whether there is a better fix. It is known what methods belong to Servlet interface and what belong to CometProcessor.  The same with Filter and CometFilter.

Note: Tomcat trunk is not affected, as Comet API has been removed from Tomcat 9 onwards.

Comment 4 Mark Thomas 2015-07-29 17:35:32 UTC

I agree it certainly looks as if a better fix should be possible but having looked at this for a little while I don't see anything obvious. A cleaner final solution may be possible with a more invasive refactoring but given that Comet has been removed from Tomcat 9 onwards I think the proposed patch is the way to go (with a similar solution for filters).

Comment 5 Mark Thomas 2015-07-29 17:55:24 UTC

Thanks for the patch. It has been applied (with a minor tweak for more specific generics and an extension for CometFilter) to 8.0.x (for4 8.0.25 onwards) and 7.0.x (for 7.0.64 onwards).

Comment 6 Johno Crawford 2015-07-29 18:05:06 UTC

Created attachment 32944 [details]
Comet SecurityManager patch

Attaching new patch which addresses the same problem with CometFilter.

Comment 7 Johno Crawford 2015-07-29 18:06:13 UTC

Beat me to it, thanks a lot Konstantin and Mark!