Encountered while testing Tomcat-Native 1.2.1 release candidate with current Tomcat 9 trunk (at revision 1712593).

For some reason this issue does not happen with http://localhost:8080/, but it does happen with https://localhost:8443/

I am on Windows 7 using Java 8u66 32-bit.

Steps to reproduce:

1. Copy tcnative-1.dll into ${catalina.home}/bin

2. Copy the following files from source directory test\org\apache\tomcat\util\net\ into ${catalina.home}/conf:
   localhost-cert.pem
   localhost-key.pem

3. In conf/server.xml configure the following connector

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig honorCipherOrder="false" >
            <Certificate certificateKeyFile="conf/localhost-key.pem"
                         certificateFile="conf/localhost-cert.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

(It is the same as the commented example, but certificateKeyFile and certificateFile are updated to match file names, s/-rsa-/-/ )

4. Set JAVA_HOME and start Tomcat with SecurityManager enabled.

    cd bin
    catalina.bat start -security

5. Access https://localhost:8443/
   I am using Firefox 41.0.2

The page fails with error 500 during execution of JSP page.
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.tomcat.util.buf")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
    at java.security.AccessController.checkPermission(AccessController.java:884)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1564)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:311)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:411)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    at org.apache.catalina.connector.OutputBuffer.setConverter(OutputBuffer.java:561)
    at org.apache.catalina.connector.OutputBuffer.checkConverter(OutputBuffer.java:546)
    at org.apache.catalina.connector.Response.getWriter(Response.java:598)
    at org.apache.catalina.connector.ResponseFacade.getWriter(ResponseFacade.java:211)
    at org.apache.jasper.runtime.JspWriterImpl.initOut(JspWriterImpl.java:115)
    at org.apache.jasper.runtime.JspWriterImpl.flushBuffer(JspWriterImpl.java:108)
    at org.apache.jasper.runtime.JspWriterImpl.write(JspWriterImpl.java:326)
    at java.io.Writer.write(Writer.java:157)
    at org.apache.jsp.index_jsp._jspService(index_jsp.java:322)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:385)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:329)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)

If I refresh the page, it shows up successfully.

If I restart Tomcat, the first access to https://localhost:8443/ fails as well, so JSP compilation does not affect it.

If the first access is via https://localhost:8080/, it shows up successfully.

Further testing, with HTTP,
The following page (A Servlet 4.0 push example) fails as well
http://localhost:8080/examples/servlets/serverpush/simpleimage

java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.catalina.core")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
    at java.security.AccessController.checkPermission(AccessController.java:884)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1564)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:311)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:411)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    at org.apache.catalina.connector.Request.getPushBuilder(Request.java:1832)
    at org.apache.catalina.connector.RequestFacade.getPushBuilder(RequestFacade.java:1125)
    at http2.SimpleImagePush.doGet(SimpleImagePush.java:36)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)

Created attachment 33257
localhost.2015-11-04.log with full stacktrace for Comment 0

Created attachment 33258
localhost.2015-11-04.log with full stacktrace for Comment 1

For issue in Comment 1 refreshing the page does not help, access is still denied.

Thanks. Fixed, along with a couple of others that emerged once these were fixed.
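
A triage helper for traces like the two in this report, added here as an example (it is not part of the original report or of Tomcat): for each accessClassInPackage denial it reports the restricted package and the first frame below the permission-check and class-loading frames, which is the code that triggered the class load. The names triage, PLUMBING and SAMPLE are this example's own; SAMPLE is excerpted from the traces above.

```python
import re

# Denial message logged when a class in a restricted package is loaded.
DENIED = re.compile(
    r'AccessControlException: access denied '
    r'\("java\.lang\.RuntimePermission" "accessClassInPackage\.([\w.]+)"\)')
# One stack frame: class, method, source location.
FRAME = re.compile(r'\bat ([\w.$]+)\.([\w$<>]+)\(([^)]*)\)')
# Frames of the permission check and class loading itself, not of the caller.
PLUMBING = ("java.security.", "java.lang.SecurityManager",
            "java.lang.ClassLoader", "sun.misc.Launcher")

def triage(log_text):
    """Return (denied_package, triggering_frame) for each denial in the log."""
    findings = []
    hits = list(DENIED.finditer(log_text))
    for i, hit in enumerate(hits):
        # Only scan frames that belong to this exception.
        end = hits[i + 1].start() if i + 1 < len(hits) else len(log_text)
        trigger = None
        for frame in FRAME.finditer(log_text, hit.end(), end):
            cls, method, where = frame.groups()
            if not cls.startswith(PLUMBING):
                trigger = f"{cls}.{method}({where})"
                break
        findings.append((hit.group(1), trigger))
    return findings

# Excerpted from the two traces in this report (frames shortened).
SAMPLE = """\
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.tomcat.util.buf")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1564)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:311)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    at org.apache.catalina.connector.OutputBuffer.setConverter(OutputBuffer.java:561)
    at org.apache.catalina.connector.Response.getWriter(Response.java:598)
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.catalina.core")
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1564)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:311)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    at org.apache.catalina.connector.Request.getPushBuilder(Request.java:1832)
    at http2.SimpleImagePush.doGet(SimpleImagePush.java:36)
"""

if __name__ == "__main__":
    for package, frame in triage(SAMPLE):
        print(f"{package}  <-  {frame}")
```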