Bug 58585 - Tomcat 9.0.0-dev (@r1712593) AccessControlException on first access via HTTPS
Summary: Tomcat 9.0.0-dev (@r1712593) AccessControlException on first access via HTTPS
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Catalina (show other bugs)
Version: unspecified
Hardware: PC All
: P2 normal (vote)
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-11-04 17:52 UTC by Konstantin Kolinko
Modified: 2015-11-05 21:06 UTC (History)
0 users


Attachments
localhost.2015-11-04.log with full stacktrace for Comment 0 (6.75 KB, text/plain)
2015-11-04 18:04 UTC, Konstantin Kolinko 		Details
localhost.2015-11-04.log with full stacktrace for Comment 1 (20.34 KB, text/plain)
2015-11-04 18:07 UTC, Konstantin Kolinko 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Konstantin Kolinko 2015-11-04 17:52:20 UTC 
Encountered while testing Tomcat-Native 1.2.1 release candidate with current Tomcat 9 trunk (at revision 1712593)

For some reason this issue does not happen with http://localhost:8080/, but it does happen with https://localhost:8443/

I am on Windows 7 using Java 8u66 32-bit

Steps to reproduce:
1. Copy tcnative-1.dll into ${catalina.home}/bin
2. Copy the following files from source directory test\org\apache\tomcat\util\net\  into ${catalina.home}/conf:

localhost-cert.pem
localhost-key.pem

3. In conf/server.xml configure the following connector

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig honorCipherOrder="false" >
            <Certificate certificateKeyFile="conf/localhost-key.pem"
                         certificateFile="conf/localhost-cert.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

(It is the same as commented example, but certificateKeyFile and certificateFile are updated to match file names, s/-rsa-/-/ )

4. Set JAVA_HOME and start Tomcat with SecurityManager enabled.
cd bin
catalina.bat start -security

5. Access https://localhost:8443/
I am using Firefox 41.0.2

The page fails with error 500 during execution of JSP page.

 java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.tomcat.util.buf")
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
	at java.security.AccessController.checkPermission(AccessController.java:884)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
	at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1564)
	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:311)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:411)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
	at org.apache.catalina.connector.OutputBuffer.setConverter(OutputBuffer.java:561)
	at org.apache.catalina.connector.OutputBuffer.checkConverter(OutputBuffer.java:546)
	at org.apache.catalina.connector.Response.getWriter(Response.java:598)
	at org.apache.catalina.connector.ResponseFacade.getWriter(ResponseFacade.java:211)
	at org.apache.jasper.runtime.JspWriterImpl.initOut(JspWriterImpl.java:115)
	at org.apache.jasper.runtime.JspWriterImpl.flushBuffer(JspWriterImpl.java:108)
	at org.apache.jasper.runtime.JspWriterImpl.write(JspWriterImpl.java:326)
	at java.io.Writer.write(Writer.java:157)
	at org.apache.jsp.index_jsp._jspService(index_jsp.java:322)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:438)
	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:385)
	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:329)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)


If I refresh the page, it shows up successfully.

If I restart Tomcat, the first access to https://localhost:8443/ fails as well, so JSP compilation does not affect it.

If the first access is via https://localhost:8080/, it shows up successfully.
Comment 1 Konstantin Kolinko 2015-11-04 18:03:15 UTC 
Further testing, with HTTP,

The following page (A Servlet 4.0 push example) fails as well
http://localhost:8080/examples/servlets/serverpush/simpleimage

 java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.catalina.core")
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
	at java.security.AccessController.checkPermission(AccessController.java:884)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
	at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1564)
	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:311)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:411)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
	at org.apache.catalina.connector.Request.getPushBuilder(Request.java:1832)
	at org.apache.catalina.connector.RequestFacade.getPushBuilder(RequestFacade.java:1125)
	at http2.SimpleImagePush.doGet(SimpleImagePush.java:36)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
Comment 2 Konstantin Kolinko 2015-11-04 18:04:38 UTC 
Created attachment 33257 [details]
localhost.2015-11-04.log with full stacktrace for Comment 0
Comment 3 Konstantin Kolinko 2015-11-04 18:07:07 UTC 
Created attachment 33258 [details]
localhost.2015-11-04.log with full stacktrace for Comment 1

For issue in Comment 1 refreshing the page does not help, access is still denied.
Comment 4 Mark Thomas 2015-11-05 21:06:20 UTC 
Thanks. Fixed, along with a couple of others thsat emerged once these were fixed.