Bug 36228

Summary: (request.getHeaders(key)).nextElement() needs additional Permissions
Product: Tomcat 5 Reporter: Gernot <gernot.pfingstl>
Component: CatalinaAssignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P2    
Version: 5.5.9   
Target Milestone: ---   
Hardware: Other   
OS: other   

Description Gernot 2005-08-17 16:23:21 UTC
Running tomcat with security manager "(request.getHeaders(key)).nextElement()"
will cause following exception:

java.security.AccessControlException: access denied (java.lang.RuntimePermission
accessClassInPackage.org.apache.tomcat.util.buf)
        at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
        at java.security.AccessController.checkPermission(AccessController.java:427)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:265)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:299)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:299)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
        at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
        at org.apache.tomcat.util.buf.StringCache.toString(StringCache.java:282)
        at org.apache.tomcat.util.buf.ByteChunk.toString(ByteChunk.java:461)
        at org.apache.tomcat.util.buf.MessageBytes.toString(MessageBytes.java:209)
        at
org.apache.tomcat.util.http.ValuesEnumerator.nextElement(MimeHeaders.java:423)

To work properly you have to add
"accessClassInPackage.org.apache.tomcat.util.buf" RuntimePermission.
Using the core servlet api should not require that internal tomcat packages have
to be exposed to the webapp.
Comment 1 Remy Maucherat 2005-08-17 17:11:25 UTC
Ok.