Bug 48580

Summary: 6.0.24: AccessControlException in ProtectedFunctionMapper on first access to certain JSP
Product: Tomcat 5
Reporter: Konstantin Kolinko <knst.kolinko>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED
Severity: normal
Priority: P2
Version: Nightly Build
Target Milestone: ---
Hardware: PC
OS: Windows XP
Attachments: localhost.2010-01-20.log
localhost.2010-03-06.log from tomcat 5.5.x
2010-03-06_tc55_bug48580.patch -- backport of r915070

Description Konstantin Kolinko 2010-01-20 11:54:45 UTC
Steps to reproduce:
1. Download and install 6.0.24 release candidate
2. Run catalina start -security
3. Access http://localhost:8080/examples/jsp/jsp2/el/implicit-objects.jsp?foo=bar
4. Observe error page, with a stacktrace

java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.jasper.security)
  java.security.AccessControlContext.checkPermission(Unknown Source)
  java.security.AccessController.checkPermission(Unknown Source)
  java.lang.SecurityManager.checkPermission(Unknown Source)
  java.lang.SecurityManager.checkPackageAccess(Unknown Source)
  sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
  java.lang.ClassLoader.loadClass(Unknown Source)
  java.lang.ClassLoader.loadClass(Unknown Source)
  java.lang.ClassLoader.loadClassInternal(Unknown Source)
  org.apache.jasper.runtime.ProtectedFunctionMapper.getMapForFunction(ProtectedFunctionMapper.java:145)
  org.apache.jsp.jsp.jsp2.el.implicit_002dobjects_jsp.<clinit>(implicit_002dobjects_jsp.java:13)
...

This issue does not occur if the following JSP page is accessed before the one where it is observed:
http://localhost:8080/examples/jsp/jsp2/el/basic-arithmetic.jsp

OS: Windows XP, 32-bit, JRE version:
java version "1.6.0_17"
Java(TM) SE Runtime Environment (build 1.6.0_17-b04)
Java HotSpot(TM) Client VM (build 14.3-b01, mixed mode, sharing)
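
Added example, not part of the original report and not Tomcat code: a small Python triage helper that extracts the denied permission, the protected package and the first non-JDK frame from a trace like the one above. The names `triage`, `SAMPLE_LOG` and the JDK prefix list are assumptions of this example; the sample is an abridged copy of the trace in the report.

```python
import re

# Constructed sample: an abridged copy of the trace in the report above.
SAMPLE_LOG = """\
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.jasper.security)
  java.security.AccessControlContext.checkPermission(Unknown Source)
  java.lang.SecurityManager.checkPackageAccess(Unknown Source)
  sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
  java.lang.ClassLoader.loadClassInternal(Unknown Source)
org.apache.jasper.runtime.ProtectedFunctionMapper.getMapForFunction(ProtectedFunctionMapper.java:145)
  org.apache.jsp.jsp.jsp2.el.implicit_002dobjects_jsp.<clinit>(implicit_002dobjects_jsp.java:13)
"""

# Permission class, target name, optional actions; quotes are optional because
# later JREs print each part in double quotes.
DENIED = re.compile(
    r'AccessControlException: access denied '
    r'\("?([\w.$]+)"?\s+"?([^\s")]+)"?(?:\s+"?([^")]*)"?)?\)')
FRAME = re.compile(r'^\s*(?:at\s+)?([\w.$<>]+)\(([^)]*)\)\s*$')
JDK_PREFIXES = ("java.", "javax.", "sun.", "jdk.")  # assumption of this example
PKG_ACCESS = "accessClassInPackage."

def triage(log_text):
    """Return one dict per denial: what was denied and which non-JDK frame hit it."""
    findings, current = [], None
    for line in log_text.splitlines():
        denied = DENIED.search(line)
        if denied:
            perm, target, actions = denied.groups()
            current = {
                "permission": perm, "target": target, "actions": actions,
                # For package-access checks the target names the protected package.
                "package": target[len(PKG_ACCESS):] if target.startswith(PKG_ACCESS) else None,
                "first_app_frame": None,
            }
            findings.append(current)
            continue
        frame = FRAME.match(line)
        if current and frame and current["first_app_frame"] is None:
            if not frame.group(1).startswith(JDK_PREFIXES):
                current["first_app_frame"] = "%s(%s)" % frame.groups()
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```
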
Comment 1 Konstantin Kolinko 2010-01-20 12:02:34 UTC
*** Bug 48438 has been marked as a duplicate of this bug. ***
Comment 2 Konstantin Kolinko 2010-01-20 12:09:18 UTC
Created attachment 24866
localhost.2010-01-20.log

The stack trace with an AccessControlException and with NoClassDefFoundError errors when trying to refresh that failing page.
Comment 3 Konstantin Kolinko 2010-01-20 13:43:29 UTC
Reproduced in 6.0.24 with 6u18 and 6u16 JREs.
Reproduced in 6.0.20 with 6u18 and 6u17 JREs and catalina.policy file from 6.0.24. So, technically, it is not a regression.
Comment 4 Mark Thomas 2010-02-16 09:29:49 UTC
This has been fixed in 7.0.x and proposed for 6.0.x
Comment 5 Mark Thomas 2010-02-22 21:19:01 UTC
This has been fixed in 6.0.x and will be included in 6.0.25 onwards.
Comment 6 Konstantin Kolinko 2010-03-05 21:45:40 UTC
Observing this issue with the current tc5.5.x of revision 919529
at the following pages of jsp-examples webapp:

http://localhost:8080/jsp-examples/jsp2/el/implicit-objects.jsp?foo=bar

http://localhost:8080/jsp-examples/jsp2/el/functions.jsp?foo=JSP+2.0
Comment 7 Konstantin Kolinko 2010-03-05 21:49:45 UTC
Created attachment 25089
localhost.2010-03-06.log from tomcat 5.5.x
Comment 8 Konstantin Kolinko 2010-03-06 14:18:14 UTC
Created attachment 25094
2010-03-06_tc55_bug48580.patch -- backport of r915070

TC 5.5 patch for the issue. It is a backport of r915070.
Comment 9 Mark Thomas 2010-04-11 08:30:30 UTC
This has been fixed in 5.5.x and will be included in 5.5.30 onwards.