Summary: | [Security Manager] InnocuousThread raises SecurityException on HTTP requests | ||
---|---|---|---|
Product: | Tomcat 8 | Reporter: | 1ax |
Component: | Catalina | Assignee: | Tomcat Developers Mailing List <dev> |
Status: | RESOLVED FIXED | ||
Severity: | normal | ||
Priority: | P2 | ||
Version: | 8.5.20 | ||
Target Milestone: | ---- | ||
Hardware: | PC | ||
OS: | Linux |
Description
1ax
2017-09-27 14:56:00 UTC
InnocuousThread is hard-coded to throw a SecurityException if you try and set the context class loader. I can reproduce this with a clean 8.5.x build configured to use NIO2, a SecurityManager and JMeter running 100 threads POSTing data to one of the example servlets. Looking at fix options now... I had no idea about that weird behavior ... Catch the exception and ignore maybe, or get the thread name and avoid calling it for that "Innocuous" ? You moved the code there for performance reasons originally. The ultimate aim of the code is to make sure that any thread doesn't end up with the web application class loader as its context class loader. Rather than setting the class loader for the current thread that is then picked up by the new thread, I went for setting it on the new thread. That should meet the overall objective and avoid the issue with InnocuousThread. Fixed in: - trunk for 9.0.2 onwards - 8.5.x for 8.5.24 onwards - 8.0.x for 8.0.48 onwards |