Bug 61581

Summary: SecurityException trying to access JNI classes in Drawboard example when running with SecurityManager
Product: Tomcat 7 Reporter: Konstantin Kolinko <knst.kolinko>
Component: WebSocketAssignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P2    
Version: 7.0.82   
Target Milestone: ---   
Hardware: PC   
OS: All   
Attachments: catalina.2017-10-02.log

Description Konstantin Kolinko 2017-10-02 11:40:05 UTC 
Created attachment 35393 [details]
catalina.2017-10-02.log

Smoke-testing release candidate of Tomcat 7.0.82.

Java 8u144, Windows, running with APR connector

Steps to reproduce:
1. Start Tomcat
2. Access
http://localhost:8080/examples/websocket/drawboard.xhtml
3. Actual result:
- At client: the page fails to complete loading. It displays some parts of the page, but no drawboard area.
- At server: java.security.AccessControlException is logged

[[[
SEVERE: Unexpected exception: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.tomcat.jni")
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.tomcat.jni")
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
	at java.security.AccessController.checkPermission(AccessController.java:884)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
	at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1564)
	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:315)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:411)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
	at org.apache.coyote.http11.upgrade.AprServletOutputStream.doWriteInternal(AprServletOutputStream.java:135)
]]]

I am attaching catalina.2017-10-02.log file.
Comment 1 Konstantin Kolinko 2017-10-03 11:51:06 UTC 
AprServletOutputStream.java:135 is

  if (Status.APR_STATUS_IS_EAGAIN(-written)) {

APR_STATUS_IS_EAGAIN is a method, not a constant, and thus Java tries to load the class.

If I preload the Status class the issue does not happen.


This is: to work-around this issue, add the following attribute to JreMemoryLeakPreventionListener configured in conf/server.xml:

[[[
    classesToInitialize="org.apache.tomcat.jni.Status"
]]]
Comment 2 Mark Thomas 2017-10-06 12:00:00 UTC 
Fixed in 7.0.x for 7.0.83 onwards.