Bug 64794

Summary: Missing PropertyPermission for "org.graalvm.nativeimage.imagecode"
Product: Tomcat 9
Reporter: Konstantin Kolinko <knst.kolinko>
Component: Jasper
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED
Severity: normal
Priority: P2
Version: 9.0.38
Target Milestone: -----
Hardware: PC
OS: All

Description Konstantin Kolinko 2020-10-07 16:40:39 UTC
org.apache.jasper.runtime.JspRuntimeLibrary class fails to initialize when Tomcat is running under a Security Manager.

Steps to reproduce:
1. Set JAVA_HOME to a JDK. I use AdoptOpenJDK 11.0.8, on Windows.
2. Start "catalina.bat start -security"
3. Access http://localhost:8080/
The page fails fatally when it tries to render an EL expression in a JSP page.

[[[
HTTP Status 500 – Internal Server Error
...

org.apache.jasper.JasperException: An exception occurred processing [index.jsp] at line [38]

35:     <body>
36:         <div id="wrapper">
37:             <div id="navigation" class="curved container">
38:                 <span id="nav-home"><a href="${tomcatUrl}">Home</a></span>
39:                 <span id="nav-hosts"><a href="${tomcatDocUrl}">Documentation</a></span>
40:                 <span id="nav-config"><a href="${tomcatDocUrl}config/">Configuration</a></span>
41:                 <span id="nav-examples"><a href="${tomcatExamplesUrl}">Examples</a></span>


Stacktrace:
...

Root Cause:

java.security.AccessControlException: access denied ("java.util.PropertyPermission" "org.graalvm.nativeimage.imagecode" "read")
  java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
  java.base/java.security.AccessController.checkPermission(AccessController.java:897)
  java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
  java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1066)
  java.base/java.lang.System.getProperty(System.java:816)
  org.apache.jasper.runtime.JspRuntimeLibrary.<clinit>(JspRuntimeLibrary.java:72)
  org.apache.jasper.el.JasperELResolver.<init>(JasperELResolver.java:70)
  ...
]]]

Looking at the code of JspRuntimeLibrary class, reading that property was added by commit 73288c6b3c979777054e4fc5baf0163c84bb2ac9 [1] on 2020-07-24.

[1] https://github.com/apache/tomcat/commit/73288c6b3c979777054e4fc5baf0163c84bb2ac9

Notes:

1. The issue is reproducible for Tomcat 9.0.39 (release candidate) and 9.0.38.

I have not tested 9.0.37 yet, but judging by the date of the commit, I think that version is not affected.


2. A workaround is to add a permission to the conf/catalina.policy file. A line to be added to the section of generic permissions ("grant {"):

[[[
    permission java.util.PropertyPermission "org.graalvm.nativeimage.imagecode", "read";
]]]


3. Looking at the commit [1], the change was added to 3 files.

4. Maybe document this property at
https://tomcat.apache.org/tomcat-9.0-doc/config/systemprops.html
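
The workaround in note 2 can be checked mechanically. The Python sketch below is an added example, not part of the bug report or of Tomcat: it reports whether the generic "grant {" block of a policy file gives read access to the property. The sample policy text, the function names and the simplified parser (only // comments are handled, AllPermission is not considered) are assumptions.

```python
import re

PROP = "org.graalvm.nativeimage.imagecode"  # property named in the report

# Constructed sample policy, not the shipped conf/catalina.policy: the
# permission is present, but only in a codeBase-scoped grant.
POLICY_MISSING = '''
// generic permissions
grant {
    permission java.util.PropertyPermission "java.version", "read";
};
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
    permission java.util.PropertyPermission "org.graalvm.nativeimage.imagecode", "read";
};
'''
# Same policy with the workaround line added to the generic grant block.
POLICY_FIXED = POLICY_MISSING.replace(
    '"java.version", "read";',
    '"java.version", "read";\n'
    '    permission java.util.PropertyPermission "%s", "read";' % PROP, 1)

# grant <header> { <body> }; with quoted strings consumed whole, so the
# braces in "${catalina.home}" do not end the header or body early.
GRANT_RE = re.compile(r'\bgrant\b((?:[^{"]|"[^"]*")*)\{((?:[^}"]|"[^"]*")*)\}\s*;')
PERM_RE = re.compile(r'permission\s+java\.util\.PropertyPermission\s+"([^"]+)"\s*,\s*"([^"]+)"\s*;')

def strip_comments(text):
    """Drop // comments at line start or after whitespace (keeps "file://...")."""
    return re.sub(r'(^|\s)//[^\n]*', r'\1', text, flags=re.M)

def covers(name, prop):
    """PropertyPermission name match: exact, "*", or a trailing ".*"."""
    if name in ("*", prop):
        return True
    return name.endswith(".*") and prop.startswith(name[:-1])

def generic_grant_allows_read(policy_text, prop=PROP):
    """True if a grant with no codeBase/signedBy/principal permits reading prop."""
    for header, body in GRANT_RE.findall(strip_comments(policy_text)):
        if header.strip():  # scoped grant: not the generic block
            continue
        for name, actions in PERM_RE.findall(body):
            acts = [a.strip().lower() for a in actions.split(",")]
            if covers(name, prop) and "read" in acts:
                return True
    return False

if __name__ == "__main__":
    print(generic_grant_allows_read(POLICY_MISSING), generic_grant_allows_read(POLICY_FIXED))
```
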

Comment 1 Remy Maucherat 2020-10-07 21:23:56 UTC
That's a bit odd since JspRuntimeLibrary is in Jasper's SecurityClassLoad.

About 4, the system property is meant to be set automatically by Graal (eventually), and it is used in the Graal/AOT doc page. It has no other use.

Comment 2 Remy Maucherat 2020-10-08 07:13:16 UTC
This will be in 10.0.0-M10 and 9.0.40.