If I run "catalina.bat start -security" with the latest tc6.0.x as of rev.881628, it fails with the following exception: 18.11.2009 4:36:16 org.apache.catalina.loader.WebappClassLoader findClass WARNING: WebappClassLoader.findClassInternal(chat.ChatServlet) security exception: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina) java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323) at java.security.AccessController.checkPermission(AccessController.java:546) at java.lang.SecurityManager.checkPermission(SecurityManager.java:532) at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512) at java.lang.ClassLoader$1.run(ClassLoader.java:331) at java.security.AccessController.doPrivileged(Native Method) at java.lang.ClassLoader.checkPackageAccess(ClassLoader.java:329) at java.lang.ClassLoader.defineClass1(Native Method) at java.lang.ClassLoader.defineClass(ClassLoader.java:621) at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:124) at org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappClassLoader.java:1956) at org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:913) at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1387) at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1266) at org.apache.catalina.startup.WebAnnotationSet.loadApplicationServletAnnotations(WebAnnotationSet.java:108) at org.apache.catalina.startup.WebAnnotationSet.loadApplicationAnnotations(WebAnnotationSet.java:58) at org.apache.catalina.startup.ContextConfig.applicationAnnotationsConfig(ContextConfig.java:297) at org.apache.catalina.startup.ContextConfig.start(ContextConfig.java:1069) at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:261) at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119) at org.apache.catalina.core.StandardContext.start(StandardContext.java:4339) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791) at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:123) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:769) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526) at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:989) at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:912) at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:495) at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1225) at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:314) at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053) at org.apache.catalina.core.StandardHost.start(StandardHost.java:722) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045) at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443) at org.apache.catalina.core.StandardService.start(StandardService.java:516) at org.apache.catalina.core.StandardServer.start(StandardServer.java:710) at org.apache.catalina.startup.Catalina.start(Catalina.java:583) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) Apparently the cause of it is that the chat.ChatServlet class of the examples webapp fails to load the following classes: org.apache.catalina.CometEvent; org.apache.catalina.CometProcessor; This issue is observable in 6.0.20, but manifests itself silently: the following URL [1] works when running without security manager and fails with Error 500 (java.lang.ClassNotFoundException: chat.ChatServlet) when running with security manager. [1] http://localhost:8080/examples/jsp/chat/chat I mean that the statement that prints out the exception was added in revision 832373 and 6.0.20 just swallows it. I wonder a) whether we should preload those Comet API classes, b) why do we have them directly in "org.apache.catalina", c) whether there is another way to fix it, e.g. like Servlet API classes do not throw such exception though they are not preloaded
Access is controlled per package so the Comet API really needs to be in a separate package (like the Servlet API). This was done for trunk in r833510 but it is an API breaking change so a straight back-port to 6.0.x is not possible. Given the circumstances, I leaning towards won't fix for this issue.
Thought about this some more and there is no easy fix for 6.0.x that doesn't break the API. Note this has been fixed for 7.0.x but is a WONTFIX for 6.0.x.
Created attachment 25379 [details] 2010-04-30_tc6_bug48218.patch - patch for catalina.policy Attaching a patch for catalina.policy. For reference: RuntimePermission matching rules are described in its JavaDoc: http://java.sun.com/javase/6/docs/api/java/lang/RuntimePermission.html I will not propose this patch for TC6. Granting this permission by default is too risky because it provides access to Server API. Granting it to the examples app, as the patch does, is better, but will confuse those who do not have the examples app installed. This issue remains as WONTFIX. We can add a note to the RELEASE-NOTES, though.
*** Bug 49212 has been marked as a duplicate of this bug. ***