Bug 48438 - RC2 of 6.0.21: java.security.AccessControlException on Error 500 page
Summary: RC2 of 6.0.21: java.security.AccessControlException on Error 500 page
Status: RESOLVED DUPLICATE of bug 48580
Alias: None
Product: Tomcat 6
Classification: Unclassified
Component: Jasper
Version: 6.0.20
Hardware: PC Windows XP
Importance: P2 normal
Target Milestone: default
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2009-12-23 05:26 UTC by Konstantin Kolinko
Modified: 2010-01-20 12:02 UTC
0 users

/webapps/examples/jsp/tagplugin/if.jsp (1.62 KB, application/octet-stream)
2009-12-23 05:26 UTC, Konstantin Kolinko
localhost.2009-12-23.log that contains the full stack trace (3.84 KB, text/plain)
2009-12-23 05:28 UTC, Konstantin Kolinko
localhost.2009-12-23.log for Comment 2 (37.01 KB, text/plain)
2009-12-23 06:08 UTC, Konstantin Kolinko

Description Konstantin Kolinko 2009-12-23 05:26:17 UTC
Created attachment 24753

Steps to reproduce:
1. Download and install 6.0.21 release candidate "try2"
2. Replace /webapps/examples/jsp/tagplugin/if.jsp with the file attached to this bug report. It has a few lines added to reproduce bug 48112.
3. Run catalina start -security
4. Access http://localhost:8080/examples/jsp/tagplugin/if.jsp
5. Observe Error 500 page with java.security.AccessControlException

java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.jasper.security)
	java.security.AccessControlContext.checkPermission(Unknown Source)
	java.security.AccessController.checkPermission(Unknown Source)
	java.lang.SecurityManager.checkPermission(Unknown Source)
	java.lang.SecurityManager.checkPackageAccess(Unknown Source)
	sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
	java.lang.ClassLoader.loadClass(Unknown Source)
	java.lang.ClassLoader.loadClass(Unknown Source)
	java.lang.ClassLoader.loadClassInternal(Unknown Source)

The full stack trace will be in an attachment.

6. If run without Security manager, the error report as described in bug 48112 is observed, that is
org.apache.el.parser.ParseException: Encountered " <ILLEGAL_CHARACTER> "\' ""
at line 1, column 11.

5. is the unexpected result, 6. is the expected result
Comment 1 Konstantin Kolinko 2009-12-23 05:28:43 UTC
Created attachment 24754
localhost.2009-12-23.log that contains the full stack trace
Comment 2 Konstantin Kolinko 2009-12-23 06:01:26 UTC
Retrying to reproduce this with

If I add the following four lines to the end of the file:
    <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
    <%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
    <c:out value="${fn:trim('{world}')}"/>

When running with Security Manager I observe three different behaviors:

A). The proper error report from bug 48112
org.apache.el.parser.ParseException: Encountered " <ILLEGAL_CHARACTER> "\' ""
at line 1, column 11.

To reproduce:
1. Clear the working directory
2. Start Tomcat
3. Remove added lines from basic-arithmetic.jsp, so that it becomes valid
4. Browse http://localhost:8080/examples/jsp/jsp2/el/basic-arithmetic.jsp
5. Add the lines to basic-arithmetic.jsp
6. Reload the page in the browser
7. Observe the error

B). AccessControlException

To reproduce:
1. Clear the working directory
2. Start Tomcat
3. Add the lines to basic-arithmetic.jsp
4. Browse http://localhost:8080/examples/jsp/jsp2/el/basic-arithmetic.jsp
5. Observe the error

C). NoClassDefFoundError

To reproduce:
1. Run A) or B)
2. Stop Tomcat and do *not* clear the working directory
3. Start Tomcat
4. Browse http://localhost:8080/examples/jsp/jsp2/el/basic-arithmetic.jsp
5. Observe the error

java.lang.NoClassDefFoundError: Could not initialize class org.apache.jsp.jsp.jsp2.el.basic_002darithmetic_jsp
	sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
	sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
	java.lang.reflect.Constructor.newInstance(Unknown Source)
	java.lang.Class.newInstance0(Unknown Source)
	java.lang.Class.newInstance(Unknown Source)

I observe the following oddity:
1. Run B)
2. In the working folder both java and class file for the page are present:

So, how does it produce a class file when java file generation should have failed with an exception?
Comment 3 Konstantin Kolinko 2009-12-23 06:08:21 UTC
Created attachment 24755
localhost.2009-12-23.log for Comment 2
Comment 4 Konstantin Kolinko 2009-12-23 06:15:23 UTC
Additional observation for A):

That org.apache.el.parser.ParseException: occurs at run time, not at compile time!

It explains why the class file is generated.

You can see the stacktrace for this case in attachment 24755.

It is
 at org.apache.el.parser.ELParser.generateParseException(ELParser.java:2142)
 at org.apache.el.parser.ELParser.jj_consume_token(ELParser.java:2024)
 (.. a dozen of ELParser methods)
 (.. a pair of ExpressionBuilder methods)
 at org.apache.el.ExpressionFactoryImpl.createValueExpression(ExpressionFactoryImpl.java:68)
 at org.apache.jasper.runtime.PageContextImpl$13.run(PageContextImpl.java:919)
 at java.security.AccessController.doPrivileged(Native Method)
 at org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(PageContextImpl.java:913)
 at org.apache.jsp.jsp.jsp2.el.basic_002darithmetic_jsp._jspx_meth_c_005fout_005f0(basic_002darithmetic_jsp.java:205)
 at org.apache.jsp.jsp.jsp2.el.basic_002darithmetic_jsp._jspService(basic_002darithmetic_jsp.java:179)

So it occurs in _jspService() of a running page, when it calls PageContextImpl.proprietaryEvaluate to evaluate an EL expression.
Comment 5 Konstantin Kolinko 2010-01-20 12:02:34 UTC
It is a duplicate of bug 48580.

That this page would fail without SecurityManager is just a coincidence.
With a SecurityManager it does not initialize (fails in its <clinit>), and that happens earlier than any EL evaluation takes place.

*** This bug has been marked as a duplicate of bug 48580 ***
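
Added example, not part of the bug report or of Tomcat's code: a small triage helper that sorts a trace excerpt into behaviours A, B and C from Comment 2, extracts the denied permission for B, and applies the Comment 4 check (frames in `_jspService` and `proprietaryEvaluate`) to tell whether the EL ParseException was raised while the page was running. The names `triage` and `TRACE_*` are hypothetical.

```python
import re

# Java 6 prints the permission unquoted, as in this report; later JDKs quote
# each field. Both are accepted; targets that contain spaces are not handled.
DENIED = re.compile(
    r'AccessControlException: access denied \('
    r'"?(?P<perm>[\w.$]+)"?\s+"?(?P<target>[^\s")]+)"?'
    r'(?:\s+"?(?P<actions>[^")]+)"?)?\)')
INIT_FAILED = re.compile(
    r'NoClassDefFoundError: Could not initialize class (?P<cls>[\w.$]+)')
EL_PARSE = re.compile(r'org\.apache\.el\.parser\.ParseException')
# Frames appear with "at " (log file) or without it (Tomcat error page).
FRAME = re.compile(r'^\s*(?:at\s+)?(?P<method>[\w.$<>]+)\(', re.M)


def triage(trace):
    """Map one trace excerpt to behaviour A, B or C from Comment 2."""
    frames = [m.group('method') for m in FRAME.finditer(trace)]
    m = DENIED.search(trace)
    if m:
        return {'behaviour': 'B', 'permission': m.group('perm'),
                'target': m.group('target'), 'actions': m.group('actions'),
                'package_check': 'java.lang.SecurityManager.checkPackageAccess' in frames}
    m = INIT_FAILED.search(trace)
    if m:
        return {'behaviour': 'C', 'class': m.group('cls')}
    if EL_PARSE.search(trace):
        # Comment 4: the exception is raised while the compiled page runs.
        runtime = (any(f.endswith('._jspService') for f in frames) and
                   any(f.endswith('.proprietaryEvaluate') for f in frames))
        return {'behaviour': 'A', 'raised_at_runtime': runtime}
    return None


# Excerpts shortened from the traces quoted in this report.
TRACE_B = """java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.jasper.security)
    java.lang.SecurityManager.checkPermission(Unknown Source)
    java.lang.SecurityManager.checkPackageAccess(Unknown Source)
"""
TRACE_C = ("java.lang.NoClassDefFoundError: Could not initialize class "
           "org.apache.jsp.jsp.jsp2.el.basic_002darithmetic_jsp")
TRACE_A = """org.apache.el.parser.ParseException: Encountered
 at org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(PageContextImpl.java:913)
 at org.apache.jsp.jsp.jsp2.el.basic_002darithmetic_jsp._jspService(basic_002darithmetic_jsp.java:179)
"""

if __name__ == '__main__':
    for excerpt in (TRACE_B, TRACE_C, TRACE_A):
        print(triage(excerpt))
```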