Bug 48580 - 6.0.24: AccessControlException in ProtectedFunctionMapper on first access to certain JSP
6.0.24: AccessControlException in ProtectedFunctionMapper on first access to ...
Product: Tomcat 5
Classification: Unclassified
Component: Catalina
Nightly Build
PC Windows XP
: P2 normal (vote)
: ---
Assigned To: Tomcat Developers Mailing List
: 48438 (view as bug list)
Depends on:
  Show dependency tree
Reported: 2010-01-20 11:54 UTC by Konstantin Kolinko
Modified: 2010-04-11 08:30 UTC (History)
0 users

localhost.2010-01-20.log (15.78 KB, text/plain)
2010-01-20 12:09 UTC, Konstantin Kolinko
localhost.2010-03-06.log from tomcat 5.5.x (6.77 KB, text/plain)
2010-03-05 21:49 UTC, Konstantin Kolinko
2010-03-06_tc55_bug48580.patch -- backport of r915070 (664 bytes, patch)
2010-03-06 14:18 UTC, Konstantin Kolinko
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Konstantin Kolinko 2010-01-20 11:54:45 UTC
Steps to reproduce:
1. Download and install 6.0.24 release candidate
2. Run  catalina start -security
3. Access  http://localhost:8080/examples/jsp/jsp2/el/implicit-objects.jsp?foo=bar
4. Observe error page, with a stacktrace

java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.jasper.security)
  java.security.AccessControlContext.checkPermission(Unknown Source)
  java.security.AccessController.checkPermission(Unknown Source)
  java.lang.SecurityManager.checkPermission(Unknown Source)
  java.lang.SecurityManager.checkPackageAccess(Unknown Source)
  sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
  java.lang.ClassLoader.loadClass(Unknown Source)
  java.lang.ClassLoader.loadClass(Unknown Source)
  java.lang.ClassLoader.loadClassInternal(Unknown Source)

This issues does not occur if the following JSP page is accessed before the one where it is observed:

OS: Windows XP, 32-bit,  JRE version:
java version "1.6.0_17"
Java(TM) SE Runtime Environment (build 1.6.0_17-b04)
Java HotSpot(TM) Client VM (build 14.3-b01, mixed mode, sharing)
Comment 1 Konstantin Kolinko 2010-01-20 12:02:34 UTC
*** Bug 48438 has been marked as a duplicate of this bug. ***
Comment 2 Konstantin Kolinko 2010-01-20 12:09:18 UTC
Created attachment 24866 [details]

The stack trace with an AccessControlException and with NoClassDefFoundError errors when trying to refresh that failing page.
Comment 3 Konstantin Kolinko 2010-01-20 13:43:29 UTC
Reproduced in 6.0.24 with 6u18 and 6u16 JREs.
Reproduced in 6.0.20 with 6u18 and 6u17 JREs and catalina.policy file from 6.0.24. So, technically, it is not a regression.
Comment 4 Mark Thomas 2010-02-16 09:29:49 UTC
This has been fixed in 7.0.x and proposed for 6.0.x
Comment 5 Mark Thomas 2010-02-22 21:19:01 UTC
This has been fixed in 6.0.x and will be included in 6.0.25 onwards.
Comment 6 Konstantin Kolinko 2010-03-05 21:45:40 UTC
Observing this issue with the current tc5.5.x of revision 919529
at the following pages of jsp-examples webapp:


Comment 7 Konstantin Kolinko 2010-03-05 21:49:45 UTC
Created attachment 25089 [details]
localhost.2010-03-06.log from tomcat 5.5.x
Comment 8 Konstantin Kolinko 2010-03-06 14:18:14 UTC
Created attachment 25094 [details]
2010-03-06_tc55_bug48580.patch -- backport of r915070

TC 5.5 patch for the issue. It is a backport of r915070.
Comment 9 Mark Thomas 2010-04-11 08:30:30 UTC
This has been fixed in 5.5.x and will be included in 5.5.30 onwards.