Bug 56545 - Examples app security exceptions
Status: RESOLVED FIXED
Product: Tomcat 7
Classification: Unclassified
Component: Catalina
Version: 7.0.54
Hardware: PC All
Importance: P2 normal
Assigned To: Tomcat Developers Mailing List
Reported: 2014-05-19 20:37 UTC by Konstantin Kolinko
Modified: 2014-05-26 14:16 UTC

Attachments:
(1) localhost.2014-05-20.log (8.02 KB, text/plain), 2014-05-19 20:37 UTC, Konstantin Kolinko
(2) localhost.2014-05-20.log (20.01 KB, text/plain), 2014-05-19 20:52 UTC, Konstantin Kolinko

Description Konstantin Kolinko 2014-05-19 20:37:45 UTC
Created attachment 31637: (1) localhost.2014-05-20.log

Testing the examples web application in the 8.0.8 release candidate, running with the Security Manager enabled, with the NIO connector, JDK 7u55 32-bit, on Win7, I see several issues.

Steps to reproduce (1).

1. Edit conf/tomcat-users.xml and uncomment the sample roles there.
2. Start Tomcat with: bin/catalina.bat start -security

3. Access the following page:
http://localhost:8080/examples/jsp/security/protected/index.jsp

Expected: Login page
Actual: Error 500
Access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.tomcat.util.http.parser")

The stack trace is:

java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.tomcat.util.http.parser")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
    at java.security.AccessController.checkPermission(AccessController.java:559)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1525)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:305)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:412)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
    at org.apache.tomcat.util.http.parser.HttpParser.skipConstant(HttpParser.java:305)
    at org.apache.tomcat.util.http.parser.HttpParser.parseMediaType(HttpParser.java:192)
    at org.apache.tomcat.util.http.parser.MediaTypeCache.parse(MediaTypeCache.java:54)
    at org.apache.catalina.connector.Response.setContentType(Response.java:712)
    at org.apache.jsp.jsp.security.protected_.login_jsp._jspService(login_jsp.java:52)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)

See attached "(1) localhost.2014-05-20.log" for the full stack trace.
Comment 1 Konstantin Kolinko 2014-05-19 20:44:40 UTC
The workaround for the issue in Comment 0 is to add the following class to the value of the classesToInitialize attribute of the JreMemoryLeakPreventionListener in server.xml. E.g.:

<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"
classesToInitialize="org.apache.tomcat.util.http.parser.HttpParser$SkipConstantResult" />
Comment 2 Konstantin Kolinko 2014-05-19 20:51:16 UTC
4. On the login page, enter a username (role1) and password (see tomcat-users.xml). Press the "Login" button.
5. Look into logs/localhost.2014-05-20.log.
There is an exception thrown by the session attribute event listener.

org.apache.catalina.session.StandardSession.setAttribute Session attribute event listener threw exception
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.catalina.util")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
    at java.security.AccessController.checkPermission(AccessController.java:559)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1525)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:305)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:412)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
    at org.apache.catalina.users.MemoryUser.toString(MemoryUser.java:312)
    at javax.security.auth.Subject.toString(Subject.java:842)
    at javax.security.auth.Subject.toString(Subject.java:825)
    at java.lang.String.valueOf(String.java:2854)
    at java.lang.StringBuilder.append(StringBuilder.java:128)
    at listeners.SessionListener.attributeAdded(SessionListener.java:56)
    at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1546)

6. Press the logout link ("you can log off by clicking here.").
7. The same exception is thrown for the "attributeRemoved" event.

From the stack trace (at org.apache.catalina.users.MemoryUser.toString(MemoryUser.java:312)), my guess is that it tries to call the static method RequestUtil.filter(username).
Comment 3 Konstantin Kolinko 2014-05-19 20:52:40 UTC
Created attachment 31638: (2) localhost.2014-05-20.log

Log file with exceptions for issue in Comment 2.
Comment 4 Konstantin Kolinko 2014-05-19 20:56:39 UTC
The workaround for the issue in Comment 2 is to add "org.apache.catalina.util.RequestUtil" to the value of the classesToInitialize attribute.

With the following configuration both issues are resolved:

  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"
   classesToInitialize=
   "org.apache.tomcat.util.http.parser.HttpParser$SkipConstantResult,
    org.apache.catalina.util.RequestUtil"
  />
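The two workarounds above were found by reading the denied package out of the AccessControlException and then tracing the first Tomcat frame below the JDK class-loader frames to the class it loads lazily. The following Python script is an added example (not Tomcat code and not part of this bug report) that automates the first half of that triage over a localhost log: it reports each distinct denied package together with the Tomcat method that triggered the load, and renders the server.xml Listener element for the classes once they have been identified. The sample log is constructed from the two traces in Comment 0 and Comment 2 (frames abridged, with a second copy of the catalina.util trace standing in for the attributeRemoved event); the mapping from triggering method to class to preload is still done by hand from the source, as it was in this bug.

```python
"""Triage "accessClassInPackage" denials in a Tomcat localhost log.

Added example, not Tomcat code. Under a SecurityManager, loading a class
from a package listed in the JDK's "package.access" security property
runs checkPackageAccess(), which fails when web application code (here
the examples' JSPs and SessionListener) is on the call stack while
Tomcat lazily loads one of its own classes. The log records only the
denied package and the Tomcat method that triggered the load; the class
to list in classesToInitialize is then read off that method's source.
"""
import re
from collections import OrderedDict

# Constructed sample, abridged from the traces reported in this bug.
SAMPLE_LOG = """\
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.tomcat.util.http.parser")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1525)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:305)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
    at org.apache.tomcat.util.http.parser.HttpParser.skipConstant(HttpParser.java:305)
    at org.apache.tomcat.util.http.parser.HttpParser.parseMediaType(HttpParser.java:192)
    at org.apache.catalina.connector.Response.setContentType(Response.java:712)
    at org.apache.jsp.jsp.security.protected_.login_jsp._jspService(login_jsp.java:52)

org.apache.catalina.session.StandardSession.setAttribute Session attribute event listener threw exception
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.catalina.util")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1525)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:305)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
    at org.apache.catalina.users.MemoryUser.toString(MemoryUser.java:312)
    at javax.security.auth.Subject.toString(Subject.java:842)
    at listeners.SessionListener.attributeAdded(SessionListener.java:56)
    at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1546)

java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.catalina.util")
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1525)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:305)
    at org.apache.catalina.users.MemoryUser.toString(MemoryUser.java:312)
    at listeners.SessionListener.attributeRemoved(SessionListener.java)
"""

DENIAL_RE = re.compile(
    r'access denied \("java\.lang\.RuntimePermission" '
    r'"accessClassInPackage\.(?P<pkg>[\w.$]+)"\)'
)
FRAME_RE = re.compile(
    r'^\s*at (?P<cls>[\w.$]+)\.(?P<meth>[\w$<>]+)\((?P<loc>[^)]*)\)'
)
# Frames from these packages belong to the JDK's permission check and class
# loaders; the first frame below them is the code that forced the load.
JDK_PREFIXES = ("java.", "javax.", "sun.", "jdk.")


def find_package_access_denials(log_text):
    """Return one record per distinct (denied package, triggering method).

    Each record carries the package named in the AccessControlException, the
    first non-JDK frame of the trace (the method whose code caused the lazy
    class load) and how many times that pair occurs in the log.
    """
    findings = OrderedDict()
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = DENIAL_RE.search(line)
        if not m:
            continue
        trigger = None
        for frame in lines[i + 1:]:
            if not frame.lstrip().startswith("at "):
                break  # end of this stack trace
            fm = FRAME_RE.match(frame)
            if fm and not fm.group("cls").startswith(JDK_PREFIXES):
                trigger = "%s.%s(%s)" % fm.group("cls", "meth", "loc")
                break
        key = (m.group("pkg"), trigger)
        rec = findings.setdefault(
            key, {"package": key[0], "triggered_by": trigger, "count": 0})
        rec["count"] += 1
    return list(findings.values())


def listener_element(classes):
    """Render the server.xml workaround for fully qualified class names that
    were identified from the triggering methods (hand-determined)."""
    joined = ",\n        ".join(classes)
    return ('<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"\n'
            '    classesToInitialize="{}" />'.format(joined))


if __name__ == "__main__":
    for rec in find_package_access_denials(SAMPLE_LOG):
        print("%(count)dx package %(package)s, triggered by %(triggered_by)s" % rec)
    print(listener_element([
        "org.apache.tomcat.util.http.parser.HttpParser$SkipConstantResult",
        "org.apache.catalina.util.RequestUtil",
    ]))
```

Run it against logs/localhost.YYYY-MM-DD.log from a -security run; the triggering method is the place to look for the class that must be preloaded (HttpParser.skipConstant loads HttpParser$SkipConstantResult, MemoryUser.toString loads RequestUtil), and the rendered element is what goes into server.xml until the fixed release is deployed.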
Comment 5 Mark Thomas 2014-05-19 22:13:29 UTC
Updated the version now that I have added 8.0.8 to the list of versions for 8.0.x.
Comment 6 Mark Thomas 2014-05-20 11:26:14 UTC
These issues have been fixed in 8.0.x for 8.0.9 onwards.
Comment 7 Konstantin Kolinko 2014-05-21 13:34:10 UTC
The issue from Comment 0 is reproducible with 7.0.54 release candidate,
using JDK 7u55 and the same reproduction recipe.

The issue from Comment 2 does not happen.

The workaround is as documented above,

> The workaround for the issue in Comment 0 is to add the following class to
> the value of classesToInitialize attribute of
> JreMemoryLeakPreventionListener in server.xml. E.g.:

 <Listener
  className="org.apache.catalina.core.JreMemoryLeakPreventionListener"
  classesToInitialize="org.apache.tomcat.util.http.parser.HttpParser$SkipConstantResult" />

For the record, in 6.0.41 the issues do not happen.
Comment 8 Konstantin Kolinko 2014-05-26 14:16:19 UTC
Fixed in Tomcat 7 by r1597592 and will be in 7.0.55.

I did not backport r1596201.