Tomcat 8.0.24, Java 1.8u45.

Tomcat is run with a Java security manager, and a policy file containing a grant to a principal class, as in:

grant principal javax.management.remote.JMXPrincipal "jmx" {
    permission java.security.AllPermission;
};

On a thread with an implied Subject containing at least one Principal, perform an action which requires a Java permission check. The Java Policy file implementation will attempt to load the principal class from the policy file. The Tomcat WebappClassLoaderBase.loadClass method will check for a system class using getResource on the system loader. This will in turn trigger another permission check which will then attempt to load the principal class again, triggering the ClassCircularityError.

Here's a stack trace extract showing the error:

Class<T>.forName(String, boolean, ClassLoader) line: 348
PolicyFile.addPermissions(Permissions, CodeSource, Principal[], PolicyFile$PolicyEntry) line: 1357
PolicyFile.getPermissions(Permissions, CodeSource, Principal[]) line: 1228
PolicyFile.getPermissions(Permissions, ProtectionDomain) line: 1191
PolicyFile.getPermissions(ProtectionDomain) line: 1132
PolicyFile.implies(ProtectionDomain, Permission) line: 1086
ProtectionDomain.implies(Permission) line: 272
AccessControlContext.checkPermission(Permission) line: 435
AccessController.checkPermission(Permission) line: 884
SecurityManager.checkPermission(Permission) line: 549
URLClassPath.check(URL) line: 607
URLClassPath$JarLoader.checkResource(String, boolean, JarEntry) line: 924
URLClassPath$JarLoader.getResource(String, boolean) line: 1007
URLClassPath.getResource(String, boolean) line: 212
URLClassPath.getResource(String) line: 265
ClassLoader.getBootstrapResource(String) line: 1261
Launcher$ExtClassLoader(ClassLoader).getResource(String) line: 1090
WebappClassLoader(WebappClassLoaderBase).loadClass(String, boolean) line: 1230
WebappClassLoader(WebappClassLoaderBase).loadClass(String) line: 1164
Class<T>.forName0(String, boolean, ClassLoader, Class<?>) line: not available [native method]
Class<T>.forName(String, boolean, ClassLoader) line: 348
PolicyFile.addPermissions(Permissions, CodeSource, Principal[], PolicyFile$PolicyEntry) line: 1357
PolicyFile.getPermissions(Permissions, CodeSource, Principal[]) line: 1228
PolicyFile.getPermissions(Permissions, ProtectionDomain) line: 1191
PolicyFile.getPermissions(ProtectionDomain) line: 1132
PolicyFile.implies(ProtectionDomain, Permission) line: 1086
ProtectionDomain.implies(Permission) line: 272
AccessControlContext.checkPermission(Permission) line: 435
AccessController.checkPermission(Permission) line: 884
SecurityManager.checkPermission(Permission) line: 549
SecurityManager.checkRead(String) line: 888
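
A triage aid for traces like the one above, added here as an example and not part of the original report or of Tomcat: it parses the debugger-style frames and reports the frame that is re-entered on the same thread, together with the class-loader frame and the nested permission check that sit between the two occurrences. The function names are hypothetical, and the sample is an excerpt of the report's frames with intermediate frames omitted.

```python
import re

# Debugger-style frame: Type(DeclaringType).method(args) line: N
FRAME = re.compile(r"(?P<type>[\w$<>?]+)(?:\((?P<decl>[\w$]+)\))?"
                   r"\.(?P<method>\w+)\(.*\) line: (?P<line>.+)")

# Excerpt of the report's trace, innermost frame first; intermediate frames omitted.
SAMPLE = """\
Class<T>.forName(String, boolean, ClassLoader) line: 348
PolicyFile.addPermissions(Permissions, CodeSource, Principal[], PolicyFile$PolicyEntry) line: 1357
PolicyFile.implies(ProtectionDomain, Permission) line: 1086
SecurityManager.checkPermission(Permission) line: 549
URLClassPath.check(URL) line: 607
Launcher$ExtClassLoader(ClassLoader).getResource(String) line: 1090
WebappClassLoader(WebappClassLoaderBase).loadClass(String, boolean) line: 1230
Class<T>.forName0(String, boolean, ClassLoader, Class<?>) line: not available [native method]
Class<T>.forName(String, boolean, ClassLoader) line: 348
PolicyFile.addPermissions(Permissions, CodeSource, Principal[], PolicyFile$PolicyEntry) line: 1357
PolicyFile.implies(ProtectionDomain, Permission) line: 1086
SecurityManager.checkPermission(Permission) line: 549
SecurityManager.checkRead(String) line: 888
"""

def parse_frames(trace):
    """Return (declaring type, method, line) for each parsable frame line."""
    frames = []
    for raw in trace.splitlines():
        m = FRAME.fullmatch(raw.strip())
        if m:  # skip blank lines and anything that is not a frame
            frames.append((m["decl"] or m["type"], m["method"], m["line"]))
    return frames

def find_reentry(trace):
    """Find the first frame that occurs twice on the stack and what lies between."""
    frames, seen = parse_frames(trace), {}
    for i, frame in enumerate(frames):
        if frame in seen:
            between = frames[seen[frame] + 1:i]
            return {
                "reentered": frame,
                "loader": next((f for f in between if f[1] == "loadClass"), None),
                "nested_check": next((f for f in between if f[1] == "checkPermission"), None),
            }
        seen[frame] = i
    return None  # no frame repeats, so no re-entrant load on this stack

if __name__ == "__main__":
    print(find_reentry(SAMPLE))
```
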
Created attachment 32897: Hand crafted test case which provokes similar error
Created attachment 32898: Java policy file for use with test
Run test with:

$ java -Djava.security.manager -Djava.security.policy==all.policy rde.tests.security.perm
Thanks for the report. This has been fixed in trunk and 8.0.x for 8.0.25 onwards. 7.0.x does not use getResource() to avoid the CNFE so is not affected by this bug.
*** Bug 58199 has been marked as a duplicate of this bug. ***