Bug 60925 - Running with SecurityManager - Property 'serverInfo' not found on type org.apache.catalina.core.ApplicationContextFacade
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: EL
Version: 8.5.12
Hardware: PC All
Importance: P2 normal
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2017-03-27 23:01 UTC by Konstantin Kolinko
Modified: 2017-03-29 18:21 UTC

localhost.2017-03-28.log (5.95 KB, text/plain)
2017-03-27 23:01 UTC, Konstantin Kolinko

Description Konstantin Kolinko 2017-03-27 23:01:30 UTC
Created attachment 34884

Noted when smoke-testing 8.5.13 RC, but this is reproducible with released 8.5.12 as well, so it is not a regression.

Steps to reproduce:
1. Start Tomcat 8.5 with security manager enabled
catalina.bat start -security

2. Access the root page.

It fails with error 500.
Stacktrace from 8.5.13:

javax.el.PropertyNotFoundException: Property 'serverInfo' not found on type org.apache.catalina.core.ApplicationContextFacade
 at javax.el.BeanELResolver$BeanProperties.get(BeanELResolver.java:259)
 at javax.el.BeanELResolver$BeanProperties.access$300(BeanELResolver.java:212)
 at javax.el.BeanELResolver.property(BeanELResolver.java:346)
 at javax.el.BeanELResolver.getValue(BeanELResolver.java:92)
 at org.apache.jasper.el.JasperELResolver.getValue(JasperELResolver.java:110)
 at org.apache.el.parser.AstValue.getValue(AstValue.java:169)
 at org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:184)
 at org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(PageContextImpl.java:944)
 at org.apache.jsp.index_jsp._jspService(index_jsp.java:155)

See attached file with full stacktrace.

1. This does not happen when running without SecurityManager.
2. This does not depend on the version of Java (occurs both with 7u80 and 8u121).

I have seen similar errors when we were fixing CVE-2014-7810
(see thread from 2014-11-17), but it should have been fixed by r1644017
that improved javax.el.BeanELResolver.
Comment 1 Konstantin Kolinko 2017-03-27 23:12:49 UTC
Tomcat 8.5.11 does not have this issue. The root page displays successfully.
Comment 2 Konstantin Kolinko 2017-03-27 23:32:29 UTC
I think that this is triggered by the change in r1784768,
that changed inheritance hierarchy in ApplicationContextFacade

and the cause is that the solution implemented in r1644017 is incomplete:
method BeanELResolver.populateFromInterfaces() does not enumerate parent interfaces of an interface.
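
The gap described in Comment 2, as an added example that is not part of the original report and is not Tomcat's code: a simplified, reflection-only model of collecting bean properties from a class's interfaces, once without and once with recursion into parent interfaces. The names InterfaceWalkDemo, BaseContext, ExtendedContext, Facade, collect and properties are hypothetical stand-ins.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Map;
import java.util.TreeMap;

public class InterfaceWalkDemo {
    // Constructed hierarchy: the getter lives on the parent of the implemented interface.
    public interface BaseContext { String getServerInfo(); }
    public interface ExtendedContext extends BaseContext { String getContextPath(); }

    // Stand-in for a facade class whose own package is not accessible to the caller.
    static class Facade implements ExtendedContext {
        public String getServerInfo() { return "demo/1.0"; }
        public String getContextPath() { return ""; }
    }

    // Collect getter-backed properties declared on the interfaces of 'type'.
    // recurse == false inspects only directly implemented interfaces;
    // recurse == true also walks the parent interfaces of each interface.
    static void collect(Class<?> type, boolean recurse, Map<String, Method> out) {
        for (Class<?> ifc : type.getInterfaces()) {
            for (Method m : ifc.getDeclaredMethods()) {
                String n = m.getName();
                if (Modifier.isPublic(m.getModifiers()) && m.getParameterCount() == 0
                        && n.startsWith("get") && n.length() > 3) {
                    out.putIfAbsent(Character.toLowerCase(n.charAt(3)) + n.substring(4), m);
                }
            }
            if (recurse) {
                collect(ifc, true, out);
            }
        }
        Class<?> sup = type.getSuperclass();
        if (sup != null) {
            collect(sup, recurse, out);
        }
    }

    static Map<String, Method> properties(Class<?> type, boolean recurse) {
        Map<String, Method> out = new TreeMap<>();
        collect(type, recurse, out);
        return out;
    }

    public static void main(String[] args) throws Exception {
        Map<String, Method> deep = properties(Facade.class, true);
        System.out.println("shallow: " + properties(Facade.class, false).keySet());
        System.out.println("deep:    " + deep.keySet());
        // The Method comes from the public interface, so it can be invoked on the facade.
        System.out.println("value:   " + deep.get("serverInfo").invoke(new Facade()));
    }
}
```

The shallow walk never sees serverInfo because getDeclaredMethods() on ExtendedContext returns only the methods that interface declares itself; the recursive walk finds it on BaseContext.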
Comment 3 Konstantin Kolinko 2017-03-29 13:07:58 UTC
For the record:
There exists a working temporary workaround for this issue:
grant permission to access the "core" package.

E.g. for this test scenario (the ROOT web application),
adding the following lines to catalina.policy file is sufficient:

grant codeBase "file:${catalina.base}/webapps/ROOT/-" {
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.core";
};
Comment 4 Mark Thomas 2017-03-29 18:21:41 UTC
To state the obvious, that work-around exposes a lot of Tomcat's internals to the web application.

Fixed in:
- trunk for 9.0.0.M20 onwards
- 8.5.x for 8.5.14 onwards
- 8.0.x for 8.0.44 onwards
- 7.0.x for 7.0.78 onwards