Created attachment 34884
localhost.2017-03-28.log

Noted when smoke-testing 8.5.13 RC, but this is reproducible with released 8.5.12 as well, so it is not a regression.

Steps to reproduce:
1. Start Tomcat 8.5 with security manager enabled
   catalina.bat start -security
2. Access the root page, http://localhost:8080/

It fails with error 500. Stacktrace from 8.5.13:

javax.el.PropertyNotFoundException: Property 'serverInfo' not found on type org.apache.catalina.core.ApplicationContextFacade
    at javax.el.BeanELResolver$BeanProperties.get(BeanELResolver.java:259)
    at javax.el.BeanELResolver$BeanProperties.access$300(BeanELResolver.java:212)
    at javax.el.BeanELResolver.property(BeanELResolver.java:346)
    at javax.el.BeanELResolver.getValue(BeanELResolver.java:92)
    at org.apache.jasper.el.JasperELResolver.getValue(JasperELResolver.java:110)
    at org.apache.el.parser.AstValue.getValue(AstValue.java:169)
    at org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:184)
    at org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(PageContextImpl.java:944)
    at org.apache.jsp.index_jsp._jspService(index_jsp.java:155)

See attached file with full stacktrace.

Notes:
1. This does not happen when running without SecurityManager.
2. This does not depend on the version of Java (occurs both with 7u80 and 8u121).

I have seen similar errors when we were fixing CVE-2014-7810 (see thread from 2014-11-17), but it should have been fixed by r1644017 that improved javax.el.BeanELResolver.
Tomcat 8.5.11 does not have this issue. The root page displays successfully.
I think that this is triggered by the change in r1784768, which changed the inheritance hierarchy in ApplicationContextFacade, and the cause is that the solution implemented in r1644017 is incomplete: the method BeanELResolver.populateFromInterfaces() does not enumerate parent interfaces of an interface.
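The gap described in the comment above, as an added example that is not part of the original report and is not Tomcat's code: a property scan that visits only a class's directly declared interfaces misses a getter declared on a parent interface, while a recursive scan finds it. All type and method names below are hypothetical stand-ins, and getDeclaredMethods() is used as a simplified substitute for bean introspection.

```java
import java.lang.reflect.Method;
import java.util.LinkedHashSet;
import java.util.Set;

public class InterfaceWalkDemo {
    // Constructed hierarchy: the getter lives on the parent interface,
    // the facade class implements only the child interface.
    interface BaseContext { String getServerInfo(); }
    interface ExtendedContext extends BaseContext { }
    static class Facade implements ExtendedContext {
        public String getServerInfo() { return "demo/1.0"; }
    }

    // Shallow walk: looks only at interfaces the class declares directly.
    static Set<String> shallowGetters(Class<?> type) {
        Set<String> names = new LinkedHashSet<>();
        for (Class<?> iface : type.getInterfaces()) {
            collect(iface, names);
        }
        return names;
    }

    // Deep walk: also recurses into each interface's parent interfaces.
    // (Interfaces of superclasses are out of scope for this sketch.)
    static Set<String> deepGetters(Class<?> type) {
        Set<String> names = new LinkedHashSet<>();
        for (Class<?> iface : type.getInterfaces()) {
            collect(iface, names);
            names.addAll(deepGetters(iface));
        }
        return names;
    }

    // getDeclaredMethods() returns only what iface itself declares,
    // so inherited getters are invisible unless the caller recurses.
    static void collect(Class<?> iface, Set<String> names) {
        for (Method m : iface.getDeclaredMethods()) {
            if (m.getName().startsWith("get") && m.getParameterTypes().length == 0) {
                names.add(m.getName());
            }
        }
    }

    public static void main(String[] args) {
        System.out.println("shallow: " + shallowGetters(Facade.class));
        System.out.println("deep:    " + deepGetters(Facade.class));
    }
}
```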
For the record: There exists a working temporary workaround for this issue: grant permission to access the "core" package.

E.g. for this test scenario (the ROOT web application), adding the following lines to catalina.policy file is sufficient:

grant codeBase "file:${catalina.base}/webapps/ROOT/-" {
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.core";
};
To state the obvious, that work-around exposes a lot of Tomcat's internals to the web application.

Fixed in:
- trunk for 9.0.0.M20 onwards
- 8.5.x for 8.5.14 onwards
- 8.0.x for 8.0.44 onwards
- 7.0.x for 7.0.78 onwards