Bug 61150 - One of the session attributes on the [host-]manager application is disallowed by the Security Manager
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 8.0.x-trunk
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-02 18:50 UTC by Coty Sutherland
Modified: 2017-06-11 17:05 UTC (History)
Description Coty Sutherland 2017-06-02 18:50:40 UTC
To reproduce:

1) Configure tomcat user for testing (conf/tomcat-users.xml):

    <user username="tomcat" password="tomcat" roles="admin-gui,manager-gui"/>

2) Start Tomcat

    bin/catalina.sh start

3) Create a session

    $ curl -is http://tomcat:tomcat@localhost:8080/manager/html | egrep '(HTTP|JSESSIONID)'
    HTTP/1.1 200 OK
    Set-Cookie: JSESSIONID=DAF81E606AED325CB2E5C2773DB866CE; Path=/manager; HttpOnly

4) Stop Tomcat so that the sessions are serialized

    bin/catalina.sh stop

5) Start Tomcat with Security Manager to deserialize the sessions

    bin/catalina.sh start -security

6) Check log for exception after startup:

    02-Jun-2017 14:16:46.114 SEVERE [localhost-startStop-1] org.apache.catalina.session.StandardManager.startInternal Exception loading sessions from persistent storage
     java.io.InvalidClassException: The class [org.apache.catalina.filters.CsrfPreventionFilter$LruCache] did not match the regular expression [java\.lang\.(?:Boolean|Integer|Long|Number|String)] for classes allowed to be deserialized
    at org.apache.catalina.util.CustomObjectInputStream.resolveClass(CustomObjectInputStream.java:146)
    at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1612)
    at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1517)
    at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1771)
    at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1350)
    at java.io.ObjectInputStream.readObject(ObjectInputStream.java:370)
    at org.apache.catalina.session.StandardSession.doReadObject(StandardSession.java:1624)
    at org.apache.catalina.session.StandardSession.readObjectData(StandardSession.java:1090)
    at org.apache.catalina.session.StandardManager.doLoad(StandardManager.java:218)
    at org.apache.catalina.session.StandardManager$PrivilegedDoLoad.run(StandardManager.java:74)
    at org.apache.catalina.session.StandardManager$PrivilegedDoLoad.run(StandardManager.java:65)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.session.StandardManager.load(StandardManager.java:149)
    at org.apache.catalina.session.StandardManager.startInternal(StandardManager.java:356)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5331)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:753)
    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:727)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:587)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1798)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    at java.util.concurrent.FutureTask.run(FutureTask.java:262)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Comment 1 Mark Thomas 2017-06-11 17:05:03 UTC
Switching from no security manager to using a security manager makes this worse (stack trace). If a security manager is in use on shutdown then a warning is logged.

I've fixed this by configuring the web applications to permit the (de-)serialization of the CsrfPreventionFilter related attributes.

Fixed in:
- trunk for 9.0.0.M22 onwards
- 8.5.x for 8.5.16 onwards
- 8.0.x for 8.0.45 onwards
- 7.0.x for 7.0.79 onwards
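The allow-list check behind the exception in the description and the fix in comment 1, as an added example that is not Tomcat's code: a cut-down ObjectInputStream whose resolveClass rejects any class descriptor that does not match the filter regex, run over a session stream laid out the way StandardSession writes it (count, then name/value pairs). In Tomcat the pattern is set per web application through the Manager element's sessionAttributeValueClassNameFilter attribute in context.xml, which is what the fix extends to cover the CSRF filter's cache class. The LruCache class and the attribute names below are constructed stand-ins.

```java
import java.io.*;
import java.util.regex.Pattern;
// Constructed example of the allow-list check Tomcat's CustomObjectInputStream.resolveClass applies when
// sessions are restored under the Security Manager; not Tomcat's own code.
public class SessionAttributeFilterDemo {
    // The default pattern quoted in the exception above.
    static final String DEFAULT_FILTER = "java\\.lang\\.(?:Boolean|Integer|Long|Number|String)";
    // The same pattern extended with the application's own attribute class, which is what the fix does.
    static final String EXTENDED_FILTER = DEFAULT_FILTER + "|" + Pattern.quote(LruCache.class.getName());
    // Hypothetical stand-in for CsrfPreventionFilter$LruCache: a Serializable value kept in the session.
    static class LruCache implements Serializable {
    }
    // ObjectInputStream that refuses any class descriptor whose name does not match the allow-list.
    static class FilteringObjectInputStream extends ObjectInputStream {
        private final Pattern allowed;
        FilteringObjectInputStream(InputStream in, String regex) throws IOException {
            super(in); allowed = Pattern.compile(regex);
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            // Same outcome as Tomcat: a class outside the allow-list aborts the whole session load.
            if (!allowed.matcher(desc.getName()).matches())
                throw new InvalidClassException(desc.getName(), "not permitted by the session attribute filter");
            return super.resolveClass(desc);
        }
    }
    // Writes attributes the way StandardSession does: a count, then (name, value) pairs.
    static byte[] serializeSession(Object... nameValuePairs) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeInt(nameValuePairs.length / 2);
            for (Object o : nameValuePairs) oos.writeObject(o);
        }
        return bos.toByteArray();
    }
    // Reads the attributes back through the filter; returns the count or throws InvalidClassException.
    static int loadSession(byte[] data, String regex) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new FilteringObjectInputStream(new ByteArrayInputStream(data), regex)) {
            int n = ois.readInt();
            for (int i = 0; i < n; i++) { ois.readObject(); ois.readObject(); }
            return n;
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed attribute names; Integer passes the default filter, LruCache does not.
        byte[] session = serializeSession("hits", 3, "csrfNonces", new LruCache());
        try { loadSession(session, DEFAULT_FILTER); }
        catch (InvalidClassException e) { System.out.println("default filter rejected " + e.classname); }
        System.out.println("extended filter restored " + loadSession(session, EXTENDED_FILTER) + " attributes");
    }
}
```

With the default pattern the second attribute aborts the load exactly as in the log above; with the extended pattern both attributes are restored.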