61581 – SecurityException trying to access JNI classes in Drawboard example when running with SecurityManager

Bug 61581 - SecurityException trying to access JNI classes in Drawboard example when running with SecurityManager

Summary: SecurityException trying to access JNI classes in Drawboard example when runn...

Status:	RESOLVED FIXED

Alias:	None

Product:	Tomcat 7
Classification:	Unclassified
Component:	WebSocket (show other bugs)
Version:	7.0.82
Hardware:	PC All

Importance:	P2 normal (vote)
Target Milestone:	---
Assignee:	Tomcat Developers Mailing List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2017-10-02 11:40 UTC by Konstantin Kolinko
Modified:	2017-10-06 12:00 UTC (History)
CC List:	0 users

Attachments
catalina.2017-10-02.log (12.35 KB, application/octet-stream) 2017-10-02 11:40 UTC, Konstantin Kolinko	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Konstantin Kolinko 2017-10-02 11:40:05 UTC

Created attachment 35393 [details]
catalina.2017-10-02.log

Smoke-testing release candidate of Tomcat 7.0.82.

Java 8u144, Windows, running with APR connector

Steps to reproduce:
1. Start Tomcat
2. Access
http://localhost:8080/examples/websocket/drawboard.xhtml
3. Actual result:
- At client: the page fails to complete loading. It displays some parts of the page, but no drawboard area.
- At server: java.security.AccessControlException is logged

[[[
SEVERE: Unexpected exception: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.tomcat.jni")
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.tomcat.jni")
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
	at java.security.AccessController.checkPermission(AccessController.java:884)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
	at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1564)
	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:315)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:411)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
	at org.apache.coyote.http11.upgrade.AprServletOutputStream.doWriteInternal(AprServletOutputStream.java:135)
]]]

I am attaching catalina.2017-10-02.log file.

Comment 1 Konstantin Kolinko 2017-10-03 11:51:06 UTC

AprServletOutputStream.java:135 is

  if (Status.APR_STATUS_IS_EAGAIN(-written)) {

APR_STATUS_IS_EAGAIN is a method, not a constant, and thus Java tries to load the class.

If I preload the Status class the issue does not happen.


This is: to work-around this issue, add the following attribute to JreMemoryLeakPreventionListener configured in conf/server.xml:

[[[
    classesToInitialize="org.apache.tomcat.jni.Status"
]]]

Comment 2 Mark Thomas 2017-10-06 12:00:00 UTC

Fixed in 7.0.x for 7.0.83 onwards.