Bug 62350 - AccessControlException: "org.apache.jasper.runtime.BodyContentImpl.BUFFER_SIZE", "read"
Summary: AccessControlException: "org.apache.jasper.runtime.BodyContentImpl.BUFFER_SIZ...
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Jasper (show other bugs)
Version: 8.5.31
Hardware: PC All
: P2 normal (vote)
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-05-04 09:04 UTC by Konstantin Kolinko
Modified: 2018-05-06 22:08 UTC (History)
0 users



Attachments
localhost.2018-05-04.log (29.13 KB, text/plain)
2018-05-04 10:03 UTC, Konstantin Kolinko
Details
localhost_access_log.2018-05-04.txt (438 bytes, text/plain)
2018-05-04 10:03 UTC, Konstantin Kolinko
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Konstantin Kolinko 2018-05-04 09:04:41 UTC
Smoke-testing Tomcat 8.5.31 + Java 8 + Security Manager.

All OK, but the following two pages fail with error 500:

http://localhost:8080/examples/jsp/jsp2/jspattribute/jspattribute.jsp
http://localhost:8080/examples/jsp/simpletag/foo.jsp

The first request fail with root cause

java.security.AccessControlException: access denied ("java.util.PropertyPermission" "org.apache.jasper.runtime.BodyContentImpl.BUFFER_SIZE" "read")

The second request fails with

java.lang.NoClassDefFoundError: Could not initialize class org.apache.jasper.runtime.BodyContentImpl


Looking into the source code, o.a.j.r.BodyContentImpl.BUFFER_SIZE is a new system property, added in r1821364 - fix for bug 43925 - in Tomcat 8.5.27 onwards.


This issue is fixed by adding the following permission into conf/catalina.policy:

    permission java.util.PropertyPermission
     "org.apache.jasper.runtime.BodyContentImpl.BUFFER_SIZE", "read";

next to existing permission to read "BodyContentImpl.LIMIT_BUFFER".
Comment 1 Remy Maucherat 2018-05-04 09:18:04 UTC
From the comment in the policy, I don't remember why preloading BodyContentImpl isn't enough for precompiled JSPs, but I suppose that's still the case.
Comment 2 Konstantin Kolinko 2018-05-04 09:50:08 UTC
(In reply to Remy Maucherat from comment #1)

Good question.

Looking into org.apache.jasper.security.SecurityClassLoad class in 8.5, it preloads some runtime classes, but BodyContentImpl class is not preloaded.

I think adding it to the preload list looks better in the long term. No need for downstream packagers to change their policy files.


Permission in catalina.policy is the only way when java source generated for a jsp page does explicit reading of this property. I have not looked for historic use of LIMIT_BUFFER, but I am sure that for BUFFER_SIZE there are no such reads.
Comment 3 Konstantin Kolinko 2018-05-04 10:03:13 UTC
Created attachment 35909 [details]
localhost.2018-05-04.log

The localhost log for the issue.
Comment 4 Konstantin Kolinko 2018-05-04 10:03:56 UTC
Created attachment 35910 [details]
localhost_access_log.2018-05-04.txt

Access Log.
Comment 5 Konstantin Kolinko 2018-05-05 15:33:40 UTC
(In reply to Remy Maucherat from comment #1)
> From the comment in the policy, I don't remember why preloading
> BodyContentImpl isn't enough for precompiled JSPs, but I suppose that's
> still the case.

(In reply to Konstantin Kolinko from comment #2)
> 
> Looking into org.apache.jasper.security.SecurityClassLoad class in 8.5, it
> preloads some runtime classes, but BodyContentImpl class is not preloaded.
> 

I tried to do the preloading of BodyContentImpl class (in SecurityClassLoad). It does not fix this issue.

So I am back to updating the catalina.policy file.
Comment 6 Konstantin Kolinko 2018-05-05 16:34:30 UTC
Fixed by adding a permission into catalina.policy.

The fix will be in 9.0.9, 8.5.32, 8.0.53 and 7.0.88.
Comment 7 Mark Thomas 2018-05-05 18:14:08 UTC
Loading the class won't trigger the static initializer. Class.forName(String,boolean,ClassLoader) would work.

I was planning on going through the default security policy to see how many entries I could remove by initialising rather than just loading the appropriate classes.
Comment 8 Mark Thomas 2018-05-05 19:15:31 UTC
An alternative, and arguably better approach, would be to use a privileged block. It is probably more code but it should allow for easier re-use.
Comment 9 Konstantin Kolinko 2018-05-06 08:47:44 UTC
(In reply to Mark Thomas from comment #8)
> An alternative, and arguably better approach, would be to use a privileged
> block. It is probably more code but it should allow for easier re-use.

Good.
Your fix (in trunk r1831000) works.

I was afraid that the new inner classes have to be preloaded when running with Security Manager. The preloading is not required as web application has the right to load those classes, thanks to

permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
Comment 10 Konstantin Kolinko 2018-05-06 22:08:43 UTC
(In reply to Konstantin Kolinko from comment #9)
> (In reply to Mark Thomas from comment #8)
> > An alternative, and arguably better approach, would be to use a privileged
> > block. It is probably more code but it should allow for easier re-use.
> 
> Good.
> Your fix (in trunk r1831000) works.

I backported r1831000. It will be in 9.0.9, 8.5.32, 8.0.53 and 7.0.88.