Created attachment 37718 [details] zip file with screens spring-boot 1.5.22 creates instance of Http11NioProtocol with certificate keystore file defined with file url. Images set-url.png, set-url2.png. When it reaches ConfigFileLoader, location is not absolute so it puts catalina_base before file url creating "c:/tmp/catalina/file:/c:/tmp/my.jks". Check if it is file throws AccessControlException (access denied ("java.io.FilePermission" "C:\tmp\120\a\catalina\file:\C:\tmp\120\key.jks" "read") ). And it is impossible to create such a policy for SecurityManager. - ConfigFileLoader.png - ConfigFileLoader.png - exception.png getInputStream method can handle file url but when using SecurityManager under zulu, correto. Oracle java 1.8 works correctly. SecurityManager has no complains about such weird path. Just openjdks have problem. Fails on - zulu openjdk newer - zulu8.42.0.23-ca-jdk8.0.232-win_x64 - correto 1.8.0_282 ``` public static InputStream getInputStream(String location) throws IOException { File f = new File(location); if (!f.isAbsolute()) { f = new File(CATALINA_BASE_FILE, location); } if (f.isFile()) { return new FileInputStream(f); } else { URI uri = getURI(location); try { URL url = uri.toURL(); return url.openConnection().getInputStream(); } catch (IllegalArgumentException var4) { throw new IOException(sm.getString("configFileLoader.cannotObtainURL", new Object[]{location}), var4); } } } ```
Ok, after checking the javadoc, I can see that isAbsolute is a safe call (no security check) but isFile is not. Wrapping with a try/catch could be reasonable, however it would also hide the exception when it is legitimate and useful to have.
I understand but the current state is that tomcat won't start.
I am inching towards a WONTFIX, since the only real solution is to use URLs only. It would mean absolute file paths won't work, I believe, and this is not possible. The rest would be fine. I don't understand why "And it is impossible to create such a policy for SecurityManager", can you explain a bit more ?
Caused by: java.io.IOException: Failed to load keystore type [JKS] with path [file:/C:/tmp/120/key.jks] due to [access denied ("java.io.FilePermission" "C:\tmp\120\a\catalina\file:\C:\tmp\120\key.jks" "read")] at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:227) I have not found any way how to write such path to policy file so SecurityManager can accept it. permission java.io.FilePermission "file:${catalina.base}", "read"; permission java.io.FilePermission "${catalina.base}", "read"; permission java.io.FilePermission "file:${catalina.base}/", "read"; permission java.io.FilePermission "${catalina.base}/", "read"; permission java.io.FilePermission "file:${catalina.base}/-", "read"; permission java.io.FilePermission "${catalina.base}/-", "read"; permission java.io.FilePermission "file:${catalina.base}/*", "read"; permission java.io.FilePermission "${catalina.base}/*", "read"; permission java.io.FilePermission "C:/tmp/120/a/catalina", "read"; permission java.io.FilePermission "C:/tmp/120/a/catalina/", "read"; permission java.io.FilePermission "C:/tmp/120/a/catalina/-", "read"; permission java.io.FilePermission "C:/tmp/120/a/catalina/*", "read"; permission java.io.FilePermission "C:/tmp/120/a/catalina/file:/C:/tmp/120/key.jks", "read"; permission java.io.FilePermission "C:/tmp/120/a/catalina/file://C:/tmp/120/key.jks", "read"; permission java.io.FilePermission "C:/tmp/120/a/catalina/file:///C:/tmp/120/key.jks", "read"; permission java.io.FilePermission "C:\\tmp\\120\\a\\catalina\\file:\\C:\\tmp\\120\\key.jks", "read";
Rémy, what if we added a if ("name.startsWith("file:/") { .... } block around the File and classloader case? Essentially short circuit to URI in that case for getResource() and getURI(). Does that help?
That should be: if (*!*name...
(In reply to Mark Thomas from comment #5) > Rémy, what if we added a > > if ("name.startsWith("file:/") { > .... > } > block around the File and classloader case? Essentially short circuit to URI > in that case for getResource() and getURI(). Does that help? I think that would work for the reporter but still fail for other URLs. This security check is annoying ... Maybe detect a URL scheme, like if there's ':' in the path and no '/' before it ?
Hmm. Thinking...
The best I can up with is if path starts with "file:/" or "<protocol>://" the code jumps directly to the URI handling. I'll work on a patch. I'm wondering how far to go optimizing the code. I'm thinking not far.
(In reply to Mark Thomas from comment #9) > The best I can up with is if path starts with "file:/" or "<protocol>://" > the code jumps directly to the URI handling. I'll work on a patch. I'm > wondering how far to go optimizing the code. I'm thinking not far. Ok. Yes, I don't think it needs to be super fast since this is for loading configuration resources.
Fixed in: - 10.0.x for 10.0.2 onwards - 9.0.x for 9.0.43 onwards
Any chance it will be fixed to 8.5?
It was fixed shortly after in 8.5.63.