Bug 65332 - AccessControlException when using Ant instead of ECJ to compile JSPs at runtime
Summary: AccessControlException when using Ant instead of ECJ to compile JSPs at runtime
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Jasper
Version: 9.0.x
Hardware: PC Linux
Importance: P2 normal
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2021-05-25 18:58 UTC by Coty Sutherland
Modified: 2021-06-08 11:16 UTC

Description Coty Sutherland 2021-05-25 18:58:17 UTC
I have one user that doesn't have ECJ available for their Tomcat installation and uses Ant to compile JSPs at runtime. Upon switching over to Java 11 they found that they get access exceptions when trying to access their JSPs at runtime. You can reproduce this with a vanilla install (instructions below), but I don't think the fix I'm using is the best.

To reproduce:
1) Install Tomcat and Java 11 (or later)
2) Delete ecj*.jar from $CATALINA_HOME/lib/
3) Add ant.jar and ant-launcher.jar to your $CATALINA_HOME/bin/setenv.sh, per instructions at https://tomcat.apache.org/tomcat-9.0-doc/jasper-howto.html. Note that tools.jar was removed in Java 9, so you can't add it; the doc needs an amendment.
4) Start Tomcat with the Security Manager enabled using Java 11
5) Access localhost:8080/, which gets you the default ROOT/index.jsp and a HTTP Status of 500 with a stack trace and AccessControlException

I fixed the issue in their testing environment by adding the code block mentioned in the comments of https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8210274 to their security policy. I'm not the best with Java security, so I thought I'd open an issue here and see if anyone has better or simpler ideas on how to make vanilla Tomcat with Ant to compile JSPs work out of the box like it does with ECJ.
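The shape of a grant that addresses the failure described above, written here as an added example. It is not the block from the JDK-8210274 comments, not the text Coty applied, and not Tomcat's shipped catalina.policy. The permission list and the ant.jar location are assumptions; the only things taken from the report are that javac on Java 9+ is addressed through the jrt: protocol and that the Security Manager denies it access with the stock policy.

```policy
// Added example: a catalina.policy fragment for compiling JSPs with javac/Ant
// under the Security Manager on Java 9+. Not part of the stock policy.
//
// The permission list below is an assumed starting point, not a verified
// minimum. Find the real set for your installation by starting Tomcat with
//     -Djava.security.debug=access,failure
// and adding only the permissions the log shows being denied.

// javac lives in the jdk.compiler module. On Java 9+ module code is addressed
// by the jrt: protocol, which is also why this grant cannot be left active on
// Java 8 (no jrt: handler there, hence the start-up exceptions Mark mentions).
grant codeBase "jrt:/jdk.compiler" {
    permission java.io.FilePermission "<<ALL FILES>>", "read";
    permission java.util.PropertyPermission "*", "read";
    permission java.lang.RuntimePermission "accessClassInPackage.*";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "createClassLoader";
};

// Ant jars added via CLASSPATH in setenv.sh are loaded by the system class
// loader and are only trusted if a grant covers their location. The path is
// an assumption; the stock policy already trusts ${catalina.home}/lib/-, so
// placing ant.jar and ant-launcher.jar there is the simpler alternative.
grant codeBase "file:${catalina.home}/lib/ant/-" {
    permission java.security.AllPermission;
};
```

If the least-privilege list keeps producing new AccessControlExceptions, replacing it with java.security.AllPermission for jrt:/jdk.compiler is equivalent to what the stock policy already does for other trusted code; it is the less precise but more predictable option.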
Comment 1 Mark Thomas 2021-05-26 16:55:52 UTC
I don't see a better way of doing what you did.

The existing Tomcat security policy uses java.security.AllPermission for trusted code so your solution is arguably better as it only grants the permissions required.

I looked into adding something to $CATALINA_BASE/conf/catalina.policy but using the jrt protocol with Java 8 triggers a series of exceptions when Tomcat starts. They aren't fatal but it isn't a good look.

The best solution I have right now is a commented out section in catalina.policy for using javac with Java 9+. Better suggestions welcome.
Comment 2 Mark Thomas 2021-06-08 08:41:19 UTC
Comment added in
- 10.1.x for 10.1.0-M1 onwards
- 10.0.x for 10.0.7 onwards
- 9.0.x for 9.0.47 onwards
- 8.5.x for 8.5.67 onwards
Comment 3 Coty Sutherland 2021-06-08 11:16:32 UTC
Thanks Mark! Sorry for the delayed reply, it was on my todo list to resolve today :)