I have one user that doesn't have ECJ available for their Tomcat installation and uses Ant to compile JSPs at runtime. Upon switching over to Java 11 they found that they get access exceptions when trying to access their JSPs at runtime. You can reproduce this with a vanilla install (instructions below), but I don't think the fix I'm using is the best.

To reproduce:
1) Install Tomcat and Java 11 (or later)
2) Delete ecj*.jar from $CATALINA_HOME/lib/
3) Add ant.jar and ant-launcher.jar to your $CATALINA_HOME/bin/setenv.sh, per instructions at https://tomcat.apache.org/tomcat-9.0-doc/jasper-howto.html. Note that tools.jar was removed in Java 9, so you can't add it; the doc needs an amendment.
4) Start Tomcat with the Security Manager enabled using Java 11
5) Access localhost:8080/, which gets you the default ROOT/index.jsp and an HTTP Status of 500 with a stack trace and an AccessControlException

I fixed the issue in their testing environment by adding the code block mentioned in the comments of https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8210274 to their security policy. I'm not the best with Java security, so I thought I'd open an issue here and see if anyone has better or simpler ideas on how to make vanilla Tomcat with Ant to compile JSPs work out of the box like it does with ECJ.
I don't see a better way of doing what you did. The existing Tomcat security policy uses java.security.AllPermission for trusted code so your solution is arguably better as it only grants the permissions required. I looked into adding something to $CATALINA_BASE/conf/catalina.policy but using the jrt protocol with Java 8 triggers a series of exceptions when Tomcat starts. They aren't fatal but it isn't a good look. The best solution I have right now is a commented out section in catalina.policy for using javac with Java 9+. Better suggestions welcome.
Comment added in:
- 10.1.x for 10.1.0-M1 onwards
- 10.0.x for 10.0.7 onwards
- 9.0.x for 9.0.47 onwards
- 8.5.x for 8.5.67 onwards
Thanks Mark! Sorry for the delayed reply, it was on my todo list to resolve today :)