65577 – Intermittent AccessControlException using NIO2 with security manager enabled

Bug 65577 - Intermittent AccessControlException using NIO2 with security manager enabled

Summary: Intermittent AccessControlException using NIO2 with security manager enabled

Status:	RESOLVED FIXED

Alias:	None

Product:	Tomcat 8
Classification:	Unclassified
Component:	Connectors (show other bugs)
Version:	8.5.70
Hardware:	PC All

Importance:	P2 normal (vote)
Target Milestone:	----
Assignee:	Tomcat Developers Mailing List

URL:
Keywords:

Depends on:
Blocks:

Reported:	2021-09-16 19:51 UTC by David
Modified:	2021-09-17 13:26 UTC (History)
CC List:	0 users

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description David 2021-09-16 19:51:13 UTC

We are doing some testing prior to upgrading from 8.5.66 to 8.5.70. When we configure a SSL/TLS connector using Nio2 and run Tomcat with Security Manger enabled we are getting intermittent java.security.AccessControlException errors when accessing the default Tomcat root, e.g. https://hostname:8443/

We have observed the issue using Oracle Java 1.8.0_251, 1.8.0_301 and 11.0.8 2020-07-14 LTS on Windows Server 2019 and RedHat Linux 7.

When we change the connector configuration to use org.apache.coyote.http11.Http11NioProtocol the errors are not present.

Example connector configuration
----------------

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="I:\tomcat-win\8.5.70\apache-tomcat-8.5.70\cert\tomcat.jks"
                         certificateKeystorePassword="xxxxx"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

The catalina.policy is the default one which comes with the 8.5.70 release

Startup command:

.\catalina.bat start -security

Example error message
--------------------

16-Sep-2021 12:38:11.824 SEVERE [https-jsse-nio2-8443-exec-4] org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun Error running socket processor
        java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.tomcat.util.net")
                at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
                at java.security.AccessController.checkPermission(AccessController.java:886)
                at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
                at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1564)
                at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:335)
                at java.lang.ClassLoader.loadClass(ClassLoader.java:405)
                at java.lang.ClassLoader.loadClass(ClassLoader.java:351)
                at org.apache.tomcat.util.net.SecureNio2Channel.processSNI(SecureNio2Channel.java:387)
                at org.apache.tomcat.util.net.SecureNio2Channel.handshakeInternal(SecureNio2Channel.java:231)
                at org.apache.tomcat.util.net.SecureNio2Channel.handshake(SecureNio2Channel.java:222)
                at org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun(Nio2Endpoint.java:1593)
                at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
                at org.apache.tomcat.util.net.AbstractEndpoint.processSocket(AbstractEndpoint.java:1111)
                at org.apache.tomcat.util.net.SecureNio2Channel$HandshakeReadCompletionHandler.completed(SecureNio2Channel.java:104)
                at org.apache.tomcat.util.net.SecureNio2Channel$HandshakeReadCompletionHandler.completed(SecureNio2Channel.java:97)
                at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)
                at sun.nio.ch.Invoker$2.run(Invoker.java:218)
                at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
                at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
                at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
                at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
                at java.lang.Thread.run(Thread.java:748)

Example Java security debug output
-------------

access: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.tomcat.util.net")
java.lang.Exception: Stack trace
        at java.base/java.lang.Thread.dumpStack(Thread.java:1387)
        at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:462)
        at java.base/java.security.AccessController.checkPermission(AccessController.java:897)
        at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
        at java.base/java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1290)
        at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:174)
        at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:575)
        at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
        at org.apache.tomcat.util.net.SecureNio2Channel.processSNI(SecureNio2Channel.java:387)
        at org.apache.tomcat.util.net.SecureNio2Channel.handshakeInternal(SecureNio2Channel.java:231)
        at org.apache.tomcat.util.net.SecureNio2Channel.handshake(SecureNio2Channel.java:222)
        at org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun(Nio2Endpoint.java:1593)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at org.apache.tomcat.util.net.AbstractEndpoint.processSocket(AbstractEndpoint.java:1111)
        at org.apache.tomcat.util.net.SecureNio2Channel$HandshakeReadCompletionHandler.completed(SecureNio2Channel.java:104)
        at org.apache.tomcat.util.net.SecureNio2Channel$HandshakeReadCompletionHandler.completed(SecureNio2Channel.java:97)
        at java.base/sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:127)
        at java.base/sun.nio.ch.Invoker$2.run(Invoker.java:219)
        at java.base/sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Thread.java:834)
access: domain that failed ProtectionDomain  null
 null
 <no principals>
 null

Comment 1 Mark Thomas 2021-09-16 20:14:12 UTC

We'll tale a look but given that the long term future of the Java security manager doesn't look good you might want to look at why you want to run under a security manager and what alternative solutions are available.

Comment 2 Mark Thomas 2021-09-17 07:03:20 UTC

Fixed in:
- 10.1.x for 10.1.0-M6 onwards
- 10.0.x for 10.0.12 onwards
- 9.0.x for 9.0.54 onwards
- 8.5.x for 8.5.72 onwards

Comment 3 David 2021-09-17 13:26:17 UTC

Thanks for the quick turnaround Mark. We will look into migrating off of security manager.