Bug 1363653 - Tomcat security manager Error [EWS-2.1.1]
Summary: Tomcat security manager Error [EWS-2.1.1]
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Web Server 2
Classification: JBoss
Component: tomcat7
Version: 2.1.1
Hardware: Unspecified
OS: All
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 2.1.1
Assignee: Coty Sutherland
QA Contact: Bogdan Sikora
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-08-03 09:39 UTC by Bogdan Sikora
Modified: 2017-05-09 18:32 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2017-05-09 18:32:21 UTC
Type: Bug
Embargoed:


Attachments
catalina log (9.67 KB, text/plain)
2016-08-03 09:39 UTC, Bogdan Sikora


Links
System ID Private Priority Status Summary Last Updated
Apache Bugzilla 57906 0 None None None 2016-08-03 09:50:36 UTC

Description Bogdan Sikora 2016-08-03 09:39:10 UTC
Created attachment 1186994
catalina log

Description of problem:
The Tomcat catalina log is filled with the exception java.security.AccessControlException: access denied after start.

Tomcat7 with JDK1.6

How reproducible:
Always

Steps to Reproduce:
1. Start tomcat with security manager (Tomcat7 with JDK1.6)

Actual results:
Exception in catalina log

Expected results:
No exception in catalina log

Additional info:

EWS 2.1.0 works fine (Regression)

Comment 1 Coty Sutherland 2016-08-03 12:28:49 UTC
I'm unable to reproduce this on Fedora with Java6. I tested in EWS 2.1.0 and the 2.1.1 CR1 candidate. Did you make a request that yielded this stack? If so, what was it? Does it only affect Windows?

The build that was tested for EWS_2.1.1 is the same source code (the build number was bumped because I had to build for win/sol) that was tested for the one-off to fix CVE-2015-5174 (which also included CVEs CVE-2014-7810 and CVE-2014-0230); the bug for that is https://bugzilla.redhat.com/show_bug.cgi?id=1273410. The only explanation that I have for this issue is that it was missed when build 21 was tested for the one-off. Can you try the one-off build and see if you can reproduce it there?

Also, according to the upstream ASFBZ that was attached here, this is purely a cosmetic issue; the fix was to change the INFO log message to DEBUG. I don't think we should rebuild to resolve this, but we can if anyone deems it necessary.

Comment 2 Bogdan Sikora 2016-08-03 12:55:49 UTC
To reproduce it, one needs to send a request to the welcome page.

Was able to reproduce it with patched [1] EWS-2.1.0. It was missed. Rebuilding is not really necessary in my opinion, but it should be present in release notes as one can get scared.


[1] https://access.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=39183&product=webserver&version=2.1.0&downloadType=securityPatches

Comment 3 Betty Prioux 2016-08-04 18:12:05 UTC
From Betty Prioux, Content Strategist for EAP:
*Please consider requires_doc_text set to + for this BZ.*

I do not yet have ecs permissions to change this BZ value.
The change is critical to let Coty work on the doc text ASAP.

Comment 6 Coty Sutherland 2017-05-09 18:32:21 UTC
Fixed in JWS 3.1.0. Since it's just a cosmetic problem, I'm closing this wontfix.

