Bug 1347835

Summary: The security manager doesn't work correctly (JSPs cannot be compiled)
Product: [Fedora] Fedora
Reporter: Coty Sutherland <csutherl>
Component: tomcat
Assignee: Coty Sutherland <csutherl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 23
CC: alee, coolsvap, csutherl, ivan.afonichev, java-sig-commits, krzysztof.daniel, tomcat-qe, trick
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: tomcat-8.0.36-2.fc25 tomcat-8.0.36-2.fc24 tomcat-8.0.36-2.fc23
Clone Of: 1347774
: 1347838
Last Closed: 2016-09-01 13:38:25 UTC
Type: Bug
Bug Depends On: 927930, 1347774
Bug Blocks: 1347778, 1347838

Description Coty Sutherland 2016-06-17 18:53:25 UTC
+++ This bug was initially created as a clone of Bug #1347774 +++

Description of problem:
When using the security manager for the tomcat service, JSPs are inaccessible (they won't compile) because of access permissions.

+++
HTTP Status 500 - access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.jasper")

type Exception report

message access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.jasper")

description The server encountered an internal error that prevented it from fulfilling this request.

exception

java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.jasper")
	java.security.AccessControlContext.checkPermission(AccessControlContext.java:474)
	java.security.AccessController.checkPermission(AccessController.java:685)
	java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
	java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1525)
	sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:305)
	java.lang.ClassLoader.loadClass(ClassLoader.java:412)
	java.lang.ClassLoader.loadClass(ClassLoader.java:358)
	org.apache.jasper.servlet.JspServletWrapper.<init>(JspServletWrapper.java:120)
	org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:382)
	org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
	sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	java.lang.reflect.Method.invoke(Method.java:606)
	org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
	org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
	java.security.AccessController.doPrivileged(Native Method)
	javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
	org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
	org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
	java.security.AccessController.doPrivileged(Native Method)
	org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	java.lang.reflect.Method.invoke(Method.java:606)
	org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
	org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
	java.security.AccessController.doPrivileged(Native Method)
	javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
	org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
	org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
+++

Version-Release number of selected component (if applicable):
tomcat-8.0.32-5.fc23.noarch

How reproducible:
Every time :(

Steps to Reproduce:
1. yum install tomcat
2. echo "SECURITY_MANAGER=\"true\"" >> /etc/sysconfig/tomcat
3. cp reproducer.tar /usr/share/tomcat/webapps/
4. service tomcat start
5. curl -is http://localhost:8080/reproducer/

Actual results:
JSP compilation fails and an error is observed

Expected results:
JSP compiles and displays correctly.

Additional info:
It looks like the java policy in use (catalina.policy) doesn't allow for use of jars from /usr/share/java

Comment 1 Coty Sutherland 2016-06-17 18:54:35 UTC
In order to get this to work I added the following to my catalina.policy to allow access to the /usr/share/java jars that the symlinks point to:

+++
grant codeBase "file:/usr/share/java/apache-commons-collections.jar" {
        permission java.security.AllPermission;
};
grant codeBase "file:/usr/share/java/apache-commons-dbcp.jar" {
        permission java.security.AllPermission;
};
grant codeBase "file:/usr/share/java/apache-commons-pool.jar" {
        permission java.security.AllPermission;
};
grant codeBase "file:/usr/share/java/ecj.jar" {
        permission java.security.AllPermission;
};
grant codeBase "file:/usr/share/java/tomcat-el-3.0-api.jar" {
        permission java.security.AllPermission;
};
grant codeBase "file:/usr/share/java/tomcat-jsp-2.3-api.jar" {
        permission java.security.AllPermission;
};
grant codeBase "file:/usr/share/java/tomcat-servlet-3.1-api.jar" {
        permission java.security.AllPermission;
};
+++

Adding this and restarting resolves the issue and allows JSPs to compile again.
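
The comment above ties the failure to lib jars that are symlinks into /usr/share/java, a location catalina.policy does not grant. The following is an added example, not part of the original comment or of the Fedora fix: a check that lists jars whose resolved path no `grant codeBase` entry covers. The function names, the handling of `${catalina.base}`, and the paths in the usage comment are assumptions.

```shell
#!/bin/bash
# Added example: list Tomcat lib jars whose symlink-resolved location is not
# named by any "grant codeBase" entry in a Java policy file.

# uncovered_jars LIB_DIR POLICY_FILE CATALINA_HOME
# Prints the resolved path of each jar in LIB_DIR that no codeBase covers.
uncovered_jars() {
    lib_dir=$1 policy=$2 home=$3
    # Extract file: codeBase URLs; expand ${catalina.home} and ${catalina.base}
    # (both mapped to CATALINA_HOME, a simplification made for this example).
    codebases=$(sed -n 's/^[[:space:]]*grant[[:space:]]\{1,\}codeBase[[:space:]]\{1,\}"file:\([^"]*\)".*/\1/p' "$policy" |
        sed -e 's|\${catalina\.home}|'"$home"'|g' -e 's|\${catalina\.base}|'"$home"'|g')
    for jar in "$lib_dir"/*.jar; do
        [ -e "$jar" ] || continue
        real=$(readlink -f "$jar")   # where the symlink actually points
        covered=no
        while IFS= read -r cb; do
            case $cb in
                */-)  # "dir/-": every file under dir, recursively
                    case $real in "${cb%?}"*) covered=yes ;; esac ;;
                */\*) # "dir/*": files directly inside dir
                    if [ "$(dirname "$real")/" = "${cb%?}" ]; then covered=yes; fi ;;
                *)    # exact jar path
                    if [ "$cb" = "$real" ]; then covered=yes; fi ;;
            esac
        done <<EOF
$codebases
EOF
        if [ "$covered" = no ]; then printf '%s\n' "$real"; fi
    done
    return 0
}

# make_sample: build a constructed layout mirroring the report (lib/ holds a
# symlink into a separate java/ directory) and print its root directory.
make_sample() {
    root=$(readlink -f "$(mktemp -d)")
    mkdir -p "$root/tomcat/lib" "$root/java"
    : > "$root/tomcat/lib/catalina.jar"
    : > "$root/java/ecj.jar"
    ln -s "$root/java/ecj.jar" "$root/tomcat/lib/jasper-jdt.jar"
    printf '%s\n' 'grant codeBase "file:${catalina.home}/lib/-" {' \
        '    permission java.security.AllPermission;' '};' > "$root/catalina.policy"
    printf '%s\n' "$root"
}

# Usage on a real host (paths are assumptions, adjust to the installation):
#   uncovered_jars /usr/share/tomcat/lib /etc/tomcat/catalina.policy /usr/share/tomcat
```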

Comment 4 Fedora Update System 2016-08-11 18:50:10 UTC
tomcat-8.0.36-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-0a4dccdd23

Comment 5 Fedora Update System 2016-08-11 18:50:54 UTC
tomcat-8.0.36-2.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-2b0c16fd82

Comment 6 Fedora Update System 2016-08-11 18:51:35 UTC
tomcat-8.0.36-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-f4a443888b

Comment 7 Fedora Update System 2016-08-12 14:28:23 UTC
tomcat-8.0.36-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-f4a443888b

Comment 8 Fedora Update System 2016-08-12 20:53:10 UTC
tomcat-8.0.36-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-0a4dccdd23

Comment 9 Fedora Update System 2016-08-12 20:53:12 UTC
tomcat-8.0.36-2.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-2b0c16fd82

Comment 10 Fedora Update System 2016-09-01 13:37:16 UTC
tomcat-8.0.36-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2016-09-01 16:55:51 UTC
tomcat-8.0.36-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2016-09-01 18:53:19 UTC
tomcat-8.0.36-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.