Bug 927934

Summary: java.security.AccessControlException: access denied on tomcat6 rpm running with security manager
Product: Red Hat Enterprise Linux 6
Reporter: Michal Haško <mhasko>
Component: tomcat6
Assignee: David Knox <dknox>
Status: CLOSED WONTFIX
QA Contact: tomcat-qe
Severity: medium
Priority: unspecified
Version: 6.4
CC: jclere, jstefl, mhasko, pslavice
Target Milestone: rc
Hardware: Unspecified
OS: Linux
Doc Type: Bug Fix
Clone Of: 927930
Last Closed: 2014-01-20 21:17:02 UTC
Type: Bug
Bug Depends On: 927930

Description Michal Haško 2013-03-26 14:25:45 UTC
+++ This bug was initially created as a clone of Bug #927930 +++

Created attachment 716541
reproducer app

Description of problem:
This issue was discovered while testing whether the security manager works properly on the tomcat6 rpm. The test itself was denied runtime permissions.

Version-Release number of selected component (if applicable):
tomcat6-6.0.24-52.el6_4.noarch

How reproducible:
100%

Steps to Reproduce:
1. enable security manager (SECURITY_MANAGER=true in /etc/tomcat6/tomcat6.conf)
2. deploy app smtest (in attachment)
3. start tomcat # service tomcat6 start
4. visit http://$(hostname):8080/smtest/test.jsp

Actual results:
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.jasper")
	java.security.AccessControlContext.checkPermission(AccessControlContext.java:366)
	java.security.AccessController.checkPermission(AccessController.java:560)
	java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
	java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1529)
	sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:305)
	java.lang.ClassLoader.loadClass(ClassLoader.java:410)
	java.lang.ClassLoader.loadClass(ClassLoader.java:356)
	org.apache.jasper.servlet.JspServletWrapper.<init>(JspServletWrapper.java:98)
	org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:305)
	org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
	sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	java.lang.reflect.Method.invoke(Method.java:601)
	org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:270)
	org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:268)
	java.security.AccessController.doPrivileged(Native Method)
	javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
	org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:302)
	org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:163)

Expected results:
Security Manager Test Result = pass
If you can see this text. Your security manager setup works fine.
This, of course, doesn't mean you are safe for all kinds of misbehavior.
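To make the trace above concrete, here is an added Java demo (my own code, not from the bug report or the tomcat6 rpm) of the mechanism involved: SecurityManager.checkPackageAccess, the frame just above loadClass in the trace, turns a package.access entry into a RuntimePermission check that a policy grant must satisfy. It assumes Java 8 to 17 (Java 18+ needs -Djava.security.manager=allow); the DemoManager flag stands in for a policy-file grant line and is not the RHEL fix.

```java
import java.security.AccessControlException;
import java.security.Permission;
import java.security.Security;

// Added demo, not code from the bug report or the tomcat6 package.
// checkPackageAccess() reads the "package.access" security property; for a
// package matching an entry there, the caller must hold
// RuntimePermission("accessClassInPackage.<pkg>") or class loading is refused.
public class PackageAccessDemo {
    static final String PKG = "org.apache.jasper";            // package from the trace
    static final String NEEDED = "accessClassInPackage." + PKG;

    // Stand-in for a policy file: grantJasper plays the role of a
    //   permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper";
    // line in a codebase's grant block. Everything else is allowed to keep the demo small.
    static final class DemoManager extends SecurityManager {
        private final boolean grantJasper;
        DemoManager(boolean grantJasper) { this.grantJasper = grantJasper; }
        @Override public void checkPermission(Permission p) {
            if (!grantJasper && p instanceof RuntimePermission && p.getName().equals(NEEDED)) {
                throw new AccessControlException("access denied " + p, p);
            }
        }
        @Override public void checkPermission(Permission p, Object context) { checkPermission(p); }
    }

    // Returns "pass" or the AccessControlException message for the given grant state.
    static String tryAccess(boolean grantJasper) {
        System.setSecurityManager(new DemoManager(grantJasper));
        try {
            System.getSecurityManager().checkPackageAccess(PKG);   // same check as in the trace
            return "pass";
        } catch (AccessControlException e) {
            return e.getMessage();
        } finally {
            System.setSecurityManager(null);   // allowed: DemoManager permits setSecurityManager
        }
    }

    public static void main(String[] args) {
        // Tomcat's catalina.properties lists org.apache.jasper. in package.access so that
        // web applications cannot reach into the JSP engine; this does the same here.
        String restricted = Security.getProperty("package.access");
        Security.setProperty("package.access",
                (restricted == null ? "" : restricted + ",") + PKG + ".");

        System.out.println("without grant: " + tryAccess(false));
        System.out.println("with grant:    " + tryAccess(true));
    }
}
```

The first line prints the same message as the bug's Actual results, access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.jasper"), and the second prints pass; in a real deployment the grant must cover the codebase that actually performs the load, which is the part a policy mismatch gets wrong.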

Comment 3 RHEL Program Management 2014-01-20 21:17:02 UTC
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.