Bug 1347774 - The security manager doesn't work correctly (JSPs cannot be compiled)
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: tomcat (Show other bugs)
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Coty Sutherland
QA Contact: fgoldefu
Depends On: 927930
Blocks: 1298191 1347142 1347144 1347146 1347778 1347835 1347838
Reported: 2016-06-17 11:29 EDT by Coty Sutherland
Modified: 2016-11-03 17:13 EDT (History)

Clones: 1347778 1347835
Last Closed: 2016-11-03 17:13:45 EDT
Type: Bug


Attachments
test war to reproduce the issue (193 bytes, application/zip), 2016-06-17 11:29 EDT, Coty Sutherland


External Trackers
JBoss Issue Tracker JWS-472 (Critical, Closed): The security manager doesn't work correctly; last updated 2017-06-29 05:08 EDT
Red Hat Product Errata RHSA-2016:2599 (normal, SHIPPED_LIVE): Moderate: tomcat security, bug fix, and enhancement update; last updated 2016-11-03 08:12:12 EDT

Description Coty Sutherland 2016-06-17 11:29:21 EDT
Created attachment 1169152 [details]
test war to reproduce the issue

Description of problem:
When using the security manager for the tomcat service, JSPs are inaccessible (they won't compile) because of access permissions.

+++
HTTP Status 500 - access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.jasper")

type Exception report

message access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.jasper")

description The server encountered an internal error that prevented it from fulfilling this request.

exception

java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.jasper")
	java.security.AccessControlContext.checkPermission(AccessControlContext.java:474)
	java.security.AccessController.checkPermission(AccessController.java:685)
	java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
	java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1525)
	sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:305)
	java.lang.ClassLoader.loadClass(ClassLoader.java:412)
	java.lang.ClassLoader.loadClass(ClassLoader.java:358)
	org.apache.jasper.servlet.JspServletWrapper.<init>(JspServletWrapper.java:120)
	org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:382)
	org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
	sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	java.lang.reflect.Method.invoke(Method.java:606)
	org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
	org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
	java.security.AccessController.doPrivileged(Native Method)
	javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
	org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
	org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
	java.security.AccessController.doPrivileged(Native Method)
	org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	java.lang.reflect.Method.invoke(Method.java:606)
	org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
	org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
	java.security.AccessController.doPrivileged(Native Method)
	javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
	org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
	org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
+++

Version-Release number of selected component (if applicable):
tomcat-7.0.54-2.el7_1.noarch

How reproducible:
Every time :(

Steps to Reproduce:
1. yum install tomcat
2. echo "SECURITY_MANAGER=\"true\"" >> /etc/sysconfig/tomcat
3. cp reproducer.tar /usr/share/tomcat/webapps/
4. service tomcat start
5. curl -is http://localhost:8080/reproducer/

Actual results:
JSP compilation fails and an error is observed

Expected results:
JSP compiles and displays correctly.

Additional info:
It looks like the java policy in use (catalina.policy) doesn't allow for use of jars from /usr/share/java.
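As an added illustration (not code from the report or from the tomcat package), the Python checker below applies Java policy codeBase matching to the situation described above: the default policy provider canonicalizes file: codebases, so a jar reached through a symlink under ${catalina.home}/lib is judged by its real location under /usr/share/java, which a grant written for ${catalina.home}/lib/- does not cover. The policy text, paths, property values and the "fixed" grant are assumptions for illustration, not the shipped catalina.policy.

```python
import re

# Constructed policy fragments modelled on catalina.policy. The grants, paths and
# property values below are assumptions for illustration, not the file shipped
# with tomcat-7.0.54-2.el7_1.
PROPS = {"catalina.home": "/usr/share/tomcat", "catalina.base": "/usr/share/tomcat"}

SHIPPED_POLICY = '''
grant codeBase "file:${catalina.home}/lib/-" {
    permission java.security.AllPermission;
};
'''

# Assumed fix: also trust the directory the container jars physically live in.
FIXED_POLICY = SHIPPED_POLICY + '''
grant codeBase "file:/usr/share/java/tomcat/-" {
    permission java.security.AllPermission;
};
'''

# The permission named in the AccessControlException above.
JASPER_PERM = ("java.lang.RuntimePermission", "accessClassInPackage.org.apache.jasper")

GRANT_RE = re.compile(r'grant\s+codeBase\s+"([^"]+)"\s*\{(.*?)\};', re.S)
PERM_RE = re.compile(r'permission\s+([\w.]+)(?:\s+"([^"]*)")?')


def parse_grants(policy, props):
    """Return [(codebase, {(perm_class, target), ...})] with ${...} properties expanded."""
    expand = lambda s: re.sub(r'\$\{([\w.]+)\}', lambda m: props[m.group(1)], s)
    return [(expand(cb), {(c, t) for c, t in PERM_RE.findall(body)})
            for cb, body in GRANT_RE.findall(policy)]


def codebase_matches(codebase, jar):
    """Java policy codeBase rules: '/-' is recursive, '/*' is one directory, else exact."""
    path = codebase[len("file:"):]
    if path.endswith("/-"):
        return jar.startswith(path[:-1])
    if path.endswith("/*"):
        return jar.startswith(path[:-1]) and "/" not in jar[len(path) - 1:]
    return jar == path


def is_granted(policy, props, jar, perm):
    """True if some grant covering `jar` carries `perm` or AllPermission."""
    for cb, perms in parse_grants(policy, props):
        if codebase_matches(cb, jar) and (
                ("java.security.AllPermission", "") in perms or perm in perms):
            return True
    return False
```

Running `is_granted` with the canonical jar path /usr/share/java/tomcat/tomcat-jasper.jar returns False under SHIPPED_POLICY and True under FIXED_POLICY, while the symlink path under /usr/share/tomcat/lib is covered by the shipped grant alone.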
Comment 3 JBoss JIRA Server 2016-07-11 16:28:35 EDT
Coty Sutherland <csutherl@redhat.com> updated the status of jira JWS-472 to Resolved
Comment 6 errata-xmlrpc 2016-11-03 17:13:45 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2599.html
