+++ This bug was initially created as a clone of Bug #1347774 +++ Description of problem: When using the security manager for the tomcat service, JSPs are inaccessible (they won't compile) because of access permissions. +++ HTTP Status 500 - access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.jasper") type Exception report message access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.jasper") description The server encountered an internal error that prevented it from fulfilling this request. exception java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.jasper") java.security.AccessControlContext.checkPermission(AccessControlContext.java:474) java.security.AccessController.checkPermission(AccessController.java:685) java.lang.SecurityManager.checkPermission(SecurityManager.java:549) java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1525) sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:305) java.lang.ClassLoader.loadClass(ClassLoader.java:412) java.lang.ClassLoader.loadClass(ClassLoader.java:358) org.apache.jasper.servlet.JspServletWrapper.<init>(JspServletWrapper.java:120) org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:382) org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334) javax.servlet.http.HttpServlet.service(HttpServlet.java:727) sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) java.lang.reflect.Method.invoke(Method.java:606) org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) java.security.AccessController.doPrivileged(Native Method) javax.security.auth.Subject.doAsPrivileged(Subject.java:536) org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169) java.security.AccessController.doPrivileged(Native Method) org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) java.lang.reflect.Method.invoke(Method.java:606) org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274) java.security.AccessController.doPrivileged(Native Method) javax.security.auth.Subject.doAsPrivileged(Subject.java:536) org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249) +++ Version-Release number of selected component (if applicable): tomcat-8.0.32-5.fc23.noarch How reproducible: Every time :( Steps to Reproduce: 1. yum install tomcat 2. echo "SECURITY_MANAGER=\"true\"" >> /etc/sysconfig/tomcat 3. cp reproducer.tar /usr/share/tomcat/webapps/ 4. service tomcat start 5. curl -is http://localhost:8080/reproducer/ Actual results: JSP compilation fails and an error is observed Expected results: JSP compiles and displays correctly. Additional info: It looks like the java policy in use (catalina.policy) doesn't allow for use of jars from /usr/share/java
In order to get this to work I added the following to my catalina.policy to allow access to the /usr/share/java jars that the symlinks point to: +++ grant codeBase "file:/usr/share/java/apache-commons-collections.jar" { permission java.security.AllPermission; }; grant codeBase "file:/usr/share/java/apache-commons-dbcp.jar" { permission java.security.AllPermission; }; grant codeBase "file:/usr/share/java/apache-commons-pool.jar" { permission java.security.AllPermission; }; grant codeBase "file:/usr/share/java/ecj.jar" { permission java.security.AllPermission; }; grant codeBase "file:/usr/share/java/tomcat-el-3.0-api.jar" { permission java.security.AllPermission; }; grant codeBase "file:/usr/share/java/tomcat-jsp-2.3-api.jar" { permission java.security.AllPermission; }; grant codeBase "file:/usr/share/java/tomcat-servlet-3.1-api.jar" { permission java.security.AllPermission; }; +++ Adding this and restarting resolves the issue and allows JSPs to compile again.
https://github.com/csutherl/fedora-tomcat/commit/a9b04eb
https://pkgs.fedoraproject.org/cgit/rpms/tomcat.git/commit/?id=4dc51a6
tomcat-8.0.36-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-0a4dccdd23
tomcat-8.0.36-2.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-2b0c16fd82
tomcat-8.0.36-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-f4a443888b
tomcat-8.0.36-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-f4a443888b
tomcat-8.0.36-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-0a4dccdd23
tomcat-8.0.36-2.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-2b0c16fd82
tomcat-8.0.36-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
tomcat-8.0.36-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
tomcat-8.0.36-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.