Bug 1347838 - The security manager doesn't work correctly (JSPs cannot be compiled)
Summary: The security manager doesn't work correctly (JSPs cannot be compiled)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: tomcat
Version: el6
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Coty Sutherland
QA Contact: Michal Karm Babacek
URL:
Whiteboard:
Depends On: 927930 1347774 1347835
Blocks: 1347778
TreeView+ depends on / blocked
 
Reported: 2016-06-17 19:16 UTC by Coty Sutherland
Modified: 2016-09-02 09:22 UTC (History)
10 users (show)

Fixed In Version: tomcat-7.0.70-2.el6
Clone Of: 1347835
Environment:
Last Closed: 2016-09-02 09:22:49 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)
policy patch proposal (1.38 KB, patch)
2016-07-07 20:34 UTC, Coty Sutherland 		no flags Details | Diff
View All

Description Coty Sutherland 2016-06-17 19:16:15 UTC 
+++ This bug was initially created as a clone of Bug #1347835 +++

+++ This bug was initially created as a clone of Bug #1347774 +++

Description of problem:
When using the security manager for the tomcat service, JSPs are inaccessible (they won't compile) because of access permissions.

+++
HTTP Status 500 - access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.jasper")

type Exception report

message access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.jasper")

description The server encountered an internal error that prevented it from fulfilling this request.

exception

java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.jasper")
	java.security.AccessControlContext.checkPermission(AccessControlContext.java:474)
	java.security.AccessController.checkPermission(AccessController.java:685)
	java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
	java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1525)
	sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:305)
	java.lang.ClassLoader.loadClass(ClassLoader.java:412)
	java.lang.ClassLoader.loadClass(ClassLoader.java:358)
	org.apache.jasper.servlet.JspServletWrapper.<init>(JspServletWrapper.java:120)
	org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:382)
	org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
	sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	java.lang.reflect.Method.invoke(Method.java:606)
	org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
	org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
	java.security.AccessController.doPrivileged(Native Method)
	javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
	org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
	org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:169)
	java.security.AccessController.doPrivileged(Native Method)
	org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	java.lang.reflect.Method.invoke(Method.java:606)
	org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
	org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:274)
	java.security.AccessController.doPrivileged(Native Method)
	javax.security.auth.Subject.doAsPrivileged(Subject.java:536)
	org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
	org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:249)
+++

Version-Release number of selected component (if applicable):
tomcat-7.0.69-1.el6.noarch

How reproducible:
Every time :(

Steps to Reproduce:
1. yum install tomcat
2. echo "SECURITY_MANAGER=\"true\"" >> /etc/sysconfig/tomcat
3. cp reproducer.tar /usr/share/tomcat/webapps/
4. service tomcat start
5. curl -is http://localhost:8080/reproducer/

Actual results:
JSP compilation fails and an error is observed

Expected results:
JSP compiles and displays correctly.

Additional info:
It looks like the java policy in use (catalina.policy) doesn't allow for use of jars from /usr/share/java
Comment 1 Coty Sutherland 2016-07-07 20:34:19 UTC 
Created attachment 1177448 [details]
policy patch proposal

This policy update resolves the issue for me when using epel tomcat.
Comment 2 Coty Sutherland 2016-08-05 13:44:16 UTC 
https://pkgs.fedoraproject.org/cgit/rpms/tomcat.git/commit/?h=el6&id=b225805
Comment 3 Coty Sutherland 2016-08-05 13:47:31 UTC 
https://pkgs.fedoraproject.org/cgit/rpms/tomcat.git/commit/?h=el6&id=aa5454a
Comment 4 Fedora Update System 2016-08-05 20:11:01 UTC 
tomcat-7.0.70-2.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-3ff1f4485b
Comment 5 Fedora Update System 2016-08-09 02:18:07 UTC 
tomcat-7.0.70-2.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-3ff1f4485b
Comment 6 Fedora Update System 2016-09-01 16:20:21 UTC 
tomcat-7.0.70-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2016-09-02 09:22:11 UTC 
tomcat-7.0.70-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.