Bug 899300
| Summary: | EWS - tomcat cannot start with the default catalina.policy and security manager (rpm installation) | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [JBoss] JBoss Enterprise Web Server 2 | Reporter: | Aleksandar Kostadinov <akostadinov> | ||||||||
| Component: | unspecified | Assignee: | David Knox <dknox> | ||||||||
| Status: | CLOSED NEXTRELEASE | QA Contact: | |||||||||
| Severity: | high | Docs Contact: | |||||||||
| Priority: | high | ||||||||||
| Version: | 2.0.0 | CC: | akostadinov, dknox, jclere, jlanik, pcheung, pskopek, rebecca.jboss | ||||||||
| Target Milestone: | --- | ||||||||||
| Target Release: | 2.0.0 | ||||||||||
| Hardware: | Unspecified | ||||||||||
| OS: | Unspecified | ||||||||||
| URL: | http://jira.jboss.org/jira/browse/JBEWS-88 | ||||||||||
| Whiteboard: | ews tomcat | ||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | JBEWS-88 | Environment: |
RHEL rpm
|
||||||||
| Last Closed: | 2012-04-11 04:07:00 UTC | Type: | Bug | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Attachments: |
|
||||||||||
|
Description
Aleksandar Kostadinov
2010-08-11 19:28:44 UTC
Link: Added: This issue related JBPAPP-3644 Attachment: Added: tomcat5.log Steps to Reproduce: Added: 1. install EWS 2. run tomcat with security manager enabled 2.1. tomcat 6 run as tomcat user: /usr/sbin/dtomcat6 start-security 2.2. tomcat 5 run as tomcat user: /usr/sbin/dtomcat5 start -security Attachment: Added: tomcat6.log Permaine are you waiting on something from someone here? Please specify and assign the JIRA to the person that should provide the fix, please. Investigate for 1.0.2 Release Notes Docs Status: Added: Not Yet Documented Writer: Added: rebecca_newton Dave, please investigate. Thanks! Release Notes Docs Status: Removed: Not Yet Documented Added: Documented as Known Issue Release Notes Text: Added: Running tomcat 5 or 6 with security manager enabled fails to start with the default catalina.policy. Link: Added: This issue is related to JBPAPP-6133 Marking this as resolved since JBPAPP-6133 and JBPAPP-3644 are resolved in EWS 1.0.2 CR2. Will reopen if necessary. Similar to what I see in JBPAPP-6133 on RHEL5 RPM installation tomcat cannot start with security manager and default catalina.policy
tomcat 5:
{code}java.security.AccessControlException: access denied (java.security.SecurityPermission getProperty.package.definition)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.security.Security.getProperty(Security.java:725)
at org.apache.catalina.security.SecurityConfig.setSecurityProperty(SecurityConfig.java:117)
at org.apache.catalina.security.SecurityConfig.setPackageDefinition(SecurityConfig.java:106)
at org.apache.catalina.startup.Embedded.setSecurityProtection(Embedded.java:991)
at org.apache.catalina.startup.Embedded.<init>(Embedded.java:130)
at org.apache.catalina.startup.Embedded.<init>(Embedded.java:115)
at org.apache.catalina.startup.Catalina.<init>(Catalina.java:58)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
at java.lang.Class.newInstance0(Class.java:355)
at java.lang.Class.newInstance(Class.java:308)
at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:225)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:410)
{code}
tomcat6:{code}
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: org.apache.juli.logging.LogConfigurationException: java.security.AccessControlException: access denied (ja
va.util.logging.LoggingPermission control) (Caused by java.security.AccessControlException: access denied (java.util.
logging.LoggingPermission control))
at org.apache.juli.logging.impl.LogFactoryImpl.newInstance(LogFactoryImpl.java:630)
at org.apache.juli.logging.impl.LogFactoryImpl.getInstance(LogFactoryImpl.java:336)
at org.apache.juli.logging.LogFactory.getLog(LogFactory.java:704)
at org.apache.catalina.core.ContainerBase.getLogger(ContainerBase.java:395)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1037)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:840)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:463)
at org.apache.catalina.core.StandardService.start(StandardService.java:525)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:754)
at org.apache.catalina.startup.Catalina.start(Catalina.java:595){code}
Dave, we're leaving this one to be documented, right? If so, please update the JIRA. Thanks! The release notes should say that this issue exists only on RHEL4. Other platforms have been fixed. Planned for the next release cycle This issue exists only on tomcat5-5.5.33.ep5.el4. It will be tested on RHEL-4 and fixed. Hi Rebecca, Please document and reassign to me for fixing. Release Notes Text: Removed: Running tomcat 5 or 6 with security manager enabled fails to start with the default catalina.policy. Added: Running tomcat 5 on Red Hat Enterprise Linux 4 with security manager enabled fails to start with the default catalina.policy. Hi David, have changed the RN text: Running tomcat 5 on Red Hat Enterprise Linux 4 with security manager enabled fails to start with the default catalina.policy. and am reassigning to you for next release cycle. I'm watching this issue, so just comment and let me know if anything needs to change :) Labels: Added: ews tomcat Please see [Pavel Janousek's comment here|https://issues.jboss.org/browse/JBPAPP-3644?focusedCommentId=12607385&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-12607385] for a root cause analysis. Attachment: Added: policy_debug.log this issue also occurs on rhel 4 The same problem exists on EWS-1.0.2.CR4 rpm distribution RHEL6. with other bz and jiras now out of the way, I'll come back to this when I have jbpapp-3900 resolved; in a day or two. This one (and related) are the priority now. Release Notes Text: Removed: Running tomcat 5 on Red Hat Enterprise Linux 4 with security manager enabled fails to start with the default catalina.policy. Added: Package includes a replacement for catalina.policy that takes advantage of JBoss signed jars. The required public key (RSA) has been added to the tomcat package. Directions for configuration are in the header of catalina.policy. I'm reopening this issue. Not sure why it is in resolved state while comments do not indicate the problem to be fixed. Moreover I'm seeing the problem with EWS 1.0.2 and RHEL6 tomcat5-5.5.33-15_patch_04.ep5.el6.noarch tomcat6-6.0.32-14_patch_03.ep5.el6.noarch There's no reason to reopen this issues: tomcat6-6.0.32-14_patch_03.ep5.el6.noarch - from Jun 13 2011 is prior to the solution being applied in Sep 15 2011 (tomcat6-6.0.32-17_patch_04). JBPAPP-4873 is cited in the change log. I've tested my most current rev (tomcat6-6.0.32-23_patch_07.ep5.el6) following the directions in catalina.policy and setting SECURITY_MANAGER=true. Tomcat starts without error. tomcat5-5.5.33-15_patch_04.ep5.el6.noarch - Also fixed in Sep 2011. I conducted the same test on tomcat5.5.33-28_patch_07 and got the same positive results. 4873 is cited in the changelog. tomcat6/RHEL-6 doesn't use signed jars so if there is a problem, it's not the same cause. I'll have to test that separately. Writer: Removed: rebecca_newton Added: mhusnain Release Notes Text: Removed: Package includes a replacement for catalina.policy that takes advantage of JBoss signed jars. The required public key (RSA) has been added to the tomcat package. Directions for configuration are in the header of catalina.policy. Added: For the Red Hat Enterprise Linux RPM installation of JBoss Enterprise Web Server, running tomcat5 or tomcat6 with a security manager results in a failed start with the default catalina.policy. This problem occurred because of symbolic links in the RPMs, while catalina.policy contains full links, permission to access the correct directory was denied. This problem is resolved in JBoss Enterprise Web Server 2.0. Release Notes Docs Status: Removed: Documented as Known Issue Added: Documented as Resolved Issue Release Notes Docs Status: Removed: Documented as Resolved Issue Writer: Removed: mhusnain Release Notes Text: Removed: For the Red Hat Enterprise Linux RPM installation of JBoss Enterprise Web Server, running tomcat5 or tomcat6 with a security manager results in a failed start with the default catalina.policy. This problem occurred because of symbolic links in the RPMs, while catalina.policy contains full links, permission to access the correct directory was denied. This problem is resolved in JBoss Enterprise Web Server 2.0. |