https://bz.apache.org/bugzilla/show_bug.cgi?id=60683
Bug ID: 60683
Summary: Using the IBM JDK with the security manager results in
a NullPointerException for requests to some JSPs
Product: Tomcat 8
Version: 8.0.x-trunk
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ----
When using the IBM JDK (version 7) and the security manager requests to some
JSPs return a 500 status and an NPE is logged. The odd thing is that you can
make numerous requests to / and get a 500 every time, but after you make a
request to /examples/jsp/dates/date.jsp, everything works fine. I'm not exactly
sure what's causing that, but IBM JDK is weird so...
Steps to reproduce:
1. ./catalina.sh start -security
2. Make a request:
$ curl -I http://localhost:8080/ | head -n1
HTTP/1.1 500 Internal Server Error
3. Check the catalina.out log for the following:
java.lang.NullPointerException
at
org.apache.catalina.connector.OutputBuffer.realWriteChars(OutputBuffer.java:464)
at org.apache.tomcat.util.buf.CharChunk.flushBuffer(CharChunk.java:393)
at
org.apache.catalina.connector.OutputBuffer.close(OutputBuffer.java:279)
....
Additional information:
I narrowed down the problem to an unexpected access denial exception being
returned from OutputBuffer:583:
583 conv = encoders.get(enc);
584 if (conv == null) {
585 if (Globals.IS_SECURITY_ENABLED){
I added a try/catch and e.printStackTrace() and found the following exception
happens within the encoders.get() call on line 583 ONLY when using IBM JDK:
java.security.AccessControlException: Access denied
("java.lang.RuntimePermission"
"accessClassInPackage.org.apache.tomcat.util.buf")
at java.security.AccessController.throwACE(AccessController.java:121)
at
java.security.AccessController.checkPermission(AccessController.java:230)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:563)
at
java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1617)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:323)
at java.lang.ClassLoader.loadClassHelper(ClassLoader.java:778)
at java.lang.ClassLoader.loadClass(ClassLoader.java:760)
at java.lang.ClassLoader.loadClass(ClassLoader.java:741)
at
org.apache.catalina.connector.OutputBuffer.setConverter(OutputBuffer.java:586)
....
Knowing the exception it was pretty easy to fix with a policy update, but I'm
opening this bug because I don't know if this is feasible or not (I don't know
the security policy well enough). Changing the catalina.policy's
RuntimePermissions on the org.apache.tomcat package from:
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.tomcat";
to either:
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.tomcat.*";
or (and more targeted to the issue):
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.tomcat.util.buf";
works well. Are either of these suggestions a feasible solution?
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]