https://bz.apache.org/bugzilla/show_bug.cgi?id=65714
Bug ID: 65714
Summary: HTTPS connection error using NIO2 with security manager enabled
Product: Tomcat 8
Version: 8.5.73
Hardware: Other
OS: Linux
Status: NEW
Severity: blocker
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: u632...@gmail.com
Target Milestone: ---

We found a problem with 8.5.73, 8.5.72, 9.0.55, 9.0.54: when we configure a SSL/TLS connector using Nio2 with Java Security Manager enabled, we are getting connection error 500 when accessing the default Tomcat root (e.g. https://hostname:8443/) with log message: SEVERE org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor errors.

We are using Java 8 (e.g. 1.8.0.212b31). We have tested this on Windows Server 2019 and RedHat Linux 7.

When we change the connector configuration to use org.apache.coyote.http11.Http11NioProtocol the errors are not present.

Example connector configuration
--------------------------------

    <Connector port="8082" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               maxThreads="150" scheme="https" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="tomcat.jks"
                         certificateKeystorePassword="xxxxx"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

The catalina.policy is the default one which comes with the 8.5.73 release.

Example Startup command
------------------------

    # Note the environment variables CATALINA_HOME and CATALINA_BASE are custom to our environment
    export JAVA_OPTS="-Djava.awt.headless=true -Djava.security.manager -Djava.security.policy=${CATALINA_BASE}/conf/catalina.policy -XX:+HeapDumpOnOutOfMemoryError -Xms512M -Xmx1024M -XX:MetaspaceSize=512m -XX:MaxMetaspaceSize=2048m"
    ${CATALINA_HOME}/bin/startup.sh

Test command
-------------

    curl -k -i https://hostname:8082

Returns:

    HTTP/1.1 500
    Transfer-Encoding: chunked
    Date: Tue, 30 Nov 2021 11:52:50 GMT
    Connection: close

Sometimes I get:

    curl: (35) Encountered end of file

or via browser returns error 500.

Error message in logs from 8.5.52 and 8.5.53
--------------------------------------------

(via curl and browser)

    2021-11-30T11:45:12.977Z SEVERE org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor doRun Error running socket processor
    java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.tomcat.util.net")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.security.AccessController.checkPermission(AccessController.java:884)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1564)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:329)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:411)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
        at org.apache.tomcat.util.net.SecureNio2Channel.processSNI(SecureNio2Channel.java:406)
        at org.apache.tomcat.util.net.SecureNio2Channel.handshakeInternal(SecureNio2Channel.java:231)
        at org.apache.tomcat.util.net.SecureNio2Channel.handshake(SecureNio2Channel.java:222)
        at org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun(Nio2Endpoint.java:1616)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at org.apache.tomcat.util.net.AbstractEndpoint.processSocket(AbstractEndpoint.java:1125)
        at org.apache.tomcat.util.net.SecureNio2Channel$HandshakeReadCompletionHandler.completed(SecureNio2Channel.java:104)
        at org.apache.tomcat.util.net.SecureNio2Channel$HandshakeReadCompletionHandler.completed(SecureNio2Channel.java:97)
        at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)
        at sun.nio.ch.Invoker$2.run(Invoker.java:218)
        at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

Error message in logs from 9.0.54 and 9.0.55
--------------------------------------------

(via curl)

    2021-11-30T11:32:46.775Z SEVERE org.apache.tomcat.util.net.Nio2Endpoint setSocketOptions Error setting socket options
    java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.tomcat.util.net")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.security.AccessController.checkPermission(AccessController.java:884)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1564)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:329)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:411)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
        at org.apache.tomcat.util.net.Nio2Endpoint.setSocketOptions(Nio2Endpoint.java:309)
        at org.apache.tomcat.util.net.Nio2Endpoint$Nio2Acceptor.completed(Nio2Endpoint.java:451)
        at org.apache.tomcat.util.net.Nio2Endpoint$Nio2Acceptor.completed(Nio2Endpoint.java:387)
        at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)
        at sun.nio.ch.Invoker$2.run(Invoker.java:218)
        at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)

(via Browser)

    2021-11-30T11:40:12.471Z SEVERE org.apache.tomcat.util.net.Nio2Endpoint$Nio2Acceptor failed Socket accept failed
    java.security.AccessControlException: access denied ("java.net.SocketPermission" "10.13.149.73:54048" "accept,resolve")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.security.AccessController.checkPermission(AccessController.java:884)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at java.lang.SecurityManager.checkAccept(SecurityManager.java:1167)
        at sun.nio.ch.UnixAsynchronousServerSocketChannelImpl$1.run(UnixAsynchronousServerSocketChannelImpl.java:223)
        at sun.nio.ch.UnixAsynchronousServerSocketChannelImpl$1.run(UnixAsynchronousServerSocketChannelImpl.java:219)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.nio.ch.UnixAsynchronousServerSocketChannelImpl.finishAccept(UnixAsynchronousServerSocketChannelImpl.java:219)
        at sun.nio.ch.UnixAsynchronousServerSocketChannelImpl.onEvent(UnixAsynchronousServerSocketChannelImpl.java:167)
        at sun.nio.ch.EPollPort$EventHandlerTask.run(EPollPort.java:293)
        at java.lang.Thread.run(Thread.java:748)
        at sun.misc.InnocuousThread.run(InnocuousThread.java:106)

There is a similar bugzilla reference https://bz.apache.org/bugzilla/show_bug.cgi?id=65577 with 8.5.70 with the same error "org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun Error running socket processor". Mark's reply was that it was fixed in 8.5.72, but it seems to still be there.
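The report contains three distinct security-manager denials, and deciding what (if anything) to grant in catalina.policy requires knowing, for each one, the permission class, its name and actions, and which Tomcat code path triggered the check. The following Python triage helper is an added example, not code from the report or from Tomcat: it parses SEVERE records of the shape shown above, extracts the denied permission, records the first org.apache.tomcat frame that sits above the JDK check, notes whether the check ran under AccessController.doPrivileged (in which case the denied context is the one doPrivileged ran under, not every frame on the stack), and groups repeated denials so ephemeral client ports in SocketPermission names do not fragment the counts. The sample log is constructed from the traces in the report, with the third record's timestamp invented to show aggregation.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: condensed copies of the traces in the report above.
# The third record (timestamp 11:50:00) is invented to show counting.
SAMPLE_LOG = """\
2021-11-30T11:45:12.977Z SEVERE org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor doRun Error running socket processor
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.tomcat.util.net")
\tat java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
\tat java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1564)
\tat sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:329)
\tat org.apache.tomcat.util.net.SecureNio2Channel.processSNI(SecureNio2Channel.java:406)
\tat org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun(Nio2Endpoint.java:1616)
2021-11-30T11:40:12.471Z SEVERE org.apache.tomcat.util.net.Nio2Endpoint$Nio2Acceptor failed Socket accept failed
java.security.AccessControlException: access denied ("java.net.SocketPermission" "10.13.149.73:54048" "accept,resolve")
\tat java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
\tat java.lang.SecurityManager.checkAccept(SecurityManager.java:1167)
\tat sun.nio.ch.UnixAsynchronousServerSocketChannelImpl$1.run(UnixAsynchronousServerSocketChannelImpl.java:223)
\tat java.security.AccessController.doPrivileged(Native Method)
\tat sun.nio.ch.EPollPort$EventHandlerTask.run(EPollPort.java:293)
2021-11-30T11:50:00.000Z SEVERE org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor doRun Error running socket processor
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.tomcat.util.net")
\tat java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1564)
\tat org.apache.tomcat.util.net.SecureNio2Channel.processSNI(SecureNio2Channel.java:406)
"""

# "<timestamp> SEVERE <logger> <method> <message>" as in the report's log lines.
RECORD_RE = re.compile(r"^(?P<ts>\S+) SEVERE (?P<logger>\S+) (?P<method>\S+) (?P<msg>.*)$")
# access denied ("<class>" "<name>" ["<actions>"]) -- actions absent for RuntimePermission.
DENIAL_RE = re.compile(
    r'java\.security\.AccessControlException: access denied '
    r'\("(?P<cls>[^"]+)" "(?P<name>[^"]+)"(?: "(?P<actions>[^"]+)")?\)'
)
FRAME_RE = re.compile(r"^\s*at (?P<cls>[\w$.]+)\.(?P<method>[\w$<>]+)\((?P<loc>[^)]*)\)")


@dataclass
class Denial:
    timestamp: str
    logger: str
    message: str
    perm_class: str
    perm_name: str
    perm_actions: Optional[str]
    frames: List[str] = field(default_factory=list)

    @property
    def privileged(self) -> bool:
        """True if the stack walk was scoped by AccessController.doPrivileged."""
        return any(f.startswith("java.security.AccessController.doPrivileged") for f in self.frames)

    @property
    def tomcat_origin(self) -> Optional[str]:
        """First Tomcat frame above the JDK check, i.e. the code path that needs a grant."""
        return next((f for f in self.frames if f.startswith("org.apache.tomcat.")), None)


def parse_denials(log_text: str) -> List[Denial]:
    """Walk the log line by line; frames attach to the most recent denial."""
    denials: List[Denial] = []
    record: Optional[dict] = None
    current: Optional[Denial] = None
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            record, current = m.groupdict(), None
            continue
        m = DENIAL_RE.search(line)
        if m and record is not None:
            current = Denial(record["ts"], record["logger"], record["msg"],
                             m["cls"], m["name"], m["actions"])
            denials.append(current)
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            current.frames.append(f"{m['cls']}.{m['method']}({m['loc']})")
    return denials


def grant_key(d: Denial) -> Tuple[str, str, str]:
    """Normalise a denial to the (class, name, actions) a policy grant would name.
    Client ports in SocketPermission names are ephemeral, so group by host."""
    name = d.perm_name
    if d.perm_class == "java.net.SocketPermission" and ":" in name:
        name = name.rsplit(":", 1)[0] + ":*"
    return (d.perm_class, name, d.perm_actions or "")


def summarize(denials: List[Denial]) -> Counter:
    """Count denials per (grant key, Tomcat origin frame)."""
    return Counter((grant_key(d), d.tomcat_origin) for d in denials)


if __name__ == "__main__":
    for (key, origin), n in summarize(parse_denials(SAMPLE_LOG)).most_common():
        print(f"{n:3d}x {key[0]} {key[1]!r} {key[2]!r}  origin={origin}")
```

Run against a real catalina.out the summary shows which denials are a single Tomcat code path (a candidate for a narrowly scoped codeBase grant, or for a Tomcat fix as in the referenced bug) and which are JDK-internal checks under doPrivileged, where granting to Tomcat's own classes will not help and the captured context has to be examined instead.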