https://bz.apache.org/bugzilla/show_bug.cgi?id=65714

            Bug ID: 65714
           Summary: HTTPS connection error using NIO2 with security
                    manager enabled
           Product: Tomcat 8
           Version: 8.5.73
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: blocker
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: u632...@gmail.com
  Target Milestone: ----

We found a problem with 8.5.73, 8.5.72, 9.0.55 and 9.0.54: when we configure an
SSL/TLS connector using Nio2 with the Java Security Manager enabled, we get a
connection error 500 when accessing the default Tomcat root (e.g.
https://hostname:8443/), with the log message: SEVERE
org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor errors.

We are using Java 8 (e.g. 1.8.0.212b31). 

We have tested this on Windows Server 2019 and RedHat Linux 7.

When we change the connector configuration to use
org.apache.coyote.http11.Http11NioProtocol the errors are not present.

Example connector configuration
--------------------------------

    <Connector
      port="8082" 
      protocol="org.apache.coyote.http11.Http11Nio2Protocol"
      maxThreads="150" 
      scheme="https"
      SSLEnabled="true">
      <SSLHostConfig>
        <Certificate 
          certificateKeystoreFile="tomcat.jks"
          certificateKeystorePassword="xxxxx"
          type="RSA" />
      </SSLHostConfig>
    </Connector>

The catalina.policy is the default one which comes with the 8.5.73 release

Example Startup command
------------------------
# Note the environment variables CATALINA_HOME and CATALINA_BASE are custom to
our environment

export JAVA_OPTS="-Djava.awt.headless=true -Djava.security.manager
-Djava.security.policy=${CATALINA_BASE}/conf/catalina.policy
-XX:+HeapDumpOnOutOfMemoryError -Xms512M -Xmx1024M -XX:MetaspaceSize=512m
-XX:MaxMetaspaceSize=2048m"

${CATALINA_HOME}/bin/startup.sh 


Test command
-------------
curl -k -i https://hostname:8082
Returns:
HTTP/1.1 500
Transfer-Encoding: chunked
Date: Tue, 30 Nov 2021 11:52:50 GMT
Connection: close

Sometimes I get
curl: (35) Encountered end of file

or, via a browser, it returns error 500.

Error message in logs from 8.5.52 and 8.5.53
--------------------------------------------
(via curl and browser)
2021-11-30T11:45:12.977Z SEVERE org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor doRun Error running socket processor
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.tomcat.util.net")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.security.AccessController.checkPermission(AccessController.java:884)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1564)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:329)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:411)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
        at org.apache.tomcat.util.net.SecureNio2Channel.processSNI(SecureNio2Channel.java:406)
        at org.apache.tomcat.util.net.SecureNio2Channel.handshakeInternal(SecureNio2Channel.java:231)
        at org.apache.tomcat.util.net.SecureNio2Channel.handshake(SecureNio2Channel.java:222)
        at org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun(Nio2Endpoint.java:1616)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at org.apache.tomcat.util.net.AbstractEndpoint.processSocket(AbstractEndpoint.java:1125)
        at org.apache.tomcat.util.net.SecureNio2Channel$HandshakeReadCompletionHandler.completed(SecureNio2Channel.java:104)
        at org.apache.tomcat.util.net.SecureNio2Channel$HandshakeReadCompletionHandler.completed(SecureNio2Channel.java:97)
        at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)
        at sun.nio.ch.Invoker$2.run(Invoker.java:218)
        at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)


Error message in logs from 9.0.54 and 9.0.55
--------------------------------------------
(via curl)
2021-11-30T11:32:46.775Z SEVERE org.apache.tomcat.util.net.Nio2Endpoint setSocketOptions Error setting socket options
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.tomcat.util.net")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.security.AccessController.checkPermission(AccessController.java:884)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1564)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:329)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:411)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
        at org.apache.tomcat.util.net.Nio2Endpoint.setSocketOptions(Nio2Endpoint.java:309)
        at org.apache.tomcat.util.net.Nio2Endpoint$Nio2Acceptor.completed(Nio2Endpoint.java:451)
        at org.apache.tomcat.util.net.Nio2Endpoint$Nio2Acceptor.completed(Nio2Endpoint.java:387)
        at sun.nio.ch.Invoker.invokeUnchecked(Invoker.java:126)
        at sun.nio.ch.Invoker$2.run(Invoker.java:218)
        at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(AsynchronousChannelGroupImpl.java:112)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)

(via Browser)
2021-11-30T11:40:12.471Z SEVERE org.apache.tomcat.util.net.Nio2Endpoint$Nio2Acceptor failed Socket accept failed
java.security.AccessControlException: access denied ("java.net.SocketPermission" "10.13.149.73:54048" "accept,resolve")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.security.AccessController.checkPermission(AccessController.java:884)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at java.lang.SecurityManager.checkAccept(SecurityManager.java:1167)
        at sun.nio.ch.UnixAsynchronousServerSocketChannelImpl$1.run(UnixAsynchronousServerSocketChannelImpl.java:223)
        at sun.nio.ch.UnixAsynchronousServerSocketChannelImpl$1.run(UnixAsynchronousServerSocketChannelImpl.java:219)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.nio.ch.UnixAsynchronousServerSocketChannelImpl.finishAccept(UnixAsynchronousServerSocketChannelImpl.java:219)
        at sun.nio.ch.UnixAsynchronousServerSocketChannelImpl.onEvent(UnixAsynchronousServerSocketChannelImpl.java:167)
        at sun.nio.ch.EPollPort$EventHandlerTask.run(EPollPort.java:293)
        at java.lang.Thread.run(Thread.java:748)
        at sun.misc.InnocuousThread.run(InnocuousThread.java:106)

There is a similar Bugzilla reference,
https://bz.apache.org/bugzilla/show_bug.cgi?id=65577, with 8.5.70 and the same
error "org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor.doRun Error
running socket processor". The reply from Mark was that it was fixed in 8.5.72,
but it seems to still be there.
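The denials quoted in the report all have the same shape: an AccessControlException naming a permission class, a target and optionally an action list, followed by a stack trace whose first non-JDK frame is the Tomcat code that tripped the check. The following Python script is an added example, not part of the bug report or of Tomcat; it parses such log excerpts (the sample input below is constructed from the traces quoted in the report) and reports, per denial, the permission and the first application frame that needed it, which is the information needed to triage whether the default catalina.policy lacks a grant for that code path.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Header of a Java security-manager denial as it appears in catalina.out, e.g.
#   java.security.AccessControlException: access denied
#   ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.tomcat.util.net")
# The optional third quoted field is the action list (e.g. "accept,resolve").
DENIAL_RE = re.compile(
    r'java\.security\.AccessControlException: access denied\s*'
    r'\("(?P<perm>[^"]+)"\s+"(?P<target>[^"]+)"(?:\s+"(?P<actions>[^"]+)")?\)'
)

# A stack frame. Mail extraction sometimes puts "at" and the frame on separate
# lines, so any whitespace (including a newline) is allowed between them.
FRAME_RE = re.compile(r'\bat\s+(?P<frame>[\w$.]+\([^)]*\))')

# Package prefixes that belong to the JDK itself rather than to the application.
JDK_PREFIXES = ('java.', 'javax.', 'sun.', 'jdk.', 'com.sun.')


@dataclass
class Denial:
    permission: str
    target: str
    actions: Optional[str]
    # First frame outside the JDK: the application code that needed the permission.
    # None when the whole stack is JDK code (as in the accept() trace).
    first_app_frame: Optional[str]

    def as_policy_line(self) -> str:
        """Restate the denial in policy-file syntax. This only mirrors what the
        exception reports; whether the permission should be granted, and to
        which codebase, is a separate decision for the operator."""
        if self.actions:
            return f'permission {self.permission} "{self.target}", "{self.actions}";'
        return f'permission {self.permission} "{self.target}";'


def parse_denials(log_text: str) -> List[Denial]:
    """Extract every AccessControlException in a log excerpt together with the
    first application frame of the stack trace that follows it."""
    denials: List[Denial] = []
    headers = list(DENIAL_RE.finditer(log_text))
    for i, m in enumerate(headers):
        # The trace for this denial runs until the next denial header (or EOF).
        end = headers[i + 1].start() if i + 1 < len(headers) else len(log_text)
        frames = [f.group('frame') for f in FRAME_RE.finditer(log_text, m.end(), end)]
        app_frame = next((f for f in frames if not f.startswith(JDK_PREFIXES)), None)
        denials.append(Denial(m.group('perm'), m.group('target'), m.group('actions'), app_frame))
    return denials


def unique_policy_lines(log_text: str) -> List[str]:
    """Distinct denied permissions in a log excerpt, in policy-file syntax."""
    return sorted({d.as_policy_line() for d in parse_denials(log_text)})


# Constructed sample, abridged from the traces quoted in the bug report.
SAMPLE_LOG = """\
2021-11-30T11:45:12.977Z SEVERE org.apache.tomcat.util.net.Nio2Endpoint$SocketProcessor doRun Error running socket processor
java.security.AccessControlException: access denied
("java.lang.RuntimePermission" "accessClassInPackage.org.apache.tomcat.util.net")
        at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1564)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:329)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:411)
        at
org.apache.tomcat.util.net.SecureNio2Channel.processSNI(SecureNio2Channel.java:406)
        at org.apache.tomcat.util.net.SecureNio2Channel.handshakeInternal(SecureNio2Channel.java:231)

2021-11-30T11:40:12.471Z SEVERE org.apache.tomcat.util.net.Nio2Endpoint$Nio2Acceptor failed Socket accept failed
java.security.AccessControlException: access denied
("java.net.SocketPermission" "10.13.149.73:54048" "accept,resolve")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.lang.SecurityManager.checkAccept(SecurityManager.java:1167)
        at sun.nio.ch.UnixAsynchronousServerSocketChannelImpl$1.run(UnixAsynchronousServerSocketChannelImpl.java:223)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.nio.ch.EPollPort$EventHandlerTask.run(EPollPort.java:293)
        at java.lang.Thread.run(Thread.java:748)
"""

if __name__ == "__main__":
    for d in parse_denials(SAMPLE_LOG):
        print(d.as_policy_line())
        print("  needed by:", d.first_app_frame or "<JDK code only>")
```

Run against real catalina.out output, the script lists each distinct permission the policy denied and the Tomcat frame that requested it; a denial whose frames are all JDK code, like the accept() trace, points at the protection domain of the acceptor thread rather than at a specific Tomcat class.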
