Hi
I think the problem here is that it is not clear what needs to be fixed.
Looking on the stack trace and in the code:
protected JspFactory getJspFactory()
{
if (jspFactory == null)
{
// TODO: this Class.forName will be removed when Tomcat fixes a
bug
// also, we should then be able to remove jasper.jar from the
deployment
try
{
Class.forName("org.apache.jasper.compiler.JspRuntimeContext");
}
catch (ClassNotFoundException e)
{
// ignore
}
catch (Exception ex)
{
log.log(Level.FINE, "An unexpected exception occured "
+ "while loading the JspRuntimeContext.", ex);
}
jspFactory = JspFactory.getDefaultFactory();
}
return jspFactory;
}
These lines are very old. Looking on the svn it comes from 1.2.x, see:
https://issues.apache.org/jira/browse/MYFACES-1693
Probably the solution could be catch a Throwable instead an Exception and
swallow it (just log but continue startup). I mean, this line looks like
something done by some reason long time ago by a bug in Tomcat.
It is clear the security manager is causing trouble in this case, but since
JSP was deprecated since JSF 2.0, should we worry about this one?
Please note there is a web config param called
org.apache.myfaces.FACES_INITIALIZER that allows you to bypass the default
initializer and provide a custom one (so you can copy the default
initializer and customize it to your needs), or set
org.apache.myfaces.SUPPORT_JSP_AND_FACES_EL disable JSP and uses
org.apache.myfaces.webapp.FaceletsInitilializer instead.
There are plenty of options to deal with this issue. Please try the options
I have described here and let us know if that works for you or not, so if
necessary we can fix the lines if necessary.
regards,
Leonardo Uribe
2016-03-30 11:40 GMT-05:00 Neil Richards <neilricha...@iname.com>:
> OK thanks :)
>
> -----Original Message-----
> From: Mike Kienenberger [mailto:mkien...@gmail.com]
> Sent: 30 March 2016 16:47
> To: MyFaces Discussion <users@myfaces.apache.org>
> Subject: Re: FW: Tomcat Security Exceptions on deployment of example war
> (reformatted)
>
> MyFaces is a project staffed by volunteers. While things are
> normally fixed rather quickly, it all depends on the various individuals
> involved with that particular area and their available free time.
>
> One thing that would greatly speed up the process is if you were to submit
> a unified diff patch fixing the problem.
>
> On Wed, Mar 30, 2016 at 11:28 AM, Neil Richards <neilricha...@iname.com>
> wrote:
> > Hi,
> >
> > As you can imagine this has become a bit of a showstopper for me. I've
> > added a bug report but as yet it has not been assigned or commented on
> > etc. Just wondering how long these issues take to fix? Assume we're
> talking months?
> > Need to have some idea to determine how to move forward.
> >
> > Many thanks,
> > Neil
> >
> > -----Original Message-----
> > From: Werner Punz [mailto:werner.p...@gmail.com]
> > Sent: 04 March 2016 07:36
> > To: users@myfaces.apache.org
> > Subject: Re: FW: Tomcat Security Exceptions on deployment of example
> > war
> > (reformatted)
> >
> > Hi this is clearly a bug.
> > Can you please put a bugreport on
> >
> > https://issues.apache.org/jira/browse/MYFACES
> >
> > Werner
> >
> >
> >
> > Am 02.03.16 um 23:12 schrieb Neil Richards:
> >> Hi,
> >>
> >> I've been having trouble deploying my MyFaces(2.2.9) app on Tomcat 8
> >> with the security manager enabled, so I then tried deploying the
> >> myfaces-example-simple-1.1.14.war and had the same problem. I need
> >> the security manager enabled as I am deploying in production on a
> >> shared
> > Tomcat
> >> instance and the hosts will not allow the RuntimePermissions on
> >> org.apache.catalina.core, org.apache.catalina.servlets or
> >> org.apache.jasper.compiler. These are the stack traces I get:
> >>
> >> 02-Mar-2016 22:08:54.902 INFO [localhost-startStop-1]
> >> org.apache.catalina.loader.WebappClassLoaderBase.loadClass Security
> >> Violation, attempt to use Re stricted Class:
> >> org.apache.catalina.servlets.DefaultServlet
> >> java.security.AccessControlException: access denied
> >> ("java.lang.RuntimePermission"
> >> "accessClassInPackage.org.apache.catalina.servlets")
> >> at
> >> java.security.AccessControlContext.checkPermission(AccessControlConte
> >> x
> >> t.java
> >> :472)
> >> at
> >>
> java.security.AccessController.checkPermission(AccessController.java:884)
> >> at
> >> java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
> >> at
> >> java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1564)
> >> at
> >> org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClas
> >> s
> >> Loader
> >> Base.java:1243)
> >> at
> >> org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClas
> >> s
> >> Loader
> >> Base.java:1142)
> >> at java.lang.Class.forName0(Native Method)
> >> at java.lang.Class.forName(Class.java:264)
> >> at
> >> org.apache.myfaces.ee6.MyFacesContainerInitializer.isDelegatedFacesSe
> >> r
> >> vlet(M
> >> yFacesContainerInitializer.java:280)
> >> at
> >> org.apache.myfaces.ee6.MyFacesContainerInitializer.onStartup(MyFacesC
> >> o
> >> ntaine
> >> rInitializer.java:150)
> >> at
> >>
> >
> org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:
> >> 5244)
> >> at
> >> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
> >> at
> >> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.
> >> java:7
> >> 25)
> >> at
> >>
> org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)
> >> at
> >>
> >
> org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.
> >> java:153)
> >> at
> >>
> >
> org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.
> >> java:143)
> >> at java.security.AccessController.doPrivileged(Native Method)
> >> at
> >> org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:699)
> >> at
> >> org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
> >> at
> >> org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:939)
> >> at
> >>
> org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1812)
> >> at
> >> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> >> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> >> at
> >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.
> >> j
> >> ava:11
> >> 42)
> >> at
> >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.
> >> java:6
> >> 17)
> >> at java.lang.Thread.run(Thread.java:745)
> >>
> >> 02-Mar-2016 22:08:59.435 INFO [localhost-startStop-1]
> >> org.apache.catalina.loader.WebappClassLoaderBase.loadClass Security
> >> Violation, attempt to use Re stricted Class:
> >> org.apache.jasper.compiler.JspRuntimeContext
> >> java.security.AccessControlException: access denied
> >> ("java.lang.RuntimePermission"
> >> "accessClassInPackage.org.apache.jasper.compiler")
> >> at
> >> java.security.AccessControlContext.checkPermission(AccessControlConte
> >> x
> >> t.java
> >> :472)
> >> at
> >>
> java.security.AccessController.checkPermission(AccessController.java:884)
> >> at
> >> java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
> >> at
> >> java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1564)
> >> at
> >> org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClas
> >> s
> >> Loader
> >> Base.java:1243)
> >> at
> >> org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClas
> >> s
> >> Loader
> >> Base.java:1142)
> >> at java.lang.Class.forName0(Native Method)
> >> at java.lang.Class.forName(Class.java:264)
> >> at
> >> org.apache.myfaces.webapp.Jsp21FacesInitializer.getJspFactory(Jsp21Fa
> >> c
> >> esInit
> >> ializer.java:88)
> >> at
> >> org.apache.myfaces.webapp.Jsp21FacesInitializer.initContainerIntegrat
> >> i
> >> on(Jsp
> >> 21FacesInitializer.java:62)
> >> at
> >> org.apache.myfaces.webapp.AbstractFacesInitializer.initFaces(Abstract
> >> F
> >> acesIn
> >> itializer.java:172)
> >> at
> >> org.apache.myfaces.webapp.StartupServletContextListener.contextInitia
> >> l
> >> ized(S
> >> tartupServletContextListener.java:121)
> >> at
> >>
> >
> org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:
> >> 4810)
> >> at
> >>
> >
> org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:
> >> 5255)
> >> at
> >> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
> >> at
> >> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.
> >> java:7
> >> 25)
> >> at
> >>
> org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)
> >> at
> >>
> >
> org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.
> >> java:153)
> >> at
> >>
> >
> org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.
> >> java:143)
> >> at java.security.AccessController.doPrivileged(Native Method)
> >> at
> >> org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:699)
> >> at
> >> org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
> >> at
> >> org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:939)
> >> at
> >>
> org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1812)
> >> at
> >> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
> >> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> >> at
> >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.
> >> j
> >> ava:11
> >> 42)
> >> at
> >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.
> >> java:6
> >> 17)
> >> at java.lang.Thread.run(Thread.java:745)
> >>
> >> I previously had a 2.1.9 version running on Tomcat 6 without any
> problems.
> >> Is it true that now MyFaces cannot be deployed in these circumstances?
> >> If not, can anyone tell me how I can overcome these problems?
> >>
> >> Many thanks,
> >> Neil
> >>
> >>
> >>
> >
> >
> >
>
>
