Hi Mark, Sure, below is the policy file
*/_catalina.policy_/* // Licensed to the Apache Software Foundation (ASF) under one or more // contributor license agreements. See the NOTICE file distributed with // this work for additional information regarding copyright ownership. // The ASF licenses this file to You under the Apache License, Version 2.0 // (the "License"); you may not use this file except in compliance with // the License. You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // ============================================================================ // catalina.policy - Security Policy Permissions for Tomcat // // This file contains a default set of security policies to be enforced (by the // JVM) when Catalina is executed with the "-security" option. 
// In addition
// to the permissions granted here, the following additional permissions are
// granted to each web application:
//
// * Read access to the web application's document root directory
// * Read, write and delete access to the web application's working directory
// ============================================================================


// ========== SYSTEM CODE PERMISSIONS =========================================


// These permissions apply to javac
grant codeBase "file:${java.home}/lib/-" {
        permission java.security.AllPermission;
};

// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/-" {
        permission java.security.AllPermission;
};

// These permissions apply to javac when ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/../lib/-" {
        permission java.security.AllPermission;
};

// These permissions apply to all shared system extensions when
// ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/lib/ext/-" {
        permission java.security.AllPermission;
};

// This permission is required when using javac to compile JSPs on Java 9
// onwards
grant codeBase "jrt:/jdk.compiler" {
        permission java.security.AllPermission;
};


// ========== CATALINA CODE PERMISSIONS =======================================


// These permissions apply to the daemon code
grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
        permission java.security.AllPermission;
};

// These permissions apply to the logging API
// Note: If tomcat-juli.jar is in ${catalina.base} and not in ${catalina.home},
// update this section accordingly.
//  grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {..}
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
        permission java.io.FilePermission
         "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
        permission java.io.FilePermission
         "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
        permission java.io.FilePermission
         "${catalina.base}${file.separator}logs", "read, write";
        permission java.io.FilePermission
         "${catalina.base}${file.separator}logs${file.separator}*", "read, write, delete";

        permission java.lang.RuntimePermission "shutdownHooks";
        permission java.lang.RuntimePermission "getClassLoader";
        permission java.lang.RuntimePermission "setContextClassLoader";

        permission java.lang.management.ManagementPermission "monitor";

        permission java.util.logging.LoggingPermission "control";

        permission java.util.PropertyPermission "java.util.logging.config.class", "read";
        permission java.util.PropertyPermission "java.util.logging.config.file", "read";
        permission java.util.PropertyPermission "org.apache.juli.AsyncMaxRecordCount", "read";
        permission java.util.PropertyPermission "org.apache.juli.AsyncOverflowDropType", "read";
        permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read";
        permission java.util.PropertyPermission "catalina.base", "read";

        // Note: To enable per context logging configuration, permit read access to
        // the appropriate file. Be sure that the logging configuration is
        // secure before enabling such access.
        // E.g. for the examples web application (uncomment and unwrap
        // the following to be on a single line):
        // permission java.io.FilePermission "${catalina.base}${file.separator}
        //  webapps${file.separator}examples${file.separator}WEB-INF
        //  ${file.separator}classes${file.separator}logging.properties", "read";
};

// These permissions apply to the server startup code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
        permission java.security.AllPermission;
};

// These permissions apply to the servlet API classes
// and those that are shared across all class loaders
// located in the "lib" directory
grant codeBase "file:${catalina.home}/lib/-" {
        permission java.security.AllPermission;
};

// If using a per instance lib directory, i.e. ${catalina.base}/lib,
// then the following permission will need to be uncommented
// grant codeBase "file:${catalina.base}/lib/-" {
//         permission java.security.AllPermission;
// };


// ========== WEB APPLICATION PERMISSIONS =====================================


// These permissions are granted by default to all web applications
// In addition, a web application will be given a read FilePermission
// for all files and directories in its document root.
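grant {
        // Required for JNDI lookup of named JDBC DataSource's and
        // javamail named MimePart DataSource used to send mail
        permission java.util.PropertyPermission "java.home", "read";
        permission java.util.PropertyPermission "java.naming.*", "read";
        permission java.util.PropertyPermission "javax.sql.*", "read";

        // OS Specific properties to allow read access
        permission java.util.PropertyPermission "os.name", "read";
        permission java.util.PropertyPermission "os.version", "read";
        permission java.util.PropertyPermission "os.arch", "read";
        permission java.util.PropertyPermission "file.separator", "read";
        permission java.util.PropertyPermission "path.separator", "read";
        permission java.util.PropertyPermission "line.separator", "read";

        // JVM properties to allow read access
        permission java.util.PropertyPermission "java.version", "read";
        permission java.util.PropertyPermission "java.vendor", "read";
        permission java.util.PropertyPermission "java.vendor.url", "read";
        permission java.util.PropertyPermission "java.class.version", "read";
        permission java.util.PropertyPermission "java.specification.version", "read";
        permission java.util.PropertyPermission "java.specification.vendor", "read";
        permission java.util.PropertyPermission "java.specification.name", "read";
        permission java.util.PropertyPermission "java.vm.specification.version", "read";
        permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
        permission java.util.PropertyPermission "java.vm.specification.name", "read";
        permission java.util.PropertyPermission "java.vm.version", "read";
        permission java.util.PropertyPermission "java.vm.vendor", "read";
        permission java.util.PropertyPermission "java.vm.name", "read";

        // Required for OpenJMX
        permission java.lang.RuntimePermission "getAttribute";

        // Allow read of JAXP compliant XML parser debug
        permission java.util.PropertyPermission "jaxp.debug", "read";

        // All JSPs need to be able to read this package
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat";

        // Precompiled JSPs need access to these packages.
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.compiler";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";

        // Applications using WebSocket need to be able to access these packages
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket.server";
};

// The Manager application needs access to the following packages to support the
// session display functionality. It also requires the custom Tomcat
// DeployXmlPermission to enable the use of META-INF/context.xml
// These settings support the following configurations:
// - default CATALINA_HOME == CATALINA_BASE
// - CATALINA_HOME != CATALINA_BASE, per instance Manager in CATALINA_BASE
// - CATALINA_HOME != CATALINA_BASE, shared Manager in CATALINA_HOME
grant codeBase "file:${catalina.base}/webapps/manager/-" {
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
        permission org.apache.catalina.security.DeployXmlPermission "manager";
};
grant codeBase "file:${catalina.home}/webapps/manager/-" {
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
        permission org.apache.catalina.security.DeployXmlPermission "manager";
};

// Site-specific grant for the MSAL4J sample application.
// NOTE(review): java.security.AllPermission implies every other permission, so
// while it is present the security manager enforces nothing for this web
// application and the FilePermission / PropertyPermission entries below are
// redundant. Treat it as a troubleshooting step only: once the permission the
// application is actually missing has been identified, remove AllPermission
// and keep just the specific grants it needs.
// NOTE(review): this codeBase matches an exploded directory under webapps/
// only; if the application is deployed as a packed WAR, use the "war:file:"
// scheme shown in the examples at the end of this file.
grant codeBase "file:${catalina.base}/webapps/msal4j-servlet-auth/-" {
        permission java.security.AllPermission;
//        permission java.lang.RuntimePermission "getClassLoader";
//        permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.*";
        // Grants read/write/delete on every path the JVM process can reach;
        // narrow this to the directories the application needs before the
        // policy is used beyond troubleshooting.
        permission java.io.FilePermission "<<ALL FILES>>", "read, write, delete";
        // Fixed: the action list was "readi, write". PropertyPermission only
        // accepts "read" and "write", so the original entry was rejected when
        // the policy was loaded instead of being granted.
        permission java.util.PropertyPermission "java.io.tmpdir", "read, write";
};

// The Host Manager application needs the custom Tomcat DeployXmlPermission to
// enable the use of META-INF/context.xml
// These settings support the following configurations:
// - default CATALINA_HOME == CATALINA_BASE
// - CATALINA_HOME != CATALINA_BASE, per instance Host Manager in CATALINA_BASE
// - CATALINA_HOME != CATALINA_BASE, shared Host Manager in CATALINA_HOME
grant codeBase "file:${catalina.base}/webapps/host-manager/-" {
        permission org.apache.catalina.security.DeployXmlPermission "host-manager";
};
grant codeBase "file:${catalina.home}/webapps/host-manager/-" {
        permission org.apache.catalina.security.DeployXmlPermission "host-manager";
};

// You can assign additional permissions to particular web applications by
// adding additional "grant" entries here, based on the code base for that
// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
//
// Different permissions can be granted to JSP pages, classes loaded from
// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
// directory, or even to individual jar files in the /WEB-INF/lib/ directory.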
// // For instance, assume that the standard "examples" application // included a JDBC driver that needed to establish a network connection to the // corresponding database and used the scrape taglib to get the weather from // the NOAA web server. You might create a "grant" entries like this: // // The permissions granted to the context root directory apply to JSP pages. // grant codeBase "file:${catalina.base}/webapps/examples/-" { // permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; // permission java.net.SocketPermission "*.noaa.gov:80", "connect"; // }; // // The permissions granted to the context WEB-INF/classes directory // grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" { // }; // // The permission granted to your JDBC driver // grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" { // permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; // }; // The permission granted to the scrape taglib // grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" { // permission java.net.SocketPermission "*.noaa.gov:80", "connect"; // }; // To grant permissions for web applications using packed WAR files, use the // Tomcat specific WAR url scheme. 
// // The permissions granted to the entire web application // grant codeBase "war:file:${catalina.base}/webapps/examples.war*/-" { // }; // // The permissions granted to a specific JAR // grant codeBase "war:file:${catalina.base}/webapps/examples.war*/WEB-INF/lib/foo.jar" { // }; Thanks, Suresh Kesavan OISM/ASD National Institute of Standards and Technology Office:- 301-975-6973 -----Original Message----- From: Mark Thomas <ma...@apache.org> Sent: Monday, March 27, 2023 11:25 AM To: users@tomcat.apache.org Subject: Re: [org.apache.jasper.JasperException: Unable to compile class for JSP] with root cause Hi, The mailing lists strips attachments so please provide the contents of your catalina.policy file in-line. Thanks, Mark On 27/03/2023 12:59, Kesavan, Suresh Prabhu (Fed) wrote: > Hi There, > > I am new to this forum, please correct me if this is not the right > place to ask below question. > > */_Problem Description_/* > > I have tomcat9/OpenJDK17 with RHEL 8.7 container image deployed on AWS > EKS/EC2 worker nodes. This image has FIPS compliance validation done > at OS/OpenJDK and at tomcat level using the configurations. I am able > to successfully deploy our application (has JSP's) in this container > but when I deploy the SSO application (using MSAL4J and can be found > at > https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/1-Authentication/sign-in > > <https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/1-Authentication/sign-in>) > encountering below Jasper exception. Please be advised Tomcat is started > with security manager and attaching the Catalina.policy used. 
> > */_Environment:_/* > > o EKS 1.24 > o EC2 worker node with RHEL 8.7 > o Container image with RHEL 8.7 and FIPS validation enabled > o Tomcat 9.0.73 > o openjdk version "17.0.6" 2023-01-17 LTS > > */_Observation_/* > > o My team member has deployed msal4j on same tomcat 9.0.73 without > FIPS and tomcat security manager, it works fine. > o I assume the index.jsp has something that is not having > permission (due to tomcat started with security manager) to > compile in runtime > o When I access https://localhost:8643/msal4j-servlet-auth its > returning 302 > <https://localhost:8643/msal4j-servlet-auth%20its%20returning%20302>. > This is expected > o When I access https://localhost:8643/msal4j-servlet-auth/ > <https://localhost:8643/msal4j-servlet-auth/> it returns 500 and > throws below exception > > */_Question_/* > > Can you help me identify what the issue is > > */_Error:_/* > > [tomcat@c793762ed6ee logs]$ cat localhost.2023-03-24.log > > 24-Mar-2023 13:46:19.866 SEVERE [https-jsse-nio-8643-exec-4] > org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() > for servlet [jsp] in context with path [/msal4j-servlet-auth] threw > exception [org.apache.jasper.JasperException: Unable to compile class > for JSP] with root cause > > java.lang.NullPointerException: Cannot invoke > "java.io.InputStream.close()" because the return value of > "java.net.URLConnection.getInputStream()" is null > > at > org.apache.jasper.JspCompilationContext.getLastModified(JspCompilation > Context.java:408) > > at > org.apache.jasper.JspCompilationContext.getLastModified(JspCompilation > Context.java:368) > > at > org.apache.jasper.compiler.Compiler.compile(Compiler.java:391) > > at > org.apache.jasper.compiler.Compiler.compile(Compiler.java:368) > > at > org.apache.jasper.compiler.Compiler.compile(Compiler.java:352) > > at > org.apache.jasper.JspCompilationContext.compile(JspCompilationContext. 
> java:603) > > at > org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper. > java:399) > > at > org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:37 > 9) > > at > org.apache.jasper.servlet.JspServlet.service(JspServlet.java:327) > > at > javax.servlet.http.HttpServlet.service(HttpServlet.java:596) > > at > java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native > Method) > > at > java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeM > ethodAccessorImpl.java:77) > > at > java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Del > egatingMethodAccessorImpl.java:43) > > at > java.base/java.lang.reflect.Method.invoke(Method.java:568) > > at > org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUti > l.java:280) > > at > java.base/java.security.AccessController.doPrivileged(AccessController > .java:712) > > at > java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:584) > > at > org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:31 > 1) > > at > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.j > ava:170) > > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appli > cationFilterChain.java:221) > > at > org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(Appl > icationFilterChain.java:145) > > at > java.base/java.security.AccessController.doPrivileged(AccessController > .java:569) > > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFi > lterChain.java:143) > > at > org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) > > at > java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native > Method) > > at > java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeM > ethodAccessorImpl.java:77) > > at > java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Del > egatingMethodAccessorImpl.java:43) > > at > 
java.base/java.lang.reflect.Method.invoke(Method.java:568) > > at > org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUti > l.java:280) > > at > java.base/java.security.AccessController.doPrivileged(AccessController > .java:712) > > at > java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:584) > > at > org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:31 > 1) > > at > org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.j > ava:253) > > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appli > cationFilterChain.java:187) > > at > org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(Appl > icationFilterChain.java:145) > > at > java.base/java.security.AccessController.doPrivileged(AccessController > .java:569) > > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFi > lterChain.java:143) > > at > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperVa > lve.java:197) > > at > org.apache.catalina.core.StandardContextValve.invoke(StandardContextVa > lve.java:97) > > at > org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authenticat > orBase.java:541) > > at > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.ja > va:135) > > at > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.ja > va:92) > > at > org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAcces > sLogValve.java:687) > > at > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValv > e.java:78) > > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java > :360) > > at > org.apache.coyote.http11.Http11Processor.service(Http11Processor.java: > 399) > > at > org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLigh > t.java:63) > > at > org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractP > rotocol.java:926) > > at > 
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoi > nt.java:1791) > > at > org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase > .java:49) > > at > org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPool > Executor.java:1191) > > at > org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoo > lExecutor.java:659) > > at > org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThr > ead.java:61) > > at java.base/java.lang.Thread.run(Thread.java:833) > > [tomcat@c793762ed6ee logs]$ > > Thanks, > > Suresh Kesavan > > OISM/ASD > > National Institute of Standards andTechnology > > Office:- 301-975-6973 > > *From:* Kesavan, Suresh Prabhu (Fed) > *Sent:* Friday, March 24, 2023 9:50 AM > *To:* users-i...@tomcat.apache.org; users-...@tomcat.apache.org > *Subject:* [org.apache.jasper.JasperException: Unable to compile class > for JSP] with root cause > > Thanks, > > Suresh Kesavan > > OISM/ASD > > National Institute of Standards andTechnology > > Office:- 301-975-6973 > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org