Hi Mark,
Sure, below is the policy file
*/_catalina.policy_/*
// Licensed to the Apache Software Foundation (ASF) under one or more
// contributor license agreements. See the NOTICE file distributed
with // this work for additional information regarding copyright ownership.
// The ASF licenses this file to You under the Apache License, Version
2.0 // (the "License"); you may not use this file except in compliance
with // the License. You may obtain a copy of the License at //
//
https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.apache.org%2Flicenses%2FLICENSE-2.0&data=05%7C01%7Csureshprabhu.kesavan%40nist.gov%7C0fae3558eb82448fe0f408db30b6dbe9%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638157334161987625%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=1MXkLyzwJ0d9CWADPfIAjbvaGHlX2whCFY7iPYR3sdM%3D&reserved=0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
======================================================================
====== // catalina.policy - Security Policy Permissions for Tomcat //
// This file contains a default set of security policies to be
enforced (by the // JVM) when Catalina is executed with the
"-security" option. In addition // to the permissions granted here,
the following additional permissions are // granted to each web application:
//
// * Read access to the web application's document root directory // *
Read, write and delete access to the web application's working
directory //
======================================================================
======
// ========== SYSTEM CODE PERMISSIONS
=========================================
// These permissions apply to javac
grant codeBase "file:${java.home}/lib/-" {
permission java.security.AllPermission; };
// These permissions apply to all shared system extensions grant
codeBase "file:${java.home}/jre/lib/ext/-" {
permission java.security.AllPermission; };
// These permissions apply to javac when ${java.home} points at
$JAVA_HOME/jre grant codeBase "file:${java.home}/../lib/-" {
permission java.security.AllPermission; };
// These permissions apply to all shared system extensions when //
${java.home} points at $JAVA_HOME/jre grant codeBase
"file:${java.home}/lib/ext/-" {
permission java.security.AllPermission; };
// This permission is required when using javac to compile JSPs on
Java 9 // onwards grant codeBase "jrt:/jdk.compiler" {
permission java.security.AllPermission; };
// ========== CATALINA CODE PERMISSIONS =======================================
// These permissions apply to the daemon code
grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
permission java.security.AllPermission;
};
// These permissions apply to the logging API
// Note: If tomcat-juli.jar is in ${catalina.base} and not in ${catalina.home},
// update this section accordingly.
// grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {..}
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
permission java.io.FilePermission
"${java.home}${file.separator}lib${file.separator}logging.properties",
"read";
permission java.io.FilePermission
"${catalina.base}${file.separator}conf${file.separator}logging.properties",
"read";
permission java.io.FilePermission
"${catalina.base}${file.separator}logs", "read, write";
permission java.io.FilePermission
"${catalina.base}${file.separator}logs${file.separator}*", "read, write,
delete";
permission java.lang.RuntimePermission "shutdownHooks";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.management.ManagementPermission "monitor";
permission java.util.logging.LoggingPermission "control";
permission java.util.PropertyPermission "java.util.logging.config.class",
"read";
permission java.util.PropertyPermission "java.util.logging.config.file",
"read";
permission java.util.PropertyPermission "org.apache.juli.AsyncMaxRecordCount",
"read";
permission java.util.PropertyPermission
"org.apache.juli.AsyncOverflowDropType", "read";
permission java.util.PropertyPermission
"org.apache.juli.ClassLoaderLogManager.debug", "read";
permission java.util.PropertyPermission "catalina.base", "read";
// Note: To enable per context logging configuration, permit read
access to
// the appropriate file. Be sure that the logging configuration is
// secure before enabling such access.
// E.g. for the examples web application (uncomment and unwrap
// the following to be on a single line):
// permission java.io.FilePermission
"${catalina.base}${file.separator}
// webapps${file.separator}examples${file.separator}WEB-INF
// ${file.separator}classes${file.separator}logging.properties",
"read";
};
// These permissions apply to the server startup code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
permission java.security.AllPermission;
};
// These permissions apply to the servlet API classes
// and those that are shared across all class loaders
// located in the "lib" directory
grant codeBase "file:${catalina.home}/lib/-" {
permission java.security.AllPermission;
};
// If using a per instance lib directory, i.e. ${catalina.base}/lib,
// then the following permission will need to be uncommented
// grant codeBase "file:${catalina.base}/lib/-" {
// permission java.security.AllPermission;
// };
// ========== WEB APPLICATION PERMISSIONS =====================================
// These permissions are granted by default to all web applications
// In addition, a web application will be given a read FilePermission
// for all files and directories in its document root.
grant {
// Required for JNDI lookup of named JDBC DataSource's and
// javamail named MimePart DataSource used to send mail
permission java.util.PropertyPermission "java.home", "read";
permission java.util.PropertyPermission "java.naming.*", "read";
permission java.util.PropertyPermission "javax.sql.*", "read";
// OS Specific properties to allow read access
permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.version", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";
// JVM properties to allow read access
permission java.util.PropertyPermission "java.version", "read";
permission java.util.PropertyPermission "java.vendor", "read";
permission java.util.PropertyPermission "java.vendor.url", "read";
permission java.util.PropertyPermission "java.class.version", "read";
permission java.util.PropertyPermission "java.specification.version",
"read";
permission java.util.PropertyPermission "java.specification.vendor",
"read";
permission java.util.PropertyPermission "java.specification.name", "read";
permission java.util.PropertyPermission "java.vm.specification.version",
"read";
permission java.util.PropertyPermission "java.vm.specification.vendor",
"read";
permission java.util.PropertyPermission "java.vm.specification.name",
"read";
permission java.util.PropertyPermission "java.vm.version", "read";
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";
// Required for OpenJMX
permission java.lang.RuntimePermission "getAttribute";
// Allow read of JAXP compliant XML parser debug
permission java.util.PropertyPermission "jaxp.debug", "read";
// All JSPs need to be able to read this package
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.tomcat";
// Precompiled JSPs need access to these packages.
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.jasper.el";
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.jasper.runtime";
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.jasper.compiler";
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.jasper.runtime.*";
// Applications using WebSocket need to be able to access these packages
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.tomcat.websocket";
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.tomcat.websocket.server";
};
// The Manager application needs access to the following packages to support the
// session display functionality. It also requires the custom Tomcat
// DeployXmlPermission to enable the use of META-INF/context.xml
// These settings support the following configurations:
// - default CATALINA_HOME == CATALINA_BASE
// - CATALINA_HOME != CATALINA_BASE, per instance Manager in CATALINA_BASE
// - CATALINA_HOME != CATALINA_BASE, shared Manager in CATALINA_HOME
grant codeBase "file:${catalina.base}/webapps/manager/-" {
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.catalina";
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.catalina.ha.session";
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.catalina.manager";
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.catalina.manager.util";
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.catalina.util";
permission org.apache.catalina.security.DeployXmlPermission "manager";
};
grant codeBase "file:${catalina.home}/webapps/manager/-" {
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.catalina";
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.catalina.ha.session";
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.catalina.manager";
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.catalina.manager.util";
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.catalina.util";
permission org.apache.catalina.security.DeployXmlPermission "manager";
};
grant codeBase "file:${catalina.base}/webapps/msal4j-servlet-auth/-"{
permission java.security.AllPermission;
// permission java.lang.RuntimePermission "getClassLoader";
// permission java.lang.RuntimePermission
"accessClassInPackage.sun.net.https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.protocol%2F&data=05%7C01%7Csureshprabhu.kesavan%40nist.gov%7C0fae3558eb82448fe0f408db30b6dbe9%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638157334161987625%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=eLOlNYytZU4myFnIFoP%2BPg8vl0kVpDc7KV%2F5q6Mu%2FEw%3D&reserved=0.*";;
permission java.io.FilePermission "<<ALL FILES>>", "read, write, delete";
permission java.util.PropertyPermission "java.io.tmpdir", "readi, write";
};
// The Host Manager application needs the custom Tomcat DeployXmlPermission to
// enable the use of META-INF/context.xml
// These settings support the following configurations:
// - default CATALINA_HOME == CATALINA_BASE
// - CATALINA_HOME != CATALINA_BASE, per instance Host Manager in CATALINA_BASE
// - CATALINA_HOME != CATALINA_BASE, shared Host Manager in CATALINA_HOME
grant codeBase "file:${catalina.base}/webapps/host-manager/-" {
permission org.apache.catalina.security.DeployXmlPermission
"host-manager";
};
grant codeBase "file:${catalina.home}/webapps/host-manager/-" {
permission org.apache.catalina.security.DeployXmlPermission
"host-manager";
};
// You can assign additional permissions to particular web applications by
// adding additional "grant" entries here, based on the code base for that
// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
//
// Different permissions can be granted to JSP pages, classes loaded from
// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
//
// For instance, assume that the standard "examples" application
// included a JDBC driver that needed to establish a network connection to the
// corresponding database and used the scrape taglib to get the weather from
// the NOAA web server. You might create a "grant" entries like this:
//
// The permissions granted to the context root directory apply to JSP pages.
// grant codeBase "file:${catalina.base}/webapps/examples/-" {
// permission java.net.SocketPermission "dbhost.mycompany.com:5432",
"connect";
// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
//
// The permissions granted to the context WEB-INF/classes directory
// grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" {
// };
//
// The permission granted to your JDBC driver
// grant codeBase
"jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
// permission java.net.SocketPermission "dbhost.mycompany.com:5432",
"connect";
// };
// The permission granted to the scrape taglib
// grant codeBase
"jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
// To grant permissions for web applications using packed WAR files, use the
// Tomcat specific WAR url scheme.
//
// The permissions granted to the entire web application
// grant codeBase "war:file:${catalina.base}/webapps/examples.war*/-" {
// };
//
// The permissions granted to a specific JAR
// grant codeBase
"war:file:${catalina.base}/webapps/examples.war*/WEB-INF/lib/foo.jar" {
// };
Thanks,
Suresh Kesavan
OISM/ASD
National Institute of Standards and Technology
Office:- 301-975-6973
-----Original Message-----
From: Mark Thomas <ma...@apache.org>
Sent: Monday, March 27, 2023 11:25 AM
To: users@tomcat.apache.org
Subject: Re: [org.apache.jasper.JasperException: Unable to compile class for
JSP] with root cause
Hi,
The mailing lists strips attachments so please provide the contents of your
catalina.policy file in-line.
Thanks,
Mark
On 27/03/2023 12:59, Kesavan, Suresh Prabhu (Fed) wrote:
Hi There,
I am new to this forum, please correct me if this is not the right
place to ask below question.
*/_Problem Description_/*
I have tomcat9/OpenJDK17 with RHEL 8.7 container image deployed on AWS
EKS/EC2 worker nodes. This image has FIPS compliance validation done
at OS/OpenJDK and at tomcat level using the configurations. I am able
to successfully deploy our application (has JSP's) in this container
but when I deploy the SSO application (using MSAL4J and can be found
at
https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/1-Authentication/sign-in
<https://github.com/Azure-Samples/ms-identity-msal-java-samples/tree/main/3.%20Java%20Servlet%20Web%20App%20Tutorial/1-Authentication/sign-in>)
encountering below Jasper exception. Please be advised Tomcat is started with
security manager and attaching the Catalina.policy used.
*/_Environment:_/*
o EKS 1.24
o EC2 worker node with RHEL 8.7
o Container image with RHEL 8.7 and FIPS validation enabled
o Tomcat 9.0.73
o openjdk version "17.0.6" 2023-01-17 LTS
*/_Observation_/*
o My team member has deployed msal4j on same tomcat 9.0.73 without
FIPS and tomcat security manager, it works fine.
o I assume the index.jsp has something that is not having
permission (due to tomcat started with security manager) to
compile in runtime
o When I access https://localhost:8643/msal4j-servlet-auth its
returning 302
<https://localhost:8643/msal4j-servlet-auth%20its%20returning%20302>.
This is expected
o When I access https://localhost:8643/msal4j-servlet-auth/
<https://localhost:8643/msal4j-servlet-auth/> it returns 500 and
throws below exception
*/_Question_/*
Can you help me identify what the issue is
*/_Error:_/*
[tomcat@c793762ed6ee logs]$ cat localhost.2023-03-24.log
24-Mar-2023 13:46:19.866 SEVERE [https-jsse-nio-8643-exec-4]
org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service()
for servlet [jsp] in context with path [/msal4j-servlet-auth] threw
exception [org.apache.jasper.JasperException: Unable to compile class
for JSP] with root cause
java.lang.NullPointerException: Cannot invoke
"java.io.InputStream.close()" because the return value of
"java.net.URLConnection.getInputStream()" is null
at
org.apache.jasper.JspCompilationContext.getLastModified(JspCompilation
Context.java:408)
at
org.apache.jasper.JspCompilationContext.getLastModified(JspCompilation
Context.java:368)
at
org.apache.jasper.compiler.Compiler.compile(Compiler.java:391)
at
org.apache.jasper.compiler.Compiler.compile(Compiler.java:368)
at
org.apache.jasper.compiler.Compiler.compile(Compiler.java:352)
at
org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.
java:603)
at
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.
java:399)
at
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:37
9)
at
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:327)
at
javax.servlet.http.HttpServlet.service(HttpServlet.java:596)
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
Method)
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeM
ethodAccessorImpl.java:77)
at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Del
egatingMethodAccessorImpl.java:43)
at
java.base/java.lang.reflect.Method.invoke(Method.java:568)
at
org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUti
l.java:280)
at
java.base/java.security.AccessController.doPrivileged(AccessController
.java:712)
at
java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:584)
at
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:31
1)
at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.j
ava:170)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appli
cationFilterChain.java:221)
at
org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(Appl
icationFilterChain.java:145)
at
java.base/java.security.AccessController.doPrivileged(AccessController
.java:569)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFi
lterChain.java:143)
at
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
Method)
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeM
ethodAccessorImpl.java:77)
at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Del
egatingMethodAccessorImpl.java:43)
at
java.base/java.lang.reflect.Method.invoke(Method.java:568)
at
org.apache.catalina.security.SecurityUtil.lambda$execute$0(SecurityUti
l.java:280)
at
java.base/java.security.AccessController.doPrivileged(AccessController
.java:712)
at
java.base/javax.security.auth.Subject.doAsPrivileged(Subject.java:584)
at
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:31
1)
at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.j
ava:253)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appli
cationFilterChain.java:187)
at
org.apache.catalina.core.ApplicationFilterChain.lambda$doFilter$0(Appl
icationFilterChain.java:145)
at
java.base/java.security.AccessController.doPrivileged(AccessController
.java:569)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFi
lterChain.java:143)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperVa
lve.java:197)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextVa
lve.java:97)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authenticat
orBase.java:541)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.ja
va:135)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.ja
va:92)
at
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAcces
sLogValve.java:687)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValv
e.java:78)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java
:360)
at
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:
399)
at
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLigh
t.java:63)
at
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractP
rotocol.java:926)
at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoi
nt.java:1791)
at
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase
.java:49)
at
org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPool
Executor.java:1191)
at
org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoo
lExecutor.java:659)
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThr
ead.java:61)
at java.base/java.lang.Thread.run(Thread.java:833)
[tomcat@c793762ed6ee logs]$
Thanks,
Suresh Kesavan
OISM/ASD
National Institute of Standards andTechnology
Office:- 301-975-6973
*From:* Kesavan, Suresh Prabhu (Fed)
*Sent:* Friday, March 24, 2023 9:50 AM
*To:* users-i...@tomcat.apache.org; users-...@tomcat.apache.org
*Subject:* [org.apache.jasper.JasperException: Unable to compile class
for JSP] with root cause
Thanks,
Suresh Kesavan
OISM/ASD
National Institute of Standards andTechnology
Office:- 301-975-6973
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
