Hi all, I'm running several similarly configured Tomcat containers all using security manager.
On one of the instances I'm getting the following exception from the HTTP connector:

Nov 26, 2007 7:42:19 PM org.apache.catalina.connector.CoyoteAdapter service
SEVERE: An exception or error occurred in the container during the request processing
java.security.AccessControlException: org/apache/coyote/Constants
        at org.apache.coyote.http11.Http11Processor.prepareResponse(Http11Processor.java:1557)
        at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:934)
        at org.apache.coyote.Response.action(Response.java:183)
        at org.apache.coyote.Response.sendHeaders(Response.java:379)
        at org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:305)
        at org.apache.catalina.connector.OutputBuffer.close(OutputBuffer.java:273)
        at org.apache.catalina.connector.Response.finishResponse(Response.java:486)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:287)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:584)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
        at java.lang.Thread.run(Thread.java:619)
Nov 26, 2007 7:42:19 PM org.apache.coyote.http11.Http11Processor process
SEVERE: Error finishing response
java.security.AccessControlException: org/apache/coyote/Constants
        at org.apache.coyote.http11.Http11Processor.prepareResponse(Http11Processor.java:1557)
        at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:934)
        at org.apache.coyote.Response.action(Response.java:181)
        at org.apache.coyote.http11.InternalOutputBuffer.endRequest(InternalOutputBuffer.java:379)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:879)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:584)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
        at java.lang.Thread.run(Thread.java:619)

At the same time the AJP connector works fine.

The security policy is a bit looser than the one distributed with Tomcat 6.0.14:

############ start catalina.policy ############
grant codeBase "file:${java.home}/lib/-" {
        permission java.security.AllPermission;
};

grant codeBase "file:${java.home}/jre/lib/ext/-" {
        permission java.security.AllPermission;
};

grant codeBase "file:${java.home}/../lib/-" {
        permission java.security.AllPermission;
};

grant codeBase "file:${java.home}/lib/ext/-" {
        permission java.security.AllPermission;
};

grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
        permission java.security.AllPermission;
};

grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
        permission java.security.AllPermission;
};

grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
        permission java.security.AllPermission;
};

grant codeBase "file:${catalina.home}/lib/-" {
        permission java.security.AllPermission;
};

grant {
        permission java.util.PropertyPermission "*", "read";
        permission java.lang.RuntimePermission "getAttribute";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
        permission java.net.SocketPermission "*:1-", "connect";
        permission java.net.SocketPermission "localhost:1-", "connect";
        permission java.io.FilePermission "${catalina.home}/lib/-", "read";
        permission java.io.FilePermission "${java.home}/-", "read";
        permission java.lang.RuntimePermission "accessDeclaredMembers";
        permission java.lang.RuntimePermission "getClassLoader";
        permission java.lang.RuntimePermission "getProtectionDomain";
        permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
        permission ognl.OgnlInvokePermission "*";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.collections";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.pool.impl";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.dbcp";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.pool";
};
############ end catalina.policy ############

catalina.properties is unmodified. The connectors are configured like this:

<Connector port="8080" protocol="HTTP/1.1"
           maxThreads="150" connectionTimeout="20000"
           redirectPort="443" />

<Connector port="8009" enableLookups="false" redirectPort="443"
           protocol="AJP/1.3" backlog="100"
           connectionTimeout="5000" maxThreads="300" />

My guess is that either this is a bug in the Coyote HTTP connector or the security policy is not strict enough and one of the installed applications (third party, I don't have access to the source) modifies the security manager somehow. My modifications to the policy do not appear to grant such permissions to the webapps, so if the assumption is right it's a bug in the distributed catalina.policy.

Any ideas?

Thanks
--
Delian
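
Added example, not part of the original message and not Tomcat code: a small audit of a policy file like the one quoted above, listing what its grant block without a codeBase (the one that applies to all code, webapps included) hands out. The function names, the RISKY shortlist and the abridged sample policy are assumptions of this example, and the parser handles only the grant/codeBase/permission subset used in the post (no signedBy or principal clauses).

```python
import re

# Constructed sample: abridged from the catalina.policy quoted in the post above.
SAMPLE_POLICY = r'''
grant codeBase "file:${catalina.home}/lib/-" {
    permission java.security.AllPermission;
};
grant {
    permission java.util.PropertyPermission "*", "read";
    permission java.net.SocketPermission "*:1-", "connect";
    permission java.io.FilePermission "${java.home}/-", "read";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
'''

GRANT_RE = re.compile(r'grant\s*(?:codeBase\s+"([^"]*)")?\s*\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;')

# Reviewer's shortlist (an assumption of this example, not a list from Tomcat).
RISKY = {
    ("java.security.AllPermission", ""): "turns the sandbox off",
    ("java.lang.reflect.ReflectPermission", "suppressAccessChecks"): "reflection bypasses private/protected checks",
    ("java.lang.RuntimePermission", "setSecurityManager"): "can replace the security manager",
    ("java.lang.RuntimePermission", "createClassLoader"): "can load classes through its own class loader",
    ("java.lang.RuntimePermission", "accessDeclaredMembers"): "can query private members of any class",
    ("java.lang.RuntimePermission", "getClassLoader"): "can obtain other code's class loaders",
}

def parse_grants(text):
    """Return [(codeBase or None, [(class, target, actions), ...]), ...]."""
    text = re.sub(r'(?m)^\s*//.*$', '', text)  # drop whole-line // comments
    return [(m.group(1), PERM_RE.findall(m.group(2))) for m in GRANT_RE.finditer(text)]

def audit_default_grant(text):
    """Flag risky permissions in grants that carry no codeBase."""
    findings = []
    default = [p for cb, perms in parse_grants(text) if cb is None for p in perms]
    for cls, target, actions in default:
        reason = RISKY.get((cls, target))
        if cls == "java.net.SocketPermission" and target.startswith("*"):
            reason = f"any host ({actions})"
        if reason:
            findings.append((cls, target, reason))
    return findings

if __name__ == "__main__":
    for cls, target, reason in audit_default_grant(SAMPLE_POLICY):
        print(f'{cls} "{target}": {reason}')
```
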