Tomcat Security Exceptions on deployment of example war

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Tomcat Security Exceptions on deployment of example war

Neil Richards
Hi,

 

I've been having trouble deploying my MyFaces(2.2.9) app on Tomcat 8 with
the security manager enabled, so I then tried deploying the
myfaces-example-simple-1.1.14.war and had the same problem. I need the
security manager enabled as I am deploying in production on a shared Tomcat
instance and the hosts will not allow the   RuntimePermissions on
org.apache.catalina.core, org.apache.catalina.servlets or
org.apache.jasper.compiler. These are the stack traces I get:

 

29-Feb-2016 21:31:57.388 INFO [localhost-startStop-1]
org.apache.catalina.loader.WebappClassLoaderBase.loadClass Security
Violation, attempt to use Restricted Class:
org.apache.catalina.servlets.DefaultServlet

java.security.AccessControlException: access denied
("java.lang.RuntimePermission"
"accessClassInPackage.org.apache.catalina.servlets")

        at
java.security.AccessControlContext.checkPermission(AccessControlContext.java
:472)

        at
java.security.AccessController.checkPermission(AccessController.java:884)

        at
java.lang.SecurityManager.checkPermission(SecurityManager.java:549)

        at
java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1564)

        at
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoader
Base.java:1243)

        at
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoader
Base.java:1142)

        at java.lang.Class.forName0(Native Method)

        at java.lang.Class.forName(Class.java:264)

        at
org.apache.myfaces.ee6.MyFacesContainerInitializer.isDelegatedFacesServlet(M
yFacesContainerInitializer.java:280)

        at
org.apache.myfaces.ee6.MyFacesContainerInitializer.onStartup(MyFacesContaine
rInitializer.java:150)

        at
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:
5244)

        at
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)

        at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:7
25)

        at
org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)

        at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.
java:153)

        at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.
java:143)

        at java.security.AccessController.doPrivileged(Native Method)

        at
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:699)

        at
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)

        at
org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:939)

        at
org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1812)

        at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)

        at java.util.concurrent.FutureTask.run(FutureTask.java:266)

        at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:11
42)

        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:6
17)

        at java.lang.Thread.run(Thread.java:745)

 

 

ERROR 29/02/16 21:32:04,115 [initWebApplicationContext] (ContextLoader:353)
- Context initialization failed

org.springframework.beans.factory.BeanInitializationException: Failed to
process @EventListener annotation on bean with name 'servletContext'; nested
exception is java.security.AccessControlException: access denied
("java.lang.RuntimePermission"
"accessClassInPackage.org.apache.catalina.core")

        at
org.springframework.context.event.EventListenerMethodProcessor.afterSingleto
nsInstantiated(EventListenerMethodProcessor.java:105)

        at
org.springframework.beans.factory.support.DefaultListableBeanFactory$3.run(D
efaultListableBeanFactory.java:786)

        at java.security.AccessController.doPrivileged(Native Method)

        at
org.springframework.beans.factory.support.DefaultListableBeanFactory.preInst
antiateSingletons(DefaultListableBeanFactory.java:783)

        at
org.springframework.context.support.AbstractApplicationContext.finishBeanFac
toryInitialization(AbstractApplicationContext.java:839)

        at
org.springframework.context.support.AbstractApplicationContext.refresh(Abstr
actApplicationContext.java:538)

        at
org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicat
ionContext(ContextLoader.java:446)

        at
org.springframework.web.context.ContextLoader.initWebApplicationContext(Cont
extLoader.java:328)

        at
org.springframework.web.context.ContextLoaderListener.contextInitialized(Con
textLoaderListener.java:107)

        at
org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:
4812)

        at
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:
5255)

        at
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)

        at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:7
25)

        at
org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)

        at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.
java:153)

        at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.
java:143)

        at java.security.AccessController.doPrivileged(Native Method)

        at
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:699)

        at
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)

        at
org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:939)

        at
org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1812)

        at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)

        at java.util.concurrent.FutureTask.run(FutureTask.java:266)

        at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:11
42)

        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:6
17)

        at java.lang.Thread.run(Thread.java:745)

Caused by: java.security.AccessControlException: access denied
("java.lang.RuntimePermission"
"accessClassInPackage.org.apache.catalina.core")

        at
java.security.AccessControlContext.checkPermission(AccessControlContext.java
:472)

        at
java.security.AccessController.checkPermission(AccessController.java:884)

        at
java.lang.SecurityManager.checkPermission(SecurityManager.java:549)

        at
java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1564)

        at java.lang.Class.checkPackageAccess(Class.java:2372)

        at java.lang.Class.checkMemberAccess(Class.java:2351)

        at java.lang.Class.getDeclaredMethods(Class.java:1974)

        at
org.springframework.util.ReflectionUtils.getDeclaredMethods(ReflectionUtils.
java:609)

        at
org.springframework.util.ReflectionUtils.doWithMethods(ReflectionUtils.java:
521)

        at
org.springframework.core.MethodIntrospector.selectMethods(MethodIntrospector
.java:68)

        at
org.springframework.context.event.EventListenerMethodProcessor.processBean(E
ventListenerMethodProcessor.java:127)

        at
org.springframework.context.event.EventListenerMethodProcessor.afterSingleto
nsInstantiated(EventListenerMethodProcessor.java:102)

        ... 25 more

29-Feb-2016 21:32:04.287 INFO [localhost-startStop-1]
org.apache.catalina.loader.WebappClassLoaderBase.loadClass Security
Violation, attempt to use Restricted Class:
org.apache.jasper.compiler.JspRuntimeContext

java.security.AccessControlException: access denied
("java.lang.RuntimePermission"
"accessClassInPackage.org.apache.jasper.compiler")

        at
java.security.AccessControlContext.checkPermission(AccessControlContext.java
:472)

        at
java.security.AccessController.checkPermission(AccessController.java:884)

        at
java.lang.SecurityManager.checkPermission(SecurityManager.java:549)

        at
java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1564)

        at
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoader
Base.java:1243)

        at
org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoader
Base.java:1142)

        at java.lang.Class.forName0(Native Method)

        at java.lang.Class.forName(Class.java:264)

        at
org.apache.myfaces.webapp.Jsp21FacesInitializer.getJspFactory(Jsp21FacesInit
ializer.java:88)

        at
org.apache.myfaces.webapp.Jsp21FacesInitializer.initContainerIntegration(Jsp
21FacesInitializer.java:62)

        at
org.apache.myfaces.webapp.AbstractFacesInitializer.initFaces(AbstractFacesIn
itializer.java:172)

        at
org.apache.myfaces.webapp.StartupServletContextListener.contextInitialized(S
tartupServletContextListener.java:121)

        at
org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:
4810)

        at
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:
5255)

        at
org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)

        at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:7
25)

        at
org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)

        at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.
java:153)

        at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.
java:143)

        at java.security.AccessController.doPrivileged(Native Method)

        at
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:699)

        at
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)

        at
org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:939)

        at
org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1812)

        at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)

        at java.util.concurrent.FutureTask.run(FutureTask.java:266)

        at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:11
42)

        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:6
17)

        at java.lang.Thread.run(Thread.java:745)

 

I previously had a 2.1.9 version running on Tomcat 6 without any problems.
Is it true that now MyFaces cannot be deployed in these circumstances? If
not, can anyone tell me how I can overcome these problems?

 

Many thanks,

Neil