java.lang.ArrayIndexOutOfBoundsException: -1
    oracle.jdbc.driver.T4CTTIoauthenticate.setSessionFields(T4CTTIoauthenticate.java:942)
    oracle.jdbc.driver.T4CTTIoauthenticate.<init>(T4CTTIoauthenticate.java:221)
    oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:358)
    oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:508)
    oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:203)
    oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:33)
    oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:510)
    oracle.jdbc.pool.OracleDataSource.getPhysicalConnection(OracleDataSource.java:275)
    oracle.jdbc.pool.OracleDataSource.getConnection(OracleDataSource.java:206)
    xxx.yyy.CPC.data.DAOUtil.getConnection(Unknown Source)
    xxx.yyy.CPC.logging.LogDAO.createLog(Unknown Source)
    xxx.yyy.CPC.logging.DBLogger.db(Unknown Source)
    org.apache.jsp.CPC.Default_jsp._jspService(Default_jsp.java:90)
    org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:377)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:313)
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    java.lang.reflect.Method.invoke(Method.java:597)
    org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:269)
    java.security.AccessController.doPrivileged(Native Method)
    javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
    org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:301)
    org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:162)

When I enabled -Djava.security.debug=access,failure I see

The problem was with oracle jar in file:${catalina.base}\lib dir was getting called with \ at the start. The problem was that there was an attempt to access \file:${catalina.base}\lib\ojdbc6.jar rather than file:\${catalina.base}\lib\ojdbc6.jar. When I added the AllProperty policy rule for that \file:${catalina.base}\lib\-, this error went away.
That looks rather odd. Could you please provide:
- the full security failure from the logs that prompted you to make this change
- the exact entry you added to the policy file

Thanks.
Created attachment 25356
Error log file
(In reply to comment #1)
> That looks rather odd. Could you please provide:
> - the full security failure from the logs that prompted you to make this change
> - the exact entry you added to the policy file
>
> Thanks.

Hi Mark,

When I run the Tomcat with -security option and if the following policy

grant codeBase "file:\${catalina.base}\lib\-" {
    permission java.security.AllPermission;
};

is not entered in the log, I see the following error come up in the stdout

access: access denied (java.io.FilePermission \C:\javaaps\apache-tomcat-6.0.26\apache-tomcat-6.0.26\lib\ojdbc6.jar read)
java.lang.Exception: Stack trace
    at java.lang.Thread.dumpStack(Thread.java:1206)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:313)
    at java.security.AccessController.checkPermission(AccessController.java:546)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
    at sun.misc.URLClassPath.check(URLClassPath.java:408)
    at sun.misc.URLClassPath.checkURL(URLClassPath.java:388)
    at java.net.URLClassLoader.findResource(URLClassLoader.java:366)
    at java.lang.ClassLoader.getResource(ClassLoader.java:977)
    at java.lang.Class.getResource(Class.java:2074)
    at oracle.sql.ConverterArchive.readObj(ConverterArchive.java:398)
    at oracle.sql.converter.CharacterConverterJDBC.getInstance(CharacterConverterJDBC.java:143)
    at oracle.sql.converter.CharacterConverterFactoryJDBC.make(CharacterConverterFactoryJDBC.java:45)
    at oracle.sql.CharacterSetWithConverter.getInstance(CharacterSetWithConverter.java:95)
    at oracle.sql.CharacterSetFactoryThin.make(CharacterSetFactoryThin.java:126)
    at oracle.sql.CharacterSet.make(CharacterSet.java:448)
    at oracle.jdbc.driver.DBConversion.init(DBConversion.java:150)
    at oracle.jdbc.driver.DBConversion.<init>(DBConversion.java:111)
    at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1007)
    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:292)
    at oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:508)
    at oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:203)
    at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:33)
    at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:510)
    at oracle.jdbc.pool.OracleDataSource.getPhysicalConnection(OracleDataSource.java:275)
    at oracle.jdbc.pool.OracleDataSource.getConnection(OracleDataSource.java:206)
    at edu.utmb.CPC.data.DAOUtil.getConnection(Unknown Source)
    at edu.utmb.CPC.logging.LogDAO.createLog(Unknown Source)
    at edu.utmb.CPC.logging.DBLogger.db(Unknown Source)
    at org.apache.jsp.CPC.Default_jsp._jspService(Default_jsp.java:90)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:377)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:313)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:269)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:301)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:162)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:283)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:56)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:465)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:852)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Thread.java:619)
Apr 26, 2010 12:46:35 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet jsp threw exception
java.lang.ArrayIndexOutOfBoundsException: -1
    at oracle.jdbc.driver.T4CTTIoauthenticate.setSessionFields(T4CTTIoauthenticate.java:942)
    at oracle.jdbc.driver.T4CTTIoauthenticate.<init>(T4CTTIoauthenticate.java:221)
    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:358)
    at oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:508)
    at oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:203)
    at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:33)
    at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:510)
    at oracle.jdbc.pool.OracleDataSource.getPhysicalConnection(OracleDataSource.java:275)
    at oracle.jdbc.pool.OracleDataSource.getConnection(OracleDataSource.java:206)
    at edu.utmb.CPC.data.DAOUtil.getConnection(Unknown Source)
    at edu.utmb.CPC.logging.LogDAO.createLog(Unknown Source)
    at edu.utmb.CPC.logging.DBLogger.db(Unknown Source)
    at org.apache.jsp.CPC.Default_jsp._jspService(Default_jsp.java:90)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:377)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:313)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:269)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:301)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:162)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:283)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:56)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:465)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:852)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Thread.java:619)

However, once I added the policy and restarted, the error went away.
Created attachment 25362
Bug49178PermissionUrlTest.java - sample code to check Java API behaviour

The preceding slash in the permission is how Java behaves. It is not specific to Tomcat.

I am attaching a sample class that demonstrates Java API behaviour. When I am running it on Windows XP with Sun JRE 6u20 as "java -cp . Bug49178PermissionUrlTest c:\projects\sample.txt" it prints:

// File: C:\PROJECTS\sample.txt
// URL: file:/C:/PROJECTS/sample.txt
// URL.getPath(): /C:/PROJECTS/sample.txt
// URLConnection.getPermission(): (java.io.FilePermission \C:\PROJECTS\sample.txt read)
// File(url.getPath()).getCanonicalPath() C:\PROJECTS\sample.txt
// FilePermission.equals() true

The Permission is printed with preceding slash, but that does not matter, because the FilePermissions are compared by canonical paths, and the canonical path is constructed correctly regardless of that slash.

Suresh, are you running with separate CATALINA_HOME and CATALINA_BASE? The classes mentioned in the "access denied" stacktrace -- where are their jars located?
It looks like this is a catalina home/base issue. I have added an additional permission (commented out) to the policy file that folks can use in this situation. The change has been applied to trunk for 7.0.0 onwards and proposed for 6.0.x.

It would be good to get some confirmation that home/base was indeed the issue. If no confirmation is forthcoming, I will assume that was the root cause.
The additional permission has been added (as a comment) to catalina.policy and will be included in 6.0.27 onwards. If you still see this issue, feel free to re-open this bug report but you will need to include the exact, complete (and simplest) set of steps to reproduce this on a clean install of the latest stable 6.0.x release.
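
As an added illustration (not code from this bug report or from Tomcat): the home/base diagnosis reached in this thread can be checked from the -Djava.security.debug=access,failure output by sorting each denied FilePermission target by whether it sits under the lib directory of catalina.home or of a separate catalina.base. The log lines, directory names and function names below are constructed for the example, and it assumes the policy in use already covers the lib directory of catalina.home.

```python
import re
from pathlib import PureWindowsPath

# "access denied" line format printed by -Djava.security.debug=access,failure
DENIED = re.compile(r"access denied \(java\.io\.FilePermission (.+) ([a-z,]+)\)")

# Constructed sample output (paths are hypothetical, not taken from the report).
SAMPLE_LOG = r"""
access: access denied (java.io.FilePermission \C:\tomcat\instance1\lib\ojdbc6.jar read)
access: access denied (java.io.FilePermission \C:\tomcat\home\lib\catalina.jar read)
access: access denied (java.io.FilePermission C:\data\app.properties read)
access: access allowed (java.util.PropertyPermission user.dir read)
"""

def normalise(target):
    """Strip the separator Java prints before a drive letter (\\C:\\...)."""
    if re.match(r"[\\/][A-Za-z]:", target):
        target = target[1:]
    return PureWindowsPath(target)  # compares case-insensitively, like Windows

def classify_denials(log_text, catalina_home, catalina_base):
    """Return (path, actions, location) for each denied FilePermission."""
    home_lib = PureWindowsPath(catalina_home) / "lib"
    base_lib = PureWindowsPath(catalina_base) / "lib"
    findings = []
    for target, actions in DENIED.findall(log_text):
        path = normalise(target)
        if home_lib in path.parents:
            location = "catalina.home/lib"
        elif base_lib in path.parents:
            # Per-instance lib: the case this bug report turned out to be about.
            location = "catalina.base/lib"
        else:
            location = "other"
        findings.append((str(path), actions, location))
    return findings

def needs_base_lib_grant(findings):
    """True when a denied target lives in a lib directory separate from home."""
    return any(location == "catalina.base/lib" for _, _, location in findings)

if __name__ == "__main__":
    results = classify_denials(SAMPLE_LOG, r"C:\tomcat\home", r"C:\tomcat\instance1")
    for path, actions, location in results:
        print(f"{location:18} {actions:6} {path}")
    print("separate base/lib grant needed:", needs_base_lib_grant(results))
```

A hit in catalina.base/lib points at the commented-out codeBase grant mentioned above rather than at a broader permission.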