Bug 53368 - Running with SecurityManager: WebSocket examples need accessClassInPackage permission
Summary: Running with SecurityManager: WebSocket examples need accessClassInPackage pe...
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 7.0.27
Hardware: PC Windows XP
: P2 minor (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-06-06 01:13 UTC by Konstantin Kolinko
Modified: 2012-06-06 18:47 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Konstantin Kolinko 2012-06-06 01:13:06 UTC
WebSocket examples fail to work if Tomcat 7 is run with SecurityManager enabled.

They start to work correctly with the following change the policy file:

Index: catalina.policy
===================================================================
--- catalina.policy     (revision 1346679)
+++ catalina.policy     (working copy)
@@ -188,6 +188,7 @@

     // Applications using Comet need to be able to access this package
     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.comet";
+    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.websocket";
 };


Steps to reproduce:
1. Start "catalina.bat start -security"

2. Go to "Echo" websocket example:
http://localhost:8080/examples/websocket/echo.html

3. Click "(.) streams", then click "[Connect]" button.

Expected: The following message in "console" area:
Info: WebSocket connection opened.

Actual: The following message is printed:
Info: WebSocket connection closed.


The following exception is written to catalina*.log:
[[[
06.06.2012 4:54:20 org.apache.catalina.loader.WebappClassLoader findClass
WARNING: WebappClassLoader.findClassInternal(websocket.echo.EchoStream) security exception: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.websocket)
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.websocket)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
	at java.security.AccessController.checkPermission(AccessController.java:546)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
	at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
	at java.lang.ClassLoader$1.run(ClassLoader.java:330)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.lang.ClassLoader.checkPackageAccess(ClassLoader.java:328)
	at java.lang.ClassLoader.defineClass1(Native Method)
	at java.lang.ClassLoader.defineClassCond(ClassLoader.java:631)
	at java.lang.ClassLoader.defineClass(ClassLoader.java:615)
	at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:141)
	at org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappClassLoader.java:2889)
	at org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:1170)
	at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1678)
	at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1556)
	at org.apache.catalina.core.StandardWrapper.servletSecurityAnnotationScan(StandardWrapper.java:1215)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:461)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:573)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
	at java.lang.Thread.run(Thread.java:662)
]]]
Comment 1 Mark Thomas 2012-06-06 18:47:13 UTC
Fixed in trunk and 7.0.x and will be included in 7.0.28 onwards.