Created attachment 31637 [details]
(1) localhost.2014-05-20.log

Testing examples web application in 8.0.8 release candidate running with Security Manager enabled, with NIO connector, JDK 7u55 32-bit, Win7, I see several issues.

Steps to reproduce (1).
1. Edit conf/tomcat-users.xml and uncomment sample roles there.
2. Start bin/catalina.bat start -security
3. Access the following page:
   http://localhost:8080/examples/jsp/security/protected/index.jsp

Expected: Login page
Actual: Error 500 Access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.tomcat.util.http.parser")

The stack trace is:

java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.tomcat.util.http.parser")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
    at java.security.AccessController.checkPermission(AccessController.java:559)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1525)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:305)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:412)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
    at org.apache.tomcat.util.http.parser.HttpParser.skipConstant(HttpParser.java:305)
    at org.apache.tomcat.util.http.parser.HttpParser.parseMediaType(HttpParser.java:192)
    at org.apache.tomcat.util.http.parser.MediaTypeCache.parse(MediaTypeCache.java:54)
    at org.apache.catalina.connector.Response.setContentType(Response.java:712)
    at org.apache.jsp.jsp.security.protected_.login_jsp._jspService(login_jsp.java:52)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)

See attached "(1) localhost.2014-05-20.log" for the full stack trace.
The workaround for the issue in Comment 0 is to add the following class to the value of classesToInitialize attribute of JreMemoryLeakPreventionListener in server.xml. E.g.:

<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"
          classesToInitialize="org.apache.tomcat.util.http.parser.HttpParser$SkipConstantResult" />
4. On the login page, enter a username (role1) and password (see tomcat-users.xml). Press "Login" button.
5. Look into logs/localhost.2014-05-20.log. There is an exception thrown by Session attribute event listener.

org.apache.catalina.session.StandardSession.setAttribute Session attribute event listener threw exception
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.catalina.util")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
    at java.security.AccessController.checkPermission(AccessController.java:559)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1525)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:305)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:412)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
    at org.apache.catalina.users.MemoryUser.toString(MemoryUser.java:312)
    at javax.security.auth.Subject.toString(Subject.java:842)
    at javax.security.auth.Subject.toString(Subject.java:825)
    at java.lang.String.valueOf(String.java:2854)
    at java.lang.StringBuilder.append(StringBuilder.java:128)
    at listeners.SessionListener.attributeAdded(SessionListener.java:56)
    at org.apache.catalina.session.StandardSession.setAttribute(StandardSession.java:1546)

6. Press logout link ("you can log off by clicking here.")
7. The same exception is thrown for "attributeRemoved" event.

From the stack trace (at org.apache.catalina.users.MemoryUser.toString(MemoryUser.java:312)) my guess is that it tries to call static method RequestUtil.filter(username).
Created attachment 31638 [details]
(2) localhost.2014-05-20.log

Log file with exceptions for issue in Comment 2.
The workaround for issue in Comment 2 is to add "org.apache.catalina.util.RequestUtil" to the value of classesToInitialize attribute.

With the following configuration both issues are resolved:

<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"
          classesToInitialize="org.apache.tomcat.util.http.parser.HttpParser$SkipConstantResult, org.apache.catalina.util.RequestUtil" />
Update version now I have added 8.0.8 to the list of versions for 8.0.x
These issues have been fixed in 8.0.x for 8.0.9 onwards.
The issue from Comment 0 is reproducible with 7.0.54 release candidate, using JDK 7u55 and the same reproduction recipe. The issue from Comment 2 does not happen.

The workaround is as documented above,

> The workaround for the issue in Comment 0 is to add the following class to
> the value of classesToInitialize attribute of
> JreMemoryLeakPreventionListener in server.xml. E.g.:

<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"
          classesToInitialize="org.apache.tomcat.util.http.parser.HttpParser$SkipConstantResult" />

For the record, in 6.0.41 the issues do not happen.
Fixed in Tomcat 7 by r1597592 and will be in 7.0.55. I did not backport r1596201.
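Added example, not part of the original report and not Tomcat code: a small log triage script that does what the reporter did by hand in Comment 0 and Comment 2, namely pair each Security Manager denial with the first non-JDK frame that triggered the class load. The JDK package prefixes and the one-frame-per-line log layout are assumptions; the sample lines are taken from the traces quoted above.

```python
import re
from collections import Counter

# Frames copied from the two traces in this report, laid out one per line
# (constructed excerpt; intermediate frames omitted).
SAMPLE_LOG = '''\
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.tomcat.util.http.parser")
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1525)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:305)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
    at org.apache.tomcat.util.http.parser.HttpParser.skipConstant(HttpParser.java:305)
    at org.apache.tomcat.util.http.parser.HttpParser.parseMediaType(HttpParser.java:192)
org.apache.catalina.session.StandardSession.setAttribute Session attribute event listener threw exception
 java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.catalina.util")
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1525)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
    at org.apache.catalina.users.MemoryUser.toString(MemoryUser.java:312)
    at javax.security.auth.Subject.toString(Subject.java:842)
    at listeners.SessionListener.attributeAdded(SessionListener.java:56)
'''

DENIED = re.compile(r'access denied \("(?P<perm>[\w.$]+)" "(?P<target>[^"]+)"\)')
FRAME = re.compile(r'^\s*at (?P<method>[\w.$<>]+)\((?P<src>[^)]*)\)')
# Assumption: frames under these prefixes are JDK code, not Tomcat or webapp code.
JDK_PREFIXES = ("java.", "javax.", "sun.", "jdk.")

def triage(log_text):
    """One record per denial: permission, target, first non-JDK frame below it."""
    findings, current = [], None
    for line in log_text.splitlines():
        denied = DENIED.search(line)
        frame = FRAME.match(line)
        if denied:
            current = {"permission": denied["perm"], "target": denied["target"],
                       "trigger": None}
            findings.append(current)
        elif frame is None:
            current = None  # left the stack trace
        elif current is not None and current["trigger"] is None \
                and not frame["method"].startswith(JDK_PREFIXES):
            current["trigger"] = f'{frame["method"]}({frame["src"]})'
    return findings

def summarize(findings):
    """Count denials per (target, triggering frame) to collapse repeats."""
    return Counter((f["target"], f["trigger"]) for f in findings)

if __name__ == "__main__":
    for (target, trigger), n in summarize(triage(SAMPLE_LOG)).items():
        print(f"{n}x {target} <- {trigger}")
```

The triggering frame only says where the restricted class load started; which class to pre-load or which code to change still has to be read from the source at that line.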