Details
- Bug
- Status: Reopened
- Major
- Resolution: Unresolved
- v1m1
Description
This bug involves using a public @Control field, which should be possible even if "suppressAccessChecks" is not set in the security policy.
Repro (the easiest way to reproduce this):
- cd to $CATALINA_HOME/bin.
- create a file called mysecurity.policy (and REPLACE my c:/prog/... tomcat/jdk directories with ones of your own):
—
grant codeBase "file:///c:/prog/jakarta-tomcat-5.0.25/-" {
    permission java.security.AllPermission;
};
grant codeBase "file:///c:/prog/jdk1.5.0/-" {
    permission java.security.AllPermission;
};
grant {
    permission java.util.PropertyPermission "*", "read";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
};
—
- set the JAVA_OPTS environment variable:
(windows) set JAVA_OPTS=-Djava.security.manager -Djava.security.policy=mysecurity.policy
(linux) export JAVA_OPTS="-Djava.security.manager -Djava.security.policy=mysecurity.policy"
- start tomcat:
(windows) .\startup.bat
(linux) ./startup.sh
- Overlay the attached page flow and controls onto a webapp, and deploy it to the running tomcat.
- Hit the page flow (/usecontrol/Controller.jpf):
EXPECTED: see the message "hello there" in the displayed page.
ACTUAL: a series of exceptions, with this root cause:
Caused by: java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
    at java.security.AccessController.checkPermission(AccessController.java:427)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
    at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:107)
    at usecontrol.ControllerClientInitializer.<clinit>(ControllerClientInitializer.java:21)
    ... 85 more
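The frame that fails in the trace is AccessibleObject.setAccessible, which under a SecurityManager always demands ReflectPermission "suppressAccessChecks", whether or not the member is already public. Reading a public field of a public class through Field.get needs no such permission, so the exception can be avoided by calling setAccessible only for members that Java access rules would otherwise block. The class below is an added illustration of that pattern, not Beehive's or Tomcat's own code; the class names and the PublicHolder sample type are constructed, and the "accessDeclaredMembers" grant it relies on is the one in the policy file above.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;

public class ControlFieldAccessDemo {

    // Constructed stand-in for a page flow that declares a public control field
    // next to a private one.
    public static class PublicHolder {
        public String greeting = "hello there";
        private String secret = "only reachable with suppressAccessChecks";
    }

    /**
     * Reads a field reflectively, calling setAccessible(true) only when the
     * field or its declaring class is not public. For a public field on a
     * public class the read succeeds under a policy that grants only
     * RuntimePermission "accessDeclaredMembers" and no ReflectPermission.
     */
    public static Object readField(Object target, String name)
            throws ReflectiveOperationException {
        Class<?> cls = target.getClass();
        // May require RuntimePermission "accessDeclaredMembers" when the caller
        // and the target class come from different class loaders; the policy
        // above grants it to all code.
        Field f = cls.getDeclaredField(name);
        boolean publiclyReachable = Modifier.isPublic(f.getModifiers())
                && Modifier.isPublic(cls.getModifiers());
        if (!publiclyReachable) {
            // This is the call that triggers the suppressAccessChecks check
            // seen in the stack trace; it is skipped for public members.
            f.setAccessible(true);
        }
        return f.get(target);
    }

    public static void main(String[] args) throws Exception {
        PublicHolder holder = new PublicHolder();
        // Public field: works under the restricted policy.
        System.out.println(readField(holder, "greeting"));
        try {
            // Private field: setAccessible is reached and the policy rejects it.
            System.out.println(readField(holder, "secret"));
        } catch (SecurityException e) {
            System.out.println("private field blocked by policy: " + e.getMessage());
        }
    }
}
```

To see both outcomes, run it with the same flags the repro uses (-Djava.security.manager -Djava.security.policy=mysecurity.policy) on a JDK that still ships a SecurityManager; without a SecurityManager the private read simply succeeds and the second branch never fires.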