Geronimo / GERONIMO-3451

"Restricted listeners property file not found" error logged during Tomcat server startup

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.1.5
    • Fix Version/s: None
    • Component/s: Tomcat
    • Security Level: public (Regular issues)
    • Labels:
      None

      Description

      During Tomcat server startup, the following log error is displayed on the console:

      12:57:32,559 ERROR [[/]] "Restricted listeners property file not found

      Although the log message can be ignored, users assume that something is broken...

      1. G3451.patch
        1 kB
        Shawn Jiang

          Activity

          David Meibusch added a comment -

          What is the quick workaround to avoid the error being logged?
          An empty listeners property file placed somewhere?

          javahan added a comment -

          Create an empty RestrictedListeners.properties and put it into catalina-6.0.13-G543818.jar; the exact location is catalina-6.0.13-G543818.jar\org\apache\catalina\core. Then restart Geronimo.

          Paul McMahan added a comment - - edited

          It's not clear to me that this error message is actually harmless. Tomcat uses RestrictedServlet.properties and RestrictedFilters.properties files as a sort of internalized/proprietary security mechanism to limit access to certain types of servlets and filters. The instance manager patch that is applied to Geronimo's build of tomcat (see GERONIMO-3010 and GERONIMO-3206) introduced a new type of security check in DefaultInstanceManager for restricted Listeners :

          DefaultInstanceManager.java
              // Choose the restricted list that applies to the class being instantiated.
              private void checkAccess(Class clazz)
              {
                  if(privileged)
                      return;   // no check when privileged
                  if(clazz.isAssignableFrom(javax.servlet.Filter.class))
                      checkAccess(clazz, restrictedFilters);
                  else
                  if(clazz.isAssignableFrom(javax.servlet.Servlet.class))
                      checkAccess(clazz, restrictedServlets);
                  else
                      checkAccess(clazz, restrictedListeners);
              }
          

          However, that class also has a bug in the place where the RestrictedListeners.properties is read in, adding its contents to the restrictedFilters list instead of the restrictedListeners list :

          DefaultInstanceManager.java
                      // Read the restricted listeners list from the classpath.
                      java.io.InputStream is = getClass().getClassLoader().getResourceAsStream("org/apache/catalina/core/RestrictedListeners.properties");
                      if(is != null)
                          restrictedFilters.load(is);     //   <---- should be restrictedListeners.load(is)
                      else
                          catalinaContext.getLogger().error(sm.getString("defaultInstanceManager.restrictedListenersResources"));
          

          So addressing this issue will involve :

          1. determine if the DefaultInstanceManager really needs to check for restricted listeners
          2. if so, determine which listeners should be restricted (what to put in the RestrictedListeners.properties)
          3. add RestrictedListeners.properties to Geronimo's catalina.jar
          4. fix the bug in DefaultInstanceManager mentioned above
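
The effect of the misrouted load described in the comment above, as an added stand-alone Java model (not Tomcat or Geronimo source, and not part of the original comment). The class `RestrictedListsDemo`, the `InternalListener` sample class and the `<class name>=restricted` entry convention are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Properties;

// Stand-alone model of the restricted-class lists; not Tomcat or Geronimo source.
public class RestrictedListsDemo {
    final Properties restrictedFilters = new Properties();
    final Properties restrictedListeners = new Properties();

    // buggy=true reproduces the misrouted load quoted in the comment above.
    RestrictedListsDemo(String listenersFile, boolean buggy) throws IOException {
        InputStream is = new ByteArrayInputStream(
                listenersFile.getBytes(StandardCharsets.ISO_8859_1));
        if (buggy) {
            restrictedFilters.load(is);      // listener rules land in the filter list
        } else {
            restrictedListeners.load(is);    // corrected target
        }
    }

    // Assumed convention: "<class name>=restricted" marks a class that
    // unprivileged applications may not instantiate. Superclasses are checked too.
    static boolean isRestricted(Class<?> clazz, Properties list) {
        for (Class<?> c = clazz; c != null; c = c.getSuperclass()) {
            if ("restricted".equals(list.getProperty(c.getName()))) {
                return true;
            }
        }
        return false;
    }

    // Hypothetical container-internal listener, used only as sample data.
    static class InternalListener {}

    public static void main(String[] args) throws IOException {
        // Constructed file content for illustration.
        String file = InternalListener.class.getName() + "=restricted\n";
        RestrictedListsDemo buggy = new RestrictedListsDemo(file, true);
        RestrictedListsDemo fixed = new RestrictedListsDemo(file, false);
        System.out.println("buggy: listener restricted = "
                + isRestricted(InternalListener.class, buggy.restrictedListeners)
                + ", filter list entries = " + buggy.restrictedFilters.size());
        System.out.println("fixed: listener restricted = "
                + isRestricted(InternalListener.class, fixed.restrictedListeners)
                + ", filter list entries = " + fixed.restrictedFilters.size());
    }
}
```

With the buggy load, a rule written into the listeners file is never consulted by the listener check and instead appears in the filter list; with the corrected load it is enforced where intended.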
          David Jencks added a comment -

          So addressing this issue will involve :

          1. determine if the DefaultInstanceManager really needs to check for restricted listeners
          – I invented this file for symmetry with the other restrictedXXX files. Depending on what "really" means.... we need it as does tomcat.
          2. if so, determine which listeners should be restricted (what to put in the RestrictedListeners.properties)
          There aren't any, tomcat didn't have this file or concept.
          3. add RestrictedListeners.properties to Geronimo's catalina.jar
          good idea.
          4. fix the bug in DefaultInstanceManager mentioned above
          very good idea.

          I don't see how the bug can produce a problem right now since there aren't any standard restricted listeners and anyone who can modify the restricted listeners file could also modify the restricted filters file. On the other hand I seem to be getting skilled at missing obvious security problems

          David Jencks added a comment -

          I opened http://issues.apache.org/bugzilla/show_bug.cgi?id=44261 with a fix for tomcat trunk.

          Jay D. McHugh added a comment -

          Resolved this issue on trunk with a new version of tomcat private snapshot including the latest security patch and djencks patch for the restricted listener fix.

          Sending pom.xml
          Adding repository/org/apache/tomcat/6.0.14-G614585.README.TXT
          Adding repository/org/apache/tomcat/catalina/6.0.14-G614585
          Adding (bin) repository/org/apache/tomcat/catalina/6.0.14-G614585/catalina-6.0.14-G614585.jar
          Adding repository/org/apache/tomcat/jasper/6.0.14-G614585
          Adding (bin) repository/org/apache/tomcat/jasper/6.0.14-G614585/jasper-6.0.14-G614585.jar
          Transmitting file data ....
          Committed revision 614754.

          Jay D. McHugh added a comment -

          Checked into branches/2.0 also:

          Sending pom.xml
          Adding repository/org/apache/tomcat/catalina/6.0.14-G614585
          Adding (bin) repository/org/apache/tomcat/catalina/6.0.14-G614585/catalina-6.0.14-G614585.jar
          Adding repository/org/apache/tomcat/jasper/6.0.14-G614585
          Adding (bin) repository/org/apache/tomcat/jasper/6.0.14-G614585/jasper-6.0.14-G614585.jar
          Transmitting file data ...
          Committed revision 614758.

          Shawn Jiang added a comment -

          This happened again after the Geronimo 2.1 branch updated Tomcat to 6.0.20.

          Module 24/68 org.apache.geronimo.configs/tomcat6/2.1.5-SNAPSHOT/car
                     2009-07-24 16:46:18,703 ERROR [[TomcatWebContainer]] "Restricted list
          eners property file not found
          

          What solution are we going to use in the 2.1 branch this time?

          Shawn Jiang added a comment -

          Update the JIRA version to 2.1.5

          Shawn Jiang added a comment -

          Created a stupid patch to add the blank RestrictedListeners.properties file into tomcat 6.0.20

          Ivan added a comment -

          Committed the patch to tomcat-6.0.20 at revision 799220, thanks Shawn!


            People

            • Assignee:
              Jay D. McHugh
              Reporter:
              Kevan Miller