Uploaded image for project: 'MyFaces Core'
  1. MyFaces Core
  2. MYFACES-4037

RuntimePermissions required for protected packages when security manager enabled

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Incomplete
    • Affects Version/s: 2.2.9
    • Fix Version/s: None
    • Component/s: General
    • Labels:
      None
    • Environment:
      Tomcat 8

      Description

      Deploying myfaces-example-simple-1.1.14.war with security manager enabled causes AccessControlExceptions as follows:

      org.apache.catalina.loader.WebappClassLoaderBase.loadClass Security Violation, attempt to use Restricted Class: org.apache.catalina.servlets.DefaultServlet
      java.security.AccessControlException: access denied
      ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.catalina.servlets")
      java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.catalina.servlets")
      at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
      at java.security.AccessController.checkPermission(AccessController.java:884)
      at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
      at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1564)
      at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1243)
      at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1142)
      at java.lang.Class.forName0(Native Method)
      at java.lang.Class.forName(Class.java:264)
      at org.apache.myfaces.ee6.MyFacesContainerInitializer.isDelegatedFacesServlet(MyFacesContainerInitializer.java:280)
      at org.apache.myfaces.ee6.MyFacesContainerInitializer.onStartup(MyFacesContainerInitializer.java:150)
      at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5244)
      at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
      at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)
      at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)
      at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)
      at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)
      at java.security.AccessController.doPrivileged(Native Method)
      at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:699)
      at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
      at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:939)
      at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1812)
      at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
      at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      at java.lang.Thread.run(Thread.java:745)

      org.apache.catalina.loader.WebappClassLoaderBase.loadClass Security Violation, attempt to use Restricted Class: org.apache.jasper.compiler.JspRuntimeContext
      java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.jasper.compiler")
      at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
      at java.security.AccessController.checkPermission(AccessController.java:884)
      at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
      at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1564)
      at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1243)
      at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1142)
      at java.lang.Class.forName0(Native Method)
      at java.lang.Class.forName(Class.java:264)
      at org.apache.myfaces.webapp.Jsp21FacesInitializer.getJspFactory(Jsp21FacesInitializer.java:88)
      at org.apache.myfaces.webapp.Jsp21FacesInitializer.initContainerIntegration(Jsp21FacesInitializer.java:62)
      at org.apache.myfaces.webapp.AbstractFacesInitializer.initFaces(AbstractFacesInitializer.java:172)
      at org.apache.myfaces.webapp.StartupServletContextListener.contextInitialized(StartupServletContextListener.java:121)
      at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4810)
      at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5255)
      at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147)
      at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)
      at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)
      at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)
      at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)
      at java.security.AccessController.doPrivileged(Native Method)
      at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:699)
      at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
      at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:939)
      at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1812)
      at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
      at java.util.concurrent.FutureTask.run(FutureTask.java:266)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      at java.lang.Thread.run(Thread.java:745)

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              neilrichards Neil Richards
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: