Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Bug#585379: tomcat6: tomcat fails to start using a security manager

1 view
Skip to first unread message

Adam Guthrie

unread,
Jun 9, 2010, 7:00:02 PM6/9/10
to
Package: tomcat6
Version: 6.0.24-2
Severity: normal
Tags: patch
User: ubuntu...@lists.ubuntu.com
Usertags: origin-ubuntu maverick ubuntu-patch


Using tomcat6 package version 6.0.24-2ubuntu, after editing /etc/default/tomcat6 to set TOMCAT6_SECURITY=yes, Tomcat breaks on startup with (in catalina.out):

Using CATALINA_BASE: /var/lib/tomcat6
Using CATALINA_HOME: /usr/share/tomcat6
Using CATALINA_TMPDIR: /tmp/tomcat6-tmp
Using JRE_HOME: /usr/lib/jvm/java-6-openjdk
Using CLASSPATH: /usr/share/tomcat6/bin/bootstrap.jar
Using Security Manager
Exception in thread "main" java.lang.ExceptionInInitializerError
at org.apache.juli.logging.LogFactory.getInstance(LogFactory.java:171)
at org.apache.juli.logging.LogFactory.getInstance(LogFactory.java:243)
at org.apache.juli.logging.LogFactory.getLog(LogFactory.java:298)
at org.apache.catalina.startup.Bootstrap.<clinit>(Bootstrap.java:55)
Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission java.util.logging.config.class read)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:342)
at java.security.AccessController.checkPermission(AccessController.java:553)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1302)
at java.lang.System.getProperty(System.java:669)
at org.apache.juli.logging.DirectJDKLog.<clinit>(DirectJDKLog.java:43)
... 4 more
Could not find the main class: org.apache.catalina.startup.Bootstrap. Program will exit.

The problem is that -Djava.security.policy is being set twice, firstly in /etc/init.d/tomcat6 to $CATALINA_BASE/work/catalina.policy (correct), secondly in /usr/share/tomcat6/bin/catalina.sh to $CATALINA_BASE/conf/catalina.policy (an invalid path). Unfortunately the second takes precedence, and so no policy file is actually used.

To fix this, I suggest patching catalina.sh to change 'conf/catalina.policy' references to 'work/catalina.policy'. It would also be good to remove the explicit setting of -Djava.security.manager and -Djava.security.policy from the init.d script, since it is done anyway in the init script. I've attached two patches for this.

Originally reported in Ubuntu by Jeff Turner, and tracked at https://bugs.launchpad.net/ubuntu/+source/tomcat6/+bug/591802


*** /tmp/tmpgCS3jR
In Ubuntu, we've applied the attached patch to achieve the following:

* Fixing failure to start with security manager enable (Closes: LP: #591802)
Thanks to Jeff Turner for patches

We thought you might be interested in doing the same.


-- System Information:
Debian Release: squeeze/sid
APT prefers lucid-updates
APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 'lucid')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-22-generic (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

tmpeODczg
0 new messages