I am running tomcat 5.5.9 with a security manager. I
am testing an application that still uses the servlet
2.3 web.xml file and jstl 1-0-5
My policy file has an entry like:
grant signedby "software",
Principal com.mypackage.MyPrincipal "Paul" {
.... permissions.
};
This principal is bundled in a jar file in the web
application's /WEB-INF/lib directory.
I also have a security constraint defined in web.xml
for web pages in a certain directory that require
authorization. After logging in to access a page in
the protected directory, I get the following
exception:
java.lang.ClassCircularityError:
com/mypackage/MyPrincipal
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:242)
at
sun.security.provider.PolicyFile.addPermissions(PolicyFile.java:1403)
at
sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1307)
at
sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1270)
at
sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1211)
at
sun.security.provider.PolicyFile.implies(PolicyFile.java:1166)
at
java.security.ProtectionDomain.implies(ProtectionDomain.java:195)
at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:249)
at
java.security.AccessController.checkPermission(AccessController.java:427)
at
java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at
java.lang.SecurityManager.checkRead(SecurityManager.java:871)
at java.io.File.exists(File.java:700)
at
org.apache.naming.resources.FileDirContext.file(FileDirContext.java:824)
at
org.apache.naming.resources.FileDirContext.lookup(FileDirContext.java:210)
at
org.apache.naming.resources.ProxyDirContext.lookup(ProxyDirContext.java:293)
at
org.apache.catalina.loader.WebappClassLoader.findResourceInternal(WebappClassLoader.java:1699)
at
org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappClassLoader.java:1570)
at
org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:850)
at
org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1299)
at
org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1181)
at
java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:242)
at
sun.security.provider.PolicyFile.addPermissions(PolicyFile.java:1403)
at
sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1307)
at
sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1270)
at
sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1211)
at
sun.security.provider.PolicyFile.implies(PolicyFile.java:1166)
at
java.security.ProtectionDomain.implies(ProtectionDomain.java:195)
at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:249)
at
java.security.AccessController.checkPermission(AccessController.java:427)
at
java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at
java.lang.SecurityManager.checkRead(SecurityManager.java:871)
at java.io.File.exists(File.java:700)
at
org.apache.naming.resources.FileDirContext.file(FileDirContext.java:824)
at
org.apache.naming.resources.FileDirContext.lookup(FileDirContext.java:210)
at
org.apache.naming.resources.ProxyDirContext.lookup(ProxyDirContext.java:293)
at
org.apache.catalina.loader.WebappClassLoader.findResourceInternal(WebappClassLoader.java:1699)
at
org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappClassLoader.java:1570)
at
org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:850)
at
org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1299)
at
org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1181)
at
javax.xml.parsers.FactoryFinder.newInstance(FactoryFinder.java:88)
at
javax.xml.parsers.FactoryFinder.findJarServiceProvider(FactoryFinder.java:278)
at
javax.xml.parsers.FactoryFinder.find(FactoryFinder.java:185)
at
javax.xml.parsers.SAXParserFactory.newInstance(SAXParserFactory.java:107)
at
org.apache.taglibs.standard.tlv.JstlBaseTLV.validate(JstlBaseTLV.java:177)
at
org.apache.taglibs.standard.tlv.JstlCoreTLV.validate(JstlCoreTLV.java:137)
at
org.apache.jasper.compiler.TagLibraryInfoImpl.validate(TagLibraryInfoImpl.java:750)
at
org.apache.jasper.compiler.Validator.validateXmlView(Validator.java:1527)
at
org.apache.jasper.compiler.Validator.validate(Validator.java:1495)
at
org.apache.jasper.compiler.Compiler.generateJava(Compiler.java:157)
at
org.apache.jasper.compiler.Compiler.compile(Compiler.java:286)
at
org.apache.jasper.compiler.Compiler.compile(Compiler.java:267)
at
org.apache.jasper.compiler.Compiler.compile(Compiler.java:255)
at
org.apache.jasper.JspCompilationContext.compile(JspCompilationContext.java:556)
at
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:293)
at
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:314)
at
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:264)
at
javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native
Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:243)
at java.security.AccessController.doPrivileged(Native
Method)
at
javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
at
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:275)
at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:161)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:245)
at
org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:50)
at
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:156)
at java.security.AccessController.doPrivileged(Native
Method)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:152)
at
org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:672)
at
org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:465)
at
org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:398)
at
org.apache.catalina.core.ApplicationDispatcher.access$000(ApplicationDispatcher.java:66)
at
org.apache.catalina.core.ApplicationDispatcher$PrivilegedForward.run(ApplicationDispatcher.java:81)
at java.security.AccessController.doPrivileged(Native
Method)
at
org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:293)
at
org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:362)
at
org.apache.catalina.core.StandardHostValve.throwable(StandardHostValve.java:211)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:134)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
at
org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at
org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
at java.lang.Thread.run(Thread.java:595)
If I remove the entry from my policy file it works
correctly. If I access a JSP page in the protected
directory that does not use JSTL it work correctly. If
I ask a page with JSTL outside of the protected
directory it works correctly. Is this a known bug or
is my configuration possibly wrong? Or there any code
debugging options for tracking down a
java.lang.ClassCircularityError exception?
Thank you.
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
