I'm using Tomcat 7.0.54 with the security manager. I'm getting an exception I don't understand:

2014-07-22 09:27:03,934 [http-bio-80-exec-64] ERROR org.apache.catalina.core.ContainerBase.[Catalina].[somehostname.mhsoftware.com].[/].[jsp]- Servlet.service() for servlet [jsp] in context with path [] threw exception [java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")] with root cause
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")
        at java.security.AccessControlContext.checkPermission(Unknown Source)
        at java.security.AccessController.checkPermission(Unknown Source)
        at java.lang.SecurityManager.checkPermission(Unknown Source)
        at java.lang.ClassLoader.checkClassLoaderPermission(Unknown Source)
        at java.lang.ClassLoader.getParent(Unknown Source)
        at org.apache.juli.ClassLoaderLogManager.findProperty(ClassLoaderLogManager.java:295)
        at org.apache.juli.ClassLoaderLogManager.getProperty(ClassLoaderLogManager.java:266)
        at org.apache.juli.ClassLoaderLogManager.addLogger(ClassLoaderLogManager.java:144)
        at java.util.logging.LogManager.demandLogger(Unknown Source)
        at java.util.logging.Logger.demandLogger(Unknown Source)
        at java.util.logging.Logger.getLogger(Unknown Source)
        at com.sun.mail.util.MailLogger.<init>(MailLogger.java:115)
        at javax.mail.Session.initLogger(Session.java:226)
        at javax.mail.Session.<init>(Session.java:210)
        at javax.mail.Session.getInstance(Session.java:247)
        at com.MHSoftware.net.mail.MHMail.sendSMTP(MHMail.java:470)


Line 144 of ClassLoaderLogManager is the addLogger method trying to read the .level property for the logger being created.

The catalina.policy is pretty much the stock one. I'm confused because the catalina.policy has:

grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
    permission java.lang.RuntimePermission "getClassLoader";

The page in question that's erroring out is a JSP that's calling a per-context jar. The hierarchy looks something like:

JSP ->
context/WEB-INF/lib/jar Class File ->
$CATALINA_BASE/lib/ MH Software.jar ->
$CATALINA_BASE javax.mail.jar ->
$CATALINA_HOME/bin/tomcat-juli.jar

$CATALINA_BASE/lib has the grant for java.security.AllPermission.

I don't know if this makes a difference, but I'm using log4j, and following the instructions here:

http://tomcat.apache.org/tomcat-7.0-doc/logging.html#Using_Log4j

I've made $CATALINA_BASE/conf/logging.properties an empty file.

Finally, it SEEMS to only be happening in JSP files. Calls directly from classes in the context jar file don't seem to be failing.

If anyone could point me in the right direction, I would really appreciate it.


--
George Sexton
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com
