Tomcat 9.0 with security manager reports access denied on Windows

Question

I started my Tomcat 9.0 on Windows 10 with:

-Djava.security.manager
-Djava.security.policy==C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf\catalina.policy
-Djava.security.debug=access,failure

using a Connector of type org.apache.coyote.http11.Http11Nio2Protocol with enabled ssl.

Also I have only (my own) ROOT app running and nothing else.

Within catalina.policy I have defined (for a first test):

grant codeBase "file:${catalina.base}/webapps/ROOT/-" {
  permission java.security.AllPermission;
};

When I now check the tomcat9-stderr.log I found the following entries:

access: access denied ("java.util.PropertyPermission" "org.apache.juli.logging.UserDataHelper.CONFIG" "read")

java.lang.Exception: Stack trace
at java.lang.Thread.dumpStack(Unknown Source)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
at java.lang.System.getProperty(Unknown Source)
at org.apache.tomcat.util.log.UserDataHelper.<init>(UserDataHelper.java:57)
at org.apache.coyote.AbstractProcessor.<init>(AbstractProcessor.java:90)
at org.apache.coyote.http2.StreamProcessor.<init>(StreamProcessor.java:56)
at org.apache.coyote.http2.Http2UpgradeHandler.processStreamOnContainerThread(Http2UpgradeHandler.java:261)
at org.apache.coyote.http2.Http2UpgradeHandler.headersEnd(Http2UpgradeHandler.java:1356)
at org.apache.coyote.http2.Http2AsyncUpgradeHandler.headersEnd(Http2AsyncUpgradeHandler.java:37)
at org.apache.coyote.http2.Http2Parser.onHeadersComplete(Http2Parser.java:583)
at org.apache.coyote.http2.Http2Parser.readHeadersFrame(Http2Parser.java:272)
at org.apache.coyote.http2.Http2AsyncParser$FrameCompletionHandler.completed(Http2AsyncParser.java:167)
at org.apache.coyote.http2.Http2AsyncParser$FrameCompletionHandler.completed(Http2AsyncParser.java:85)
at org.apache.tomcat.util.net.Nio2Endpoint$Nio2SocketWrapper$VectoredIOCompletionHandler.completed(Nio2Endpoint.java:1148)
at org.apache.tomcat.util.net.Nio2Endpoint$Nio2SocketWrapper$VectoredIOCompletionHandler.completed(Nio2Endpoint.java:1117)
at org.apache.tomcat.util.net.SecureNio2Channel$2.completed(SecureNio2Channel.java:1047)
at org.apache.tomcat.util.net.SecureNio2Channel$2.completed(SecureNio2Channel.java:992)
at sun.nio.ch.Invoker.invokeUnchecked(Unknown Source)
at sun.nio.ch.Invoker$2.run(Unknown Source)
at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Unknown Source)

access: domain that failed ProtectionDomain  null
 null
 <no principals>
 null

As well as two of these:

access: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.tomcat.util.net")
java.lang.Exception: Stack trace
at java.lang.Thread.dumpStack(Unknown Source)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPackageAccess(Unknown Source)
at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at org.apache.tomcat.util.net.SecureNio2Channel.flush(SecureNio2Channel.java:196)
at org.apache.tomcat.util.net.SecureNio2Channel.close(SecureNio2Channel.java:585)
at org.apache.tomcat.util.net.Nio2Endpoint$Nio2SocketWrapper.close(Nio2Endpoint.java:932)
at org.apache.coyote.http2.Http2UpgradeHandler.close(Http2UpgradeHandler.java:1010)
at org.apache.coyote.http2.Http2UpgradeHandler.upgradeDispatch(Http2UpgradeHandler.java:359)
at org.apache.coyote.http2.Http2AsyncUpgradeHandler.upgradeDispatch(Http2AsyncUpgradeHandler.java:37)
at org.apache.coyote.http2.Http2AsyncParser$FrameCompletionHandler.failed(Http2AsyncParser.java:240)
at org.apache.coyote.http2.Http2AsyncParser$FrameCompletionHandler.failed(Http2AsyncParser.java:85)
at org.apache.tomcat.util.net.Nio2Endpoint$Nio2SocketWrapper$VectoredIOCompletionHandler.failed(Nio2Endpoint.java:1184)
at org.apache.tomcat.util.net.Nio2Endpoint$Nio2SocketWrapper$VectoredIOCompletionHandler.failed(Nio2Endpoint.java:1117)
at org.apache.tomcat.util.net.SecureNio2Channel$2.failed(SecureNio2Channel.java:1055)
at org.apache.tomcat.util.net.SecureNio2Channel$2.completed(SecureNio2Channel.java:1049)
at org.apache.tomcat.util.net.SecureNio2Channel$2.completed(SecureNio2Channel.java:992)
at sun.nio.ch.Invoker.invokeUnchecked(Unknown Source)
at sun.nio.ch.Invoker$2.run(Unknown Source)
at sun.nio.ch.AsynchronousChannelGroupImpl$1.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Unknown Source)

access: domain that failed ProtectionDomain  null
null
<no principals>
null

So I tried to add

permission java.util.PropertyPermission "org.apache.juli.logging.UserDataHelper.CONFIG", "read";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.net";

at different locations in the catalina.policy file (for webapps/ROOT/, CATALINA CODE PERMISSIONS, WEB APPLICATION PERMISSIONS).

But all these will not make the two access denied's go away.

So my question is how to clean up these two access denieds?

Update 1

For the accessClassInPackage.org.apache.tomcat.util.net I wonder why this happens, because org.apache.tomcat.util.net is in Tomcat/lib/tomcat-coyote.jar that got the permissions from:

grant codeBase "file:${catalina.home}/lib/-" {
  permission java.security.AllPermission;
};

Update 2

Changed

-Djava.security.policy=

to

-Djava.security.policy==

this let the

access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.tomcat.util.net")

vanish - so that only the juli logging is still denied.

Update 3

Now I got an addition exception:

access: access denied ("java.net.SocketPermission" "127.0.0.1:15484" "accept,resolve")
11-Feb-2019 14:46:43.895 SCHWERWIEGEND [https-openssl-nio2-443-exec-7] org.apache.tomcat.util.net.Nio2Endpoint$Nio2Acceptor.failed Socket accept failed
 java.security.AccessControlException: access denied ("java.net.SocketPermission" "127.0.0.1:15478" "accept,resolve")
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkAccept(Unknown Source)
    at sun.nio.ch.WindowsAsynchronousServerSocketChannelImpl$AcceptTask$1.run(Unknown Source)
    at sun.nio.ch.WindowsAsynchronousServerSocketChannelImpl$AcceptTask$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.nio.ch.WindowsAsynchronousServerSocketChannelImpl$AcceptTask.finishAccept(Unknown Source)
    at sun.nio.ch.WindowsAsynchronousServerSocketChannelImpl$AcceptTask.completed(Unknown Source)
    at sun.nio.ch.Iocp$EventHandlerTask.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
    at sun.misc.InnocuousThread.run(Unknown Source)

Which is strange, because

org.apache.tomcat.util.net.Nio2Endpoint

Is part of

tomcat/lib/tomcat-coyote.jar

which should have no limitations by

grant codeBase "file:${catalina.home}/lib/-" {
    permission java.security.AllPermission;
};

More strange is that this one is followed by:

access: access allowed ("java.net.SocketPermission" "127.0.0.1:15485" "accept,resolve")

Which makes the whole thing more mysterious.

Btw. looks like the same is true for the UserDataHelper there are access allowed beside the access denied.

Answer 1

Similar issue was observed in our application. The security settings in catalina policy has no impact on the code whatsoever; and more importantly for us it was coming intermittently.

We did lot of digging through catalina debug mode (which helps to step debug through catalina threads).

We resolved this issue by changing the Connector in server.xml to org.apache.coyote.http11.Http11NioProtocol (The first version of NIO, instead of NIO2).

We somehow feel that NIO2 messes up with security policies while creating multiple async threads behind the scene.

More on NIO2 features here