Bug#649046: tomcat6: openjdk + TOMCAT6_SECURITY=yes => failed start
Ed Schaller
schallee at darkmist.net
Thu Nov 17 03:43:50 UTC 2011
Package: tomcat6
Version: 6.0.32-7
Severity: important
The Debian OpenJDK has broken out common files into /usr/lib/jvm/java-6-openjdk-common. This includes its own jre/lib/ext directory and is the location of sunpkcs11.jar, which is apparently needed by tomcat at start up. Although /usr/lib/jvm/java6-openjdk-common/jre/lib/ext is included in /usr/lib/jvm/java-6-openjdk-amd64/jre/lib/security/java.policy, it is not included in the policy files that tomcat is using. The result of using openjdk and TOMCAT6_SECURITY=yes is the following exception at start time:
# /etc/init.d/tomcat6 start
Starting Tomcat servlet engine: tomcat6java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:616)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Caused by: java.lang.ExceptionInInitializerError
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:532)
    at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:262)
    at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:244)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:244)
    at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:224)
    at sun.security.jca.ProviderList.loadAll(ProviderList.java:281)
    at sun.security.jca.ProviderList.removeInvalid(ProviderList.java:298)
    at sun.security.jca.Providers.getFullProviderList(Providers.java:170)
    at java.security.Security.getProviders(Security.java:457)
    at org.apache.catalina.core.JreMemoryLeakPreventionListener.lifecycleEvent(JreMemoryLeakPreventionListener.java:293)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
    at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:813)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:562)
    ... 6 more
Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.security.util)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:393)
    at java.security.AccessController.checkPermission(AccessController.java:553)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1529)
    at java.lang.ClassLoader$1.run(ClassLoader.java:345)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.lang.ClassLoader.checkPackageAccess(ClassLoader.java:343)
    at sun.security.pkcs11.SunPKCS11.<clinit>(SunPKCS11.java:63)
    ... 24 more
failed!
A trivial workaround is to add
grant codeBase "file:/usr/lib/jvm/java-6-openjdk-common/jre/lib/ext/*" {
    permission java.security.AllPermission;
};
to a file in /etc/tomcat6/policy.d.
Although the above works as a workaround, it is not very elegant and adds JVM specifics to the tomcat package. I am unsure of whether this is technically a bug in the packaging of tomcat or openjdk as it could be seen as a non-standard JRE layout in openjdk. I'm filing it against tomcat as the default policy for openjdk does include the above grant.
Thank you.
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.0.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages tomcat6 depends on:
ii adduser 3.113
ii debconf [debconf-2.0] 1.5.41
ii tomcat6-common 6.0.32-7
ii ucf 3.0025+nmu2
Versions of packages tomcat6 recommends:
ii authbind 1.2.0
Versions of packages tomcat6 suggests:
pn libtcnative-1 <none>
pn tomcat6-admin <none>
pn tomcat6-docs <none>
pn tomcat6-examples <none>
pn tomcat6-user <none>
-- Configuration Files:
/etc/logrotate.d/tomcat6 changed [not included]
/etc/tomcat6/server.xml changed [not included]
-- debconf information:
* tomcat6/javaopts: -Djava.awt.headless=true -Xmx128m -XX:+UseConcMarkSweepGC
* tomcat6/groupname: tomcat6
* tomcat6/username: tomcat6
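
Added example, not part of the original report and not code from the tomcat6 or openjdk packages: a check that lists which extension JARs fall outside every codeBase grant in a policy text, using the policy-file matching rules for "/*" and "/-". The policy text, the assumption that it grants only to ${java.home}/lib/ext, and the file name constructed-example.jar are constructed for illustration; the paths and the workaround grant are the ones quoted in the report.

```python
import re

# Strings are matched first so the "/*" inside a codeBase URL is not taken for a comment.
_TOKEN = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*', re.S)
# Handles the plain form: grant codeBase "URL" { ... };  (no signedBy/principal clauses)
_GRANT = re.compile(r'grant\s+codeBase\s+"([^"]+)"\s*\{(.*?)\}\s*;', re.S)

def strip_comments(text):
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)

def parse_grants(text, props):
    """Return [(codeBase, [permission entries])] with ${property} references expanded."""
    grants = []
    for codebase, body in _GRANT.findall(strip_comments(text)):
        for name, value in props.items():
            codebase = codebase.replace("${%s}" % name, value)
        grants.append((codebase, [p.strip() for p in body.split(";") if p.strip()]))
    return grants

def covers(codebase, url):
    """Policy-file codeBase matching for a JAR URL."""
    if codebase.endswith("/-"):   # directory and everything below it
        return url.startswith(codebase[:-1])
    if codebase.endswith("/*"):   # class and JAR files directly in the directory
        directory = codebase[:-1]
        return url.startswith(directory) and "/" not in url[len(directory):]
    return url == codebase        # a trailing "/" covers class files only, never JARs

def uncovered(policy_text, props, jar_urls):
    """JAR URLs that no codeBase grant in the policy text applies to."""
    grants = parse_grants(policy_text, props)
    return [u for u in jar_urls if not any(covers(cb, u) for cb, _ in grants)]

# Constructed inputs (assumptions, see lead-in); paths are those quoted in the report.
PROPS = {"java.home": "/usr/lib/jvm/java-6-openjdk-amd64/jre"}
COMMON_EXT = "/usr/lib/jvm/java-6-openjdk-common/jre/lib/ext"
SAMPLE_POLICY = '''
// constructed sample, not the packaged Tomcat policy
grant codeBase "file:${java.home}/lib/ext/-" { permission java.security.AllPermission; };
'''
WORKAROUND = 'grant codeBase "file:%s/*" { permission java.security.AllPermission; };' % COMMON_EXT
JARS = ["file:%s/lib/ext/constructed-example.jar" % PROPS["java.home"],
        "file:%s/sunpkcs11.jar" % COMMON_EXT]

if __name__ == "__main__":
    print("before workaround:", uncovered(SAMPLE_POLICY, PROPS, JARS))
    print("after workaround: ", uncovered(SAMPLE_POLICY + WORKAROUND, PROPS, JARS))
```

Grants without a codeBase apply to all code and are not considered by this check.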