Bug#649046: tomcat6: openjdk + TOMCAT6_SECURITY=yes => failed start

Ed Schaller schallee at darkmist.net
Thu Nov 17 03:43:50 UTC 2011


Package: tomcat6
Version: 6.0.32-7
Severity: important

The Debian OpenJDK has broken out common files into /usr/lib/jvm/java-6-openjdk-common. This includes its own jre/lib/ext directory and is the location of sunpkcs11.jar, which is apparently needed by tomcat at start up. Although /usr/lib/jvm/java6-openjdk-common/jre/lib/ext is included in /usr/lib/jvm/java-6-openjdk-amd64/jre/lib/security/java.policy, it is not included in the policy files that tomcat is using. The result of using openjdk and TOMCAT6_SECURITY=yes is the following exception at start time:

# /etc/init.d/tomcat6 start
Starting Tomcat servlet engine: tomcat6java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Caused by: java.lang.ExceptionInInitializerError
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:532)
        at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:262)
        at sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:244)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:244)
        at sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:224)
        at sun.security.jca.ProviderList.loadAll(ProviderList.java:281)
        at sun.security.jca.ProviderList.removeInvalid(ProviderList.java:298)
        at sun.security.jca.Providers.getFullProviderList(Providers.java:170)
        at java.security.Security.getProviders(Security.java:457)
        at org.apache.catalina.core.JreMemoryLeakPreventionListener.lifecycleEvent(JreMemoryLeakPreventionListener.java:293)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:813)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:562)
        ... 6 more
Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.security.util)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:393)
        at java.security.AccessController.checkPermission(AccessController.java:553)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1529)
        at java.lang.ClassLoader$1.run(ClassLoader.java:345)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.lang.ClassLoader.checkPackageAccess(ClassLoader.java:343)
        at sun.security.pkcs11.SunPKCS11.<clinit>(SunPKCS11.java:63)
        ... 24 more
 failed!

A trivial workaround is to add

grant codeBase "file:/usr/lib/jvm/java-6-openjdk-common/jre/lib/ext/*" {
        permission java.security.AllPermission;
};

to a file in /etc/tomcat6/policy.d.

Although the above works as a workaround it is not very elegant and adds JVM specifics to the tomcat package.  I am unsure of whether this is technically a bug in the packaging of tomcat or openjdk as it could be seen as a non-standard JRE layout in openjdk. I'm filing it against tomcat as the default policy for openjdk does include the above grant.

Thank you.

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages tomcat6 depends on:
ii  adduser                3.113      
ii  debconf [debconf-2.0]  1.5.41     
ii  tomcat6-common         6.0.32-7   
ii  ucf                    3.0025+nmu2

Versions of packages tomcat6 recommends:
ii  authbind  1.2.0

Versions of packages tomcat6 suggests:
pn  libtcnative-1     <none>
pn  tomcat6-admin     <none>
pn  tomcat6-docs      <none>
pn  tomcat6-examples  <none>
pn  tomcat6-user      <none>

-- Configuration Files:
/etc/logrotate.d/tomcat6 changed [not included]
/etc/tomcat6/server.xml changed [not included]

-- debconf information:
* tomcat6/javaopts: -Djava.awt.headless=true -Xmx128m -XX:+UseConcMarkSweepGC
* tomcat6/groupname: tomcat6
* tomcat6/username: tomcat6
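
Added example (not part of the original report, and not code from the tomcat6 or openjdk packages): a small checker that resolves which `grant codeBase` entries of a policy apply to a given JAR, using the Java policy codeBase suffix rules ("/*" = files in that directory, "/-" = recursive, "/" = class files only). The sample policy text, the property values and the function names are constructed for illustration; only `grant codeBase` entries are handled (no signedBy or principal clauses).

```python
import re

# Constructed sample: a Tomcat-style policy that lacks the OpenJDK common ext dir.
TOMCAT_POLICY = '''
grant codeBase "file:${java.home}/lib/ext/-" {
        permission java.security.AllPermission;
};
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
        permission java.security.AllPermission;
};
'''
# The workaround grant quoted in the report.
WORKAROUND = '''
grant codeBase "file:/usr/lib/jvm/java-6-openjdk-common/jre/lib/ext/*" {
        permission java.security.AllPermission;
};
'''
# Assumed property values for this layout (not taken from the report).
PROPS = {"java.home": "/usr/lib/jvm/java-6-openjdk-amd64/jre",
         "catalina.home": "/usr/share/tomcat6"}
JAR = "file:/usr/lib/jvm/java-6-openjdk-common/jre/lib/ext/sunpkcs11.jar"

GRANT = re.compile(r'grant\s+codeBase\s+"([^"]+)"\s*\{(.*?)\};', re.S)

def expand(text, props):
    """Expand ${name} references; unknown names are left untouched."""
    return re.sub(r'\$\{([^}]+)\}', lambda m: props.get(m.group(1), m.group(0)), text)

def parse_grants(policy, props):
    """Return [(expanded codeBase, [permission entries])] for each grant."""
    return [(expand(cb, props),
             [p.strip() for p in re.findall(r'permission\s+([^;]+);', body)])
            for cb, body in GRANT.findall(policy)]

def covers(codebase, url):
    """True if a policy codeBase URL applies to the code source at url."""
    if codebase.endswith("/-"):                      # directory, recursive
        return url.startswith(codebase[:-1])
    if codebase.endswith("/*"):                      # files directly in directory
        d = codebase[:-1]
        return url.startswith(d) and "/" not in url[len(d):]
    if codebase.endswith("/"):                       # class files only, no JARs
        rest = url[len(codebase):]
        return url.startswith(codebase) and "/" not in rest and rest.endswith(".class")
    return codebase == url                           # exact file

def permissions_for(policy, url, props=PROPS):
    """All permissions the policy grants to the code source at url."""
    return [p for cb, perms in parse_grants(policy, props) if covers(cb, url) for p in perms]

if __name__ == "__main__":
    print("without workaround:", permissions_for(TOMCAT_POLICY, JAR))
    print("with workaround:   ", permissions_for(TOMCAT_POLICY + WORKAROUND, JAR))
```

An empty result for a JAR that runs under the security manager means its classes get only the default permissions, which is the condition behind the AccessControlException above.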




