Bug 40819 - Jasper is unabled to compile class for JSP
Summary: Jasper is unabled to compile class for JSP
Status: CLOSED FIXED
Alias: None
Product: Sisyphus
Classification: Development
Component: tomcat (show other bugs)
Version: unstable
Hardware: x86_64 Linux
: P5 normal
Assignee: Stanislav Levin
QA Contact: qa-sisyphus
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-08-27 17:04 MSK by Stanislav Levin
Modified: 2021-08-28 19:38 MSK (History)
4 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stanislav Levin 2021-08-27 17:04:50 MSK
As of 9.0.50-alt1_2jpp11 tomcat + JSP of dogtag pki fails on
`curl -v -k https:/master1.ipa.test:8443/` with

```
27-Aug-2021 13:50:12.944 INFO [Catalina-utility-2] org.apache.catalina.core.Applicatio
nContext.log default: DefaultServlet.init:  input buffer size=2048, output buffer size
=2048
27-Aug-2021 13:50:34.427 INFO [main] org.apache.catalina.core.ApplicationContext.log d
efault: DefaultServlet.init:  input buffer size=2048, output buffer size=2048
27-Aug-2021 13:51:06.726 SEVERE [https-jsse-nio-8443-exec-1] org.apache.catalina.core.
StandardWrapperValve.invoke Servlet.service() for servlet [jsp] in context with path [
] threw exception [javax.servlet.ServletException: java.security.AccessControlExceptio
n: access denied ("java.io.FilePermission" "/usr/share/pki/server/webapps/ROOT/WEB-INF
/classes/META-INF/services/javax.el.ExpressionFactory" "read")] with root cause
        java.security.AccessControlException: access denied ("java.io.FilePermission" 
"/usr/share/pki/server/webapps/ROOT/WEB-INF/classes/META-INF/services/javax.el.Express
ionFactory" "read")
                at java.base/java.security.AccessControlContext.checkPermission(Access
ControlContext.java:472)
                at java.base/java.security.AccessController.checkPermission(AccessCont
roller.java:897)
                at java.base/java.lang.SecurityManager.checkPermission(SecurityManager
.java:322)
                at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:
661)
                at java.base/java.io.File.exists(File.java:817)
                at org.apache.catalina.webresources.DirResourceSet.getResource(DirReso
urceSet.java:105)

...
```

Dogtag PKI is run with an enabled security manager with its own policy(Catalina + PKI). Regarding tomcat, this policy declares:
```
grant codeBase "file:/usr/share/java/tomcat/-" {
        permission java.security.AllPermission;
};

grant codeBase "file:/usr/share/java/tomcat-el-api.jar" {
        permission java.security.AllPermission;
};

grant codeBase "file:/usr/share/java/tomcat-servlet-api.jar" {
        permission java.security.AllPermission;
};
```

Due to the changes in 9.0.50-alt1_2jpp11 (in particularly, maven ones) there are no longer /usr/share/java/tomcat-servlet-api.jar and /usr/share/java/tomcat-el-api.jar.

This bug is opened for reference.
Comment 1 Repository Robot 2021-08-28 12:08:15 MSK
tomcat-1:9.0.50-alt2_2jpp11 -> sisyphus:

 Fri Aug 27 2021 Stanislav Levin <slev@altlinux> 1:9.0.50-alt2_2jpp11
 - Packaged missing jars (closes: #40819).
Comment 2 viy 2021-08-28 19:31:24 MSK
только патч в tomcat-1:9.0.50-alt2_2jpp11
получился слишком радикальный. Вернуть дубликаты в lib не страшно, 
но вот если убрать их из jsp, servlet, js api, то это ломает много
пакетов. Навскидку заметил слом сборки в javahelp2 portlet-2.0-api resteasy.

Я соберу сборку, где сохраню дубликаты в lib, но верну их в *-api.
Comment 3 viy 2021-08-28 19:38:10 MSK
Гм. в федоре в 9.0.52 те %exсlude уже откатили. Так что просто соберу их 9.0.52.