As of 9.0.50-alt1_2jpp11 tomcat + JSP of dogtag pki fails on `curl -v -k https:/master1.ipa.test:8443/` with
```
27-Aug-2021 13:50:12.944 INFO [Catalina-utility-2] org.apache.catalina.core.ApplicationContext.log default: DefaultServlet.init: input buffer size=2048, output buffer size=2048
27-Aug-2021 13:50:34.427 INFO [main] org.apache.catalina.core.ApplicationContext.log default: DefaultServlet.init: input buffer size=2048, output buffer size=2048
27-Aug-2021 13:51:06.726 SEVERE [https-jsse-nio-8443-exec-1] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [jsp] in context with path [] threw exception [javax.servlet.ServletException: java.security.AccessControlException: access denied ("java.io.FilePermission" "/usr/share/pki/server/webapps/ROOT/WEB-INF/classes/META-INF/services/javax.el.ExpressionFactory" "read")] with root cause
        java.security.AccessControlException: access denied ("java.io.FilePermission" "/usr/share/pki/server/webapps/ROOT/WEB-INF/classes/META-INF/services/javax.el.ExpressionFactory" "read")
                at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
                at java.base/java.security.AccessController.checkPermission(AccessController.java:897)
                at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
                at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:661)
                at java.base/java.io.File.exists(File.java:817)
                at org.apache.catalina.webresources.DirResourceSet.getResource(DirResourceSet.java:105)
...
```

Dogtag PKI is run with an enabled security manager with its own policy (Catalina + PKI).
Regarding tomcat, this policy declares:
```
grant codeBase "file:/usr/share/java/tomcat/-" {
    permission java.security.AllPermission;
};

grant codeBase "file:/usr/share/java/tomcat-el-api.jar" {
    permission java.security.AllPermission;
};

grant codeBase "file:/usr/share/java/tomcat-servlet-api.jar" {
    permission java.security.AllPermission;
};
```

Due to the changes in 9.0.50-alt1_2jpp11 (in particular, the maven ones) there are no longer /usr/share/java/tomcat-servlet-api.jar and /usr/share/java/tomcat-el-api.jar. This bug is opened for reference.
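
Added example (not part of the original report, nor Dogtag or Tomcat code): a check that flags `grant codeBase "file:..."` entries in a security manager policy whose target path no longer exists, which is the condition this report describes. The `root` and `props` parameters and the temporary directory tree are assumptions made for the demonstration; the grant lines are the ones quoted above.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote, urlparse

# Grant statements as quoted in the report above.
PAGE_POLICY = '''
grant codeBase "file:/usr/share/java/tomcat/-" { permission java.security.AllPermission; };
grant codeBase "file:/usr/share/java/tomcat-el-api.jar" { permission java.security.AllPermission; };
grant codeBase "file:/usr/share/java/tomcat-servlet-api.jar" { permission java.security.AllPermission; };
'''

# Only uncommented grant statements that start a line are considered.
GRANT_RE = re.compile(r'^\s*grant\b[^{;]*?\bcodeBase\s+"([^"]+)"', re.MULTILINE)
PROP_RE = re.compile(r'\$\{([^}]+)\}')


def dangling_codebases(policy_text, root="/", props=None):
    """Return file: codeBase URLs whose target is absent below `root`."""
    props = props or {}
    missing = []
    for match in GRANT_RE.finditer(policy_text):
        # Expand ${name} from the caller-supplied mapping (hypothetical helper input).
        url = PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), match.group(1))
        if not url.startswith("file:") or "${" in url:
            continue  # non-file codeBase or unresolved property: not checked here
        path = unquote(urlparse(url).path)
        # Trailing "/-" (recursive) and "/*" (one level) name a directory.
        if path.endswith(("/-", "/*")):
            path = path[:-1]
        if not (Path(root) / path.lstrip("/")).exists():
            missing.append(url)
    return missing


def demo():
    """Constructed tree mimicking the state in the report: the tomcat/
    directory exists, the two top-level API jars do not."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "usr/share/java/tomcat").mkdir(parents=True)
        return dangling_codebases(PAGE_POLICY, root=root)


if __name__ == "__main__":
    for url in demo():
        print("codeBase target missing:", url)
```

On a real host, call `dangling_codebases()` with the text of the deployed policy file and `root="/"`.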
tomcat-1:9.0.50-alt2_2jpp11 -> sisyphus:

Fri Aug 27 2021 Stanislav Levin <slev@altlinux> 1:9.0.50-alt2_2jpp11
- Packaged missing jars (closes: #40819).
However, the patch in tomcat-1:9.0.50-alt2_2jpp11 turned out to be too radical. Bringing the duplicates back into lib is harmless, but removing them from the jsp, servlet, js api breaks a lot of packages. Offhand, I noticed build breakage in javahelp2, portlet-2.0-api and resteasy. I will make a build where I keep the duplicates in lib but return them to *-api.
Hm. In Fedora, those %exclude lines were already reverted in 9.0.52. So I will just build their 9.0.52.