All geek questions in one place

Tomcat v7.0 Load Exception - Marking ssi servlet as unavailable

New installation of Tomcat v7.0 and Eclipse. Trying to load SSI Servlet. Changed context.xml and web.xml according to Tomcat instructions.

Context.xml (corresponding fragments are shown):

<Context reloadable="true" privileged="true"> <!-- Default set of monitored resources --> <WatchedResource>WEB-INF/web.xml</WatchedResource> </Context>

web.xml (corresponding fragments are shown):

  <servlet> <servlet-name>ssi</servlet-name> <servlet-class> org.apache.catalina.ssi.SSIServlet </servlet-class> <init-param> <param-name>buffered</param-name> <param-value>1</param-value> </init-param> <init-param> <param-name>debug</param-name> <param-value>0</param-value> </init-param> <init-param> <param-name>expires</param-name> <param-value>666</param-value> </init-param> <init-param> <param-name>isVirtualWebappRelative</param-name> <param-value>0</param-value> </init-param> <load-on-startup>4</load-on-startup> </servlet> <servlet-mapping> <servlet-name>ssi</servlet-name> <url-pattern>*.shtml</url-pattern> </servlet-mapping>

But I still get the following load exception:

 Mar 23, 2012 12:06:00 PM org.apache.catalina.core.StandardContext loadOnStartup SEVERE: Servlet threw load() exception java.lang.SecurityException: Restricted class org.apache.catalina.ssi.SSIServlet at org.apache.catalina.core.DefaultInstanceManager.checkAccess(DefaultInstanceManager.java:548) at org.apache.catalina.core.DefaultInstanceManager.checkAccess(DefaultInstanceManager.java:539) at org.apache.catalina.core.DefaultInstanceManager.loadClassMaybePrivileged(DefaultInstanceManager.java:509) at org.apache.catalina.core.DefaultInstanceManager.newInstance(DefaultInstanceManager.java:124) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1136) at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1080) at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5001) at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5289) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1525) at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1515) at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334) at java.util.concurrent.FutureTask.run(FutureTask.java:166) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) at java.lang.Thread.run(Thread.java:722) Mar 23, 2012 12:06:00 PM org.apache.catalina.core.ApplicationContext log INFO: Marking servlet ssi as unavailable

I tried everything I could think of. Can anyone advise how to fix this? thanks!

+4
source share
3 answers

I added the privileged="true" attribute to the context element in the context.xml file in the root. He solved the security exception for CGI for me.

I found that through this site .

+6
source

I have the same problem with another package: cgi instead of ssi. I will go through a solution that, as I found, overcome the error.

As with the OP, I had a clean install of Tomcat 7.0.27. I tested CGI. While working on the initial setup, I kept getting the following:

 SEVERE: Servlet /TestTomcatApp threw load() exception java.lang.SecurityException: Restricted class org.apache.catalina.servlets.CGIServlet at org.apache.catalina.core.DefaultInstanceManager.checkAccess(DefaultInstanceManager.java:548 )

which is pretty much identical to OP, except for the class involved.

I searched for "Tomcat Restricted DefaultInstanceManager" and found [this java source code] [1]:

 private void [More ...] checkAccess(Class<?> clazz, Properties restricted) { while (clazz != null) { if ("restricted".equals(restricted.getProperty(clazz.getName()))) { throw new SecurityException("Restricted class" + clazz); } clazz = clazz.getSuperclass(); } }

The Properties class (which can be linked to a link to a code page with a hot link) showed that the code most likely reads the .properties file. Thus, I was able to reset the catalines .properties and catalina.policy. After carefully reading the documentation in these two files, as well as the link to the [Tomcat SecurityManager Doc] [2], I realized that I had to add the grant statement to the catalina.policy file:

 // The Manager application needs access to the following packages to support the // session display functionality. These settings support the following // configurations: // - default CATALINA_HOME == CATALINA_BASE // - CATALINA_HOME != CATALINA_BASE, per instance Manager in CATALINA_BASE // - CATALINA_HOME != CATALINA_BASE, shared Manager in CATALINA_HOME grant codeBase "file:${catalina.base}/webapps/manager/-" { permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util"; **permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.servlets.CGIServlet";** }; grant codeBase "file:${catalina.home}/webapps/manager/-" { permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util"; **permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.servlets.CGIServlet"; };**

(My uploads are in bold)

After restarting Tomcat, the error disappeared.

NOTE. I realized that this whole problem should be caused by security issues with certain modules on Tomcat. My use is intended solely for testing on a single machine, and production is not expected in this mode.

[1] http://grepcode.com/file/repo1.maven.org/maven2/org.apache.tomcat/tomcat-catalina/7.0.0/org/apache/catalina/core/DefaultInstanceManager.java#DefaultInstanceManager.checkAccess % 28java.lang.Class% 29

[2] http://tomcat.apache.org/tomcat-7.0-doc/security-manager-howto.html#Configuring_Tomcat_With_A_SecurityManager

+1
source

So, just to confirm (how this works for me):

  • Download Tomcat 7.0.26 (zip)
  • Unpacked
  • Changed $ {TOMCAT_HOME) /conf/web.xml
    • Compiled SSI servlet definition around line 276
    • Compiled SSI servlet mapping on line 370
  • Changed $ {TOMCAT_HOME} /conf/tomcat-users.xml
    • Added admin-gui role
    • A user administrator with the administrator role has been added.

  • Added a simple ssi.shtml page to $ {TOMCAT_HOME} / webapps / host-manager:

    <! - # printenv →

  • Tomcat started, no errors, http: // localhost: 8080 / host-manager / ssi.shtml works as expected

Finally - you are editing the web application context.xml, not web.xml in the $ {TOMCAT_HOME} / conf folder - I think since your example has a WatchedResource element

0
source

Source: https://habr.com/ru/post/1403160/

More articles:


All Articles