[Bug 509528] [NEW] Security manager breaks session listing

imagine the.box at gmx.net
Tue Jan 19 09:04:10 GMT 2010

Public bug reported:

Binary package hint: tomcat6

The current settings of the security manager in /etc/policy.d/ do not allow listing the active sessions in the Tomcat Web Application Manager.
Steps to reproduce:
* Install tomcat6-admin including dependencies
* Open Tomcat Web Application Manager (default location http://localhost:8080/manager/html/)
* Try to open the session list of an application
* Instead of seeing the sessions administration, a "java.security.AccessControlException" error occurs (example stacktrace is attached)

This was tested on Karmic with Tomcat version 6.0.20-2ubuntu2 and
openjdk-6-jre-headless 6b16-1.6.1-3ubuntu1.

To fix this, add the following rules to the security manager settings (not thoroughly tested):
grant {
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
};

** Affects: tomcat6 (Ubuntu)
     Importance: Undecided
         Status: New


More information about the Ubuntu-server-bugs mailing list
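
A grant entry with no codeBase, signedBy or principal clause applies to all code running under the security manager, so rules written as a bare "grant {" open the listed packages to every deployed web application, not only the manager. The check below is an added example, not part of the original report or of the tomcat6 package: it flags unscoped accessClassInPackage grants in policy text. The function name, the sample policy strings and the codeBase path are constructed assumptions.

```python
import re

# One grant entry: optional scope clauses, then the braced permission list.
# Quoted strings are matched as units so "${catalina.home}" does not confuse the braces.
GRANT_RE = re.compile(
    r'grant\b(?P<scope>(?:"[^"]*"|[^{"])*)\{(?P<body>(?:"[^"]*"|[^}"])*)\}\s*;')
PERM_RE = re.compile(r'permission\s+(?P<cls>[\w.$]+)\s+"(?P<target>[^"]*)"')
SCOPE_RE = re.compile(r'\b(codeBase|signedBy|principal)\b', re.I)
COMMENT_RE = re.compile(r'"[^"]*"|//[^\n]*|/\*.*?\*/', re.S)

def strip_comments(text):
    """Remove // and /* */ comments while leaving quoted strings untouched."""
    return COMMENT_RE.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else '', text)

def unscoped_internal_grants(policy_text, prefix="org.apache.catalina"):
    """Return accessClassInPackage targets under `prefix` that are granted to
    all code, i.e. in a grant entry with no codeBase/signedBy/principal."""
    findings = []
    for grant in GRANT_RE.finditer(strip_comments(policy_text)):
        scope = re.sub(r'"[^"]*"', '', grant.group("scope"))
        if SCOPE_RE.search(scope):
            continue  # entry is limited to specific code or principals
        for perm in PERM_RE.finditer(grant.group("body")):
            if (perm.group("cls") == "java.lang.RuntimePermission" and
                    perm.group("target").startswith("accessClassInPackage." + prefix)):
                findings.append(perm.group("target"))
    return findings

# The rules proposed in the report, closed with "};" so they parse.
PROPOSED = '''
grant {
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
};
'''

# Constructed variant: same permissions limited to one code location.
# The codeBase path is an assumption; the packaged manager webapp may live elsewhere.
SCOPED = PROPOSED.replace(
    'grant {', 'grant codeBase "file:${catalina.home}/webapps/manager/-" {')

if __name__ == "__main__":
    for name, text in (("proposed", PROPOSED), ("scoped", SCOPED)):
        print(name, unscoped_internal_grants(text))
```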