bug-classpath

[Bug classpath/23822] Classpath fails with tomcat5 and security manager


From: WBaer at gmx dot de
Subject: [Bug classpath/23822] Classpath fails with tomcat5 and security manager enabled
Date: 11 Sep 2005 21:00:23 -0000

------- Additional Comments From WBaer at gmx dot de  2005-09-11 21:00 -------
I solved the NPE in SubjectDomainCombiner.combine:

When Subject.doAsPrivileged (Subject, PrivilegedExceptionAction,
   AccessControlContext) is called from Apache, the given Subject
instance is null. Inside this doAsPrivileged method, a new
AccessControlContext with a new SubjectDomainCombiner constructed
with this Subject instance (= null) is constructed.

That the Subject is null is allowed for SubjectDomainController
and therefore this must be respected in the combine method. The
method should be changed from:

...
LinkedList domains = new LinkedList();
Principal[] principals =
  (Principal[]) subject.getPrincipals().toArray (new Principal[0]);
if (current != null)
...

to

...
LinkedList domains = new LinkedList();
Principal[] principals = null;
if(subject != null)
  {   
    principals =
      (Principal[]) subject.getPrincipals().toArray (new Principal[0]);
  }
if (current != null)
...

This solves the NPE and is correct according to Sun's Javadoc. However,
not getting an NPE here results in several exceptions from tomcat5:

StandardClassLoader: Security Violation, attempt to use Restricted Class:
org.apache.jasper.EmbeddedServletOptions

The ProtectionDomains given do not allow the use of this package
at this point as shown by printing the ProtectionDomains of the context
which is used in AccessController.doPrivileged (action, context) at
the end of the Subject.doAsPrivileged method.

So I conclude that not all libraries of tomcat5 which should be allowed
to use (given the *.policy files) are allowed with the calling thread
but should be ....

Hope this helps a bit,

Wolfgang

-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=23822
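
Added example, not part of the original message and not GNU Classpath's code: a stand-alone DomainCombiner whose combine method tolerates a null Subject, as the comment above proposes. The class name NullSafeSubjectCombiner, the choice of an empty principal array for a null Subject, and the sample domain in main are assumptions made for illustration.

```java
import java.security.CodeSource;
import java.security.DomainCombiner;
import java.security.Permissions;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.Subject;

// Hypothetical class for illustration; not GNU Classpath's SubjectDomainCombiner.
public class NullSafeSubjectCombiner implements DomainCombiner {
    private final Subject subject; // null when the caller passed no Subject

    public NullSafeSubjectCombiner(Subject subject) { this.subject = subject; }

    @Override
    public ProtectionDomain[] combine(ProtectionDomain[] current, ProtectionDomain[] assigned) {
        // Assumption: a null Subject contributes no principals (empty array).
        Principal[] principals = (subject == null)
            ? new Principal[0]
            : subject.getPrincipals().toArray(new Principal[0]);
        List<ProtectionDomain> domains = new ArrayList<>();
        if (current != null) {
            for (ProtectionDomain pd : current) {
                if (pd == null) continue;
                // Re-create each current domain with the Subject's principals attached.
                domains.add(new ProtectionDomain(pd.getCodeSource(), pd.getPermissions(),
                                                 pd.getClassLoader(), principals));
            }
        }
        if (assigned != null) {
            for (ProtectionDomain pd : assigned) {
                if (pd != null) domains.add(pd); // inherited domains pass through unchanged
            }
        }
        return domains.toArray(new ProtectionDomain[0]);
    }

    public static void main(String[] args) {
        // Constructed sample domain standing in for a caller on the stack.
        CodeSource cs = new CodeSource(null, (Certificate[]) null);
        ProtectionDomain caller = new ProtectionDomain(cs, new Permissions(), null, null);
        ProtectionDomain[] out =
            new NullSafeSubjectCombiner(null).combine(new ProtectionDomain[] { caller }, null);
        System.out.println(out.length + " domain(s), principals=" + out[0].getPrincipals().length);
    }
}
```

The domains returned by combine are what the access check then evaluates, so printing them is a direct way to see which ProtectionDomain lacks a permission the policy files were expected to grant.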



