Tomcat security manager asking for permissions for spring boot application

Question

I have a spring boot application that I want to deploy to external tomcat server. The tomcat has Tomcat Security Manager enabled, so when I place the war file in /webapps/ folder of tomcat and start the server, the tomcat asks for permissions as shown below. I am using spring boot 2.4.2 version, changing the version is not an option.

java version is : 1.8 (both application and tomcat) tomcat is running on unix.

08-Apr-2021 15:41:20.326 SEVERE [main] org.apache.catalina.startup.HostConfig.deployWAR Error deploying web application archive [/opt/apache/tomcat/base/webapps/com#myApp.war]
    java.lang.IllegalStateException: Error starting child
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:720)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:688)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:706)
        at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:978)
        at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1848)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
        at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:112)
        at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:773)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:427)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1576)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:309)
        at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:123)
        at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:423)
        at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:366)
        at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:936)
        at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:843)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1384)
        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1374)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
        at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:134)
        at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:909)
        at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:262)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.StandardService.startInternal(StandardService.java:421)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:772)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:342)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
    Caused by: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/com/myApp]]
        at org.apache.catalina.util.LifecycleBase.handleSubClassException(LifecycleBase.java:440)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:198)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
        ... 41 more
    Caused by: java.lang.IllegalArgumentException: Cannot instantiate interface org.springframework.context.ApplicationContextInitializer : org.springframework.boot.autoconfigure.SharedMetadataReaderFactoryContextInitializer
        at org.springframework.boot.SpringApplication.createSpringFactoriesInstances(SpringApplication.java:467)
        at org.springframework.boot.SpringApplication.getSpringFactoriesInstances(SpringApplication.java:449)
        at org.springframework.boot.SpringApplication.getSpringFactoriesInstances(SpringApplication.java:442)
        at org.springframework.boot.SpringApplication.<init>(SpringApplication.java:284)
        at org.springframework.boot.SpringApplication.<init>(SpringApplication.java:264)
        at org.springframework.boot.builder.SpringApplicationBuilder.createSpringApplication(SpringApplicationBuilder.java:109)
        at org.springframework.boot.builder.SpringApplicationBuilder.<init>(SpringApplicationBuilder.java:97)
        at org.springframework.boot.web.servlet.support.SpringBootServletInitializer.createSpringApplicationBuilder(SpringBootServletInitializer.java:164)
        at org.springframework.boot.web.servlet.support.SpringBootServletInitializer.createRootApplicationContext(SpringBootServletInitializer.java:128)
        at org.springframework.boot.web.servlet.support.SpringBootServletInitializer.onStartup(SpringBootServletInitializer.java:95)
        at org.springframework.web.SpringServletContainerInitializer.onStartup(SpringServletContainerInitializer.java:174)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5166)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        ... 42 more
    Caused by: java.lang.ExceptionInInitializerError
        at org.springframework.beans.BeanUtils.<clinit>(BeanUtils.java:80)
        at org.springframework.boot.SpringApplication.createSpringFactoriesInstances(SpringApplication.java:463)
        ... 54 more
    Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "org.graalvm.nativeimage.imagecode" "read")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.security.AccessController.checkPermission(AccessController.java:886)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)
        at java.lang.System.getProperty(System.java:717)
        at org.springframework.core.DefaultParameterNameDiscoverer.<clinit>(DefaultParameterNameDiscoverer.java:47)
        ... 56 more
08-Apr-2021 15:41:20.329 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/opt/apache/tomcat/base/webapps/com#myApp.war] has finished in [3,052] ms
08-Apr-2021 15:41:20.331 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
08-Apr-2021 15:41:20.348 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-jsse-nio2-8443"]
08-Apr-2021 15:41:20.349 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [21648] milliseconds

Can any one suggest where is the problem?

If I grant the permission

permission java.util.PropertyPermission "org.graalvm.nativeimage.imagecode", "read";

Then again it asks for another permission

java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks") (Though I am not able to set the correct permission for this exception). I have the following questions regarding these exceptions:

Why I am getting these exceptions? Another spring application I was able to run on the same tomcat with security manager enabled. The spring application(not spring boot) works fine without any permissions needed, but not the spring boot application. Why?
How can I set correct permission for this exception java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")? I try to grant the permission

permission java.util.PropertyPermission "java.lang.reflect.ReflectPermission" "suppressAccessChecks";

I get an exception

java.security.policy: error parsing file:/C:/apache-tomcat-9.0.40/conf/catalina.policy:
expected [;], found [suppressAccessChecks]

How to find the route cause of the issue? Does these exceptions with tomcat security manager means is there any problem with my spring boot application?

pom.xml

<dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
            <scope>runtime</scope>
            <optional>true</optional>
        </dependency>

    
        <dependency>
            <groupId>com.oracle.ojdbc</groupId>
            <artifactId>ojdbc8</artifactId>
            <version>19.3.0.0</version>
<!--            <scope>provided</scope>-->
        </dependency>


        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>

        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-test</artifactId>
            <scope>test</scope>
        </dependency>
        
    </dependencies>

    <build>
<!--        This gives the final war file name-->

        <finalName>${project.artifactId}</finalName>

        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
                <version>3.3</version>
                <configuration>
                    <source>1.8</source>
                    <target>1.8</target>
                </configuration>
            </plugin>


            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
                <version>2.4.2</version>

                <executions>
                    <execution>
                        <id>build-info</id>
                        <goals>
                            <goal>build-info</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>

Please, don't post your questions [twice](https://stackoverflow.com/q/67006661/11748454). Editing bumps them up anyway. — Piotr P. Karwasz, Apr 11 '21 at 09:14
@PiotrP.Karwasz Ok The edited the old one, Can u suggest something about this question please — Syed Iftekharuddin, Apr 11 '21 at 09:19

score 0 · Answer 1 · edited Aug 03 '21 at 07:45

0

You can trying using permission java.lang.reflect.ReflectPermission "suppressAccessChecks";

edited Aug 03 '21 at 07:45

Dharman

30,962
25
85
135

answered Aug 03 '21 at 07:39

Madhav Chakkilala

1

Tomcat security manager asking for permissions for spring boot application

1 Answers1