I'm trying to apply a DOD STIG fix for Java Security Manager. The fix requires me to modify the /etc/systemd/system/tomcat.service file and set the "ExecStart" parameter to read:
    ExecStart=/opt/tomcat/bin/startup.sh -security
After I applied this fix, tomcat would fail to start. Has anyone else experienced this issue?
I added -security to the end of ExecStart=/opt/tomcat/bin/startup.sh. After saving/exiting the tomcat.service file, I applied the systemctl daemon-reload command. I'm expecting tomcat to run as expected but it fails to start after a while.
When I restarted tomcat, catalina.out showed the following:
    19-Oct-2023 14:16:26.412 SEVERE [acop-startStop-1] org.apache.catalina.core.ContainerBase.startInternal A child container failed during start
    java.util.concurrent.ExecutionException: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[a2].StandardHost[localhost].StandardContext[/a2]]
        at java.util.concurrent.FutureTask.report(FutureTask.java:122)
        at java.util.concurrent.FutureTask.get(FutureTask.java:192)
        at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:892)
        at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:793)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1362)
        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1352)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:750)
    Caused by: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[a2].StandardHost[localhost].StandardContext[/a2]]
        at org.apache.catalina.util.LifecycleBase.handleSubClassException(LifecycleBase.java:440)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:198)
        ... 6 more
    Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.catalina.connector")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.security.AccessController.checkPermission(AccessController.java:886)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1564)
        at java.lang.ClassLoader$1.run(ClassLoader.java:496)
        at java.lang.ClassLoader$1.run(ClassLoader.java:494)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.lang.ClassLoader.checkPackageAccess(ClassLoader.java:494)
        at java.lang.Class.getDeclaredFields0(Native Method)
        at java.lang.Class.privateGetDeclaredFields(Class.java:2583)
        at java.lang.Class.getDeclaredFields(Class.java:1916)
        at org.apache.catalina.util.Introspection$1.run(Introspection.java:106)
        at org.apache.catalina.util.Introspection$1.run(Introspection.java:103)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.util.Introspection.getDeclaredFields(Introspection.java:102)
        at org.apache.catalina.startup.WebAnnotationSet.loadFieldsAnnotation(WebAnnotationSet.java:269)
        at org.apache.catalina.startup.WebAnnotationSet.loadApplicationServletAnnotations(WebAnnotationSet.java:137)
        at org.apache.catalina.startup.WebAnnotationSet.loadApplicationAnnotations(WebAnnotationSet.java:69)
        at org.apache.catalina.startup.ContextConfig.applicationAnnotationsConfig(ContextConfig.java:329)
You may need to modify your conf/catalina.policy and include some additional permissions, such as:
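As an added example (not part of the question or of the answer above), here is a small POSIX shell helper that turns the Security Manager's "access denied" line from catalina.out into the matching catalina.policy grant. The sample log line is constructed from the AccessControlException in the question's trace; the webapp directory `webapps/a2` is an assumption derived from the `/a2` context path and must be checked against the app's real docBase before the grant is used.

```shell
#!/usr/bin/env sh
# Added example (not from the question or the answer): turn Security Manager
# "access denied" lines from catalina.out into catalina.policy entries scoped
# to one webapp's codeBase. Paths and the webapp name are assumptions.
set -eu

# Constructed sample: the AccessControlException line from the trace in the question.
SAMPLE_LOG='Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.catalina.connector")'

# Read log text on stdin; print one policy "permission" line per distinct denial.
# Handles both forms the Security Manager emits:
#   access denied ("<class>" "<target>")             -> permission <class> "<target>";
#   access denied ("<class>" "<target>" "<actions>") -> permission <class> "<target>", "<actions>";
denied_to_permission_lines() {
    sed -n \
        -e 's/.*access denied ("\([^"]*\)" "\([^"]*\)" "\([^"]*\)").*/permission \1 "\2", "\3";/p' \
        -e 't' \
        -e 's/.*access denied ("\([^"]*\)" "\([^"]*\)").*/permission \1 "\2";/p' \
    | sort -u
}

# Read permission lines on stdin; wrap them in a grant block for the webapp
# deployed under ${catalina.base}/webapps/<name> (the "/a2" context path in the
# trace suggests "a2"; verify against the app's actual docBase).
make_grant_block() {
    app="$1"
    printf 'grant codeBase "file:${catalina.base}/webapps/%s/-" {\n' "$app"
    sed 's/^/    /'
    printf '};\n'
}

# Generate the block to append to conf/catalina.policy, then restart Tomcat
# and repeat with any further denials that appear in catalina.out.
printf '%s\n' "$SAMPLE_LOG" | denied_to_permission_lines | make_grant_block a2
```

The generated grant adds only the single RuntimePermission the trace names, scoped to one codeBase; a blanket grant to `webapps/-` would undo the isolation the STIG control is asking for. Also weigh the permission itself: `accessClassInPackage.org.apache.catalina.connector` lets the webapp load Tomcat's own connector classes, which is exactly what the `package.access` list in conf/catalina.properties is meant to prevent, so first find out why the application's annotated fields (the `WebAnnotationSet.loadFieldsAnnotation` frame in the trace) reference that package before granting it.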