
Apache 6 CGI Security Exception

usman shaikh

Joined: May 14, 2008
Posts: 4

Hi ranchers

I'm trying to get CGI working with Tomcat 6 but keep getting this problem when I try to start up Tomcat.

java.lang.SecurityException: Servlet of class org.apache.catalina.servlets.CGIServlet is privileged and cannot be loaded by this web application
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1134)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:981)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4058)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4364)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:525)
at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:924)
at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:887)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:492)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1147)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
at org.apache.catalina.core.StandardService.start(StandardService.java:516)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:578)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)

I can get rid of this exception by changing the context.xml to

<Context reloadable="true" privileged="true">

After reading the FAQ I found out the invoker is EVIL. Is there any way to get cgi working without adding the above?

Also is the invoker really enabled by adding the above? In my web.xml file the invoker servlet and mapping is still commented out. Is this ok?

Appreciate any help

[ May 14, 2008: Message edited by: usman shaikh ]

Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42965
Welcome to JavaRanch.

Making a web app privileged has nothing to do with the invoker (which, by the way, isn't nearly as evil as using CGI in a Java web app :-)
usman shaikh

Joined: May 14, 2008
Posts: 4

Hi, thanks for the welcome and reply

Is making an application privileged considered a security flaw? This application needs to be used in a real (non-test) environment so I need to make sure there are no security flaws?
Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42965
I wouldn't consider it a security flaw if the complete JVM is under your control. If this was a shared environment I'd avoid making apps privileged, though (if it's even allowed).
Ben Souther

Joined: Dec 11, 2004
Posts: 13410

Originally posted by Ulf Dittmer:

Making a web app privileged has nothing to do with the invoker (which, by the way, isn't nearly as evil as using CGI in a Java web app :-)

That is true but the inverse is not.
Starting in version 6, a web app needs to be privileged in order for the invoker servlet to work.

One more reason not to use it.
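
Added example (not part of the original thread and not Tomcat's own code): a small Python check for the two questions raised above, namely whether a context is marked privileged and whether the CGI or invoker servlet is actually active in web.xml rather than commented out. The function names are hypothetical, and the sample context.xml and web.xml strings are constructed to mirror the configuration described in the thread.

```python
import xml.etree.ElementTree as ET

# Container servlets that, per this thread, Tomcat 6 only loads when the
# web application's context is privileged.
PRIVILEGED_SERVLETS = {"org.apache.catalina.servlets.CGIServlet",
                       "org.apache.catalina.servlets.InvokerServlet"}

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an XML namespace prefix, if any

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def is_privileged(context_xml):
    """True if the <Context> root element sets privileged="true"."""
    root = ET.fromstring(context_xml)
    return _local(root.tag) == "Context" and root.get("privileged", "").strip().lower() == "true"

def active_privileged_servlets(web_xml):
    """Map servlet-name -> (class, [url-patterns]) for live declarations.
    ElementTree discards XML comments, so commented-out entries are skipped."""
    root = ET.fromstring(web_xml)
    found = {}
    for elem in root:
        cls = _child_text(elem, "servlet-class")
        if _local(elem.tag) == "servlet" and cls in PRIVILEGED_SERVLETS:
            found[_child_text(elem, "servlet-name")] = (cls, [])
    for elem in root:
        name = _child_text(elem, "servlet-name")
        if _local(elem.tag) == "servlet-mapping" and name in found:
            found[name][1].append(_child_text(elem, "url-pattern"))
    return found

# Constructed sample input: invoker commented out, CGI servlet enabled.
SAMPLE_CONTEXT = '<Context reloadable="true" privileged="true"></Context>'
SAMPLE_WEB = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <!-- <servlet><servlet-name>invoker</servlet-name>
       <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class></servlet> -->
  <servlet><servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>cgi</servlet-name>
    <url-pattern>/cgi-bin/*</url-pattern></servlet-mapping>
</web-app>"""

if __name__ == "__main__":
    print(is_privileged(SAMPLE_CONTEXT), active_privileged_servlets(SAMPLE_WEB))
```

On the sample input this reports a privileged context with only the CGI servlet active; the commented-out invoker declaration does not appear in the result.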
