
Apache 6 CGI Security Exception

 
usman shaikh
Greenhorn
Posts: 4
Eclipse IDE Java Python
Hi ranchers

I'm trying to get CGI working with Tomcat 6 but keep getting this problem when I try to start up Tomcat.

java.lang.SecurityException: Servlet of class org.apache.catalina.servlets.CGIServlet is privileged and cannot be loaded by this web application
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1134)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:981)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4058)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4364)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:525)
at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:924)
at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:887)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:492)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1147)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
at org.apache.catalina.core.StandardService.start(StandardService.java:516)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:578)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)


I can get rid of this exception by changing the context.xml to

<Context reloadable="true" privileged="true">

After reading the FAQ I found out the invoker is EVIL. Is there any way to get cgi working without adding the above?

Also is the invoker really enabled by adding the above? In my web.xml file the invoker servlet and mapping is still commented out. Is this ok?

Appreciate any help

Thanks
Usman
[ May 14, 2008: Message edited by: usman shaikh ]
 
Ulf Dittmer
Rancher
Posts: 42967
73
Welcome to JavaRanch.

Making a web app privileged has nothing to do with the invoker (which, by the way, isn't nearly as evil as using CGI in a Java web app :-)
 
usman shaikh
Greenhorn
Posts: 4
Eclipse IDE Java Python
Hi, thanks for the welcome and reply

Is making an application privileged considered a security flaw? This application needs to be used in a real (non-test) environment so I need to make sure there are no security flaws.
 
Ulf Dittmer
Rancher
Posts: 42967
73
I wouldn't consider it a security flaw if the complete JVM is under your control. If this was a shared environment I'd avoid making apps privileged, though (if it's even allowed).
 
Ben Souther
Sheriff
Posts: 13411
Firefox Browser Redhat VI Editor
Originally posted by Ulf Dittmer:

Making a web app privileged has nothing to do with the invoker (which, by the way, isn't nearly as evil as using CGI in a Java web app :-)


That is true but the inverse is not.
Starting in version 6, a web app needs to be privileged in order for the invoker servlet to work.

One more reason not to use it.
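
The following is an added example, not part of the original thread or of Tomcat itself: a small audit that relates the `privileged` flag discussed above to the container servlets that actually require it, and shows that a commented-out invoker declaration does not count as enabled. The sample descriptors are constructed, and the function names (`is_privileged`, `active_container_servlets`, `audit`) are hypothetical.

```python
import xml.etree.ElementTree as ET

# Container servlets named in the thread; Tomcat 6 loads them only in a privileged context.
CONTAINER_SERVLETS = {
    "org.apache.catalina.servlets.CGIServlet",
    "org.apache.catalina.servlets.InvokerServlet",
}

# Constructed sample input: a context descriptor like the one in the question and a
# web.xml with CGI active and the invoker still commented out.
SAMPLE_CONTEXT = '<Context reloadable="true" privileged="true"/>'
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
  </servlet>
  <!-- <servlet>
    <servlet-name>invoker</servlet-name>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet> -->
</web-app>"""

def is_privileged(context_xml):
    """True when the <Context> root element carries privileged="true"."""
    root = ET.fromstring(context_xml)
    return root.tag == "Context" and root.get("privileged", "false").lower() == "true"

def active_container_servlets(web_xml):
    """Container servlet classes declared in web.xml; XML comments are dropped by the parser."""
    found = []
    for elem in ET.fromstring(web_xml).iter():
        name = elem.tag.rsplit("}", 1)[-1]  # ignore the descriptor's XML namespace
        if name == "servlet-class" and (elem.text or "").strip() in CONTAINER_SERVLETS:
            found.append(elem.text.strip())
    return found

def audit(context_xml, web_xml):
    """Return findings that relate the privileged flag to the servlets that need it."""
    privileged, servlets = is_privileged(context_xml), active_container_servlets(web_xml)
    if privileged and not servlets:
        return ["context is privileged but no container servlet is active: remove privileged"]
    if servlets and not privileged:
        return [f"{s} will fail to load with SecurityException" for s in servlets]
    return [f"{s} is active in a privileged context" for s in servlets]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONTEXT, SAMPLE_WEB_XML):
        print(finding)
```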
 