Apache 6 CGI Security Exception

usman shaikh
Greenhorn

Joined: May 14, 2008
Posts: 4

Hi ranchers

I'm trying to get CGI working with Tomcat 6 but keep getting this problem when I try to start up Tomcat.

java.lang.SecurityException: Servlet of class org.apache.catalina.servlets.CGIServlet is privileged and cannot be loaded by this web application
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1134)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:981)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4058)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4364)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:525)
at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:924)
at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:887)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:492)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1147)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
at org.apache.catalina.core.StandardService.start(StandardService.java:516)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:578)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)


I can get rid of this exception by changing the context.xml to

<Context reloadable="true" privileged="true">

After reading the FAQ I found out the invoker is EVIL. Is there any way to get cgi working without adding the above?

Also is the invoker really enabled by adding the above? In my web.xml file the invoker servlet and mapping is still commented out. Is this ok?

Appreciate any help

Thanks
Usman

Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42289
    
Welcome to JavaRanch.

Making a web app privileged has nothing to do with the invoker (which, by the way, isn't nearly as evil as using CGI in a Java web app :-)


usman shaikh
Greenhorn

Joined: May 14, 2008
Posts: 4

Hi, thanks for the welcome and reply

Is making an application privileged considered a security flaw? This application needs to be used in a real (non-test) environment, so I need to make sure there are no security flaws.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 42289
    
I wouldn't consider it a security flaw if the complete JVM is under your control. If this was a shared environment I'd avoid making apps privileged, though (if it's even allowed).
Ben Souther
Sheriff

Joined: Dec 11, 2004
Posts: 13410

Originally posted by Ulf Dittmer:

Making a web app privileged has nothing to do with the invoker (which, by the way, isn't nearly as evil as using CGI in a Java web app :-)


That is true but the inverse is not.
Starting in version 6, a web app needs to be privileged in order for the invoker servlet to work.

One more reason not to use it.


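An added example, not part of the original thread or of Tomcat: a Python check that reads an application's context.xml and web.xml and reports which container servlets are really declared and whether the context is privileged. The XML parser discards comments, so a commented-out invoker servlet like the one described in the question is not counted. The sample files are constructed, and the InvokerServlet class name is Tomcat's own rather than something quoted in the thread.

```python
import xml.etree.ElementTree as ET

# Container servlets that Tomcat 6 loads only for a privileged context.
CONTAINER_SERVLETS = {
    "org.apache.catalina.servlets.CGIServlet",
    "org.apache.catalina.servlets.InvokerServlet",
}

# Constructed samples mirroring the thread: CGI declared, invoker commented out.
SAMPLE_CONTEXT = '<Context reloadable="true" privileged="true"/>'
SAMPLE_WEB = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <!--
  <servlet>
    <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
  </servlet>
  -->
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
  </servlet>
</web-app>"""

def local(tag):
    """Drop the XML namespace so web.xml matches with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def is_privileged(context_xml):
    """True when the <Context> root element carries privileged="true"."""
    root = ET.fromstring(context_xml)
    return local(root.tag) == "Context" and root.get("privileged", "").lower() == "true"

def active_container_servlets(web_xml):
    """Container servlet classes declared outside XML comments."""
    classes = set()
    for el in ET.fromstring(web_xml).iter():
        name = (el.text or "").strip()
        if local(el.tag) == "servlet-class" and name in CONTAINER_SERVLETS:
            classes.add(name)
    return classes

def audit(context_xml, web_xml):
    """Findings for one application's context.xml and web.xml pair."""
    privileged = is_privileged(context_xml)
    servlets = sorted(active_container_servlets(web_xml))
    state = "loads" if privileged else "fails with SecurityException"
    findings = [f"{cls}: {state}" for cls in servlets]
    if privileged and not servlets:
        findings.append('privileged="true" set but no container servlet declared')
    return findings
```

Run `audit()` over each deployed application's pair of files; a privileged context with no container servlet declared is a candidate for dropping the attribute.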