Issue Type: Bug Bug
Affects Versions: 1.0.13, 1.0.12, 1.0.11
Assignee: Logback dev list
Components: logback-classic
Created: 10/Jul/13 12:21 AM
Description:

When logback does not have 

grant {
	permission java.lang.RuntimePermission "getClassLoader";
}

it will fail with an exception something like:

SEVERE: Servlet.service() for servlet springportlet Servlet threw exception
java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:393)
	at java.security.AccessController.checkPermission(AccessController.java:558)
	at com.liferay.portal.security.pacl.PortalSecurityManagerImpl.checkPermission(PortalSecurityManagerImpl.java:271)
	at java.lang.Class.getClassLoader(Class.java:613)
	at ch.qos.logback.classic.spi.PackagingDataCalculator.populateFrames(PackagingDataCalculator.java:91)
	at ch.qos.logback.classic.spi.PackagingDataCalculator.calculate(PackagingDataCalculator.java:55)
	at ch.qos.logback.classic.spi.ThrowableProxy.calculatePackagingData(ThrowableProxy.java:147)
	at ch.qos.logback.classic.spi.LoggingEvent.<init>(LoggingEvent.java:127)
	at ch.qos.logback.classic.Logger.buildLoggingEventAndAppend(Logger.java:447)
	at ch.qos.logback.classic.Logger.filterAndLog_0_Or3Plus(Logger.java:403)
	at ch.qos.logback.classic.Logger.log(Logger.java:803)
	at org.apache.commons.logging.impl.SLF4JLocationAwareLog.warn(SLF4JLocationAwareLog.java:199)
	at org.springframework.web.portlet.multipart.CommonsPortletMultipartResolver.cleanupMultipart(CommonsPortletMultipartResolver.java:185)
	at org.springframework.web.portlet.DispatcherPortlet.doActionService(DispatcherPortlet.java:671)
	at org.springframework.web.portlet.FrameworkPortlet.processRequest(FrameworkPortlet.java:519)
	at org.springframework.web.portlet.FrameworkPortlet.processAction(FrameworkPortlet.java:460)
	at com.liferay.portlet.FilterChainImpl.doFilter(FilterChainImpl.java:71)
	at com.liferay.portal.kernel.portlet.PortletFilterUtil.doFilter(PortletFilterUtil.java:48)
	at com.liferay.portal.kernel.servlet.PortletServlet.service(PortletServlet.java:112)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:73)
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:83)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:109)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:81)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:749)
	at org.apache.catalina.core.ApplicationDispatcher.doInclude(ApplicationDispatcher.java:605)
	at org.apache.catalina.core.ApplicationDispatcher.include(ApplicationDispatcher.java:544)
	at com.liferay.portlet.InvokerPortletImpl.invoke(InvokerPortletImpl.java:604)
	at com.liferay.portlet.InvokerPortletImpl.invokeAction(InvokerPortletImpl.java:649)
	at com.liferay.portlet.InvokerPortletImpl.processAction(InvokerPortletImpl.java:312)
	at com.liferay.portlet.PortletContainerImpl._doProcessAction(PortletContainerImpl.java:402)
	at com.liferay.portlet.PortletContainerImpl.processAction(PortletContainerImpl.java:110)
	at com.liferay.portlet.SecurityPortletContainerWrapper.processAction(SecurityPortletContainerWrapper.java:108)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:616)
	at com.liferay.portal.security.lang.DoPrivilegedHandler$InvokePrivilegedExceptionAction.run(DoPrivilegedHandler.java:167)
	at java.security.AccessController.doPrivileged(Native Method)
	at com.liferay.portal.security.lang.DoPrivilegedHandler.doInvoke(DoPrivilegedHandler.java:100)
	at com.liferay.portal.security.lang.DoPrivilegedHandler.invoke(DoPrivilegedHandler.java:56)
	at sun.proxy.$Proxy52.processAction(Unknown Source)
	at com.liferay.portlet.RestrictPortletContainerWrapper.processAction(RestrictPortletContainerWrapper.java:75)
	at com.liferay.portal.kernel.portlet.PortletContainerUtil.processAction(PortletContainerUtil.java:114)
	at com.liferay.portal.action.LayoutAction.processLayout(LayoutAction.java:356)
	at com.liferay.portal.action.LayoutAction.doExecute(LayoutAction.java:178)
	at com.liferay.portal.action.LayoutAction.execute(LayoutAction.java:79)
	at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
	at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
	at com.liferay.portal.struts.PortalRequestProcessor.process(PortalRequestProcessor.java:175)
	at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
	at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
	at com.liferay.portal.servlet.MainServlet.callParentService(MainServlet.java:549)
	at com.liferay.portal.servlet.MainServlet.service(MainServlet.java:526)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:73)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:117)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:117)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:117)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:117)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:117)
	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:169)
	at com.liferay.portal.servlet.filters.secure.SecureFilter.processFilter(SecureFilter.java:293)
	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:59)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:109)
	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:169)
	at com.liferay.portal.servlet.filters.jsoncontenttype.JSONContentTypeFilter.processFilter(JSONContentTypeFilter.java:42)
	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:59)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:109)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:81)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:749)
	at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:487)
	at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:412)
	at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:339)
	at com.liferay.portal.servlet.FriendlyURLServlet.service(FriendlyURLServlet.java:153)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:73)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:117)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:117)
	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:169)
	at com.liferay.portal.servlet.filters.strip.StripFilter.processFilter(StripFilter.java:358)
	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:59)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:109)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:117)
	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:169)
	at com.liferay.portal.servlet.filters.gzip.GZipFilter.processFilter(GZipFilter.java:123)
	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:59)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:109)
	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:169)
	at com.liferay.portal.servlet.filters.secure.SecureFilter.processFilter(SecureFilter.java:293)
	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:59)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:109)
	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:169)
	at com.liferay.portal.servlet.filters.i18n.I18nFilter.processFilter(I18nFilter.java:231)
	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:59)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:109)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:117)
	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:169)
	at com.liferay.portal.servlet.filters.etag.ETagFilter.processFilter(ETagFilter.java:67)
	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:59)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:109)
	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:169)
	at com.liferay.portal.servlet.filters.jsoncontenttype.JSONContentTypeFilter.processFilter(JSONContentTypeFilter.java:42)
	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:59)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:109)
	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:169)
	at com.liferay.portal.servlet.filters.autologin.AutoLoginFilter.processFilter(AutoLoginFilter.java:240)
	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:59)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:109)
	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:169)
	at com.liferay.portal.servlet.filters.sso.ntlm.NtlmPostFilter.processFilter(NtlmPostFilter.java:83)
	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:59)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:109)
	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:169)
	at com.liferay.portal.sharepoint.SharepointFilter.processFilter(SharepointFilter.java:88)
	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:59)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:109)
	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:169)
	at com.liferay.portal.servlet.filters.virtualhost.VirtualHostFilter.processFilter(VirtualHostFilter.java:193)
	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:59)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:109)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:117)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:117)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:117)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:117)
	at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:738)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:207)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:109)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:168)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:117)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:168)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:117)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:188)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:96)
	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:81)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1008)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1146)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:679)

Ideally, it should fail gracefully and not completely blow up. This type of behavior prevents a system admin from being able to control the security configuration of applications due to libraries which think they can just do whatever they want. Loggers are by far one of the most problematic violators.

Note the warning about the required permission: http://docs.oracle.com/javase/6/docs/api/java/lang/RuntimePermission.html

This would grant an attacker permission to get the class loader for a particular class. This is dangerous because having access to a class's class loader allows the attacker to load other classes available to that class loader. The attacker would typically otherwise not have access to those classes.

Any application that embeds logback currently has to be granted this permission.
Environment:

Any with java security enabled
Project: logback
Priority: Major Major
Reporter: Raymond Auge
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira