Java agent v1.25.0 fails to start with Security Manager running on Tomcat 9.x
See original GitHub issueThe Java agent v1.25.0 fails to start when integrated Tomcat 9.x with Security Manager enabled. Have tested it with both Java 8 and Java 11. Fails with the following error -
[main] INFO co.elastic.apm.agent.configuration.StartupInfo - Starting Elastic APM 1.25.0 as my-cool-service on Java 11.0.11 Runtime version: 11.0.11+9-Ubuntu-0ubuntu2.18.04 VM version: 11.0.11+9-Ubuntu-0ubuntu2.18.04 (Ubuntu) Linux 5.4.0-80-generic 2021-08-12 18:55:24,297
[main] INFO co.elastic.apm.agent.configuration.StartupInfo - service_name: 'my-cool-service' (source: Java System Properties) 2021-08-12 18:55:24,297
[main] INFO co.elastic.apm.agent.configuration.StartupInfo - application_packages: 'mypackage' (source: Java System Properties)
[elastic-apm-agent] ERROR Failed to start agent java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at co.elastic.apm.agent.premain.AgentMain.loadAndInitializeAgent(AgentMain.java:149)
at co.elastic.apm.agent.premain.AgentMain.init(AgentMain.java:94)
at co.elastic.apm.agent.premain.AgentMain.premain(AgentMain.java:50)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at java.instrument/sun.instrument.InstrumentationImpl.loadClassAndStartAgent(InstrumentationImpl.java:513)
at java.instrument/sun.instrument.InstrumentationImpl.loadClassAndCallPremain(InstrumentationImpl.java:525)
Caused by: java.lang.RuntimeException: java.lang.UnsupportedOperationException: Could not access Unsafe class: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
at co.elastic.apm.agent.bci.IndyBootstrap.getIndyBootstrapMethod(IndyBootstrap.java:215)
at co.elastic.apm.agent.bci.ElasticApmAgent.getTransformer(ElasticApmAgent.java:431)
at co.elastic.apm.agent.bci.ElasticApmAgent.applyAdvice(ElasticApmAgent.java:393)
at co.elastic.apm.agent.bci.ElasticApmAgent.initAgentBuilder(ElasticApmAgent.java:314)
at co.elastic.apm.agent.bci.ElasticApmAgent.initInstrumentation(ElasticApmAgent.java:260)
at co.elastic.apm.agent.bci.ElasticApmAgent.initInstrumentation(ElasticApmAgent.java:164)
at co.elastic.apm.agent.bci.ElasticApmAgent.initialize(ElasticApmAgent.java:150)
... 13 more
Caused by: java.lang.UnsupportedOperationException: Could not access Unsafe class: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
at co.elastic.apm.agent.shaded.bytebuddy.dynamic.loading.ClassInjector$UsingUnsafe$Dispatcher$Unavailable.defineClass(ClassInjector.java:2068)
at co.elastic.apm.agent.shaded.bytebuddy.dynamic.loading.ClassInjector$UsingUnsafe.injectRaw(ClassInjector.java:1802)
at co.elastic.apm.agent.bci.IndyBootstrap.initIndyBootstrap(IndyBootstrap.java:228)
at co.elastic.apm.agent.bci.IndyBootstrap.getIndyBootstrapMethod(IndyBootstrap.java:209)
... 19 more
Have added the following permissions in catalina.policy but it still fails
grant codeBase "file:/opt/tomcat9/apm/elastic-apm-agent-1.25.0.jar" {
permission java.security.AllPermission;
};
The issue seems to be introduced as part of changes for elastic/apm-agent-java#1415 Downgrading to version 1.18.1 works around issue.
Issue Analytics
- State:
- Created 2 years ago
- Comments:6 (5 by maintainers)
Top Results From Across the Web
NoClassDefFound with Tomcat + Security Manager #2520
Any updates on this? I have hit the same issue (NoClassDefFound) running agent 1.34.1 with Tomcat 9.0.65. My catalina.out is polluted with ...
Read more >Apache Tomcat 9 (9.0.70) - Security Manager How-To
java.security.AllPermission - Allows access to all permissions, just as if you were running Tomcat without a SecurityManager. Configuring Tomcat ...
Read more >9.1 Starting Tomcat with Security Manager | Tenable®
Configure applications to run in a sandbox using the Security Manager. The Security Manager restricts what classes Tomcat can access thus protecting your...
Read more >Tomcat 9.0 with security manager reports access denied on ...
The security settings in catalina policy has no impact on the code whatsoever; ... We resolved this issue by changing the Connector in...
Read more >Finding applications that use Log4J - runZero
runZero can help you build an up-to-date asset inventory and search for assets that may be affected by Log4J vulnerabilities, such as Log4shell....
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
The issue seems to be resolved on the snapshot version (elastic-apm-agent-1.25.1-20210816.094409-25.jar). Tried it on Java 11.
Closing issue for new, feel free to re-open/comment if needed.