hudson won’t work with tomcat security manager enabled

13 03 2009

I tried installing Hudson by copying the war to the webapps folder on Ubuntu (what a mess it makes of a Tomcat install. You should NOT, repeat NOT, use apt-get to install Tomcat, among many other things.)

It throws out this cryptic error message:

HTTP Status 500 -


type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: Could not initialize class org.apache.commons.discovery.resource.names.DiscoverServiceNames
	org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:294)
	org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:162)
	org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:115)
	org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
	org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
	org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
	org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
	org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
	org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
	org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
	org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
	java.lang.Thread.run(Thread.java:636)

root cause

java.lang.NoClassDefFoundError: Could not initialize class org.apache.commons.discovery.resource.names.DiscoverServiceNames
	org.kohsuke.stapler.Facet.discover(Facet.java:35)
	org.kohsuke.stapler.WebApp.<init>(WebApp.java:73)
	org.kohsuke.stapler.WebApp.get(WebApp.java:31)
	org.kohsuke.stapler.Stapler.init(Stapler.java:68)
	sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	java.lang.reflect.Method.invoke(Method.java:616)
	org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:244)
	java.security.AccessController.doPrivileged(Native Method)
	javax.security.auth.Subject.doAsPrivileged(Subject.java:537)
	org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:276)
	org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:162)
	org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:115)
	org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
	org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
	org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
	org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
	org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
	org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
	org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
	org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
	java.lang.Thread.run(Thread.java:636)

note The full stack trace of the root cause is available in the Apache Tomcat/5.5 logs.


Apache Tomcat/5.5

Thankfully, a quick Google search turned up this blog post.

http://testinfected.blogspot.com/2009/01/hudson-gets-accesscontrolexception-when.html

Hudson won’t work with Tomcat Security Manager enabled, but frankly, I can’t think of a realistic scenario where the security manager would do any good.  Does anyone allow cross-site servlet authoring?

“Here, enter some Java code in this text box and we’ll compile and run it for you” or “Click here to upload your war and I’ll deploy it.”

Does Tomcat really allow this behavior by default? (I guess I could see a place where it might be useful, such as appliances with embedded Tomcat to push updates.)





workaround for bug in trac that wants to write to PYTHON_EGG_CACHE

12 03 2009

I upgraded Trac on a qa-site the other day, but then found I was getting “500 internal server error” about every other post.

Investigating revealed a log barf disguised as a stack trace, the final line of which was:

[Thu Mar 12 14:47:23 2009] [error] [client 24.16.139.248] PythonHandler trac.web.modpython_frontend: ExtractionError: Can’t extract file(s) to egg cache\n\nThe following error occurred while trying to extract file(s) to the Python egg\ncache:\n\n  [Errno 13] Permission denied: ‘/www/sites/fluffy/trac/.egg-cache’\n\nThe Python egg cache directory is currently set to:\n\n  /www/sites/fluffy/trac/.egg-cache\n\nPerhaps your account does not have write access to this directory?  You can\nchange the cache directory by setting the PYTHON_EGG_CACHE environment\nvariable to point to an accessible directory.\n, referer: http://fluffy.qa-site.com/trac/wiki/BuildFlexSdk?action=edit

I tried a simple solution, by creating the directory .egg-cache and giving Apache write access. But that’s no good.

Alternatively, you can change where the PYTHON_EGG_CACHE environment variable points.

You can do this with CGI. A somewhat better fix is to add the following line to your httpd.conf:

SetEnv PYTHON_EGG_CACHE /tmp

Luckily, a lot of other people have seen this problem, and some of them even know a bit about mod_python.

A helpful Google search turned up a Trac mailing list post that gave me the hint I needed.

Thanks to Django’s funky setup, a lot of people have discovered that mod_python doesn’t take SetEnv.  I don’t know if this is a bug or a design flaw (perhaps with some justification).

Anyway, here’s the hack for mod_python users: instead of SetEnv, use PythonOption:

PythonOption PYTHON_EGG_CACHE /tmp
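
An added example, not part of the original post: /tmp is world-writable, so a dedicated cache directory owned by the Apache user is the tighter choice for PYTHON_EGG_CACHE. The Python below creates such a directory with mode 0700 and reports why a candidate path is unsuitable; the function names and demo paths are assumptions made for illustration.

```python
import os
import stat
import tempfile


def egg_cache_problems(path, expected_uid=None):
    """Return the reasons `path` is unsuitable as PYTHON_EGG_CACHE.

    An empty list means: a real directory, owned by the expected user,
    and not writable by group or others.
    """
    if expected_uid is None:
        expected_uid = os.geteuid()
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted at `path`
    except OSError as exc:
        return ["cannot stat: %s" % exc.strerror]
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]

    problems = []
    if st.st_uid != expected_uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, expected_uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others (mode %o)"
                        % stat.S_IMODE(st.st_mode))
    if expected_uid == os.geteuid() and not os.access(path, os.W_OK | os.X_OK):
        problems.append("not writable by the current user")
    return problems


def make_private_cache(parent):
    """Create <parent>/egg-cache with mode 0700 and return its path."""
    path = os.path.join(parent, "egg-cache")
    os.mkdir(path, 0o700)
    os.chmod(path, 0o700)  # mkdir's mode is filtered by umask; set it explicitly
    return path


if __name__ == "__main__":
    # Constructed demo: a throwaway parent directory stands in for the site root.
    with tempfile.TemporaryDirectory() as parent:
        good = make_private_cache(parent)
        print(good, egg_cache_problems(good))
    # A shared temp directory is flagged for its group/other write bits.
    print("/tmp", egg_cache_problems("/tmp"))
```

Run it as the account Apache runs under, or pass that account's uid as `expected_uid`, and point PythonOption PYTHON_EGG_CACHE at a directory that comes back with an empty list.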





MissionControl

4 03 2009

Here’s an app under development that looks similar to my “QA Site” idea.

http://missioncontrolapp.com/