Running SampleTomcatApplication fails for me with the following exception:

java.util.concurrent.ExecutionException: org.apache.catalina.LifecycleException: A child container failed during start
    at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122) ~[na:na]
    at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191) ~[na:na]
    at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:756) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:203) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.core.StandardService.startInternal(StandardService.java:415) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:870) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.startup.Tomcat.start(Tomcat.java:437) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.initialize(TomcatWebServer.java:128) ~[main/:na]
    at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.<init>(TomcatWebServer.java:107) ~[main/:na]
    at org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory.getTomcatWebServer(TomcatServletWebServerFactory.java:516) ~[main/:na]
    at org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory.getWebServer(TomcatServletWebServerFactory.java:222) ~[main/:na]
    at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.createWebServer(ServletWebServerApplicationContext.java:193) ~[main/:na]
    at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.onRefresh(ServletWebServerApplicationContext.java:167) ~[main/:na]
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:621) ~[spring-context-6.2.3.jar:6.2.3]
    at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:146) ~[main/:na]
    at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:752) ~[main/:na]
    at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:439) ~[main/:na]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:318) ~[main/:na]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1361) ~[main/:na]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1350) ~[main/:na]
    at smoketest.tomcat.SampleTomcatApplication.main(SampleTomcatApplication.java:51) ~[main/:na]
Caused by: org.apache.catalina.LifecycleException: A child container failed during start
    at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:768) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:772) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1203) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1193) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[na:na]
    at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:145) ~[na:na]
    at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:749) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    ... 21 common frames omitted
Caused by: java.util.concurrent.ExecutionException: org.apache.catalina.LifecycleException: Failed to initialize component [org.apache.catalina.webresources.DirResourceSet@5d58c727]
    at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122) ~[na:na]
    at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191) ~[na:na]
    at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:756) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    ... 29 common frames omitted
Caused by: org.apache.catalina.LifecycleException: Failed to initialize component [org.apache.catalina.webresources.DirResourceSet@5d58c727]
    at org.apache.catalina.util.LifecycleBase.handleSubClassException(LifecycleBase.java:406) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:125) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:155) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.webresources.StandardRoot.startInternal(StandardRoot.java:726) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.core.StandardContext.resourcesStart(StandardContext.java:4162) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:4284) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1203) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1193) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[na:na]
    at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:145) ~[na:na]
    at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:749) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    ... 29 common frames omitted
Caused by: java.lang.IllegalStateException: Unable to disable the global canonical file name cache or confirm that it is disabled when starting the WebResourceSet at [/var/folders/q9/d8h90v6965b8z19fm4_5pnw80000gn/T/tomcat-docbase.8080.15696593139772065661] which is part of the web application []. The WebResourceSet may be exposed to CVE-2024-56337.
    at org.apache.catalina.webresources.DirResourceSet.initInternal(DirResourceSet.java:364) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    ... 41 common frames omitted

2025-02-18T12:03:09.582-08:00  INFO 45424 --- [           main] o.apache.catalina.core.StandardService   : Stopping service [Tomcat]
2025-02-18T12:03:09.584-08:00  WARN 45424 --- [           main] ConfigServletWebServerApplicationContext : Exception encountered during context initialization - cancelling refresh attempt: org.springframework.context.ApplicationContextException: Unable to start web server
2025-02-18T12:03:09.589-08:00  INFO 45424 --- [           main] .s.b.a.l.ConditionEvaluationReportLogger : 

Error starting ApplicationContext. To display the condition evaluation report re-run your application with 'debug' enabled.
2025-02-18T12:03:09.601-08:00 ERROR 45424 --- [           main] o.s.boot.SpringApplication               : Application run failed

org.springframework.context.ApplicationContextException: Unable to start web server
    at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.onRefresh(ServletWebServerApplicationContext.java:170) ~[main/:na]
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:621) ~[spring-context-6.2.3.jar:6.2.3]
    at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:146) ~[main/:na]
    at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:752) ~[main/:na]
    at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:439) ~[main/:na]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:318) ~[main/:na]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1361) ~[main/:na]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1350) ~[main/:na]
    at smoketest.tomcat.SampleTomcatApplication.main(SampleTomcatApplication.java:51) ~[main/:na]
Caused by: org.springframework.boot.web.server.WebServerException: Unable to start embedded Tomcat
    at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.initialize(TomcatWebServer.java:147) ~[main/:na]
    at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.<init>(TomcatWebServer.java:107) ~[main/:na]
    at org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory.getTomcatWebServer(TomcatServletWebServerFactory.java:516) ~[main/:na]
    at org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory.getWebServer(TomcatServletWebServerFactory.java:222) ~[main/:na]
    at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.createWebServer(ServletWebServerApplicationContext.java:193) ~[main/:na]
    at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.onRefresh(ServletWebServerApplicationContext.java:167) ~[main/:na]
    ... 8 common frames omitted
Caused by: org.apache.catalina.LifecycleException: A child container failed during start
    at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:768) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:203) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.core.StandardService.startInternal(StandardService.java:415) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:870) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.startup.Tomcat.start(Tomcat.java:437) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.initialize(TomcatWebServer.java:128) ~[main/:na]
    ... 13 common frames omitted
Caused by: java.util.concurrent.ExecutionException: org.apache.catalina.LifecycleException: A child container failed during start
    at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122) ~[na:na]
    at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191) ~[na:na]
    at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:756) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    ... 21 common frames omitted
Caused by: org.apache.catalina.LifecycleException: A child container failed during start
    at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:768) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:772) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1203) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1193) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[na:na]
    at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:145) ~[na:na]
    at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:749) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    ... 21 common frames omitted
Caused by: java.util.concurrent.ExecutionException: org.apache.catalina.LifecycleException: Failed to initialize component [org.apache.catalina.webresources.DirResourceSet@5d58c727]
    at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122) ~[na:na]
    at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191) ~[na:na]
    at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:756) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    ... 29 common frames omitted
Caused by: org.apache.catalina.LifecycleException: Failed to initialize component [org.apache.catalina.webresources.DirResourceSet@5d58c727]
    at org.apache.catalina.util.LifecycleBase.handleSubClassException(LifecycleBase.java:406) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:125) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:155) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.webresources.StandardRoot.startInternal(StandardRoot.java:726) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.core.StandardContext.resourcesStart(StandardContext.java:4162) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:4284) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1203) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1193) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[na:na]
    at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:145) ~[na:na]
    at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:749) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    ... 29 common frames omitted
Caused by: java.lang.IllegalStateException: Unable to disable the global canonical file name cache or confirm that it is disabled when starting the WebResourceSet at [/var/folders/q9/d8h90v6965b8z19fm4_5pnw80000gn/T/tomcat-docbase.8080.15696593139772065661] which is part of the web application []. The WebResourceSet may be exposed to CVE-2024-56337.
    at org.apache.catalina.webresources.DirResourceSet.initInternal(DirResourceSet.java:364) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122) ~[tomcat-embed-core-10.1.36.jar:10.1.36]
    ... 41 common frames omitted

I also see similar failures from :spring-boot-project:spring-boot-docs:runLoggingFormatExample.

Comment From: philwebb

It looks like there are a few things happening. Firstly, the DirResourceSet.isCaseSensitive() method always returns false, even on a Mac. This appears to be because calling upper.getCanonicalPath() returns the lowercase name so true is never returned.

The second problem is that JreCompat uses reflection to check FileSystem.useCanonCaches. On Java 17 an InaccessibleObjectException is thrown, so this method isn't available, which would explain why Tomcat can neither disable the cache nor confirm that it is disabled.

Comment From: ftreede

I also ran into this issue. Seems like tomcat can set the readonly flag on multiple levels; for the DefaultServlet it defaults to true but for DirResourceSet it defaults to false, and DirResourceSet is the class where the check is performed.

It's possible to work around this by setting the resource root to readonly too:

/**
 * Workaround from this thread: flags the Tomcat context's resource root as read-only.
 * <p>
 * Tomcat's {@code DirResourceSet.initInternal()} returns early from its CVE-2024-56337 check when
 * {@code isReadOnly()} is true. NOTE(review): this snippet sets the flag on the root, not on an
 * individual resource set; that the root passes it down is presumed from the reported result -
 * confirm against the Tomcat version in use. A read-only root presumably also rejects writes made
 * through the web resources, so verify that the application does not depend on them.
 *
 * @return a customizer that creates a {@code StandardRoot} when the context has no resources yet
 *         and then calls {@code setReadOnly(true)} on the context's resources
 */
@Bean
TomcatContextCustomizer readOnlyTomcatContextCustomizer() {
    return (tomcatContext) -> {
        // The customizer may run before any resource root exists; create one so there is
        // something to flag.
        boolean rootPresent = tomcatContext.getResources() != null;
        if (!rootPresent) {
            tomcatContext.setResources(new StandardRoot());
        }
        // Re-read the root from the context rather than holding on to the instance created above.
        tomcatContext.getResources().setReadOnly(true);
    };
}

However, there are still issues, because a similar attempt is also triggered by org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory.StaticResourceConfigurer. In that case it happens if the classpath contains folders with meta-inf/resources. It doesn't crash the server, though, because the exception ends up being swallowed by a broad, empty catch block, so that failure is silent: https://github.com/spring-projects/spring-boot/blob/7db43b5774d8636209c4862b612978726ad13692/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/TomcatServletWebServerFactory.java#L861-L863

Comment From: wilkinsona

Superseded by #44331.

Comment From: mycad

I also get the CVE-2024-56337 error message:

Caused by: java.lang.IllegalStateException: Unable to disable the global canonical file name cache or confirm that it is disabled when starting the WebResourceSet at [C:\Users\ADMINI~1\AppData\Local\Temp\tomcat-docbase.8080.6017016405716347101] which is part of the web application []. The WebResourceSet may be exposed to CVE-2024-56337.

Comment From: mycad

/**
 * Initialises this directory-backed resource set and refuses to start when it may be exposed to
 * CVE-2024-56337.
 * <p>
 * Steps, in order:
 * <ol>
 * <li>Run the superclass initialisation and store the result of {@code isCaseSensitive()}.</li>
 * <li>If the web application mount is the empty string, look for {@code META-INF/MANIFEST.MF} and,
 * when it is a regular file, load it as the manifest. A read failure is logged as a warning and
 * does not stop initialisation.</li>
 * <li>Exposure check: return without further action if the resource set is case sensitive, or is
 * read-only, or the canonical file name cache is already reported as disabled.</li>
 * <li>Otherwise try to disable the cache. Success is logged as a warning; failure aborts
 * initialisation.</li>
 * </ol>
 * The order matters: {@code disableCanonCaches()} is the only call here that changes state outside
 * this object, and it is reached only after all three "not exposed" conditions have failed.
 *
 * @throws LifecycleException    declared by the overridden method; not thrown directly by this body
 * @throws IllegalStateException if the canonical file name cache could not be disabled, or Tomcat
 *                               could not confirm that it is disabled
 */
@Override
    protected void initInternal() throws LifecycleException {
        super.initInternal();
        // Cached once here; the exposure check below reads this field rather than probing again.
        caseSensitive = isCaseSensitive();
        // Is this an exploded web application?
        if (getWebAppMount().equals("")) {
            // Look for a manifest
            File mf = file("META-INF/MANIFEST.MF", true);
            if (mf != null && mf.isFile()) {
                try (FileInputStream fis = new FileInputStream(mf)) {
                    setManifest(new Manifest(fis));
                } catch (IOException e) {
                    // Best effort: an unreadable manifest is reported but does not fail start-up.
                    log.warn(sm.getString("dirResourceSet.manifestFail", mf.getAbsolutePath()), e);
                }
            }
        }
        // Check for exposure to CVE-2024-56337
        if (caseSensitive) {
            // Neither CVE-2024-56337 nor CVE-2024-50379 is exploitable on a case sensitive file system
            return;
        }
        if (isReadOnly()) {
            // Neither CVE-2024-56337 nor CVE-2024-50379 is exploitable on a read-only ResourceSet
            return;
        }
        if (JreCompat.getInstance().isCanonCachesDisabled()) {
            // Neither CVE-2024-56337 nor CVE-2024-50379 is exploitable if the canonical file name cache is disabled
            return;
        }
        // This ResourceSet may be exposed to CVE-2024-56337.
        // NOTE(review): both JreCompat calls appear to rely on reflective access to JDK internals; if
        // that access is refused, neither reports success and the fail-closed branch below is taken.
        // Confirm against JreCompat for the JDK in use.
        if (JreCompat.getInstance().disableCanonCaches()) {
            /*
             * The canonical file name cache was enabled and is now disabled.
             */
            log.warn(sm.getString("dirResourceSet.canonCaches.disabled", getFileBase(),
                    getRoot().getContext().getName()));
        } else {
            /*
             * The canonical file name cache could not be disabled (or Tomcat cannot confirm it has been disabled). This
             * ResourceSet may be exposed to CVE-2024-56337. Fail closed: the resource set does not finish
             * initialising.
             */
            throw new IllegalStateException(sm.getString("dirResourceSet.canonCaches.enabled", getFileBase(),
                    getRoot().getContext().getName()));
        }
    }

Also, the DirResourceSet constructor never calls the setReadOnly method provided by AbstractFileResourceSet, so readOnly keeps its default value of false:

    /**
     * Creates a directory resource set, optionally registers the
     * {@code WEB-INF/classes/META-INF/resources} directory as an extra resource set, and starts
     * itself when the root is already available.
     * <p>
     * The read-only flag is not touched here, so the new instance keeps the default inherited from
     * {@code AbstractFileResourceSet}.
     *
     * @param root         resource root this set is attached to via {@code setRoot}
     * @param webAppMount  value passed to {@code setWebAppMount}
     * @param base         value passed to {@code setBase}; also the parent directory used to locate
     *                     {@code WEB-INF/classes/META-INF/resources}
     * @param internalPath value passed to the superclass constructor and appended to {@code base}
     *                     when locating that directory
     * @throws IllegalStateException wrapping the {@code LifecycleException} if {@code start()} fails
     */
    public DirResourceSet(WebResourceRoot root, String webAppMount, String base, String internalPath) {
        super(internalPath);
        setRoot(root);
        setWebAppMount(webAppMount);
        setBase(base);

        if (root.getContext().getAddWebinfClassesResources()) {
            File webInfResources = new File(new File(base, internalPath), "/WEB-INF/classes/META-INF/resources");

            // Register the directory only when it actually exists.
            if (webInfResources.isDirectory()) {
                String resourcesPath = webInfResources.getAbsolutePath();
                root.createWebResourceSet(ResourceSetType.RESOURCE_JAR, "/", resourcesPath, null, "/");
            }
        }

        // Nothing more to do while the root is not yet available.
        if (!getRoot().getState().isAvailable()) {
            return;
        }
        try {
            start();
        } catch (LifecycleException e) {
            throw new IllegalStateException(e);
        }
    }
public abstract class AbstractFileResourceSet extends AbstractResourceSet {

    // Logger obtained for this class.
    private static final Log log = LogFactory.getLog(AbstractFileResourceSet.class);

    // Shared zero-length String array constant, visible to subclasses.
    protected static final String[] EMPTY_STRING_ARRAY = new String[0];

    // Base location of this resource set in three forms; fileBase is what getFileBase() returns.
    // Where these are assigned is not visible in this excerpt.
    private File fileBase;
    private String absoluteBase;
    private String canonicalBase;
    // A new resource set starts out writable. DirResourceSet.initInternal() skips its
    // CVE-2024-56337 check only when isReadOnly() is true, so (assuming isReadOnly() reports this
    // field - confirm) this default leaves that check active until the flag is set to true.
    private boolean readOnly = false;

    /**
     * Creates the resource set and hands the given path to {@code setInternalPath}.
     * No other field is initialised here, so {@code readOnly} keeps its declared default.
     *
     * @param internalPath value passed unchanged to {@code setInternalPath}
     */
    protected AbstractFileResourceSet(String internalPath) {
        this.setInternalPath(internalPath);
    }

    /**
     * Returns the {@code fileBase} field as currently stored.
     *
     * @return the stored file base; may be {@code null} if it has not been assigned yet
     */
    protected final File getFileBase() {
        return this.fileBase;
    }