It's my fault that I didn't know that I had auto updates turned ON in one of our production Ubuntu Servers running 18.04.2 in AWS. Tomcat was updated to 8.5.39 recently (automatically) and when we restart tomcat8, our code fails to deploy with the following exception:
Caused by: java.lang.IllegalStateException: Attribute 'javax.websocket.server.ServerContainer' not found in ServletContext at org.springframework.util.Assert.state(Assert.java:73)
When I enable the security related debug messages in tomcat, I can see the following:
policy: evaluate codesources:
Policy CodeSource: (file:/usr/lib/jvm/java-8-oracle/jre/lib/ext/* <no signer certificates>)
Active CodeSource: (file:/var/lib/tomcat8/webapps/api/WEB-INF/lib/spring-retry-1.2.2.RELEASE.jar <no signer certificates>)
policy: evaluation (codesource) failed
policy: evaluate codesources:
Policy CodeSource: (file:/usr/java/packages/lib/ext/* <no signer certificates>)
Active CodeSource: (file:/var/lib/tomcat8/webapps/api/WEB-INF/lib/spring-retry-1.2.2.RELEASE.jar <no signer certificates>)
policy: evaluation (codesource) failed
policy: evaluate codesources:
Policy CodeSource: (null <no signer certificates>)
Active CodeSource: (file:/var/lib/tomcat8/webapps/api/WEB-INF/lib/spring-retry-1.2.2.RELEASE.jar <no signer certificates>)
policy: evaluate principals:
Policy Principals: []
Active Principals: []
I don't really know if these are related... what do we need to do to make websocket "visible" to Spring? I don't know the version of tomcat that was running on this server before this update, but we never got the exception on javax.websocket.server.ServerContainer not found running with that tomcat version. Is it possible to turn off any tomcat security checks?
This seems to be a known issue on Spring: Spring Boot version 2.0.2.RELEASE and Tomcat version 8.5.39