axis-java-user mailing list archives

From Andreas Veithen <andreas.veit...@gmail.com>
Subject Re: Axis2 and Tomcat's SECURITY Flag
Date Tue, 11 Aug 2009 21:53:17 GMT
Greg,

My guess is that Axis2 doesn't have the right permissions to list the
content of the WEB-INF/modules directory. I had a quick look at the
Axis2 code and it seems to handle an I/O error in the same way as an
empty directory. On the other hand, the documentation of
FilePermission says that "A pathname that ends in "/*" [...] indicates
all the files and directories contained in that directory." This would
suggest that you only granted permissions to the files in the
WEB-INF/modules directory, but not the permission to read (list) the
directory itself. Probably you need to add the following permission as
well:

permission java.io.FilePermission
"${catalina.base}/webapps/player/WEB-INF/modules", "read";

If that is confirmed, could you please open a JIRA report about the
fact that Axis2 doesn't warn the user about an unreadable modules (and
services) directory?

Andreas

On Tue, Aug 11, 2009 at 21:19, Greg Logan <greg.logan@usask.ca> wrote:
> Hi List,
>
> I'm trying to get my Axis2 application to run on a Tomcat 6.0.18 install
> running on an Ubuntu server.  This server runs with the Java 2 Security
> framework in Tomcat turned ON, so solutions involving turning it off won't
> work for this case :P
>
> Unfortunately I keep running into permissions issues, and there does not
> appear to be any definitive (or working!) documentation as to precisely what
> permissions Axis2 needs.  I've tried a number of different permissions
> approaches, but I just can't seem to get the application going.
>
> For example, adding the following to the permissions:
>
> // ================= Axis2 Permissions ========================
> //
> grant {
>  // For some mysterious reason these 2 are required outside the Axis-specific permissions
>  // No idea what the codebase should be
>  permission java.io.FilePermission
> "${catalina.base}/webapps/player/WEB-INF/-", "read";
>  permission java.lang.RuntimePermission "getClassLoader";
> };
>
> grant codeBase "file:/var/lib/tomcat6/webapps/player/-" {
>  permission java.lang.RuntimePermission "createClassLoader";
>  permission java.lang.RuntimePermission "setContextClassLoader";
>  permission java.lang.RuntimePermission "checkPropertiesAccess";
>  permission java.lang.RuntimePermission "getClassLoader";
>  permission java.lang.RuntimePermission "getProtectionDomain";
>  permission java.lang.RuntimePermission
> "defineClassInPackage.org.apache.jasper.runtime";
>  permission java.lang.RuntimePermission "shutdownHooks";
>  permission java.lang.RuntimePermission "accessDeclaredMembers";
>  permission java.util.PropertyPermission "*", "read,write";
>  permission java.net.SocketPermission "ex.com", "resolve, connect";
>  permission java.io.FilePermission
> "${catalina.base}/webapps/player/WEB-INF/modules/*", "read,write";
>  permission java.io.FilePermission
> "${catalina.base}/webapps/player/WEB-INF/services/*", "read,write";
>  permission java.io.FilePermission "${catalina.home}/common/classes",
> "read";
>  permission java.io.FilePermission "${catalina.home}/shared/classes",
> "read";
>  permission java.io.FilePermission "${catalina.base}/common/classes",
> "read";
>  permission java.io.FilePermission "${catalina.base}/shared/classes",
> "read";
>  permission java.io.FilePermission "${catalina.home}/common/i18n/*", "read";
>  permission java.io.FilePermission "${catalina.home}/common/lib/*", "read";
>  permission java.io.FilePermission "${catalina.home}/bin/bootstrap.jar",
> "read";
>  permission java.io.FilePermission
> "${catalina.base}/webapps/player/WEB-INF/scriptServices/*", "read";
>  permission java.io.FilePermission "${java.home}/lib/ext/*", "read";
>  // Other directories that are in the classpath
>  permission java.io.FilePermission "/usr/share/java/*", "read";
> };
>
> gets me this result (note that this *exact* deployed war works fine when
> security is off, so the module *is* there):
>
> org.apache.axis2.AxisFault: The system is attempting to engage a module that is not available: addressing
>        at org.apache.axis2.engine.AxisConfiguration.engageModule(AxisConfiguration.java:506)
>        at org.apache.axis2.engine.AxisConfiguration.engageGlobalModules(AxisConfiguration.java:633)
>
>
> The app does work when security is turned off, and also works when granted
> java.security.AllPermissions, but that's really not ideal.  Does anyone have
> a working set of permissions for Axis2?
>
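
Added example (not part of either message and not Axis2 code): a small Java program that uses FilePermission.implies() to show which of the path forms discussed in the reply covers the modules directory itself, as opposed to the entries inside it. The directory path assumes ${catalina.base} is /var/lib/tomcat6 on a Unix-like host, and the file names under it are hypothetical.

```java
import java.io.FilePermission;
import java.util.LinkedHashMap;
import java.util.Map;

public class ModulesDirPermissionCheck {
    // Assumed expansion of ${catalina.base}/webapps/player/WEB-INF/modules
    // (constructed for this example).
    static final String MODULES =
            "/var/lib/tomcat6/webapps/player/WEB-INF/modules";

    // True when the granted permission covers the given access to the path.
    static boolean allows(FilePermission granted, String path, String actions) {
        return granted.implies(new FilePermission(path, actions));
    }

    public static void main(String[] args) {
        // The three path forms: direct children, recursive, the directory itself.
        Map<String, FilePermission> grants = new LinkedHashMap<>();
        grants.put("modules/*", new FilePermission(MODULES + "/*", "read,write"));
        grants.put("modules/-", new FilePermission(MODULES + "/-", "read,write"));
        grants.put("modules", new FilePermission(MODULES, "read"));

        // Hypothetical file names, used only to exercise the matching rules.
        String archive = MODULES + "/addressing.mar";
        String nested = MODULES + "/extra/other.mar";

        System.out.printf("%-10s %-9s %-9s %-9s%n",
                "grant", "list dir", "read mar", "nested");
        for (Map.Entry<String, FilePermission> e : grants.entrySet()) {
            FilePermission p = e.getValue();
            // With a security manager installed, File.list() on a directory
            // requires "read" on the directory path itself.
            boolean listDir = allows(p, MODULES, "read");
            boolean readMar = allows(p, archive, "read");
            boolean readNested = allows(p, nested, "read");
            System.out.printf("%-10s %-9b %-9b %-9b%n",
                    e.getKey(), listDir, readMar, readNested);
        }
    }
}
```

The "list dir" column is the check that matters for the directory scan described in the reply; a grant must show true there for the directory listing to be permitted.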
