geronimo-dev mailing list archives

From "Dan Becker (JIRA)" <j...@apache.org>
Subject [jira] Commented: (GERONIMO-4037) Geronimo 2.0.3 (and I guess at least 2.0.2) can't run with a security manager settled from the command line using -Djava.security.manager
Date Thu, 22 May 2008 19:01:57 GMT

    [ https://issues.apache.org/jira/browse/GERONIMO-4037?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12599120#action_12599120 ]

Dan Becker commented on GERONIMO-4037:
--------------------------------------

Hi Jacques,

It is definitely strange that your security policy would work on Linux but not on Windows.
The behavior you mention should be the same on all platforms.

From your stack trace above, it appears that org.apache.geronimo.gbean.runtime.GBeanInstance.createInstance(GBeanInstance.java:1056)
is attempting to set a class loader, which is a privileged action requiring a runtime permission,
but somehow the policy you have set is not visible to the security manager.

Three possible problems with your security policy client.policy that you might be able to
easily test.
1) I thought the grant statement in the policy file required a URL for the code base. You
might need to add the URL for the Geronimo code base in order for this permission to be visible.
2) The JVM command line arg -Djava.security.policy=client.policy requires a URL for the location
of the policy file. It could be that this file is visible in Linux and not in Windows. You
might want to hard code a file URL to test this.
3) The "-Djava.security.policy" policy file value will be ignored if the "policy.allowSystemProperty"
property in the security properties file is set to false. The default is true. You can add
this to the command line with -Dpolicy.allowSystemProperty=true.

You can also get lots of security diagnostics of running with security managers when you add
-Djava.security.debug=policy or -Djava.security.debug=all. 

Report back and let me know if any of these work.

> Geronimo 2.0.3 (and I guess at least 2.0.2) can't run with a security manager settled from the command line using -Djava.security.manager
> ------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: GERONIMO-4037
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4037
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: kernel, security
>    Affects Versions: 2.0.2
>         Environment: Windows Xp Sp2
>            Reporter: Jacques Le Roux
>            Priority: Blocker
>
> I'm facing an issue on Windows XPsp2: I can't run WASCE with a security manager settled from the command line using -Djava.security.manager-Djava.security.policy=client.policy options. I get the error below. Note that this is working properly under Linux (Ubuntu and SUSE as well).
> C:\geronimo-tomcat6-jee5-2.0.3\bin>geronimo run
> Using GERONIMO_BASE:   C:\geronimo-tomcat6-jee5-2.0.3
> Using GERONIMO_HOME:   C:\geronimo-tomcat6-jee5-2.0.3
> Using GERONIMO_TMPDIR: var\temp
> Using JRE_HOME:        C:\Program Files\Java\jre1.5.0_11
> Listening for transport dt_socket at address: 5005
> Booting Geronimo Kernel (in Java 1.5.0_11)...
> Starting Geronimo Application Server v2.0.3-SNAPSHOT
> [***>                                  ] 11%  27s Starting org.apac...15:57:28,625 ERROR [GBeanInstanceState] Error while starting; GBean is now in the FAILED state: abstractName="org.apache.geronimo.configs/j2ee-security/2.0.3-SNAPSHOT/car?ServiceModule=org.apache.geronimo.configs/j2ee-security/2.0.3-SNAPSHOT/car,j2eeType=GBean,name=SecurityService"
> java.lang.LinkageError: org/apache/geronimo/security/jacc/GeronimoPolicyConfigurationFactory
>         at org.apache.geronimo.security.jacc.GeronimoPolicy.implies(GeronimoPolicy.java:74)
>         at java.security.ProtectionDomain.implies(Unknown Source)
>         at java.security.AccessControlContext.checkPermission(Unknown Source)
>         at java.security.AccessController.checkPermission(Unknown Source)
>         at java.lang.SecurityManager.checkPermission(Unknown Source)
>         at java.lang.Thread.setContextClassLoader(Unknown Source)
>         at org.apache.geronimo.gbean.runtime.GBeanInstance.createInstance(GBeanInstance.java:1056)
>         at org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStart(GBeanInstanceState.java:268)
>         at org.apache.geronimo.gbean.runtime.GBeanInstanceState.start(GBeanInstanceState.java:102)
>         at org.apache.geronimo.gbean.runtime.GBeanInstanceState.startRecursive(GBeanInstanceState.java:124)
>         at org.apache.geronimo.gbean.runtime.GBeanInstance.startRecursive(GBeanInstance.java:553)
>         at org.apache.geronimo.kernel.basic.BasicKernel.startRecursiveGBean(BasicKernel.java:379)
>         at org.apache.geronimo.kernel.config.ConfigurationUtil.startConfigurationGBeans(ConfigurationUtil.java:448)
>         at org.apache.geronimo.kernel.config.KernelConfigurationManager.start(KernelConfigurationManager.java:187)
>         at org.apache.geronimo.kernel.config.SimpleConfigurationManager.startConfiguration(SimpleConfigurationManager.java:530)
>         at org.apache.geronimo.kernel.config.SimpleConfigurationManager$$FastClassByCGLIB$$ce77a924.invoke(<generated>)
>         at net.sf.cglib.reflect.FastMethod.invoke(FastMethod.java:53)
>         at org.apache.geronimo.gbean.runtime.FastMethodInvoker.invoke(FastMethodInvoker.java:38)
>         at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:124)
>         at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:830)
>         at org.apache.geronimo.gbean.runtime.RawInvoker.invoke(RawInvoker.java:57)
>         at org.apache.geronimo.kernel.basic.RawOperationInvoker.invoke(RawOperationInvoker.java:35)
>         at org.apache.geronimo.kernel.basic.ProxyMethodInterceptor.intercept(ProxyMethodInterceptor.java:96)
>         at org.apache.geronimo.kernel.config.EditableConfigurationManager$$EnhancerByCGLIB$$7e14cd11.startConfiguration(<generated>)
>         at org.apache.geronimo.system.main.EmbeddedDaemon.doStartup(EmbeddedDaemon.java:156)
>         at org.apache.geronimo.system.main.EmbeddedDaemon.execute(EmbeddedDaemon.java:78)
>         at org.apache.geronimo.kernel.util.MainConfigurationBootstrapper.main(MainConfigurationBootstrapper.java:45)
>         at org.apache.geronimo.cli.AbstractCLI.executeMain(AbstractCLI.java:67)
>         at org.apache.geronimo.cli.daemon.DaemonCLI.main(DaemonCLI.java:30)
> 15:57:28,640 WARN  [BasicLifecycleMonitor] Exception occured while notifying listener
> [...]
> This is needed in order to launch the OFBiz RMIDispatcher (in other words to allow using RMI inside Apache OFBiz). That's why I put this issue as a blocker.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
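
The three checks suggested in the comment above can be run outside Geronimo with a small probe; this is an added example, not part of the original message and not Geronimo code. The class name PolicyProbe is hypothetical, and it assumes a JVM that still supports the Security Manager and is started from the same directory with the same -Djava.security.policy value as the server.

```java
import java.io.File;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.Security;

// Added diagnostic (hypothetical class name), not Geronimo code.
// Run WITHOUT -Djava.security.manager so the probe itself is not blocked, e.g.:
//   java -Djava.security.policy=client.policy PolicyProbe
public class PolicyProbe {
    public static void main(String[] args) {
        // Check 3: the -Djava.security.policy value is ignored when this
        // security property (from the java.security file) is "false".
        System.out.println("policy.allowSystemProperty = "
                + Security.getProperty("policy.allowSystemProperty"));

        // Check 2: show the value the JVM received and how it resolves.
        String value = System.getProperty("java.security.policy");
        System.out.println("java.security.policy = " + value);
        System.out.println("user.dir = " + System.getProperty("user.dir"));
        if (value != null) {
            // "-Djava.security.policy==x" arrives as "=x"; strip the marker.
            String spec = value.startsWith("=") ? value.substring(1) : value;
            try {
                System.out.println("parsed as URL: " + new URL(spec));
            } catch (MalformedURLException e) {
                // Not a URL: report where a relative path lands on this platform.
                File f = new File(spec);
                System.out.println("not a URL; as a file: " + f.getAbsolutePath()
                        + " exists=" + f.exists());
            }
        }

        // Check 1: ask the installed policy what it grants to this class's
        // code source (the probe's location, not the Geronimo code base).
        ProtectionDomain pd = PolicyProbe.class.getProtectionDomain();
        Permission p = new RuntimePermission("setContextClassLoader");
        System.out.println("code source = " + pd.getCodeSource());
        System.out.println("policy implies setContextClassLoader: "
                + Policy.getPolicy().implies(pd, p));
    }
}
```

Comparing the output on Linux and Windows shows whether the policy file is found at all and whether the grant covers the code source being checked.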

