Message-ID: <1157545018.1211482917708.JavaMail.jira@brutus>
Date: Thu, 22 May 2008 12:01:57 -0700 (PDT)
From: "Dan Becker (JIRA)"
To: dev@geronimo.apache.org
Subject: [jira] Commented: (GERONIMO-4037) Geronimo 2.0.3 (and I guess at least 2.0.2) can't run with a security manager settled from the command line using -Djava.security.manager
In-Reply-To: <1069772001.1211293735629.JavaMail.jira@brutus>

[
https://issues.apache.org/jira/browse/GERONIMO-4037?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12599120#action_12599120 ]

Dan Becker commented on GERONIMO-4037:
--------------------------------------

Hi Jacques,

It is definitely strange that your security policy would work on Linux but not on Windows. The behavior you mention should be the same on all platforms.

From your stack trace above, it appears that org.apache.geronimo.gbean.runtime.GBeanInstance.createInstance(GBeanInstance.java:1056) is attempting to set a class loader, which is a privileged action requiring a runtime permission, but somehow the policy you have set is not visible to the security manager.

Three possible problems with your security policy client.policy that you might be able to easily test.

1) I thought the grant statement in the policy file required a URL for the code base. You might need to add the URL for the Geronimo code base in order for this permission to be visible.

2) The JVM command line arg -Djava.security.policy=client.policy requires a URL for the location of the policy file. It could be that this file is visible in Linux and not in Windows. You might want to hard code a file URL to test this.

3) The "-Djava.security.policy" policy file value will be ignored if the "policy.allowSystemProperty" property in the security properties file is set to false. The default is true. You can add this to the command line with -Dpolicy.allowSystemProperty=true.

You can also get lots of security diagnostics of running with security managers when you add -Djava.security.debug=policy or -Djava.security.debug=all.

Report back and let me know if any of these work.

> Geronimo 2.0.3 (and I guess at least 2.0.2) can't run with a security manager settled from the command line using -Djava.security.manager
> ------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: GERONIMO-4037
> URL: https://issues.apache.org/jira/browse/GERONIMO-4037
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: kernel, security
> Affects Versions: 2.0.2
> Environment: Windows Xp Sp2
> Reporter: Jacques Le Roux
> Priority: Blocker
>
> I'm facing an issue on Windows XPsp2: I can't run WASCE with a security manager settled from the command line using -Djava.security.manager-Djava.security.policy=client.policy options. I get the error below. Note that this is working properly under Linux (Ubuntu and SUSE as well).
> C:\geronimo-tomcat6-jee5-2.0.3\bin>geronimo run
> Using GERONIMO_BASE: C:\geronimo-tomcat6-jee5-2.0.3
> Using GERONIMO_HOME: C:\geronimo-tomcat6-jee5-2.0.3
> Using GERONIMO_TMPDIR: var\temp
> Using JRE_HOME: C:\Program Files\Java\jre1.5.0_11
> Listening for transport dt_socket at address: 5005
> Booting Geronimo Kernel (in Java 1.5.0_11)...
> Starting Geronimo Application Server v2.0.3-SNAPSHOT
> [***> ] 11% 27s Starting org.apac...15:57:28,625 ERROR [GBeanInstanceState] Error while starting; GBean is now in the FAILED state: abstractName="org.apache.geronimo.configs/
> j2ee-security/2.0.3-SNAPSHOT/car?ServiceModule=org.apache.geronimo.configs/j2ee-security/2.0.3-SNAPSHOT/car,j2eeType=GBean,name=SecurityService"
> java.lang.LinkageError: org/apache/geronimo/security/jacc/GeronimoPolicyConfigurationFactory
>     at org.apache.geronimo.security.jacc.GeronimoPolicy.implies(GeronimoPolicy.java:74)
>     at java.security.ProtectionDomain.implies(Unknown Source)
>     at java.security.AccessControlContext.checkPermission(Unknown Source)
>     at java.security.AccessController.checkPermission(Unknown Source)
>     at java.lang.SecurityManager.checkPermission(Unknown Source)
>     at java.lang.Thread.setContextClassLoader(Unknown Source)
>     at org.apache.geronimo.gbean.runtime.GBeanInstance.createInstance(GBeanInstance.java:1056)
>     at org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStart(GBeanInstanceState.java:268)
>     at org.apache.geronimo.gbean.runtime.GBeanInstanceState.start(GBeanInstanceState.java:102)
>     at org.apache.geronimo.gbean.runtime.GBeanInstanceState.startRecursive(GBeanInstanceState.java:124)
>     at org.apache.geronimo.gbean.runtime.GBeanInstance.startRecursive(GBeanInstance.java:553)
>     at org.apache.geronimo.kernel.basic.BasicKernel.startRecursiveGBean(BasicKernel.java:379)
>     at org.apache.geronimo.kernel.config.ConfigurationUtil.startConfigurationGBeans(ConfigurationUtil.java:448)
>     at org.apache.geronimo.kernel.config.KernelConfigurationManager.start(KernelConfigurationManager.java:187)
>     at org.apache.geronimo.kernel.config.SimpleConfigurationManager.startConfiguration(SimpleConfigurationManager.java:530)
>     at org.apache.geronimo.kernel.config.SimpleConfigurationManager$$FastClassByCGLIB$$ce77a924.invoke()
>     at net.sf.cglib.reflect.FastMethod.invoke(FastMethod.java:53)
>     at org.apache.geronimo.gbean.runtime.FastMethodInvoker.invoke(FastMethodInvoker.java:38)
>     at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:124)
>     at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:830)
>     at org.apache.geronimo.gbean.runtime.RawInvoker.invoke(RawInvoker.java:57)
>     at org.apache.geronimo.kernel.basic.RawOperationInvoker.invoke(RawOperationInvoker.java:35)
>     at org.apache.geronimo.kernel.basic.ProxyMethodInterceptor.intercept(ProxyMethodInterceptor.java:96)
>     at org.apache.geronimo.kernel.config.EditableConfigurationManager$$EnhancerByCGLIB$$7e14cd11.startConfiguration()
>     at org.apache.geronimo.system.main.EmbeddedDaemon.doStartup(EmbeddedDaemon.java:156)
>     at org.apache.geronimo.system.main.EmbeddedDaemon.execute(EmbeddedDaemon.java:78)
>     at org.apache.geronimo.kernel.util.MainConfigurationBootstrapper.main(MainConfigurationBootstrapper.java:45)
>     at org.apache.geronimo.cli.AbstractCLI.executeMain(AbstractCLI.java:67)
>     at org.apache.geronimo.cli.daemon.DaemonCLI.main(DaemonCLI.java:30)
> 15:57:28,640 WARN [BasicLifecycleMonitor] Exception occured while notifying listener
> [...]
> This is needed in order to launch the OFBiz RMIDispatcher (in other words to allow using RMI inside Apache OFBiz). That's why I put this issue as a blocker.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
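
Added example, not part of the original message and not Geronimo code: a small stand-alone diagnostic for the three checks suggested in the comment above. The class name PolicyCheck and its single argument (the code base URL to evaluate) are assumptions made for illustration; it assumes a JDK on which the security manager and java.security.Policy are still supported, as on the Java 1.5 runtime in the report.

```java
import java.net.URL;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Policy;
import java.security.Security;
import java.security.cert.Certificate;

// Added diagnostic (hypothetical class name), not part of Geronimo.
// Run WITHOUT -Djava.security.manager so the checks themselves are not blocked,
// but WITH the same -Djava.security.policy value the server is started with:
//   java -Djava.security.policy=client.policy PolicyCheck <code-base-URL>
public class PolicyCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: PolicyCheck <code-base-URL>");
            System.exit(2);
        }
        // Point 2: what the JVM received as the policy location.
        System.out.println("java.security.policy       = "
                + System.getProperty("java.security.policy"));
        // Point 3: null means the entry is absent from the java.security file.
        System.out.println("policy.allowSystemProperty = "
                + Security.getProperty("policy.allowSystemProperty"));

        // Point 1: evaluate the loaded policy for code coming from this code base.
        CodeSource cs = new CodeSource(new URL(args[0]), (Certificate[]) null);
        PermissionCollection granted = Policy.getPolicy().getPermissions(cs);

        // Thread.setContextClassLoader, the call in the stack trace,
        // checks this runtime permission.
        Permission needed = new RuntimePermission("setContextClassLoader");
        System.out.println("code base                  = " + cs.getLocation());
        System.out.println(needed + " granted: " + granted.implies(needed));
    }
}
```

If the last line prints "granted: false" for the server's code base, the policy file was either not loaded from the given location or its grant entries do not cover that code base.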