incubator-jspwiki-user mailing list archives

From Andrew Jaquith <andrew.r.jaqu...@gmail.com>
Subject Re: ProtectionDomain failure
Date Tue, 21 Jul 2009 02:46:08 GMT
If anything, you should "unsign" the jar. I can't remember off the
top of my head if there is a jarsigner command to do this. At worst
you could expand the jar, remove the signature manifest file from
META-INF, then re-jar.

Andrew

On Jul 20, 2009, at 19:31, Paul Sterk <Paul.Sterk@Sun.COM> wrote:

> On 7/20/2009 3:03 PM, Andrew Jaquith wrote:
>> The easiest way to fix this problem is to turn off Java security  
>> policy enforcement. JSPWiki wasn't really ever fully tuned to run  
>> with a SecurityManager installed.
> I checked the GlassFish Security pane and the Security Manager is  
> unchecked.  Is there more I need to do?
>>
>> You might also experiment (instead) with removing the 'signedBy
>> JSPWiki' clauses in the policy files -- these are causing the
>> search for the .jks file.
>
> I did this.  I changed the file in domains/domain1/config and in
> WEB-INF. I am seeing the same problem.
>
> What else can I check?  Should I re-sign the jar file?
>
> Paul
>>
>> Andrew
>>
>> On Jul 20, 2009, at 17:33, Paul Sterk <Paul.Sterk@Sun.COM> wrote:
>>
>>>
>>> Hi,
>>>
>>> I am in the process of moving a JSPWiki 2.2 instance from one host  
>>> to another using version GlassFish 9.1_u01 and have come across  
>>> the following failure displayed in the log file:
>>>
>>> context(null)- permission (("com.ecyrd.jspwiki.auth.permissions.AllPermission","GlassFish Wiki")) domain that failed(ProtectionDomain  (file:/storage/glassfishwiki/server/glassfish_v2ur1/domains/domain1/applications/j2ee-modules/appserver/WEB-INF/lib/JSPWiki.jar
>>>
>>> More details are shown below. After some searching, I found out  
>>> that I must have jspwiki.jks located in (app name)/WEB-INF and in  
>>> the app server's domains/domain1/config directory.  I have done  
>>> that.  I also found out that I had to append the JSPWiki  
>>> server.policy section to the app server's server.policy file (see  
>>> below). I have done that also.
>>>
>>> I still get the domain protection failure.  What did I miss?  BTW,  
>>> I do not have the option to upgrade the JSPWiki.
>>>
>>> Paul
>>>
>>> [#|2009-07-19T17:41:38.727-0700|INFO|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-80-0;|JACC Policy Provider: PolicyWrapper.implies, context(null)- permission (("com.ecyrd.jspwiki.auth.permissions.AllPermission","GlassFish Wiki")) domain that failed(ProtectionDomain  (file:/storage/glassfishwiki/server/glassfish_v2ur1/domains/domain1/applications/j2ee-modules/appserver/WEB-INF/lib/JSPWiki.jar [
>>> [
>>> Version: V1
>>> Subject: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division, O=jspwiki.org, C=FI
>>> Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3
>>>
>>> Key:  SunPKCS11-Solaris DSA public key, 1024 bits (id 143695096, session object)
>>> Validity: [From: Fri Mar 02 09:35:56 PST 2007,
>>>              To: Thu May 31 10:35:56 PDT 2007]
>>> Issuer: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division, O=jspwiki.org, C=FI
>>> SerialNumber: [    45e8607c]
>>>
>>> ]
>>> Algorithm: [SHA1withDSA]
>>> Signature:
>>> 0000: 30 2C 02 14 37 83 53 EC   47 39 1B 73 EE 7C 7E 39  0,..7.S.G9.s...9
>>> 0010: 89 78 04 31 86 22 DF 1C   02 14 5A CB CE 61 E3 F8  .x.1."....Z..a..
>>> 0020: 8F 73 70 E7 47 DA 5A D9   28 2C DE E0 4C F2        .sp.G.Z.(,..L.
>>>
>>> ])
>>> WebappClassLoader
>>> delegate: true
>>> repositories:
>>>   /WEB-INF/classes/
>>> ----------> Parent Classloader:
>>> EJBClassLoader :
>>> urlSet = []
>>> doneCalled = false
>>> Parent -> java.net.URLClassLoader@1f0cf51
>>>
>>>
>>> (principals com.ecyrd.jspwiki.auth.WikiPrincipal "Guest",
>>> com.ecyrd.jspwiki.auth.authorize.Role "Anonymous",
>>> com.ecyrd.jspwiki.auth.authorize.Role "All")
>>>
>>> ------------------------------------------------------------------------
>>>
>>> keystore "jspwiki.jks";
>>>
>>> // JSPWiki itself needs some basic privileges in order to operate.
>>> // If you are running JSPWiki with a security manager, don't change these,
>>> // because it will totally b0rk the system.
>>>
>>> grant signedBy "jspwiki" {
>>>   permission java.security.SecurityPermission   "getPolicy";
>>>   permission java.security.SecurityPermission   "setPolicy";
>>>   permission java.util.PropertyPermission       "java.security.auth.login.config", "write";
>>>   permission java.util.PropertyPermission       "java.security.policy", "read,write";
>>>   permission javax.security.auth.AuthPermission "getLoginConfiguration";
>>>   permission javax.security.auth.AuthPermission "setLoginConfiguration";
>>> };
>>>
>>> grant signedBy "jspwiki",
>>> principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
>>>   permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
>>>   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
>>>   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
>>>   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
>>> };
>>>
>>>
>>> grant signedBy "jspwiki",
>>> principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
>>>   permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
>>>   permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
>>>   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
>>>   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
>>>   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
>>> };
>>>
>>> grant signedBy "jspwiki",
>>> principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
>>>   permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
>>>   permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
>>>   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
>>>   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
>>>   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
>>> };
>>>
>>> grant signedBy "jspwiki",
>>> principal com.ecyrd.jspwiki.auth.authorize.Role "Validated" {
>>>   permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
>>>   // permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
>>>   permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
>>>   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
>>>   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
>>>   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
>>>   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
>>> };
>>>
>>> grant signedBy "jspwiki",
>>> principal com.ecyrd.jspwiki.auth.GroupPrincipal "Validated" {
>>>   permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
>>>   // permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
>>>   permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
>>>   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
>>>   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
>>>   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
>>>   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
>>> };
>>>
>>> grant signedBy "jspwiki",
>>> principal com.ecyrd.jspwiki.auth.GroupPrincipal "ServletSpec" {
>>>   permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
>>>   permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
>>>   permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
>>>   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
>>>   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
>>>   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
>>>   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
>>> };
>>>
>>> grant signedBy "jspwiki",
>>> principal com.ecyrd.jspwiki.auth.GroupPrincipal "Sip" {
>>>   permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
>>>   permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
>>>   permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
>>>   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
>>>   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
>>>   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
>>>   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
>>> };
>>>
>>> // Administrators (principals or roles possessing AllPermission)
>>> // are allowed to delete any page, and can edit, rename and delete
>>> // groups. You should match the permission target (here, 'JSPWiki')
>>> // with the value of the 'jspwiki.applicationName' property in
>>> // jspwiki.properties. Two administrative groups are set up below:
>>> // the wiki group "Admin" (stored by default in wiki page GroupAdmin)
>>> // and the container role "Admin" (managed by the web container).
>>>
>>> grant signedBy "jspwiki",
>>> principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
>>>   permission com.ecyrd.jspwiki.auth.permissions.AllPermission "GlassFish Wiki";
>>>   permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Open ESB Wiki";
>>>   permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Slynkr Wiki";
>>>   permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Update Center Wiki";
>>>   permission com.ecyrd.jspwiki.auth.permissions.AllPermission "SocialSite Wiki";
>>> };
>>> grant signedBy "jspwiki",
>>> principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
>>>   permission com.ecyrd.jspwiki.auth.permissions.AllPermission "GlassFish Wiki";
>>>   permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Open ESB Wiki";
>>>   permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Slynkr Wiki";
>>>   permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Update Center Wiki";
>>>   permission com.ecyrd.jspwiki.auth.permissions.AllPermission "SocialSite Wiki";
>>> };
>
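
The "expand the jar, remove the signature file from META-INF, then re-jar" step from the reply at the top of this message, as an added example that is not part of the original thread or JSPWiki's own code. It goes slightly further than the reply by also dropping the per-entry digest attributes from MANIFEST.MF; the signer file name `JSPWIKI.SF`/`JSPWIKI.DSA` and the sample jar contents are constructed assumptions.

```python
import io
import re
import zipfile

# Signature files under META-INF: <signer>.SF, its .DSA/.RSA/.EC block, SIG-*.
SIG_RE = re.compile(r"^META-INF/([^/]+\.(SF|DSA|RSA|EC)|SIG-[^/]*)$", re.I)
MANIFEST = "META-INF/MANIFEST.MF"


def strip_digests(manifest):
    """Drop per-entry *-Digest attributes, which only serve signature checks."""
    text = manifest.decode("utf-8").replace("\r\n", "\n")
    sections = [s for s in re.split(r"\n{2,}", text) if s.strip()]
    kept = sections[:1]  # main section is left untouched
    for section in sections[1:]:
        # One list item per attribute; folded continuation lines stay attached.
        attrs = re.split(r"\n(?! )", section)
        other = [a for a in attrs if not re.match(r"(Name|[\w-]+-Digest):", a)]
        if other:  # keep the entry only if it has non-digest attributes
            kept.append("\n".join(attrs[:1] + other))
    return ("\n\n".join(kept) + "\n\n").replace("\n", "\r\n").encode("utf-8")


def unsign(jar_bytes):
    """Return (unsigned jar bytes, names of the signature files removed)."""
    out, removed = io.BytesIO(), []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if SIG_RE.match(info.filename):
                removed.append(info.filename)
                continue
            data = src.read(info)
            if info.filename == MANIFEST:
                data = strip_digests(data)
            dst.writestr(info, data)
    return out.getvalue(), removed


def sample_signed_jar():
    """Constructed stand-in for a signed jar; the signature bytes are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(MANIFEST, "Manifest-Version: 1.0\r\n\r\nName: a/B.class\r\n"
                               "SHA1-Digest: ZHVtbXk=\r\n\r\n")
        jar.writestr("META-INF/JSPWIKI.SF", "Signature-Version: 1.0\r\n\r\n")
        jar.writestr("META-INF/JSPWIKI.DSA", b"\x30\x00")
        jar.writestr("a/B.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

A `grant signedBy "jspwiki"` entry only applies to code signed by that keystore alias, so once the jar is unsigned those clauses have to come out of the policy file as well, or the grants no longer match the jar.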
