incubator-jspwiki-user mailing list archives

From Paul Sterk <Paul.St...@Sun.COM>
Subject Re: ProtectionDomain failure
Date Mon, 20 Jul 2009 23:31:18 GMT
On 7/20/2009 3:03 PM, Andrew Jaquith wrote:
> The easiest way to fix this problem is to turn off Java security 
> policy enforcement. JSPWiki wasn't really ever fully tuned to run with 
> a SecurityManager installed.
I checked the GlassFish Security pane and the Security Manager is 
unchecked.  Is there more I need to do?
>
> You might also experiment (instead) with removing the 'signedBy 
> JSPWiki' clauses in the policy files -- these are causing the search 
> for the .jks file.

I did this.  I changed the file in domains/domain1/config and in 
WEB-INF. I am seeing the same problem.

What else can I check?  Should I re-sign the jar file?

Paul
>
> Andrew
>
> On Jul 20, 2009, at 17:33, Paul Sterk <Paul.Sterk@Sun.COM> wrote:
>
>>
>> Hi,
>>
>> I am in the process of moving a JSPWiki 2.2 instance from one host to 
>> another using version GlassFish 9.1_u01 and have come across the 
>> following failure displayed in the log file:
>>
>> context(null)- 
>> permission(("com.ecyrd.jspwiki.auth.permissions.AllPermission","GlassFish 
>> Wiki")) domain that failed(ProtectionDomain  
>> (file:/storage/glassfishwiki/server/glassfish_v2ur1/domains/domain1/applications/j2ee-modules/appserver/WEB-INF/lib/JSPWiki.jar

>>
>>
>> More details are shown below. After some searching, I found out that 
>> I must have jspwiki.jks located in (app name)/WEB-INF and in the app 
>> server's domains/domain1/config directory.  I have done that.  I also 
>> found out that I had to append the JSPWiki server.policy section to 
>> the app server's server.policy file (see below). I have done that also.
>>
>> I still get the domain protection failure.  What did I miss?  BTW, I 
>> do not have the option to upgrade the JSPWiki.
>>
>> Paul
>>
>> [#|2009-07-19T17:41:38.727-0700|INFO|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-80-0;|JACC

>> Policy Provider: PolicyWrapper.implies, context(null)- 
>> permission(("com.ecyrd.jspwiki.auth.permissions.AllPermission","GlassFish 
>> Wiki")) domain that failed(ProtectionDomain  
>> (file:/storage/glassfishwiki/server/glassfish_v2ur1/domains/domain1/applications/j2ee-modules/appserver/WEB-INF/lib/JSPWiki.jar

>> [
>> [
>>  Version: V1
>>  Subject: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division, 
>> O=jspwiki.org, C=FI
>>  Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3
>>
>>  Key:  SunPKCS11-Solaris DSA public key, 1024 bits (id 143695096, 
>> session object)
>>  Validity: [From: Fri Mar 02 09:35:56 PST 2007,
>>               To: Thu May 31 10:35:56 PDT 2007]
>>  Issuer: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division, 
>> O=jspwiki.org, C=FI
>>  SerialNumber: [    45e8607c]
>>
>> ]
>>  Algorithm: [SHA1withDSA]
>>
>> ])
>> WebappClassLoader
>>  delegate: true
>>  repositories:
>>    /WEB-INF/classes/
>> ----------> Parent Classloader:
>> EJBClassLoader :
>> urlSet = []
>> doneCalled = false
>> Parent -> java.net.URLClassLoader@1f0cf51
>>
>>
>> (principals com.ecyrd.jspwiki.auth.WikiPrincipal "Guest",
>> com.ecyrd.jspwiki.auth.authorize.Role "Anonymous",
>> com.ecyrd.jspwiki.auth.authorize.Role "All")
>>
>> -------------------------------------------------------------------------------------------------------

>>
>>
>> keystore "jspwiki.jks";
>>
>> // JSPWiki itself needs some basic privileges in order to operate.
>> // If you are running JSPWiki with a security manager, don't change these,
>> // because it will totally b0rk the system.
>>
>> grant signedBy "jspwiki" {
>>    permission java.security.SecurityPermission   "getPolicy";
>>    permission java.security.SecurityPermission   "setPolicy";
>>    permission java.util.PropertyPermission       
>> "java.security.auth.login.config", "write";
>>    permission java.util.PropertyPermission       
>> "java.security.policy", "read,write";
>>    permission javax.security.auth.AuthPermission 
>> "getLoginConfiguration";
>>    permission javax.security.auth.AuthPermission 
>> "setLoginConfiguration";
>> };
>>
>> grant signedBy "jspwiki",
>>  principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
>>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission 
>> "*:*", "view";
>>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
>> "editPreferences";
>>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
>> "editProfile";
>>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
>> "login";
>> };
>>
>>
>> grant signedBy "jspwiki",
>>  principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
>>    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission 
>> "*:*", "view";
>>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission 
>> "*:*", "view";
>>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
>> "editPreferences";
>>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
>> "editProfile";
>>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
>> "login";
>> };
>>
>> grant signedBy "jspwiki",
>>  principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
>>    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission 
>> "*:*", "view";
>>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission 
>> "*:*", "view";
>>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
>> "editPreferences";
>>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
>> "editProfile";
>>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
>> "login";
>> };
>>
>> grant signedBy "jspwiki",
>>  principal com.ecyrd.jspwiki.auth.authorize.Role "Validated" {
>>    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission 
>> "*:*", "view";
>>    // permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
>>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission 
>> "*:*", "modify,rename";
>>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
>> "createPages,createGroups";
>>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
>> "editPreferences";
>>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
>> "editProfile";
>>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
>> "login";
>> };
>>
>> grant signedBy "jspwiki",
>>  principal com.ecyrd.jspwiki.auth.GroupPrincipal "Validated" {
>>    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission 
>> "*:*", "view";
>>    // permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
>>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission 
>> "*:*", "modify,rename";
>>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
>> "createPages,createGroups";
>>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
>> "editPreferences";
>>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
>> "editProfile";
>>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
>> "login";
>> };
>>
>> grant signedBy "jspwiki",
>>  principal com.ecyrd.jspwiki.auth.GroupPrincipal "ServletSpec" {
>>    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission 
>> "*:*", "view";
>>    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission 
>> "*:<groupmember>", "edit";
>>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission 
>> "*:*", "modify,rename";
>>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
>> "createPages,createGroups";
>>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
>> "editPreferences";
>>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
>> "editProfile";
>>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
>> "login";
>> };
>>
>> grant signedBy "jspwiki",
>>  principal com.ecyrd.jspwiki.auth.GroupPrincipal "Sip" {
>>    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission 
>> "*:*", "view";
>>    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission 
>> "*:<groupmember>", "edit";
>>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission 
>> "*:*", "modify,rename";
>>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
>> "createPages,createGroups";
>>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
>> "editPreferences";
>>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
>> "editProfile";
>>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
>> "login";
>> };
>>
>> // Administrators (principals or roles possessing AllPermission)
>> // are allowed to delete any page, and can edit, rename and delete
>> // groups. You should match the permission target (here, 'JSPWiki')
>> // with the value of the 'jspwiki.applicationName' property in
>> // jspwiki.properties. Two administrative groups are set up below:
>> // the wiki group "Admin" (stored by default in wiki page GroupAdmin)
>> // and the container role "Admin" (managed by the web container).
>>
>> grant signedBy "jspwiki",
>>  principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
>>    permission com.ecyrd.jspwiki.auth.permissions.AllPermission 
>> "GlassFish Wiki";
>>    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Open 
>> ESB Wiki";
>>    permission com.ecyrd.jspwiki.auth.permissions.AllPermission 
>> "Slynkr Wiki";
>>    permission com.ecyrd.jspwiki.auth.permissions.AllPermission 
>> "Update Center Wiki";
>>    permission com.ecyrd.jspwiki.auth.permissions.AllPermission 
>> "SocialSite Wiki";
>> };
>> grant signedBy "jspwiki",
>>  principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
>>    permission com.ecyrd.jspwiki.auth.permissions.AllPermission 
>> "GlassFish Wiki";
>>    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Open 
>> ESB Wiki";
>>    permission com.ecyrd.jspwiki.auth.permissions.AllPermission 
>> "Slynkr Wiki";
>>    permission com.ecyrd.jspwiki.auth.permissions.AllPermission 
>> "Update Center Wiki";
>>    permission com.ecyrd.jspwiki.auth.permissions.AllPermission 
>> "SocialSite Wiki";
>> };
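
An added example, not part of the original messages or of JSPWiki: a small Python reader for the policy syntax quoted above that lists the keystore aliases its signedBy clauses depend on and the principals a given permission is granted to, for comparison with the principals named in the logged check. The sample policy is abridged from the post; matching is by exact class and target, which simplifies Java's Permission.implies(), and the code-signing side of signedBy is not modelled.

```python
import re
# Constructed sample: two grant entries abridged from the policy quoted in the thread.
POLICY = '''
keystore "jspwiki.jks";
// JSPWiki itself needs some basic privileges in order to operate.
grant signedBy "jspwiki",
  principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
};
grant signedBy "jspwiki",
  principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "GlassFish Wiki";
};
'''
# Principals and permission copied from the log entry quoted in the thread.
LOG_PRINCIPALS = [("com.ecyrd.jspwiki.auth.WikiPrincipal", "Guest"),
                  ("com.ecyrd.jspwiki.auth.authorize.Role", "Anonymous"),
                  ("com.ecyrd.jspwiki.auth.authorize.Role", "All")]
LOG_PERMISSION = ("com.ecyrd.jspwiki.auth.permissions.AllPermission", "GlassFish Wiki")

GRANT = re.compile(r'\bgrant\b(?P<head>[^{]*)\{(?P<body>[^}]*)\}\s*;', re.S)
SIGNED_BY = re.compile(r'signedBy\s+"([^"]*)"')
PRINCIPAL = re.compile(r'principal\s+([\w.$]+)\s+"([^"]*)"')
PERMISSION = re.compile(r'permission\s+([\w.$]+)((?:\s*,?\s*"[^"]*")*)\s*;')

def parse_policy(text):  # returns one dict per grant entry
    text = re.sub(r'(?m)^\s*//.*$', '', text)  # drop whole-line // comments only
    grants = []
    for m in GRANT.finditer(text):
        signer = SIGNED_BY.search(m.group('head'))
        perms = [(cls, tuple(re.findall(r'"([^"]*)"', args)))
                 for cls, args in PERMISSION.findall(m.group('body'))]
        grants.append({'signedBy': signer.group(1) if signer else None,
                       'principals': PRINCIPAL.findall(m.group('head')),
                       'permissions': perms})
    return grants

def required_aliases(grants):
    """Keystore aliases that the signedBy clauses make the policy loader resolve."""
    return sorted({g['signedBy'] for g in grants if g['signedBy']})

def principals_granted(grants, perm_class, target):
    """Principals whose entry names this class and target (exact match, not implies())."""
    return [p for g in grants for p in g['principals']
            if any(c == perm_class and a[:1] == (target,) for c, a in g['permissions'])]

if __name__ == "__main__":
    holders = principals_granted(parse_policy(POLICY), *LOG_PERMISSION)
    print(required_aliases(parse_policy(POLICY)), holders, [p for p in LOG_PRINCIPALS if p in holders])
```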

