incubator-jspwiki-user mailing list archives

From Janne Jalkanen <janne.jalka...@ecyrd.com>
Subject Re: ProtectionDomain failure
Date Mon, 20 Jul 2009 22:00:54 GMT

Sounds a bit fishy, since 2.2 didn't (IIRC) have any sort of working  
ACLs or use the jks file at all.  So if you're sure it's a 2.2  
instance, it sounds to me like you have accidentally copied some  
2.4/2.6-specific files in there and those are messing everything up.

You could of course try and sign the app yourself too and see if that  
helps. I think the signing password was hardcoded into the build  
scripts ;-)

[If Glassfish has a security manager, please turn it off. JSPWiki does  
not play ball with Tomcat's security manager either.]

/Janne

On 21 Jul 2009, at 00:33, Paul Sterk wrote:

>
> Hi,
>
> I am in the process of moving a JSPWiki 2.2 instance from one host  
> to another using version GlassFish 9.1_u01 and have come across the  
> following failure displayed in the log file:
>
> context(null)- permission (("com.ecyrd.jspwiki.auth.permissions.AllPermission","GlassFish Wiki")) domain that failed(ProtectionDomain  (file:/storage/glassfishwiki/server/glassfish_v2ur1/domains/domain1/applications/j2ee-modules/appserver/WEB-INF/lib/JSPWiki.jar
>
> More details are shown below. After some searching, I found out that  
> I must have jspwiki.jks located in (app name)/WEB-INF and in the app  
> server's domains/domain1/config directory.  I have done that.  I  
> also found out that I had to append the JSPWiki server.policy  
> section to the app server's server.policy file (see below). I have  
> done that also.
>
> I still get the domain protection failure.  What did I miss?  BTW, I  
> do not have the option to upgrade the JSPWiki.
>
> Paul
>
> [#|2009-07-19T17:41:38.727-0700|INFO|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-80-0;|JACC Policy Provider: PolicyWrapper.implies, context(null)- permission (("com.ecyrd.jspwiki.auth.permissions.AllPermission","GlassFish Wiki")) domain that failed(ProtectionDomain  (file:/storage/glassfishwiki/server/glassfish_v2ur1/domains/domain1/applications/j2ee-modules/appserver/WEB-INF/lib/JSPWiki.jar [
> [
>  Version: V1
>  Subject: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division, O=jspwiki.org, C=FI
>  Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3
>
>  Key:  SunPKCS11-Solaris DSA public key, 1024 bits (id 143695096, session object)
>  Validity: [From: Fri Mar 02 09:35:56 PST 2007,
>               To: Thu May 31 10:35:56 PDT 2007]
>  Issuer: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division, O=jspwiki.org, C=FI
>  SerialNumber: [    45e8607c]
>
> ]
>  Algorithm: [SHA1withDSA]
>  Signature:
> 0000: 30 2C 02 14 37 83 53 EC   47 39 1B 73 EE 7C 7E 39  0,..7.S.G9.s...9
> 0010: 89 78 04 31 86 22 DF 1C   02 14 5A CB CE 61 E3 F8  .x.1."....Z..a..
> 0020: 8F 73 70 E7 47 DA 5A D9   28 2C DE E0 4C F2        .sp.G.Z.(,..L.
>
> ])
> WebappClassLoader
>  delegate: true
>  repositories:
>    /WEB-INF/classes/
> ----------> Parent Classloader:
> EJBClassLoader :
> urlSet = []
> doneCalled = false
> Parent -> java.net.URLClassLoader@1f0cf51
>
>
> (principals com.ecyrd.jspwiki.auth.WikiPrincipal "Guest",
> com.ecyrd.jspwiki.auth.authorize.Role "Anonymous",
> com.ecyrd.jspwiki.auth.authorize.Role "All")
>
> -------------------------------------------------------------------------------------------------------
>
> keystore "jspwiki.jks";
>
> // JSPWiki itself needs some basic privileges in order to operate.
> // If you are running JSPWiki with a security manager, don't change these,
> // because it will totally b0rk the system.
>
> grant signedBy "jspwiki" {
>    permission java.security.SecurityPermission   "getPolicy";
>    permission java.security.SecurityPermission   "setPolicy";
>    permission java.util.PropertyPermission       "java.security.auth.login.config", "write";
>    permission java.util.PropertyPermission       "java.security.policy", "read,write";
>    permission javax.security.auth.AuthPermission "getLoginConfiguration";
>    permission javax.security.auth.AuthPermission "setLoginConfiguration";
> };
>
> grant signedBy "jspwiki",
>  principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
> };
>
> grant signedBy "jspwiki",
>  principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
>    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
> };
>
> grant signedBy "jspwiki",
>  principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
>    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
> };
>
> grant signedBy "jspwiki",
>  principal com.ecyrd.jspwiki.auth.authorize.Role "Validated" {
>    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
>    // permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
> };
>
> grant signedBy "jspwiki",
>  principal com.ecyrd.jspwiki.auth.GroupPrincipal "Validated" {
>    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
>    // permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
> };
>
> grant signedBy "jspwiki",
>  principal com.ecyrd.jspwiki.auth.GroupPrincipal "ServletSpec" {
>    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
>    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
> };
>
> grant signedBy "jspwiki",
>  principal com.ecyrd.jspwiki.auth.GroupPrincipal "Sip" {
>    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
>    permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
>    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
>    permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
> };
>
> // Administrators (principals or roles possessing AllPermission)
> // are allowed to delete any page, and can edit, rename and delete
> // groups. You should match the permission target (here, 'JSPWiki')
> // with the value of the 'jspwiki.applicationName' property in
> // jspwiki.properties. Two administrative groups are set up below:
> // the wiki group "Admin" (stored by default in wiki page GroupAdmin)
> // and the container role "Admin" (managed by the web container).
>
> grant signedBy "jspwiki",
>  principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
>    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "GlassFish Wiki";
>    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Open ESB Wiki";
>    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Slynkr Wiki";
>    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Update Center Wiki";
>    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "SocialSite Wiki";
> };
> grant signedBy "jspwiki",
>  principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
>    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "GlassFish Wiki";
>    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Open ESB Wiki";
>    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Slynkr Wiki";
>    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Update Center Wiki";
>    permission com.ecyrd.jspwiki.auth.permissions.AllPermission "SocialSite Wiki";
> };
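
Every grant in the quoted policy is conditioned on signedBy "jspwiki", so it only applies to code whose signer certificate is the one stored under that alias in the keystore the policy names. The following is an added example, not part of the original messages or of JSPWiki: a small diagnostic that compares the signers of a jar against a keystore alias. The class name SignedByCheck and the command-line arguments are assumptions; the alias default is taken from the policy above.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.jar.*;

// Added diagnostic (not JSPWiki code). Usage:
//   java SignedByCheck <path to JSPWiki.jar> <path to jspwiki.jks> [alias]
public class SignedByCheck {
    public static void main(String[] args) throws Exception {
        String alias = args.length > 2 ? args[2] : "jspwiki"; // alias used by signedBy in the policy
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[1])) {
            ks.load(in, null); // null password: certificates are readable, integrity check is skipped
        }
        Certificate expected = ks.getCertificate(alias);
        if (expected == null) {
            System.out.println("FAIL: keystore has no certificate under alias '" + alias + "'");
            return;
        }
        int matched = 0, mismatched = 0, unsigned = 0;
        try (JarFile jar = new JarFile(args[0], true)) { // true = verify signatures while reading
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signer certificates are only available once the entry has been read to the end;
                // an entry whose digest does not match throws SecurityException here.
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain */ }
                }
                Certificate[] certs = e.getCertificates();
                if (certs == null) { unsigned++; continue; }
                boolean ok = false;
                for (Certificate c : certs) ok |= c.equals(expected);
                if (ok) matched++; else mismatched++;
            }
        }
        System.out.println("signed by '" + alias + "': " + matched
                + ", signed by another key: " + mismatched + ", unsigned: " + unsigned);
        System.out.println(matched > 0 && mismatched == 0 && unsigned == 0
                ? "OK: every entry carries the signer the policy names"
                : "FAIL: signedBy \"" + alias + "\" grants do not cover all of this jar");
    }
}
```

Run it with the same JRE the application server uses, because which signature algorithms a JRE still accepts for signed jars depends on its version and security configuration.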

