From: Andrew Jaquith
To: "jspwiki-user@incubator.apache.org"
Subject: Re: ProtectionDomain failure
Date: Mon, 20 Jul 2009 18:03:23 -0400

The easiest way to fix this problem is to turn off Java security policy enforcement. JSPWiki wasn't really ever fully tuned to run with a SecurityManager installed. You might also experiment (instead) with removing the 'signedBy JSPWiki' clauses in the policy files -- these are causing the search for the .jks file.

Andrew

On Jul 20, 2009, at 17:33, Paul Sterk wrote:

>
> Hi,
>
> I am in the process of moving a JSPWiki 2.2 instance from one host
> to another using version GlassFish 9.1_u01 and have come across the
> following failure displayed in the log file:
>
> context(null)- permission (("com.ecyrd.jspwiki.auth.permissions.AllPermission","GlassFish Wiki")) domain that failed(ProtectionDomain (file:/storage/glassfishwiki/server/glassfish_v2ur1/domains/domain1/applications/j2ee-modules/appserver/WEB-INF/lib/JSPWiki.jar
>
> More details are shown below. After some searching, I found out that
> I must have jspwiki.jks located in (app name)/WEB-INF and in the app
> server's domains/domain1/config directory. I have done that. I
> also found out that I had to append the JSPWiki server.policy
> section to the app server's server.policy file (see below). I have
> done that also.
>
> I still get the domain protection failure. What did I miss? BTW, I
> do not have the option to upgrade the JSPWiki.
>
> Paul
>
> [#|2009-07-19T17:41:38.727-0700|INFO|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-80-0;|JACC Policy Provider: PolicyWrapper.implies, context(null)- permission (("com.ecyrd.jspwiki.auth.permissions.AllPermission","GlassFish Wiki")) domain that failed(ProtectionDomain (file:/storage/glassfishwiki/server/glassfish_v2ur1/domains/domain1/applications/j2ee-modules/appserver/WEB-INF/lib/JSPWiki.jar [
> [
>   Version: V1
>   Subject: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division, O=jspwiki.org, C=FI
>   Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3
>
>   Key: SunPKCS11-Solaris DSA public key, 1024 bits (id 143695096, session object)
>   Validity: [From: Fri Mar 02 09:35:56 PST 2007,
>              To: Thu May 31 10:35:56 PDT 2007]
>   Issuer: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division, O=jspwiki.org, C=FI
>   SerialNumber: [ 45e8607c]
>
> ]
>   Algorithm: [SHA1withDSA]
>   Signature:
> 0000: 30 2C 02 14 37 83 53 EC 47 39 1B 73 EE 7C 7E 39  0,..7.S.G9.s...9
> 0010: 89 78 04 31 86 22 DF 1C 02 14 5A CB CE 61 E3 F8  .x.1."....Z..a..
> 0020: 8F 73 70 E7 47 DA 5A D9 28 2C DE E0 4C F2  .sp.G.Z.(,..L.
>
> ])
> WebappClassLoader
>   delegate: true
>   repositories:
>     /WEB-INF/classes/
> ----------> Parent Classloader:
> EJBClassLoader :
> urlSet = []
> doneCalled = false
>  Parent -> java.net.URLClassLoader@1f0cf51
>
>
> (principals com.ecyrd.jspwiki.auth.WikiPrincipal "Guest",
> com.ecyrd.jspwiki.auth.authorize.Role "Anonymous",
> com.ecyrd.jspwiki.auth.authorize.Role "All")
>
> ----------------------------------------------------------------------
>
> keystore "jspwiki.jks";
>
> // JSPWiki itself needs some basic privileges in order to operate.
> // If you are running JSPWiki with a security manager, don't change these,
> // because it will totally b0rk the system.
>
> grant signedBy "jspwiki" {
>     permission java.security.SecurityPermission "getPolicy";
>     permission java.security.SecurityPermission "setPolicy";
>     permission java.util.PropertyPermission "java.security.auth.login.config", "write";
>     permission java.util.PropertyPermission "java.security.policy", "read,write";
>     permission javax.security.auth.AuthPermission "getLoginConfiguration";
>     permission javax.security.auth.AuthPermission "setLoginConfiguration";
> };
>
> grant signedBy "jspwiki",
>   principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
>     permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
> };
>
>
> grant signedBy "jspwiki",
>   principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
>     permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
>     permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
> };
>
> grant signedBy "jspwiki",
>   principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
>     permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
>     permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
> };
>
> grant signedBy "jspwiki",
>   principal com.ecyrd.jspwiki.auth.authorize.Role "Validated" {
>     permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
>     // permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:", "edit";
>     permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
> };
>
> grant signedBy "jspwiki",
>   principal com.ecyrd.jspwiki.auth.GroupPrincipal "Validated" {
>     permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
>     // permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:", "edit";
>     permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
> };
>
> grant signedBy "jspwiki",
>   principal com.ecyrd.jspwiki.auth.GroupPrincipal "ServletSpec" {
>     permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
>     permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:", "edit";
>     permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
> };
>
> grant signedBy "jspwiki",
>   principal com.ecyrd.jspwiki.auth.GroupPrincipal "Sip" {
>     permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
>     permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:", "edit";
>     permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
>     permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
> };
>
> // Administrators (principals or roles possessing AllPermission)
> // are allowed to delete any page, and can edit, rename and delete
> // groups. You should match the permission target (here, 'JSPWiki')
> // with the value of the 'jspwiki.applicationName' property in
> // jspwiki.properties. Two administrative groups are set up below:
> // the wiki group "Admin" (stored by default in wiki page GroupAdmin)
> // and the container role "Admin" (managed by the web container).
>
> grant signedBy "jspwiki",
>   principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
>     permission com.ecyrd.jspwiki.auth.permissions.AllPermission "GlassFish Wiki";
>     permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Open ESB Wiki";
>     permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Slynkr Wiki";
>     permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Update Center Wiki";
>     permission com.ecyrd.jspwiki.auth.permissions.AllPermission "SocialSite Wiki";
> };
> grant signedBy "jspwiki",
>   principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
>     permission com.ecyrd.jspwiki.auth.permissions.AllPermission "GlassFish Wiki";
>     permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Open ESB Wiki";
>     permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Slynkr Wiki";
>     permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Update Center Wiki";
>     permission com.ecyrd.jspwiki.auth.permissions.AllPermission "SocialSite Wiki";
> };
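
The second suggestion in the reply, removing the signedBy clauses from the policy file, as an added example (not part of the original message and not JSPWiki code): a Python rewrite of grant headers that also reports every grant entry left with neither a principal nor a codeBase, because such an entry then applies to all code in the JVM. Assumptions: the function name strip_signed_by is hypothetical, only grant-level signedBy clauses are handled, and the sample is constructed by abridging the policy quoted above.

```python
import re

# Header of a grant entry: leading indent, its clauses, the opening brace.
# Anchoring at line start skips "grant" mentioned inside // comments.
GRANT_HEADER = re.compile(r'(?m)^([ \t]*)grant\b([^{]*)\{')
# One signedBy clause plus the comma separating it from the next clause.
SIGNED_BY = re.compile(r'signedBy\s+"[^"]*"\s*,?\s*', re.IGNORECASE)

# Constructed sample, abridged from the policy quoted in the message.
SAMPLE = '''\
keystore "jspwiki.jks";

// JSPWiki itself needs some basic privileges in order to operate.
grant signedBy "jspwiki" {
    permission java.security.SecurityPermission "setPolicy";
};

grant signedBy "jspwiki",
  principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
    permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
};
'''


def strip_signed_by(policy_text):
    """Return (rewritten_policy, unscoped_lines).

    unscoped_lines holds the original line numbers of grant entries that
    end up with no principal or codeBase and so apply to all code.
    """
    unscoped = []

    def rewrite(match):
        indent, clauses = match.group(1), match.group(2)
        kept = SIGNED_BY.sub('', clauses).strip().rstrip(',').strip()
        if not kept:
            unscoped.append(policy_text.count('\n', 0, match.start()) + 1)
            return indent + 'grant {'
        return indent + 'grant ' + kept + ' {'

    return GRANT_HEADER.sub(rewrite, policy_text), unscoped


if __name__ == '__main__':
    rewritten, unscoped_lines = strip_signed_by(SAMPLE)
    print(rewritten)
    for line_no in unscoped_lines:
        print('line %d: grant now applies to all code' % line_no)
```

In the sample, the entry granting SecurityPermission "setPolicy" is the one reported: without signedBy it has no remaining scope, so it is the entry to review or narrow with a codeBase before deploying the edited file.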