tomcat-dev mailing list archives

From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: Tomcat 4.0.2-b2 + JSSE + Security Manager
Date Wed, 23 Jan 2002 01:39:53 GMT


On Tue, 22 Jan 2002, Paul Speed wrote:

> Date: Tue, 22 Jan 2002 19:46:06 -0500
> From: Paul Speed <pspeed@progeeks.com>
> Reply-To: Tomcat Developers List <tomcat-dev@jakarta.apache.org>
> To: Tomcat Developers List <tomcat-dev@jakarta.apache.org>
> Subject: Re: Tomcat 4.0.2-b2 + JSSE + Security Manager
>
> Important safety note:
>
> From experience, there seems to be at least one type of access check
> failure that will not be printed with this option.  It bit me when
> I was trying to figure out why the automated tests would fail when
> run with a security manager.  If I remember correctly it turned out
> to be a call to SecurityManager.checkPropertiesAccess().  Individual
> property checks would show up in the log, but the check for access
> to all properties did not.
>
> Some portion of the test code (org.apache.tester.ContextListener02)
> was using the PropertyEditorManager object to set and retrieve a
> PropertyEditor for Date.class.  For what reason, I can only guess.
> (Possibly date to text conversion?)  Anyway, PropertyEditorManager
> is really bad security-wise since using it in user-space requires
> full access to _all_ system properties.
>

The idea was to test the use of PropertyEditors in JSP pages, the way that
the JSP spec requires.  I've commented out this test in the HEAD branch;
looks like I forgot to do so on the 4.0 branch.

> To make a long post short, if you still have problems after trying
> the flags below, try modifying your policy file to give webapps
> full property access.  Although I can't imagine that mattering in
> your case.
>

Craig



> -Paul Speed
>
> Glenn Nielsen wrote:
> >
> > Try starting tomcat 4 with -security and the following properties defined:
> >
> > -Djava.security.debug=access,failure -Djava.net.debug=ssl
> >
> > That should generate a lot of debug data to help you track down the source
> > of the problem.
> >
> > Regards,
> >
> > Glenn
> >
> > Renato wrote:
> >
> > > Hi all,
> > >
> > > I'm installing Tomcat 4.0.2B2. Everything is fine except for the following:
> > >
> > > - I try to run a servlet that uses JSSE. If I start Catalina without the
> > > '-security' it works fine, if I start with the '-security' it generates the
> > > error:
> > >
> > > java.net.SocketException: SSL implementation not available
> > > (...)
> > >
> > > The JSSE libraries are on ${java.home}/jre/lib/ext and this path has
> > > permission to all.
> > >
> > > I also tried on Tomcat 3.3 and the servlet works with or without the
> > > security manager.
> > >
> > > Any hint?
> > >
> > > Thanks
> > > Renato - Brazil
> > >
> > > --
> > > To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
> > > For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
> > >
> >
> > --
> > ----------------------------------------------------------------------
> > Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
> > MOREnet System Programming               |  * if iz ina coment.      |
> > Missouri Research and Education Network  |  */                       |
> > ----------------------------------------------------------------------
> >
>
>
>
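
The all-properties check described in this thread, as an added example that is not part of the original messages: a permissive SecurityManager subclass that records which code requests PropertyPermission "*", the permission behind SecurityManager.checkPropertiesAccess(). The class names are hypothetical, and it assumes a JDK that still allows installing a security manager (for example Java 8).

```java
import java.beans.PropertyEditorManager;
import java.beans.PropertyEditorSupport;
import java.security.Permission;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.PropertyPermission;

// Added example; class names are hypothetical. Assumes a JDK that still
// supports installing a SecurityManager (for example Java 8).
public class PropertiesAccessProbe {

    // Permits everything, but records who asks for access to all properties.
    static class ProbeManager extends SecurityManager {
        final List<String> callers = new ArrayList<>();

        @Override
        public void checkPermission(Permission perm) {
            // checkPropertiesAccess() checks PropertyPermission("*", "read,write");
            // single-property checks carry the property's own name instead.
            if (perm instanceof PropertyPermission && "*".equals(perm.getName())) {
                callers.add(describeCaller(new Throwable().getStackTrace()));
            }
        }

        // First stack frame outside this probe and java.lang.SecurityManager.
        private static String describeCaller(StackTraceElement[] stack) {
            for (StackTraceElement f : stack) {
                String c = f.getClassName();
                if (!c.equals(SecurityManager.class.getName())
                        && !c.startsWith(PropertiesAccessProbe.class.getName())) {
                    return c + "." + f.getMethodName();
                }
            }
            return "<unknown>";
        }
    }

    // Stand-in editor for Date, mirroring the kind of call the thread mentions.
    public static class DateEditor extends PropertyEditorSupport { }

    public static void main(String[] args) {
        ProbeManager probe = new ProbeManager();
        System.setSecurityManager(probe);
        PropertyEditorManager.registerEditor(Date.class, DateEditor.class);
        for (String caller : probe.callers) {
            System.out.println("all-properties check requested by " + caller);
        }
    }
}
```

Because the probe permits every request, it is a diagnostic aid for finding the calling code, not a policy to run a container under.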



