tomcat-dev mailing list archives

From Glenn Nielsen <gl...@mail.more.net>
Subject Re: DO NOT REPLY [Bug 13907] - security manager does not give read permission on a context by default
Date Fri, 25 Oct 2002 13:40:28 GMT
The ProtectionDomain shows that Jasper2 is creating a read FilePermission for the scratch
(work) dir.  But you are correct, there is no read FilePermission listed for the context
directory.

The same block of code in org.apache.jasper.compiler.JspRuntimeContext which creates the
scratch (work) dir read FilePermission also creates the context dir read FilePermission.
In cases where the context is running from a war file there will be no context directory
so the below getRealPath("/") would return null. When there is no context directory the read
FilePermission is granted to the scratch directory.

I suspect that for some reason the Context does not have a context directory.  Add
String docBase = context.getRealPath("/"); to your test jsp and see if it returns null.
Also try setting the debug attributes in your server.xml to 9 and capture the debug output.

                 // Get the permissions for the web app context
                 String docBase = context.getRealPath("/");
                 if( docBase == null ) {
                     docBase = options.getScratchDir().toString();
                 }
                 if (!docBase.endsWith(File.separator)){
                     docBase = docBase + File.separator;
                 }


Regards,

Glenn

Aditya wrote:
>>On Thu, 24 Oct 2002 22:59:59 -0500, Glenn Nielsen <glenn@mail.more.net> said:
>>Getting the latest version from CVS won't fix your problem. I still
>>think the problem is somewhere in your configuration.
> 
> 
> I've installed the 4.1.12 tarball from the website and am running it
> without modification other than adding the test jsp to
> webapps/examples/jsp/test.jsp
> 
> I've now tried it under:
> 
>  Solaris/JDK1.4 with 4.1.12-LE 
>  FreeBSD/JDK1.3.1 with 4.1.12
>  Debian/JDK1.3.1 with 4.1.12
> 
> with the same result.
> 
> 
>>You might try posting the SecurityManager debug output when the
>>FilePermission read is denied.  Including the stack trace and the
>>ProtectionDomain which failed.
> 
> 
> Okay, here goes -- as I mentioned before, I see this as the exception:
> 
> org.apache.jasper.JasperException: access denied (java.io.FilePermission /usr/local/tomcat/webapps/examples/test2.new read)
> 
> and with the following CATALINA_OPTS=-Djava.security.debug=access,failure I get this in logs/catalina.out:
> 
> access: access denied (java.io.FilePermission /usr/local/tomcat/webapps/examples/test2.new read)
> java.lang.Exception: Stack trace
>         at java.lang.Thread.dumpStack(Thread.java:1071)
>         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:259)
>         at java.security.AccessController.checkPermission(AccessController.java:401)
>         at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
>         at java.lang.SecurityManager.checkRead(SecurityManager.java:887)
>         at java.io.File.exists(File.java:677)
>         at org.apache.jsp.test_jsp._jspService(test_jsp.java:53)
>         at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:136)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
>         at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:204)
>         at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:289)
>         at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:240)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
>         at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:98)
>         at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:260)
>         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:471)
>         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>         at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2396)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
>         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
>         at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
>         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
>         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
>         at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
>         at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>         at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>         at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
>         at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:256)
>         at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:361)
>         at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:563)
>         at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:535)
>         at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:638)
>         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533)
>         at java.lang.Thread.run(Thread.java:536)
> access: access allowed (java.util.PropertyPermission java.security.debug read)
> access: domain that failed ProtectionDomain  (file:/usr/local/tomcat/webapps/examples/ <no certificates>)
>  null
>  <no principals>
>  java.security.Permissions@17aece8 (
>  (java.io.FilePermission /usr/local/tomcat/work/Standalone/localhost/examples/- read)
>  (java.util.PropertyPermission java.specification.vendor read)
>  (java.util.PropertyPermission java.vm.specification.vendor read)
>  (java.util.PropertyPermission path.separator read)
>  (java.util.PropertyPermission java.vm.name read)
>  (java.util.PropertyPermission java.class.version read)
>  (java.util.PropertyPermission java.vendor.url read)
>  (java.util.PropertyPermission os.name read)
>  (java.util.PropertyPermission jaxp.debug read)
>  (java.util.PropertyPermission java.vendor read)
>  (java.util.PropertyPermission java.vm.vendor read)
>  (java.util.PropertyPermission file.separator read)
>  (java.util.PropertyPermission javax.sql.* read)
>  (java.util.PropertyPermission java.naming.* read)
>  (java.util.PropertyPermission os.version read)
>  (java.util.PropertyPermission java.vm.version read)
>  (java.util.PropertyPermission java.version read)
>  (java.util.PropertyPermission line.separator read)
>  (java.util.PropertyPermission java.home read)
>  (java.util.PropertyPermission java.vm.specification.version read)
>  (java.util.PropertyPermission java.specification.name read)
>  (java.util.PropertyPermission java.vm.specification.name read)
>  (java.util.PropertyPermission java.specification.version read)
>  (java.util.PropertyPermission os.arch read)
>  (java.lang.RuntimePermission accessClassInPackage.sun.beans.*)
>  (java.lang.RuntimePermission accessClassInPackage.sun.beans)
>  (java.lang.RuntimePermission getAttribute)
>  (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util.*)
>  (java.lang.RuntimePermission accessClassInPackage.org.apache.jasper.runtime)
>  (java.lang.RuntimePermission accessClassInPackage.org.apache.jasper.runtime.*)
>  (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util)
> )
> 
> Hope that helps?
> 
> Thanks,
> Adi
> 
> --
> To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
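
Added example (not part of the original message and not Jasper's own code): a simplified model of the docBase fallback quoted in the reply, showing why a null getRealPath("/") leaves the ProtectionDomain with read access only below the work directory. The class and method names and the work-directory file name are assumptions; the paths come from the debug output in the thread.

```java
import java.io.File;
import java.io.FilePermission;
import java.security.Permissions;

// Hypothetical demo class; it models only the docBase grant, it is not JspRuntimeContext.
public class ContextReadPermissionDemo {

    // realPath stands in for context.getRealPath("/"); null means no context directory.
    static Permissions jspReadPermissions(String realPath, String scratchDir) {
        String docBase = (realPath != null) ? realPath : scratchDir;
        if (!docBase.endsWith(File.separator)) {
            docBase = docBase + File.separator;
        }
        Permissions perms = new Permissions();
        // A trailing "-" makes the FilePermission cover every file below docBase.
        perms.add(new FilePermission(docBase + "-", "read"));
        return perms;
    }

    static void report(String label, Permissions perms, String path) {
        boolean allowed = perms.implies(new FilePermission(path, "read"));
        System.out.println(label + ": read " + path + " -> " + (allowed ? "allowed" : "denied"));
    }

    public static void main(String[] args) {
        // Paths from the thread's debug output (Unix-style separators assumed).
        String scratch = "/usr/local/tomcat/work/Standalone/localhost/examples";
        String context = "/usr/local/tomcat/webapps/examples";
        String contextFile = context + "/test2.new";
        String workFile = scratch + "/test_jsp.class"; // constructed file name

        // Case 1: no context directory, so the grant falls back to the scratch dir.
        Permissions fallback = jspReadPermissions(null, scratch);
        report("docBase == null", fallback, contextFile);
        report("docBase == null", fallback, workFile);

        // Case 2: a context directory exists, so files below it are readable.
        Permissions normal = jspReadPermissions(context, scratch);
        report("docBase != null", normal, contextFile);
    }
}
```

FilePermission.implies is evaluated directly here, so the program runs without a SecurityManager installed.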



