tomcat-dev mailing list archives

From George Sexton <gsex...@mhsoftware.com>
Subject Re: Security Policy Error
Date Thu, 24 May 2007 18:51:07 GMT
I'm really not sure if it's a bug or not. Here's exactly what's
happening. I have an error handler,
com.mhsoftware.cdaily.servlet.ErrorServlet, based on a class
com.MHSoftware.servlet.BaseServlet.

The base class has a method called dumpRequest which dumps an 
HTTPServletRequestObject to a string for troubleshooting purposes.

When an error is triggered, the Error Servlet gets invoked and this 
error happens:

 java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
	at java.security.AccessController.checkPermission(AccessController.java:427)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
	at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:265)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:299)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:299)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
	at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
	at org.apache.catalina.core.ApplicationHttpRequest.getAttributeNames(ApplicationHttpRequest.java:243)
	at com.MHSoftware.servlet.BaseServlet.dumpRequest(BaseServlet.java:805)
	at com.mhsoftware.cdaily.servlet.ErrorServlet.doGet(ErrorServlet.java:36)
	at com.mhsoftware.cdaily.servlet.ErrorServlet.doPost(ErrorServlet.java:105)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)


MHS.jar, which contains BaseServlet, is located in
$CATALINA_BASE/shared/lib, while cdaily.jar, which contains ErrorServlet,
is located in Application/WEB-INF/classes.

I have a policy entry:

//      Add files in the shared classloader hierarchy
//      as well.
grant codeBase "file:${catalina.base}/shared/-" {
        permission java.security.AllPermission;    
};

If I create a simple JSP, and call request.setAttribute() followed by 
request.getAttributeNames(), things work OK.

So, I'm really uncertain what's exactly going on. I'm kind of thinking 
now that it's class loader related.

I have another class that I noticed was doing something similar. I have 
a base object in MHS.jar, and in cdaily.jar, I have child classes. For 
reflection to work in those child classes, I had to add a policy entry:
grant {
        permission java.lang.RuntimePermission "accessClassInPackage.com.MHSoftware.db.*";
};

Bill Barker wrote:
> It's pretty obviously a bug.  It looks like we need another PA :(.
>
>   
>> -----Original Message-----
>> From: yoavshapira@gmail.com [mailto:yoavshapira@gmail.com] On 
>> Behalf Of Yoav Shapira
>> Sent: Thursday, May 24, 2007 8:34 AM
>> To: Tomcat Developers List
>> Subject: Re: Security Policy Error
>>
>> George,
>> Did anyone get back to you about this?
>>
>> I myself don't have much of a clue, as I haven't run Tomcat 5.5.x
>> under a security manager.
>>
>> Yoav
>>
>> On 5/21/07, George Sexton <gsexton@mhsoftware.com> wrote:
>>> I'm running Tomcat 5.5.23 under a security manager, and I'm hitting this
>>> error on a call to HttpServletRequest.getAttributeNames()
>>>
>>> I'm only starting to understand security policies, so I would appreciate
>>> some insights on what the best way to approach this issue is.
>>>
>>> If it's a genuine bug, let me know and I'll open a ticket on bugzilla.
>>>
>>> Servlet.service() for servlet ErrorServlet threw exception
>>>  java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
>>>         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
>>>         at java.security.AccessController.checkPermission(AccessController.java:427)
>>>         at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>>>         at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
>>>         at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:265)
>>>         at java.lang.ClassLoader.loadClass(ClassLoader.java:299)
>>>         at java.lang.ClassLoader.loadClass(ClassLoader.java:299)
>>>         at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
>>>         at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
>>>         at org.apache.catalina.core.ApplicationHttpRequest.getAttributeNames(ApplicationHttpRequest.java:243)
>>> --
>>> George Sexton
>>> MH Software, Inc.
>>> Voice: +1 303 438 9585
>>> URL:   http://www.mhsoftware.com/

-- 
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL:   http://www.mhsoftware.com/


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
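
Added example, not part of the original message and not Tomcat or JDK code: a small Python model of the stack walk that java.security.AccessController performs, applied to the frames in the trace above. It shows why AllPermission on shared/lib does not satisfy the check while a web application class is on the stack, and what a privileged block in the container frame changes (assuming "PA" in the quoted reply means a PrivilegedAction). The domain names, the container's and web application's grants, and the `db.model` package name are assumptions constructed for the illustration.

```python
# Model of the java.security.AccessController stack walk; not Tomcat or JDK code.
ALL = "java.security.AllPermission"

def implies(granted, needed):
    """BasicPermission-style match on RuntimePermission names."""
    if granted == ALL or granted == needed:
        return True
    if granted.endswith(".*"):
        prefix = granted[:-1]            # "a.b.*" -> "a.b." (the dot is kept)
        return len(needed) > len(prefix) and needed.startswith(prefix)
    return False

def check_permission(stack, needed, policy):
    """Walk frames newest first; every domain met must imply `needed`.
    A privileged frame (the caller of doPrivileged) is still checked,
    then the walk stops. Returns None if allowed, else the denying domain."""
    for domain, privileged in stack:
        if not any(implies(g, needed) for g in policy[domain]):
            return domain
        if privileged:
            break
    return None

NEEDED = "accessClassInPackage.org.apache.catalina.core"
GLOBAL = ["accessClassInPackage.com.MHSoftware.db.*"]   # the page's codeBase-less grant
POLICY = {
    "catalina": [ALL] + GLOBAL,   # assumption: container code is fully trusted
    "shared": [ALL] + GLOBAL,     # the page's grant for ${catalina.base}/shared/-
    "webapp": GLOBAL,             # assumption: WEB-INF/classes gets nothing more
}
# Frames from the trace, newest first (JDK frames omitted; they are fully trusted).
TRACE = [
    ("catalina", False),   # ApplicationHttpRequest.getAttributeNames
    ("shared", False),     # BaseServlet.dumpRequest (MHS.jar)
    ("webapp", False),     # ErrorServlet.doGet (cdaily.jar)
]
# Same call path, but the container frame does its work inside doPrivileged.
WITH_PA = [("catalina", True)] + TRACE[1:]

def run_demo():
    return {
        "as_traced": check_permission(TRACE, NEEDED, POLICY),
        "with_privileged_block": check_permission(WITH_PA, NEEDED, POLICY),
        "db_subpackage": implies(GLOBAL[0], "accessClassInPackage.com.MHSoftware.db.model"),
        "db_itself": implies(GLOBAL[0], "accessClassInPackage.com.MHSoftware.db"),
    }

if __name__ == "__main__":
    print(run_demo())
```

In this model the check is denied by the least-privileged domain on the stack, so widening the grant for shared/lib alone cannot change the outcome.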

