tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 52460] New: Unable to run signed .war files with security manager
Date Thu, 12 Jan 2012 16:42:00 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=52460

             Bug #: 52460
           Summary: Unable to run signed .war files with security manager
           Product: Tomcat 7
           Version: 7.0.23
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Servlet & JSP API
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: thomas.toth@oenb.at
    Classification: Unclassified


Hi,

I stumbled upon an issue when trying to run Tomcat 7.0.23 (presumably all
Tomcat versions) with a security manager. 

I managed without any problems to create a servlet, pack it into a .war
containing a signed .jar file and run it with a security manager.

According to the final Java Servlet Specification (November 2009) the
application directory structure of a .war the /WEB-INF/classes/ directory shall
contain the application's .class files. /WEB-INF/lib/*.jar shall contain
servlets, beans, static resources as well as other resources that are useful to
the Web application. 

So in my understanding the .war shall contain my application code under
/WEB-INF/classes/ while utility code shall be placed under /WEB-INF/lib/.

Here is the problem:
If I use this recommended way of files placement, it is impossible to run the
application with a security manager properly. As the .class files reside under
/WEB-INF/classes I can only sign the .war file. But this signature is not
reflected in the security manager. Although the .war file (and also the .class
files) is signed, the security manager is not provided with this information,
making it impossible to create custom policies in catalina.policy.

Is using signed jars the only way of running servlets with a security manager?

Is this a JVM or a Tomcat bug?

Thomas

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message