tomcat-users mailing list archives

From "Tristan Austin" <Tristan.Aus...@authentic8.com>
Subject Java 2 Security Manager and JSP
Date Fri, 16 Jun 2000 01:41:12 GMT
Hi,

One of the features of the system I'm building is that it needs to allow
Java code uploaded from trusted (still need security) sources to run on the
web server.

I have a security manager and policies set up so that this code isn't able
to execute anything involving system resources (it's just a text file
converter). It works fine on the standalone java server when my "malicious"
testing code tries to do anything it shouldn't, but when I try to enforce
this with Tomcat I get into trouble.

The problem is that the code source of the servlets that are compiled from
the jsp (as is my understanding) is not simply the directory tomcat resides
in. I've set up a security policy allowing anything contained in a jar or
class file in any sub-directory of / and it still doesn't work: when tomcat
tries to load the classes, it gets an AccessControlException (see stack
trace below).

I've tried setting the code source to
http://localhost/css/-
http://sunjava.dev.au.a8/css-
http://sunjava/css/-
to no avail.

The options I'm adding to the JAVACMD variable in the tomcat script are:

JAVACMD="$JAVA_HOME/bin/java -Djava.security.manager -Djava.security.policy=file:/views/tna-sunjava.dev.au.a8/dev/css/cssjsp.policy"

I'm running this on Solaris 2.6 with Java 1.2.2 on a Sun Ultra Sparc.

Can someone tell me what the code source for these classes should be so I
can give them the required permissions? Thanks.

The stack trace it outputs in the browser is below:

Error: 500

Location: /css/css-nav-disable.jsp

Internal Servlet Error:

java.security.AccessControlException: access denied (java.io.FilePermission /usr/local/jakarta-tomcat/work/localhost_8080/_0002fcss_0002fcss_0002dnav_0002ddisable_0002ejspcss_0002dnav_0002ddisable.class read)
        at java.lang.Throwable.fillInStackTrace(Native Method)
        at java.lang.Throwable.fillInStackTrace(Compiled Code)
        at java.lang.Throwable.<init>(Compiled Code)
        at java.lang.Exception.<init>(Compiled Code)
        at java.lang.RuntimeException.<init>(RuntimeException.java:47)
        at java.lang.SecurityException.<init>(SecurityException.java:39)
        at java.security.AccessControlException.<init>(AccessControlException.java:57)
        at java.security.AccessControlContext.checkPermission(Compiled Code)
        at java.security.AccessController.checkPermission(Compiled Code)
        at java.lang.SecurityManager.checkPermission(Compiled Code)
        at java.lang.SecurityManager.checkRead(Compiled Code)
        at java.io.File.exists(Compiled Code)
        at org.apache.jasper.compiler.JspCompiler.computeClassFileData(JspCompiler.java:300)
        at org.apache.jasper.compiler.JspCompiler.<init>(JspCompiler.java:97)
        at org.apache.jasper.JspEngineContext.createCompiler(JspEngineContext.java:312)
        at org.apache.jasper.runtime.JspServlet.loadJSP(JspServlet.java:410)
        at org.apache.jasper.runtime.JspServlet$JspServletWrapper.loadIfNecessary(JspServlet.java:149)
        at org.apache.jasper.runtime.JspServlet$JspServletWrapper.service(JspServlet.java:161)
        at org.apache.jasper.runtime.JspServlet.serviceJspFile(JspServlet.java:261)
        at org.apache.jasper.runtime.JspServlet.service(Compiled Code)
        at javax.servlet.http.HttpServlet.service(Compiled Code)
        at org.apache.tomcat.core.ServletWrapper.handleRequest(Compiled Code)
        at org.apache.tomcat.core.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:163)
        at org.apache.jasper.runtime.PageContextImpl.forward(PageContextImpl.java:357)
        at css._0002fcss_0002fcss_0002dnav_0002ejspcss_0002dnav_jsp_17._jspService(_0002fcss_0002fcss_0002dnav_0002ejspcss_0002dnav_jsp_17.java:123)
        at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:126)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at org.apache.jasper.runtime.JspServlet$JspServletWrapper.service(JspServlet.java:174)
        at org.apache.jasper.runtime.JspServlet.serviceJspFile(JspServlet.java:261)
        at org.apache.jasper.runtime.JspServlet.service(Compiled Code)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at org.apache.tomcat.core.ServletWrapper.handleRequest(Compiled Code)
        at org.apache.tomcat.core.ContextManager.service(ContextManager.java:559)
        at org.apache.tomcat.service.connector.Ajp12ConnectionHandler.processConnection(Ajp12ConnectionHandler.java:156)
        at org.apache.tomcat.service.TcpConnectionThread.run(SimpleTcpEndpoint.java:338)
        at java.lang.Thread.run(Thread.java:479)

Tristan Austin.

------------------------------------------
Software Engineer
Authentic8 Pty Ltd
Phone: +61 3 9843 8811
http://www.authentic8.com
tristan.austin@authentic8.com
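Added example, not part of the original message and not Tomcat's own code: a small Java program for checking offline which code sources a policy grant actually matches, so a grant can be tested before restarting Tomcat under -Djava.security.manager. It writes a constructed, least-privilege policy (read-only access to the Tomcat work directory, granted only to code loaded from under that directory) to a temporary file, installs it as the active java.security.Policy, and asks whether several candidate code sources imply the java.io.FilePermission that the stack trace above reports as denied. The class-file path comes from that stack trace; the candidate code sources, including the /usr/local/jakarta-tomcat/lib/jasper.jar location, are assumptions made for the example. The program assumes a JDK older than 24, since the Policy API it uses was deprecated in JDK 17 and no longer works in JDK 24.

```java
// Added example, not code from the original message or from Tomcat.
// Checks offline which code sources a Java 2 policy grant matches, using the
// java.security.Policy API (present from Java 1.2; unsupported from JDK 24).
import java.io.File;
import java.io.FilePermission;
import java.io.FileWriter;
import java.net.URI;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.cert.Certificate;

public class PolicyCheck {

    // Taken from the AccessControlException in the post: the .class file that
    // Jasper's JspCompiler tried to read from the Tomcat work directory.
    static final String WORK_DIR = "/usr/local/jakarta-tomcat/work";
    static final String CLASS_FILE = WORK_DIR
        + "/localhost_8080/_0002fcss_0002fcss_0002dnav_0002ddisable_0002ejspcss_0002dnav_0002ddisable.class";

    // Constructed least-privilege policy: read-only access to the work
    // directory, granted only to code loaded from under that directory.
    static final String POLICY =
          "grant codeBase \"file:" + WORK_DIR + "/-\" {\n"
        + "    permission java.io.FilePermission \"" + WORK_DIR + "/-\", \"read\";\n"
        + "};\n";

    /** Writes the policy text to a temp file and installs it as the active Policy. */
    static Policy loadPolicy(String policyText) throws Exception {
        File f = File.createTempFile("cssjsp", ".policy");
        f.deleteOnExit();
        try (FileWriter w = new FileWriter(f)) {
            w.write(policyText);
        }
        // A leading "=" (i.e. -Djava.security.policy==file:...) replaces the
        // JDK's default policy instead of adding to it.
        System.setProperty("java.security.policy", "=" + f.toURI());
        Policy policy = Policy.getPolicy();
        policy.refresh(); // re-read in case a Policy object already existed
        return policy;
    }

    /** True if code loaded from codeBase is granted read access to path. */
    static boolean mayRead(Policy policy, String codeBase, String path) throws Exception {
        CodeSource cs = new CodeSource(new URI(codeBase).toURL(), (Certificate[]) null);
        Permission needed = new FilePermission(path, "read");
        return policy.getPermissions(cs).implies(needed);
    }

    public static void main(String[] args) throws Exception {
        Policy policy = loadPolicy(POLICY);
        // Candidate code sources (constructed). AccessController.checkPermission
        // checks every protection domain on the call stack, so the Jasper code
        // calling File.exists() needs the permission as well as the JSP class;
        // the jasper.jar path is an assumed location, not taken from the post.
        String[] candidates = {
            "file:" + WORK_DIR + "/localhost_8080/",
            "file:/usr/local/jakarta-tomcat/lib/jasper.jar",
            "http://localhost/css/",
        };
        for (String cb : candidates) {
            System.out.println(cb + " -> "
                + (mayRead(policy, cb, CLASS_FILE) ? "read allowed" : "access denied"));
        }
    }
}
```

Compile and run it with `javac PolicyCheck.java && java PolicyCheck`. The point to take from it is that a grant's codeBase is matched against the CodeSource each class was loaded from (a file: URL for classes read from disk), that the "/-" suffix on both the codeBase and the FilePermission path is what makes the match recursive, and that because AccessController.checkPermission walks the whole call stack, every protection domain in the trace above, Jasper and Tomcat included, must hold the java.io.FilePermission for the read to succeed. Editing POLICY and the candidate list lets you try a grant against the exact path from a denial message without touching the server.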

