tomcat-users mailing list archives

From "Bedell, Kevin" <KBed...@cmgi.com>
Subject RE: Java 2 Security Manager and JSP
Date Mon, 19 Jun 2000 14:40:09 GMT
Tracy -

This may not help, but here goes:

- When you access a .JSP, the first thing that happens is that the .JSP is "compiled" into a .java file which is written to disk in the "work" directory for the context (webapp sub-directory) you are in.

- This .java file extends class servlet. It is then compiled and a .class file is written into the same "work" subdirectory.

- The .class file is then loaded from the work directory.

My guess is that somewhere between the compiling, writing files to disk, and
loading these classes all in this work directory your problem should be able
to be isolated.

Since your error trace indicated that it was in the work directory
"localhost_8080", it seems that you are using the default ROOT context. If
you were using some other context the work directory would be something like
"localhost_8080%2FContextName".

Try isolating the work directory. If that doesn't work, try creating a
context in your server.xml file and putting your .jsp and classes inside the
context - then focus on the work directory created for the context.

Best of luck - hope this helps.

Kevin




> -----Original Message-----
> From: Tristan Austin [mailto:Tristan.Austin@authentic8.com]
> Sent: Sunday, June 18, 2000 8:10 PM
> To: tomcat-user@jakarta.apache.org
> Subject: FW: Java 2 Security Manager and JSP
> 
> 
> (resubmitting in hope of a response)
> 
> Hi,
> 
> One of the features of the system I'm building is that it needs to allow
> Java code uploaded from trusted (still need security) sources to run on the
> web server.
> 
> I have a security manager and policies set up so that this code isn't able
> to execute anything involving system resources (it's just a text file
> converter). It works fine on the standalone java server when my "malicious"
> testing code tries to do anything it shouldn't, but when I try to enforce
> this with Tomcat I get into trouble.
> 
> The problem is that the code source of the servlets that are compiled from
> the jsp (as is my understanding) is not simply the directory tomcat resides
> in. I've set up a security policy allowing anything contained in a jar or
> class file in any sub-directory of / and it still doesn't work. The problem
> being that when tomcat tries to load the classes, it gets an
> AccessControlException (see stack trace below).
> 
> I've tried setting the code source to
> http://localhost/css/-
> http://sunjava.dev.au.a8/css-
> http://sunjava/css/-
> to no avail.
> 
> The options I'm adding to the JAVACMD variable in the tomcat script are:
> 
> JAVACMD="$JAVA_HOME/bin/java -Djava.security.manager -Djava.security.policy=file:/views/tna-sunjava.dev.au.a8/dev/css/cssjsp.policy"
> 
> I'm running this on Solaris 2.6 with Java 1.2.2 on a Sun Ultra Sparc.
> 
> Can someone tell me what the code source for these classes should be so I
> can give them the required permissions? Thanks.
> 
> The stack trace it outputs in the browser is below:
> 
> Error: 500
> 
> Location: /css/css-nav-disable.jsp
> 
> Internal Servlet Error:
> 
> java.security.AccessControlException: access denied (java.io.FilePermission /usr/local/jakarta-tomcat/work/localhost_8080/_0002fcss_0002fcss_0002dnav_0002ddisable_0002ejspcss_0002dnav_0002ddisable.class read)
>         at java.lang.Throwable.fillInStackTrace(Native Method)
>         at java.lang.Throwable.fillInStackTrace(Compiled Code)
>         at java.lang.Throwable.<init>(Compiled Code)
>         at java.lang.Exception.<init>(Compiled Code)
>         at java.lang.RuntimeException.<init>(RuntimeException.java:47)
>         at java.lang.SecurityException.<init>(SecurityException.java:39)
>         at java.security.AccessControlException.<init>(AccessControlException.java:57)
>         at java.security.AccessControlContext.checkPermission(Compiled Code)
>         at java.security.AccessController.checkPermission(Compiled Code)
>         at java.lang.SecurityManager.checkPermission(Compiled Code)
>         at java.lang.SecurityManager.checkRead(Compiled Code)
>         at java.io.File.exists(Compiled Code)
>         at org.apache.jasper.compiler.JspCompiler.computeClassFileData(JspCompiler.java:300)
>         at org.apache.jasper.compiler.JspCompiler.<init>(JspCompiler.java:97)
>         at org.apache.jasper.JspEngineContext.createCompiler(JspEngineContext.java:312)
>         at org.apache.jasper.runtime.JspServlet.loadJSP(JspServlet.java:410)
>         at org.apache.jasper.runtime.JspServlet$JspServletWrapper.loadIfNecessary(JspServlet.java:149)
>         at org.apache.jasper.runtime.JspServlet$JspServletWrapper.service(JspServlet.java:161)
>         at org.apache.jasper.runtime.JspServlet.serviceJspFile(JspServlet.java:261)
>         at org.apache.jasper.runtime.JspServlet.service(Compiled Code)
>         at javax.servlet.http.HttpServlet.service(Compiled Code)
>         at org.apache.tomcat.core.ServletWrapper.handleRequest(Compiled Code)
>         at org.apache.tomcat.core.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:163)
>         at org.apache.jasper.runtime.PageContextImpl.forward(PageContextImpl.java:357)
>         at css._0002fcss_0002fcss_0002dnav_0002ejspcss_0002dnav_jsp_17._jspService(_0002fcss_0002fcss_0002dnav_0002ejspcss_0002dnav_jsp_17.java:123)
>         at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:126)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
>         at org.apache.jasper.runtime.JspServlet$JspServletWrapper.service(JspServlet.java:174)
>         at org.apache.jasper.runtime.JspServlet.serviceJspFile(JspServlet.java:261)
>         at org.apache.jasper.runtime.JspServlet.service(Compiled Code)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
>         at org.apache.tomcat.core.ServletWrapper.handleRequest(Compiled Code)
>         at org.apache.tomcat.core.ContextManager.service(ContextManager.java:559)
>         at org.apache.tomcat.service.connector.Ajp12ConnectionHandler.processConnection(Ajp12ConnectionHandler.java:156)
>         at org.apache.tomcat.service.TcpConnectionThread.run(SimpleTcpEndpoint.java:338)
>         at java.lang.Thread.run(Thread.java:479)
> 
> 
> 
> Tristan Austin.
> 
> ------------------------------------------
> Software Engineer
> Authentic8 Pty Ltd
> Phone: +61 3 9843 8811
> http://www.authentic8.com
> tristan.austin@authentic8.com
> 
> 
> ---------------------------------------------------------------------------
> To unsubscribe, email: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, email: tomcat-user-help@jakarta.apache.org
> 
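Added illustration, not code from either message above and not Tomcat's or Jasper's own code: a stand-alone Java program that does two things relevant to the question in this thread. First, `codeSourceOf` reports the code source the JVM actually recorded for a class, which is what a policy grant's `codeBase` has to match; called from a scriptlet or a servlet against the generated page class it gives the real answer instead of a guessed URL. Second, it models why a grant for Jasper alone is not enough: `AccessController` allows a permission only if every protection domain on the call stack implies it (up to the nearest `doPrivileged` frame, if any), and the trace above shows the failing `File.exists` call running underneath a JSP page's `_jspService` via `PageContextImpl.forward`, so the generated page's own codebase must hold the `FilePermission` as well. The codebase URLs, the jar name, the class name and the policy entry in the comment are assumptions; only the work-directory path is taken from the trace. It uses `java.security.AccessControlContext`, which is deprecated for removal in recent JDKs but still present, and it installs no `SecurityManager`.

```java
import java.io.FilePermission;
import java.net.URL;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

/*
 * Added illustration (not from the thread, not Tomcat code). Paths other than
 * the work directory, codebases, jar names and the policy entry are assumed.
 */
public class CodeSourceDemo {

    static final String WORK_DIR = "/usr/local/jakarta-tomcat/work/";          // from the trace
    // "<dir>/-" covers the whole subtree; "<dir>/*" would cover only its direct entries
    static final Permission READ_WORK = new FilePermission(WORK_DIR + "-", "read");

    /** The URL the JVM recorded for a class, i.e. what a policy grant's codeBase must match. */
    static String codeSourceOf(Class<?> c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        if (cs == null || cs.getLocation() == null) {
            return "(no code source: bootstrap class, never matched by a codeBase grant)";
        }
        return cs.getLocation().toString();
    }

    /** Build a protection domain for a codebase holding exactly the given static permissions. */
    static ProtectionDomain domain(String codeBase, Permission... perms) throws Exception {
        Permissions granted = new Permissions();
        for (Permission p : perms) {
            granted.add(p);
        }
        // null certificates: unsigned code, as classes compiled on the fly from a JSP are
        return new ProtectionDomain(new CodeSource(new URL(codeBase), (Certificate[]) null), granted);
    }

    /** Evaluate a check as if code from each listed domain were on the call stack. */
    static boolean allowed(Permission p, ProtectionDomain... stack) {
        try {
            new AccessControlContext(stack).checkPermission(p); // every domain must imply p
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("String.class code source:  " + codeSourceOf(String.class));
        System.out.println("this class's code source:  " + codeSourceOf(CodeSourceDemo.class));

        // Assumed codebases: Jasper's jar, and the work directory holding generated pages.
        ProtectionDomain jasper = domain("file:/usr/local/jakarta-tomcat/lib/jasper.jar", READ_WORK);
        ProtectionDomain jspPage = domain("file:" + WORK_DIR + "localhost_8080/");   // no grants at all

        // Only container code on the stack: the read is allowed.
        System.out.println("jasper only:         " + allowed(READ_WORK, jasper));
        // The trace's situation: one JSP forwards to another, so the page's own domain
        // sits beneath Jasper on the stack and the same read is denied.
        System.out.println("jasper + jsp page:   " + allowed(READ_WORK, jasper, jspPage));

        // Fix: grant the work-directory codebase too, which in policy-file syntax (assumed
        // codeBase) would read:
        //   grant codeBase "file:/usr/local/jakarta-tomcat/work/-" {
        //       permission java.io.FilePermission "/usr/local/jakarta-tomcat/work/-", "read";
        //   };
        ProtectionDomain jspPageGranted = domain("file:" + WORK_DIR + "localhost_8080/", READ_WORK);
        System.out.println("jasper + granted jsp: " + allowed(READ_WORK, jasper, jspPageGranted));
    }
}
```

Compile and run with `javac CodeSourceDemo.java && java CodeSourceDemo`; the three `allowed` checks print true, false, true. The `codeBase` in the commented policy entry is an assumption, so the first step on a real installation is to print `codeSourceOf` for the generated page class and use that URL, and to remember that a `FilePermission` path ending in `/*` does not reach into per-context subdirectories such as `localhost_8080`, while `/-` does.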
