Mailing-List: contact tomcat-user-help@jakarta.apache.org; run by ezmlm
Message-ID: <39E4BCCF.6101C716@ni4u.com>
Date: Wed, 11 Oct 2000 12:17:35 -0700
From: Rick Horowitz <rhorowitz@ni4u.com>
MIME-Version: 1.0
To: tomcat-user@jakarta.apache.org
Subject: Re: Java security with Tomcat?
References: <39D11263.A2D41280@ni4u.com> <39E4ADF4.8A3F9A50@digitalfocus.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi Dan,

Thanks for your reply, but I've already given up on using JAAS with
Tomcat for the time being. Don't want to spend any more time on it.  I
believe that my codebase in the security policy file does cover the
correct directory and/or jar files.  I plan to get back to this after
the release of jdk 1.4, which is supposed to contain the JAAS source
files.  I figure I have a better chance of figuring this out if I can
see why JAAS is actually rejecting this...

Rick Horowitz

Daniel Barclay wrote:
> 
> Rick Horowitz wrote:
> >
> ...
> > When I traced into the java system code, I discovered that the
> > ProtectionDomain for the jaas.jar file (which contains the
> > javax.security.auth.Policy class) does not have the
> > java.security.auth.AuthPermission "getPolicy" permission, even though I
> > have the following grant entry in my policy file.
> >
> > grant {
> >         permission java.util.PropertyPermission "tomcat.sessionid.randomclass",
> > "read";
> >         permission java.security.auth.AuthPermission "getPolicy";
> > };
> >
> > Does anyone know if this *should* work, or is it not yet implemented or
> > broken?
> 
> I'm not sure about this, but you might want to check your codebase
> specifications in the security policy file.  (Make sure that it
> covers whichever directory holds your class or jar files.)
> 
> --
> Daniel Barclay
> Digital Focus
> Daniel.Barclay@digitalfocus.com