tomcat-users mailing list archives

From Kevin HaleBoyes <kcbo...@yahoo.com>
Subject -security flag and (oracle) JDBC realms
Date Fri, 18 May 2001 19:58:04 GMT
I've downloaded the 4.0b5 release and noticed the warning/suggestion to start
running with the -security flag.  So, I did just that.  I also uncommented the
Oracle-based JDBCRealm <Realm> element (and commented out the Memory based
realm).  Tomcat wouldn't start since it couldn't find the driver so I made
a symbolic link (running on RedHat Linux 6.2) in the
 $CATALINA_HOME/common/lib directory to the classes111.jar file from the
Oracle distribution.  Is that where the Oracle JDBC driver should be put?  I
also tried it in $CATALINA_HOME/lib but that didn't work.

Once the driver was found I had to make a change to the Realm entry itself.
It has
connectionURL="jdbc:oracle:thin:@ntserver:1521:ORCL?user=scott;password=tiger"
so I changed the server, SID, username, and password to suit my installation
but Tomcat complained with 
       java.sql.SQLException: invalid arguments in call
After looking at the JDBCRealm.java source code it seems that it needs the
connectionUser and connectionPassword attributes to be defined (it puts them in
the Properties instance to pass to the connect() call from the open() method).
So I removed the
    ?user=...;password=...
portion of the connectionURL attribute and added the required two.

Things were shaping up as Tomcat can now find the JDBC driver and the Oracle
driver isn't complaining about the connection information.  But now I'm getting
another error and this is where my inexperience with the Java security model
hinders me.  I'm getting the following exception when Tomcat starts:

java.security.AccessControlException: access denied (java.net.SocketPermission localhost resolve)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:272)
	at java.security.AccessController.checkPermission(AccessController.java:399)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:545)
	at java.lang.SecurityManager.checkConnect(SecurityManager.java:1042)
	at java.net.InetAddress.getAllByName0(InetAddress.java:559)
	at java.net.InetAddress.getAllByName0(InetAddress.java:540)
	at java.net.InetAddress.getByName(InetAddress.java:449)
	at java.net.Socket.<init>(Socket.java:100)
	at oracle.net.nt.TcpNTAdapter.connect(TcpNTAdapter.java)
	at oracle.net.nt.ConnOption.connect(ConnOption.java)
	at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java)
	at oracle.net.resolver.AddrResolution.resolveAndExecute(AddrResolution.java)
	at oracle.net.ns.NSProtocol.establishConnection(NSProtocol.java)
	at oracle.net.ns.NSProtocol.connect(NSProtocol.java)
	at oracle.jdbc.ttc7.TTC7Protocol.connect(TTC7Protocol.java)
	at oracle.jdbc.ttc7.TTC7Protocol.logon(TTC7Protocol.java)
	at oracle.jdbc.driver.OracleConnection.<init>(OracleConnection.java)
	at oracle.jdbc.driver.OracleDriver.getConnectionInstance(OracleDriver.java)
	at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java)
	at org.apache.catalina.realm.JDBCRealm.open(JDBCRealm.java:539)
	at org.apache.catalina.realm.JDBCRealm.start(JDBCRealm.java:607)
	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1108)
	at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:278)
	at org.apache.catalina.core.StandardService.start(StandardService.java:353)
	at org.apache.catalina.core.StandardServer.start(StandardServer.java:458)
	at org.apache.catalina.startup.Catalina.start(Catalina.java:725)
	at org.apache.catalina.startup.Catalina.execute(Catalina.java:647)
	at org.apache.catalina.startup.Catalina.process(Catalina.java:177)
	at java.lang.reflect.Method.invoke(Native Method)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:196)

So I had a look at the catalina.policy file but I'm really not sure what I need
to add.  It seems that a DNS resolution is attempted but the security system
denied it.  I found the entry:

// These permissions apply to the servlet API classes
// and those that are shared across all class loaders
// located in the "common" directory
grant codeBase "file:${catalina.home}/common/-" {
        permission java.security.AllPermission;
};

I thought I could add a similar entry like:

grant codeBase "file:${catalina.home}/common/lib/-" {
        permission java.security.AllPermission;
};

but that didn't work.

I would like to start running with the -security flag but this will obviously
stop me in my tracks.

Any help would be appreciated,
Kevin.
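
An added example, not part of the original message and not taken from Tomcat's shipped catalina.policy: the exception names `java.net.SocketPermission localhost resolve`, and a policy entry can grant that single permission to one JAR instead of `AllPermission` to a whole directory. The codeBase path and the port are assumptions to replace with the driver's real location and the values in connectionURL. The access check requires every code source on the call stack shown in the trace to hold the permission, so an entry for the driver JAR alone may not be sufficient.

```java
// Java policy-file syntax (the format used by catalina.policy), not Java source.
// Assumed code source: the Oracle driver JAR linked into common/lib as
// described in the message above.
grant codeBase "file:${catalina.home}/common/lib/classes111.jar" {
        // "resolve" is the action denied in the trace (host-name lookup);
        // "connect" allows opening the TCP socket to the database listener.
        // "localhost" comes from the exception text; 1521 is the port in the
        // sample connectionURL and is an assumption for this installation.
        permission java.net.SocketPermission "localhost:1521", "connect,resolve";
};
```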
