tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Frank Lawlor" <>
Subject FW: Xerces Parser Security and Path Problems
Date Wed, 14 Nov 2001 20:10:17 GMT

> > There seems to be a problem related to security when loading
> > jars from WEB-INF/lib.  This was reported earlier by Sergey
> V. Udaltsov
> > in the post titled "policy for classes in WEB-INF/lib/my.jar".
> >
> It's not clear to me that this is a bug.
> The exception goes away because the default catalina.policy grants all
> permissions to code loaded from the common/lib directory.  If
> you want an
> individual webapp to access files, you need to grant specific file
> permissions to it -- see the examples at the bottom of
> "conf/catalina.policy" for hints on how to do this.
> Note that this would be required even if you wanted to use file I/O
> directly in your servlet (as opposed to indirectly via the
> parser) -- the
> default policy file completely disables file access for classes loaded
> from /WEB-INF/classes or /WEB-INF/lib of your webapp.

I don't think this is correct.
As I indicated, I granted my application All Permissions.
It does do a lot of file access (including to the file
to be parsed).  Without the permissions it gets access
errors, so it seems to be working.  If I open the target
file for the parser, it can access it:
  xr.parse(new InputSource(new;

I did try specific file permissions granted to the app
and to the xerces.jar and that didn't help.  Is there
some special way that the file permission needs to
be granted (BTW there are no examples of FILE permissions
in my version of catalina.policy).

This seems like a fairly basic problem that should be
easy to verify.

Here is the actual error info:
   access denied (
     D:\jakarta-tomcat-4.0-rc2\webapps\AGCW\agcw.xml read)
  at org.apache.xerces.framework.XMLParser.parse(
  at org.apache.xerces.framework.XMLParser.parse(


  -- Frank

To unsubscribe:   <>
For additional commands: <>
Troubles with the list: <>

View raw message