tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jean-Francois Arcand <jfarc...@apache.org>
Subject Re: socket permission catalina.policy question
Date Thu, 17 Oct 2002 20:07:46 GMT
Well, then let go back and do something simple. First, set:

grant codeBase "file:${catalina.home}/myApplication/WEB-INF/lib/jdom.jar"
{
 permission java.net.SocketPermission "the.third.machine:8080", "accept,
connect, listen, resolve";
 permission java.security.AllPermission;
};

Then in your code, just try:

try {

 doc = (org.jdom.Document)AccessController.doPrivileged

   (new PrivilegedExceptionAction() {

      public Object run() throws org.jdom.JDOMException {

		new java.io.StringReader(fs);
		return null;

      }

    }

   );


Let me know if you still have some exception. We need to find which resource is causing the
problem. I'm not convinved regarding the doPrivilege block, but that doesn't make a difference.

We're coming :-)

-- jeanfrancois




Andrew Cheng wrote:

>I corrected the extra "!"... however it still gives the same exception.
>
>Then I tried directly calling builder.build() outside the AccessController.
>However it still gives the same exception, just from a different line number
>which corresponds to the invocation of builder.build()
>
>Below is an excerpt of why I was using a privileged block.  I hope I
>had the right idea..........................
>"...whenever a resource access is attempted, all code traversed by the
>execution thread up to that point must have permission for that resource
>access, unless some code on the thread has been marked as "privileged". That
>is, suppose access control checking occurs in a thread of execution that has
>a chain of multiple callers. (Think of this as multiple method calls that
>potentially cross the protection domain boundaries.) When the
>AccessController checkPermission method is invoked by the most recent
>caller, the basic algorithm for deciding whether to allow or deny the
>requested access is as follows:
>
>If the code for any caller in the call chain does not have the requested
>permission, AccessControlException is thrown, unless the following is true -
>a caller whose code is granted the said permission has been marked as
>"privileged" (see below) and all parties subsequently called by this caller
>(directly or indirectly) all have the said permission.
>
>Marking code as "privileged" enables a piece of trusted code to temporarily
>enable access to more resources than are available directly to the code that
>called it. This is necessary in some situations. For example, an application
>may not be allowed direct access to files that contain fonts, but the system
>utility to display a document must obtain those fonts, on behalf of the
>user. In order to do this, the system utility becomes privileged while
>obtaining the fonts."
>
>  
>
>>-----Original Message-----
>>
>>Have you try to directly invoke builder.build outside the
>>AccessController? Also, I think you have an extra ! at the end of the
>>jdom jar file:
>>
>>grant codeBase
>>"file:${catalina.home}/myApplication/WEB-INF/lib/jdom.jar!/-"
>>{
>> permission java.net.SocketPermission "the.third.machine:8080", "accept,
>>connect, listen, resolve";
>> permission java.security.AllPermission;
>>};
>>
>>
>>should be
>>
>>grant codeBase "file:${catalina.home}/myApplication/WEB-INF/lib/jdom.jar"
>>{
>> permission java.net.SocketPermission "the.third.machine:8080", "accept,
>>connect, listen, resolve";
>> permission java.security.AllPermission;
>>};
>>
>>--Jeanfrancois
>>    
>>
>
>
>--
>To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
>For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
>
>
>  
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message