tomcat-users mailing list archives

From Glenn Nielsen <gl...@mail.more.net>
Subject Re: socket permission catalina.policy question
Date Sat, 19 Oct 2002 14:14:12 GMT
Did you ever try running tomcat with the property -Djava.security.debug=access,failure
set? The debug output from that can usually help you track down the source of a
security policy configuration problem.

Regards,

Glenn

Andrew Cheng wrote:
> I am using tomcat version 4.0.  I have tried adding the extra "jar:" and
> "!/-" and restarting tomcat... however it still does not work.  I tried
> removing that extra syntax and it does not work in that case either.  (In
> fact, when I added the extra syntax to all of the jar files in
> catalina.policy, it complained about bootstrap.jar... so I tried three
> different cases.  [1] absolutely no extra syntax anywhere in the file [2]
> extra syntax just for the jar files at the end of the file that have to do
> with my Web applications only [3] extra syntax for every jar file... and
> none of these cases works)
> 
> catalina.policy is definitely being used.  /var/log/tomcat.log says it is
> using the security manager.  There was a time when it was complaining that
> my JDBC driver did not have socket permission to connect to the database.
> However I gave all permission to the JDBC driver and to the code that calls
> it.  That particular socket permission denial was resolved.
> 
> However the original socket permission denial refuses to submit to this
> solution.  Perhaps I will try listing the actual IP address instead of the
> machine's name....
> 
> ***Could my directory structure be an issue?  In ${catalina.home} I have a
> directory/Web-application called myApplication:
> ${catalina.home}/myApplication
> 
> Inside this directory, I have several servlets... each in their own
> directory: myServlet1, myServlet2, etc...
> ${catalina.home}/myApplication/myServlet1
> 
> Inside each of these servlet directories, the classes directory is a
> symbolic link to ${catalina.home}/myApplication/WEB-INF/classes ...
> ${catalina.home}/myApplication/myServlet1/classes ->
> ${catalina.home}/myApplication/WEB-INF/classes
> 
> I am assuming that the following entry in my policy file correctly credits
> the same set of permissions to each of my servlets... is this a good or bad
> assumption?
> 
> grant codeBase "file:${catalina.home}/myApplication/WEB-INF/classes/-" {
>   permission java.security.AllPermission;
> };
> 
> My .policy file is at the very end of this message
> 
> 
>>-----Original Message-----
>>From: Erik Erskine [mailto:erik@sundayta.com]
>>
>>I'm having similar problems which I've tracked down to a bug in Tomcat
>>4.0 (http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7319).  If you're
>>using that this may help.
>>
>>Basically if you have grant statements like these the jar files don't
>>get included:
>>
>>grant codeBase "file:/path/to/foo/-"
>>grant codeBase "file:/path/to/foo.jar"
>>
>>You have to explicitly refer to a jar file like this:
>>
>>grant codeBase "jar:file:/path/to/foo.jar!/-"
>>
>>Unfortunately you get no error, it's just as if you did not specify the
>>grant statement at all :(
>>
>>The "file:/foo/-" version does pick up class files, so you could unpack
>>each jar file into WEB-INF/classes when you build the WAR file.
>>
>>Having read the bug report this seems to have been fixed in Tomcat 4.1
>>so I'm about to try that.
>>
>>Erik
> 
> 
> // ============================================================================
> // catalina.corepolicy - Security Policy Permissions for Tomcat 4.0
> //
> // This file contains a default set of security policies to be enforced (by the
> // JVM) when Catalina is executed with the "-security" option.  In addition
> // to the permissions granted here, the following additional permissions are
> // granted to the codebase specific to each web application:
> //
> // * Read access to the document root directory
> //
> // $Id: catalina.policy,v 1.14.2.1 2001/10/06 18:51:03 remm Exp $
> // ============================================================================
> 
> 
> // ========== SYSTEM CODE PERMISSIONS =========================================
> 
> 
> // These permissions apply to javac
> grant codeBase "file:${java.home}/lib/-" {
>         permission java.security.AllPermission;
> };
> 
> // These permissions apply to all shared system extensions
> grant codeBase "file:${java.home}/jre/lib/ext/-" {
>         permission java.security.AllPermission;
> };
> 
> // These permissions apply to javac when ${java.home} points at $JAVA_HOME/jre
> grant codeBase "file:${java.home}/../lib/-" {
>         permission java.security.AllPermission;
> };
> 
> // These permissions apply to all shared system extensions when
> // ${java.home} points at $JAVA_HOME/jre
> grant codeBase "file:${java.home}/lib/ext/-" {
>         permission java.security.AllPermission;
> };
> 
> 
> // ========== CATALINA CODE PERMISSIONS =======================================
> 
> 
> // These permissions apply to the server startup code
> grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
>         permission java.security.AllPermission;
> };
> 
> // These permissions apply to the servlet API classes
> // and those that are shared across all class loaders
> // located in the "common" directory
> grant codeBase "file:${catalina.home}/common/-" {
>         permission java.security.AllPermission;
> };
> 
> // These permissions apply to the container's core code, plus any additional
> // libraries installed in the "server" directory
> grant codeBase "file:${catalina.home}/server/-" {
>         permission java.security.AllPermission;
> };
> 
> // These permissions apply to shared web application libraries
> // including the Jasper page compiler in the "lib" directory
> grant codeBase "file:${catalina.home}/lib/-" {
>         permission java.security.AllPermission;
> };
> 
> // These permissions apply to shared web application classes
> // located in the "classes" directory
> grant codeBase "file:${catalina.home}/classes/-" {
>         permission java.security.AllPermission;
> };
> 
> // ========== WEB APPLICATION PERMISSIONS =====================================
> 
> 
> // These permissions are granted by default to all web applications
> // In addition, a web application will be given a read FilePermission
> // and JndiPermission for all files and directories in its document root.
> grant {
>         permission java.security.AllPermission; // will remove and restore orig.
> };
> 
> 
> // You can assign additional permissions to particular web applications by...snip
> 
> // http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7319
> // EXTRA SYNTAX tomcat 4.0 "jar:file......jar!/-"
> 
> grant codeBase "file:${catalina.home}/myApplication/WEB-INF/classes/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${catalina.home}/myApplication/WEB-INF/lib/pgjdbc2.jar" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${catalina.home}/myApplication/WEB-INF/lib/jdom.jar" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${catalina.home}/myApplication/WEB-INF/lib/cos.jar" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${catalina.home}/myApplication/WEB-INF/lib/crimson.jar" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${catalina.home}/myApplication/WEB-INF/lib/xalan.jar" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${catalina.home}/myApplication/WEB-INF/lib/jaxp.jar" {
>   permission java.security.AllPermission;
> };
> 
> 
> --
> To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-user-help@jakarta.apache.org>
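Added example, not code from this thread or from Tomcat: a small Java program that loads a policy file through the JDK's own parser and asks, for several CodeSource URLs, whether the SocketPermission a JDBC driver needs is implied, which is the question the thread is debugging. It assumes a JDK on which the java.security.Policy API is still functional (JDK 17 or earlier; it is deprecated for removal from 17 onward), a placeholder catalina.home of /opt/tomcat, and a constructed database host dbhost:5432.

```java
import java.net.SocketPermission;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.URIParameter;
import java.security.cert.Certificate;

public class PolicyGrantCheck {
    // Constructed policy text: the two grant forms discussed in the thread,
    // narrowed from AllPermission to the one SocketPermission the driver needs.
    static final String POLICY =
        "grant codeBase \"file:${catalina.home}/myApplication/WEB-INF/lib/pgjdbc2.jar\" {\n"
      + "  permission java.net.SocketPermission \"dbhost:5432\", \"connect,resolve\";\n"
      + "};\n"
      + "grant codeBase \"jar:file:${catalina.home}/myApplication/WEB-INF/lib/jdom.jar!/-\" {\n"
      + "  permission java.net.SocketPermission \"dbhost:5432\", \"connect,resolve\";\n"
      + "};\n";

    // Ask the policy whether code loaded from this CodeSource URL holds the
    // permission, using the same implies() the SecurityManager consults at check time.
    static boolean granted(Policy policy, String codeBase, Permission p) throws Exception {
        CodeSource cs = new CodeSource(new URL(codeBase), (Certificate[]) null);
        return policy.implies(new ProtectionDomain(cs, null), p);
    }

    public static void main(String[] args) throws Exception {
        // ${catalina.home} in the policy is expanded from system properties
        // (policy.expandProperties=true is the JDK default); /opt/tomcat is a placeholder.
        System.setProperty("catalina.home", "/opt/tomcat");
        Path file = Files.createTempFile("catalina", ".policy");
        Files.write(file, POLICY.getBytes(StandardCharsets.UTF_8));
        Policy policy = Policy.getInstance("JavaPolicy", new URIParameter(file.toUri()));

        Permission connect = new SocketPermission("dbhost:5432", "connect");
        String[] codeSources = {
            "file:/opt/tomcat/myApplication/WEB-INF/lib/pgjdbc2.jar",       // file: grant, file: loader URL
            "jar:file:/opt/tomcat/myApplication/WEB-INF/lib/pgjdbc2.jar!/", // same jar seen as jar: URL
            "jar:file:/opt/tomcat/myApplication/WEB-INF/lib/jdom.jar!/",    // covered by the "!/-" grant
        };
        for (String cs : codeSources) {
            System.out.println(cs + " -> " + (granted(policy, cs, connect) ? "GRANTED" : "DENIED"));
        }
        Files.delete(file);
    }
}
```

CodeSource matching requires the grant's URL scheme to equal the scheme the class loader reports, so a "file:" grant for a jar whose loader reports a "jar:file:...!/" CodeSource is silently not implied, which is the symptom described above. Running this with -Djava.security.debug=policy prints the parser's view of each grant alongside the access,failure output Glenn suggests.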
