tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Harish Kumar K.K." <har...@nevadacenter.com>
Subject Tomcat with Security manager
Date Thu, 06 Feb 2003 04:57:54 GMT
Hello All

Hope somebody can help me!

I am using Tomcat 4.0.3 on a Red Hat Linux 7.1 system with Apache 1.3.27, and it works fine
if started without the security manager. Recently I had to put up a file upload form on one
of my web sites, and when I deployed the jsp to accept the form data and save the uploaded
file to disk...it came up with the error "File cannot be saved". I am using jspSmartUpload
class to handle the multipart form data and to save the file to disk, which can be downloaded
from www.jspsmart.com

So I read the documentation and figured, the security manager might have to be enabled with
appropriate File IO permissions set for the directory to which I was trying to save the file.


I proceeded to add the required "grant" directive in the catalina.policy file, and when I
started Tomcat with the security manager enabled....it wouldn't start! I checked catalina.out
and saw that Tomcat is not able to read server.xml. Here is the stacktrace I found in catalina.out

Catalina.start: java.security.AccessControlException: access denied (java.io.FilePermission
/var/tomcat4/conf/server.xml read)
java.security.AccessControlException: access denied (java.io.FilePermission /var/tomcat4/conf/server.xml
read)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
        at java.security.AccessController.checkPermission(AccessController.java:401)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
        at java.lang.SecurityManager.checkRead(SecurityManager.java:887)
        at java.io.File.isDirectory(File.java:698)
        at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:65)
        at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:148)
        at java.net.URL.openStream(URL.java:955)
        at org.apache.xerces.readers.DefaultReaderFactory.createReader(DefaultReaderFactory.java)
        at org.apache.xerces.readers.DefaultEntityHandler.startReadingFromDocument(DefaultEntityHandler.java)
        at org.apache.xerces.framework.XMLParser.parseSomeSetup(XMLParser.java)
        at org.apache.xerces.framework.XMLParser.parse(XMLParser.java)
        at org.xml.sax.helpers.XMLReaderAdapter.parse(XMLReaderAdapter.java:223)
        at javax.xml.parsers.SAXParser.parse(SAXParser.java:314)
        at javax.xml.parsers.SAXParser.parse(SAXParser.java:253)
        at org.apache.catalina.util.xml.XmlMapper.readXml(XmlMapper.java:228)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:725)
        at org.apache.catalina.startup.Catalina.execute(Catalina.java:681)
        at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:243)

Then, I found from the security manager howto on the web site, that if no security manager
is enabled, its just like giving all permissions...I am guessing this means that in that case
the operating system file permission system only will be in effect. So I made the directory
I wanted to save the file into, world writable, just to make sure the OS is not preventing
the save operation. Then started Tomcat without the security manager...still the same result!

Now I am totally confused! What am I doing wrong?
Can anybody help me? Please?

Thanks and Regards
Harish
Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message