tomcat-users mailing list archives

From "Webmaster" <>
Subject Tomcat + Hibernate2 + Security Manager
Date Tue, 27 Jan 2004 16:31:25 GMT
Hi all,

I know this is a little bit off topic, but the general concept is useful for everybody.

I run Tomcat with a security manager for a dozen users. Recently, people started to use
Hibernate 2, which requires some funky permissions.

I had to put these lines in the 'global' permission to make it work:

grant {
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission java.lang.RuntimePermission "defineCGLIBClassInJavaPackage";
};


Note: I DID test using a codebase like:

grant codeBase "file:/home//client/public_html/WEB-INF/lib/hibernate2.jar!/-" { 

but the classes Hibernate creates after reflection stop obeying the security manager.

Are there any security risks on a security setup with those 3 lines for all classes in the


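An added example, not part of the original message: a small Python audit that parses a Java policy file and reports which of the three permissions quoted above sit in a grant entry with no codeBase, signedBy or principal, which means they apply to every class the policy covers. The function names and the sample policy are constructed for illustration; the codeBase URL in the sample is the one shown in the message.

```python
import re

# Quoted strings are matched first, so the "//" inside a codeBase URL is never
# taken for a comment and a "{" inside a string is never taken for a block start.
TOKEN = re.compile(r'"[^"]*"|//[^\n]*|/\*.*?\*/|[{};,]|[^\s{};,"]+', re.S)
# The three permissions quoted in the message, as (class, target name).
WATCHED = {("java.lang.RuntimePermission", "accessDeclaredMembers"),
           ("java.lang.reflect.ReflectPermission", "suppressAccessChecks"),
           ("java.lang.RuntimePermission", "defineCGLIBClassInJavaPackage")}
SAMPLE = r'''
grant {  // constructed sample; no codeBase, so it applies to all code
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission java.util.PropertyPermission "java.version", "read";
};
grant codeBase "file:/home//client/public_html/WEB-INF/lib/hibernate2.jar!/-" {
  permission java.lang.RuntimePermission "defineCGLIBClassInJavaPackage";
};
'''

def parse_grants(text):
    """Yield (scope, [(class, target)]) per grant entry; scope is None if global."""
    toks = [t for t in TOKEN.findall(text) if not t.startswith(("//", "/*"))]
    i = 0
    while i < len(toks):
        if toks[i].lower() != "grant":
            i += 1
            continue
        j = i + 1
        while j < len(toks) and toks[j] != "{":
            j += 1
        scope = " ".join(toks[i + 1:j]) or None  # codeBase/signedBy/principal
        perms, stmt, i = [], [], j + 1
        while i < len(toks) and toks[i] != "}":  # also stops at EOF if "}" is missing
            if toks[i] != ";":
                stmt.append(toks[i])
            else:
                if len(stmt) >= 3 and stmt[0].lower() == "permission":
                    perms.append((stmt[1], stmt[2].strip('"')))
                stmt = []
            i += 1
        yield scope, perms

def global_watched_grants(text):
    """Watched permissions granted without any scope, i.e. to every class."""
    return sorted(p for scope, perms in parse_grants(text) if scope is None
                  for p in perms if p in WATCHED)

if __name__ == "__main__":
    print(global_watched_grants(SAMPLE))
```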