tomcat-users mailing list archives

From "Stephen Pegg" <stephenpe...@gmail.com>
Subject Re: tomcat5.5 and mysql5 permission problem on Ubuntu 7.04 (Fiesty)
Date Tue, 07 Aug 2007 13:44:05 GMT
My 50user.policy currently shows...

grant codeBase "file:/var/lib/tomcat5.5/webapps/DBTest/-" {
    //permission java.net.SocketPermission "localhost", "resolve";
    //permission java.net.SocketPermission "127.0.0.1:3306", "connect";
    permission java.security.AllPermission;
};

grant codeBase "jar:file:/usr/share/tomcat5.5/common/lib/mysql-connector-java-5.0.4.jar!/-" {
    //permission java.net.SocketPermission "localhost:", "connect";
    //permission java.net.SocketPermission "127.0.0.1:3306", "connect";
    //permission java.net.SocketPermission "127.0.0.1:3306", "resolve";
    permission java.security.AllPermission;
};

NOTE: The webapp address (I think) was file:${catalina.home}/webapps/DBTest/-
and is now file:/var/lib/tomcat5.5/webapps/DBTest/-

In Ubuntu both catalina home and base are set to /usr/share/tomcat5.5, the
webapps are not stored here!

Anywho's, it works with all the permissions, I will now try and restrict it.

Thanks for your responses and help David, I'll reply when / if I restrict
it.

On 07/08/07, David Smith <dns4@cornell.edu> wrote:
>
> So what does your 50user.policy show now?  What you posted below grants
> all permissions to both your webapp and the mysql driver jar file.
>
> --David
>
> Stephen Pegg wrote:
>
> >David,
> >
> >I can verify that the 50user.policy file is sufficient for making the
> >catalina.policy. In the Ubuntu install there are 5 separate .policy files
> >that form the catalina.policy file. The catalina.policy file is uneditable
> >as any changes made are overwritten by the 5 separate files.
> >
> >One update on the first post, if I change localhost to 127.0.0.1 rather than
> >just saying "MESSAGE: access denied (java.net.SocketPermission localhost
> >resolve)" it says "MESSAGE: access denied (java.net.SocketPermission
> >127.0.0.1 connect, resolve)"
> >
> >I did change all references of localhost to 127.0.0.1.
> >
> >Stephen
> >
> >On 07/08/07, David Smith <dns4@cornell.edu> wrote:
> >
> >
> >>The problem is most definitely in the security manager configuration.
> >>I'm not familiar with 50user.policy though -- this must be a Ubuntu
> >>thing.  Can you verify this is really the security policy config file
> >>tomcat is using?
> >>
> >>The policy settings I see toward the bottom look good on the surface.
> >>Just wondering if that file is really the active tomcat policy file.  A
> >>tomcat download binary uses catalina.policy in the tomcat/conf folder.
> >>Admittedly the rpm install may be different.
> >>
> >>--David
> >>
> >>Stephen Pegg wrote:
> >>
> >>
> >>
> >>>I am having a very bad time trying to get a webapp to connect to a MySQL
> >>>database. I am using tomcat 5.5 and mysql 5 on a Ubuntu Server 7.04
> >>>(Feisty Fawn)
> >>>
> >>>As far as I am aware I have set everything up okay and the webapp does
> >>>actually try and connect to the database.
> >>>
> >>>However, it doesn't! See tracestack below.
> >>>
> >>>org.apache.jasper.JasperException: Unable to get connection,
> >>>DataSource invalid: "org.apache.commons.dbcp.SQLNestedException:
> >>>Cannot create PoolableConnectionFactory (Communications link failure
> >>>due to underlying exception:
> >>>
> >>>
> >>>** BEGIN NESTED EXCEPTION **
> >>>
> >>>java.security.AccessControlException
> >>>MESSAGE: access denied (java.net.SocketPermission localhost resolve)
> >>>
> >>>STACKTRACE:
> >>>
> >>>java.security.AccessControlException: access denied (java.net.SocketPermission localhost resolve)
> >>>      at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
> >>>      at java.security.AccessController.checkPermission(AccessController.java:427)
> >>>      at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> >>>      at java.lang.SecurityManager.checkConnect(SecurityManager.java:1031)
> >>>      at java.net.InetAddress.getAllByName0(InetAddress.java:1117)
> >>>      at java.net.InetAddress.getAllByName0(InetAddress.java:1098)
> >>>      at java.net.InetAddress.getAllByName(InetAddress.java:1061)
> >>>      at com.mysql.jdbc.StandardSocketFactory.connect(StandardSocketFactory.java:138)
> >>>      at com.mysql.jdbc.MysqlIO.<init>(MysqlIO.java:277)
> >>>      at com.mysql.jdbc.Connection.createNewIO(Connection.java:2668)
> >>>      at com.mysql.jdbc.Connection.<init>(Connection.java:1531)
> >>>      at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:266)
> >>>      at org.apache.commons.dbcp.DriverConnectionFactory.createConnection(DriverConnectionFactory.java:37)
> >>>      at org.apache.commons.dbcp.PoolableConnectionFactory.makeObject(PoolableConnectionFactory.java:290)
> >>>      at org.apache.commons.dbcp.BasicDataSource.validateConnectionFactory(BasicDataSource.java:877)
> >>>      at org.apache.commons.dbcp.BasicDataSource.createDataSource(BasicDataSource.java:851)
> >>>      at org.apache.commons.dbcp.BasicDataSource.getConnection(BasicDataSource.java:540)
> >>>      at org.apache.taglibs.standard.tag.common.sql.QueryTagSupport.getConnection(QueryTagSupport.java:274)
> >>>      at org.apache.taglibs.standard.tag.common.sql.QueryTagSupport.doStartTag(QueryTagSupport.java:159)
> >>>      at org.apache.jsp.index_jsp._jspx_meth_sql_query_0(index_jsp.java:100)
> >>>      at org.apache.jsp.index_jsp._jspService(index_jsp.java:58)
> >>>      at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
> >>>      at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
> >>>      at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:334)
> >>>      at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:314)
> >>>      at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:264)
> >>>      at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
> >>>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >>>      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> >>>      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> >>>      at java.lang.reflect.Method.invoke(Method.java:585)
> >>>      at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:243)
> >>>      at java.security.AccessController.doPrivileged(Native Method)
> >>>      at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
> >>>      at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:275)
> >>>      at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:161)
> >>>      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:245)
> >>>      at org.apache.catalina.core.ApplicationFilterChain.access$0(ApplicationFilterChain.java:177)
> >>>      at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:156)
> >>>      at java.security.AccessController.doPrivileged(Native Method)
> >>>      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:152)
> >>>      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
> >>>      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
> >>>      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
> >>>      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
> >>>      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
> >>>      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
> >>>      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
> >>>      at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
> >>>      at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
> >>>      at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
> >>>      at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
> >>>      at java.lang.Thread.run(Thread.java:595)
> >>>
> >>>
> >>>** END NESTED EXCEPTION **
> >>>
> >>>
> >>>
> >>>Last packet sent to the server was 6 ms ago.)"
> >>>
> >>>      org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:512)
> >>>      org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:377)
> >>>      org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:314)
> >>>      org.apache.jasper.servlet.JspServlet.service(JspServlet.java:264)
> >>>      javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
> >>>      sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >>>      sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> >>>      sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> >>>      java.lang.reflect.Method.invoke(Method.java:585)
> >>>      org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:243)
> >>>      java.security.AccessController.doPrivileged(Native Method)
> >>>      javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
> >>>      org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:275)
> >>>      org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:161)
> >>
> >>>I can connect to the database in command line, MySQL admin and query
> >>>browser with the same user and pass that I am using for the webapp. I
> >>>gave this user full permissions from any host. I have read about the
> >>>security manager possibly stopping it from working even though I'm
> >>>working with localhost. The webapp itself has the resource in its
> >>>/META-INF/context.xml (see below) as I want to stay away from tomcat's
> >>>server.xml. I have a resource reference in the webapp's
> >>>/WEB-INF/web.xml (see below). I have a copy of
> >>>mysql-connector-java-5.0.4.jar in the /common/lib/ directory as
> >>>suggested. There is no mysql jar in the webapp's /WEB-INF/lib dir. I
> >>>created the webapp in netbeans5.5 on a windows platform, built it and
> >>>deployed the webapp.jar using tomcat manager.
> >>>
> >>>---- Context.xml ----
> >>><Context path="/DBTest" docBase="DBTest">
> >>><Resource name="jdbc/time_management" auth="Container"
> >>>    type="javax.sql.DataSource" maxActive="100" maxIdle="30" maxWait="10000"
> >>>    username="timemanaccess" password="timeman101"
> >>>    driverClassName="com.mysql.jdbc.Driver"
> >>>    url="jdbc:mysql://localhost:3306/time_management_db"/>
> >>></Context>
> >>>-----------------
> >>>
> >>>---- Web.xml ----
> >>><resource-ref>
> >>><res-ref-name>jdbc/time_management</res-ref-name>
> >>><res-type>javax.sql.DataSource</res-type>
> >>><res-auth>Application</res-auth>
> >>><res-sharing-scope>Shareable</res-sharing-scope>
> >>></resource-ref>
> >>>-----------------
> >>>
> >>>I have been editing the 50user.policy to try and give permissions to
> >>>localhost. See below.
> >>>
> >>>grant codeBase "file:${catalina.home}/webapps/DBTest/-" {
> >>>    //permission java.net.SocketPermission "localhost", "resolve";
> >>>    //permission java.net.SocketPermission "localhost:3306", "connect,resolve";
> >>>    permission java.security.AllPermission;
> >>>};
> >>>
> >>>grant codeBase "file:/usr/share/tomcat5.5/common/lib/mysql-connector-java-5.0.4.jar" {
> >>>    //permission java.net.SocketPermission "localhost", "resolve";
> >>>    //permission java.net.SocketPermission "localhost:3306", "connect,resolve";
> >>>    permission java.security.AllPermission;
> >>>};
> >>>
> >>>I have tried a number of variations of the permissions below. None
> >>>worked.
> >>>
> >>>Can somebody please help? I can provide more information if needed.
> >>>
> >>>Thanks in advance,
> >>>Stephen
> >>>
> >>>
> >>>
> >>>
> >>>
> >>---------------------------------------------------------------------
> >>To start a new topic, e-mail: users@tomcat.apache.org
> >>To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> >>For additional commands, e-mail: users-help@tomcat.apache.org
> >>
> >>
> >>
> >>
> >
> >
> >
>
>
>
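
The codeBase change described in the NOTE above, and the commented-out SocketPermission lines, can be checked outside Tomcat. The following Java program is an added example, not code from the thread; it calls the JDK's CodeSource.implies and SocketPermission.implies, and the WEB-INF/classes location and the port-3306 connect request are assumptions.

```java
import java.net.SocketPermission;
import java.net.URI;
import java.security.CodeSource;
import java.security.cert.Certificate;

// Added example (not from the thread): test candidate grants offline.
public class PolicyGrantCheck {

    // Wrap a codeBase URL, written as in a grant entry, in an unsigned CodeSource.
    static CodeSource codeSource(String url) throws Exception {
        return new CodeSource(URI.create(url).toURL(), (Certificate[]) null);
    }

    // True when a grant on grantCodeBase covers code loaded from loadedFrom.
    static boolean grantApplies(String grantCodeBase, String loadedFrom) throws Exception {
        return codeSource(grantCodeBase).implies(codeSource(loadedFrom));
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the webapp's classes load from under the Ubuntu webapps directory.
        String loadedFrom = "file:/var/lib/tomcat5.5/webapps/DBTest/WEB-INF/classes/";
        String[] codeBases = {
            "file:/usr/share/tomcat5.5/webapps/DBTest/-", // ${catalina.home} expanded on Ubuntu
            "file:/var/lib/tomcat5.5/webapps/DBTest/-"    // codeBase used in the later policy
        };
        for (String codeBase : codeBases) {
            System.out.println(codeBase + " covers webapp: " + grantApplies(codeBase, loadedFrom));
        }

        // Checks the driver triggers: the name lookup from the stack trace, then
        // (assumption, from the JDBC URL) a connect to port 3306.
        SocketPermission[] requested = {
            new SocketPermission("localhost", "resolve"),
            new SocketPermission("localhost:3306", "connect")
        };
        // Candidate grants, taken from the commented-out lines in 50user.policy.
        SocketPermission[] grants = {
            new SocketPermission("localhost", "resolve"),
            new SocketPermission("127.0.0.1:3306", "connect"),
            new SocketPermission("localhost:3306", "connect,resolve")
        };
        // implies() may look up host names when a name is compared with an IP address.
        for (SocketPermission grant : grants) {
            for (SocketPermission request : requested) {
                System.out.println("grant " + grant.getName() + " [" + grant.getActions()
                        + "] covers " + request.getName() + " [" + request.getActions()
                        + "]: " + grant.implies(request));
            }
        }
    }
}
```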
