tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Markus Kiss <>
Subject codeBase changes if antiResourceLocking is active - Security policy fails
Date Tue, 20 Nov 2007 10:28:12 GMT

I'm using Tomcat 6.0 with the "security" option in order to assign different permissions to
several webapps running within the Tomcat security sandbox. However, I've encountered the
following effect when I activate the antiJARLocking and antiResourceLocking flags in the context.xml
file of my webapp: 

As these flags cause the server to copy all the files of my webapp to the temp directory at
runtime, the codeBase for the webapp also changes - but the SecurityManager doesn't recognise
that it has changed. Consequently, the permissions for the specific webapp that I defined
in catalina.policy actually don't apply and I get an "access denied" exception. I have searched
the web, the security FAQ and newsgroups for a hint or a workaround, but with no success.
With the help of the option I came to the workaround to simply set
the codeBase in the catalina.policy file to the new location within the temp directory:

grant codeBase "file:${catalina.home}/temp/1-foo/-" {
	/* list of assigned permissions */

With this workaround everything works fine. However, the numeric prefix (e.g. "1-") of the
webapp copied to the temp folder eventually changes, for instance when I redeploy the webapp
or when I clear the temp directory. As a result, I always have to keep the catalina.policy
file up-to-date with the current prefix of the webapp, otherwise the permissions fail.

So, my question is, if this behavior is known and if there is a more elegant way to solve
this problem, maybe by an internal mapping of the original codeBase of the webapp in ${catalina.home}/webapps/
to the ${catalina.home}/temp/ directory which then would be transparent for the SecurityManager?

Thanks in advance and best regards,


To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message