tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Pid <...@pidster.com>
Subject Re: webapps examples and security manager
Date Thu, 24 Sep 2009 13:57:01 GMT
On 24/09/2009 14:11, Alan wrote:
> Hallelujah!
>
> I finally figured out what's going on with tomcat 5.5.26 when running
> webapps in security mode.
>
> In Ubuntu 9.04, with just the addition of 'permission
> java.lang.RuntimePermission "setContextClassLoader";' in
> catalina.policy solved the problem. This is happen because ubuntu has
> its own way of starting the deamon and apparently they fixed some
> problems that in tomcat 5.5.26 official distribution is not.

Really?  Could you let us know what?

p


> Since Fink also use the official distribution, I found out that I need
> to tweak catalina.policy a bit further there. See the patch:
>
> --- catalina.policy	2009-09-24 13:51:41.000000000 +0100
> +++ /Users/alan/SCRIPTS/catalina.policy	2009-09-24 13:50:24.000000000 +0100
> @@ -66,7 +66,7 @@
>   };
>
>   // These permissions apply to the commons-logging API
> -grant codeBase "file:${catalina.home}/bin/commons-logging-api.jar" {
> +grant codeBase "file:${catalina.home}/bin/commons-logging-api-1.1.1.jar" {
>           permission java.security.AllPermission;
>   };
>
> @@ -82,6 +82,7 @@
>
>   // These permissions apply to JULI
>   grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
> +        permission java.lang.RuntimePermission "setContextClassLoader";
>           permission java.util.PropertyPermission
> "java.util.logging.config.class", "read";
>           permission java.util.PropertyPermission
> "java.util.logging.config.file", "read";
>           permission java.lang.RuntimePermission "shutdownHooks";
> @@ -95,6 +96,8 @@
>           // Be sure that the logging configuration is secure before
> enabling such access
>           // eg for the examples web application:
>           // permission java.io.FilePermission
> "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties",
> "read";
> +        permission java.io.FilePermission
> "${catalina.base}${file.separator}webapps${file.separator}jsp-examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties",
> "read";
> +        permission java.io.FilePermission
> "${catalina.base}${file.separator}webapps${file.separator}servlets-examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties",
> "read";
>   };
>
>   // These permissions apply to the servlet API classes
>
>
> This basic solved my problems.
>
> Alan
>
> On Wed, Sep 23, 2009 at 22:58, Alan<alanwilter@gmail.com>  wrote:
>> Many thanks dear Mark.
>>
>> It's late here too but I finally, with your diligent and precious
>> help, I could figure out what's going on here and even manage to have
>> tomcat with security working for tomcat6.0.20 and tomcat5.5.28 (but
>> not for tomcat5.5.26, last version available for Mac via Fink).
>>
>> Thank you very much.
>>
>> Alan
>>
>> On Wed, Sep 23, 2009 at 21:42, Mark Thomas<markt@apache.org>  wrote:
>>> Mark Thomas wrote:
>>>> Mark Thomas wrote:
>>>>> Alan wrote:
>>>>>> Thanks Mark, let's deal by parts:
>>>>> OK. I've reproduced it. It is happening with 1.6.0_14 and 1.6.0_16 JVMs
>>>>> but not a 1.6.0_00 JVM.
>>>>>
>>>>> The latest 1.5 JVM seems OK too.
>>>>>
>>>>> Time to check the release notes. I'll hopefully have a workaround (other
>>>>> than using Java 1.5) shortly.
>>>>
>>>> Still not clear why it is required for later JVM versions
>>>
>>> <snip/>
>>>
>>> It is late and I have been in front my PC for too long today. This has
>>> already been fixed (by me!) in trunk and proposed for 6.0.x and 5.5.x.
>>> It looks the implementation of LogManager (ClassLoaderLogManager extends
>>> LogManager) has changed - hence the need for the new permission.
>>>
>>> Mark
>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>>
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message