tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alan <alanwil...@gmail.com>
Subject Re: webapps examples and security manager
Date Thu, 24 Sep 2009 13:11:25 GMT
Hallelujah!

I finally figured out what's going on with tomcat 5.5.26 when running
webapps in security mode.

In Ubuntu 9.04, with just the addition of 'permission
java.lang.RuntimePermission "setContextClassLoader";' in
catalina.policy solved the problem. This is happen because ubuntu has
its own way of starting the deamon and apparently they fixed some
problems that in tomcat 5.5.26 official distribution is not.

Since Fink also use the official distribution, I found out that I need
to tweak catalina.policy a bit further there. See the patch:

--- catalina.policy	2009-09-24 13:51:41.000000000 +0100
+++ /Users/alan/SCRIPTS/catalina.policy	2009-09-24 13:50:24.000000000 +0100
@@ -66,7 +66,7 @@
 };

 // These permissions apply to the commons-logging API
-grant codeBase "file:${catalina.home}/bin/commons-logging-api.jar" {
+grant codeBase "file:${catalina.home}/bin/commons-logging-api-1.1.1.jar" {
         permission java.security.AllPermission;
 };

@@ -82,6 +82,7 @@

 // These permissions apply to JULI
 grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
+        permission java.lang.RuntimePermission "setContextClassLoader";
         permission java.util.PropertyPermission
"java.util.logging.config.class", "read";
         permission java.util.PropertyPermission
"java.util.logging.config.file", "read";
         permission java.lang.RuntimePermission "shutdownHooks";
@@ -95,6 +96,8 @@
         // Be sure that the logging configuration is secure before
enabling such access
         // eg for the examples web application:
         // permission java.io.FilePermission
"${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties",
"read";
+        permission java.io.FilePermission
"${catalina.base}${file.separator}webapps${file.separator}jsp-examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties",
"read";
+        permission java.io.FilePermission
"${catalina.base}${file.separator}webapps${file.separator}servlets-examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties",
"read";
 };

 // These permissions apply to the servlet API classes


This basic solved my problems.

Alan

On Wed, Sep 23, 2009 at 22:58, Alan <alanwilter@gmail.com> wrote:
> Many thanks dear Mark.
>
> It's late here too but I finally, with your diligent and precious
> help, I could figure out what's going on here and even manage to have
> tomcat with security working for tomcat6.0.20 and tomcat5.5.28 (but
> not for tomcat5.5.26, last version available for Mac via Fink).
>
> Thank you very much.
>
> Alan
>
> On Wed, Sep 23, 2009 at 21:42, Mark Thomas <markt@apache.org> wrote:
>> Mark Thomas wrote:
>>> Mark Thomas wrote:
>>>> Alan wrote:
>>>>> Thanks Mark, let's deal by parts:
>>>> OK. I've reproduced it. It is happening with 1.6.0_14 and 1.6.0_16 JVMs
>>>> but not a 1.6.0_00 JVM.
>>>>
>>>> The latest 1.5 JVM seems OK too.
>>>>
>>>> Time to check the release notes. I'll hopefully have a workaround (other
>>>> than using Java 1.5) shortly.
>>>
>>> Still not clear why it is required for later JVM versions
>>
>> <snip/>
>>
>> It is late and I have been in front my PC for too long today. This has
>> already been fixed (by me!) in trunk and proposed for 6.0.x and 5.5.x.
>> It looks the implementation of LogManager (ClassLoaderLogManager extends
>> LogManager) has changed - hence the need for the new permission.
>>
>> Mark
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message