tomcat-users mailing list archives

From Alan <alanwil...@gmail.com>
Subject my webapps and security manager
Date Tue, 29 Sep 2009 16:23:18 GMT
Hi there,

I installed tomcat5 via Fink on Snow Leopard 10.6.1 kernel 64 bits:

amadeus[2249]:/sw/var/log/tomcat5% $CATALINA_HOME/bin/catalina.sh version
Using CATALINA_BASE:   /sw/var/tomcat5
Using CATALINA_HOME:   /sw/var/tomcat5
Using CATALINA_TMPDIR: /sw/var/tomcat5/temp
Using JRE_HOME:       /Library/Java/Home
Server version: Apache Tomcat/5.5.26
Server built:   Jan 28 2008 01:35:23
Server number:  5.5.26.0
OS Name:        Mac OS X
OS Version:     10.6.1
Architecture:   x86_64
JVM Version:    1.6.0_15-b03-219
JVM Vendor:     Apple Inc.

Tomcat's webapps examples work fine now with security manager after
some tweaks in catalina.policy.
(added lines shown below)

grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
        permission java.lang.RuntimePermission "setContextClassLoader";
        [snip]
        permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}jsp-examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
        permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}servlets-examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
};

And tomcat webapps examples now work fine with tomcat 5.5.26 and Sun
Java 1.6.0_15-b03-219.

However, what I want is MY application working with security manager.

After some reading and lots (and lots) of trial and error (catalina.out
log helps, but it could help more...) I came to this set of policies
for my application:

grant {
    //PiMS
    permission java.util.PropertyPermission "*", "read,write";
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper";
    permission javax.management.MBeanPermission "*", "*";
    permission javax.management.MBeanTrustPermission "register";
//    permission java.util.PropertyPermission "cglib.debugLocation", "read";
    permission java.net.SocketPermission "127.0.0.1:5432", "connect,resolve";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks","";
    permission javax.management.MBeanServerPermission "createMBeanServer";
//    permission java.util.PropertyPermission "net.sf.ehcache.*", "read";
//    permission java.util.PropertyPermission "java.io.tmpdir", "read";
    permission java.io.FilePermission "./conf/pims_log4j.properties", "read";
    permission java.io.FilePermission "./conf/Hibernate.log.txt", "read, write";
    permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}pims${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
};

It works now, but the problem is the line:

    permission java.util.PropertyPermission "*", "read,write";

If I comment this line and uncomment the others, I get this in catalina.out:

[snip]
INFO: XML validation disabled
Read of system Properties blocked -- ignoring any configuration via System properties, and using Empty Properties! (But any configuration via a resource properties files is still okay!)
java.security.AccessControlException: access denied (java.util.PropertyPermission * read,write)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
[snip]
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)
Read of system Properties blocked -- ignoring any configuration via System properties, and using Empty Properties! (But any configuration via a resource properties files is still okay!)
java.security.AccessControlException: access denied (java.util.PropertyPermission * read,write)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
[snip]
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)
16:00:40,027  INFO:MLog -MLog clients using log4j logging.
16:00:40,200  INFO:C3P0Registry -jdk1.5 management interfaces unavailable... JMX support disabled.
java.security.AccessControlException: access denied (javax.management.MBeanServerPermission createMBeanServer)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
[snip]
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)
16:00:40,223  WARN:PoolConfig -Read of system Properties blocked -- ignoring any c3p0 configuration via System properties! (But any configuration via a c3p0.properties file is still okay!)
java.security.AccessControlException: access denied (java.util.PropertyPermission * read,write)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
[snip]

Is not 'permission java.util.PropertyPermission "*", "read,write";'
too lax? If so, how then can I find out what
"java.security.AccessControlException: access denied
(java.util.PropertyPermission * read,write)" wants to tell me?

Obviously I am doing something wrong, but the fact is I've been playing
with this for more than a week and I'm getting really tired, which is
likely weakening my sense of observation and reason, and I am probably
skipping something obvious, if not the whole thing.

Any help would be very much appreciated.

Many thanks in advance,
Alan
-- 
Alan Wilter Sousa da Silva, D.Sc.
PDBe group, PiMS project http://www.pims-lims.org/
EMBL - EBI, Wellcome Trust Genome Campus, Hinxton, Cambridge CB10 1SD, UK
+44 (0)1223 492 583 (office)
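
Added example, not part of the original message: a small Python script that pulls the "access denied (...)" entries out of a catalina.out excerpt, de-duplicates them and prints them as catalina.policy permission lines. The sample log is constructed from the excerpt above, the function names are this example's own, and splitting name from actions on the last space is a heuristic.

```python
import re

# Constructed sample modelled on the catalina.out excerpt above, including the
# mail-wrapped form where the permission lands on the line after "access denied".
SAMPLE_LOG = """\
INFO: XML validation disabled
java.security.AccessControlException: access denied
(java.util.PropertyPermission * read,write)
\tat java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
java.security.AccessControlException: access denied
(javax.management.MBeanServerPermission createMBeanServer)
java.security.AccessControlException: access denied (java.util.PropertyPermission * read,write)
java.security.AccessControlException: access denied (java.io.FilePermission ./conf/pims_log4j.properties read)
"""

# "access denied (<class> [<name> [<actions>]])", tolerating a line break before "(".
DENIED = re.compile(r"access denied\s*\((\S+)(?:[ \t]+([^\n]*?))?\)[ \t]*$", re.M)


def denied_permissions(log_text):
    """Return unique (class, name, actions) tuples in first-seen order."""
    seen = []
    for cls, rest in DENIED.findall(log_text):
        # Heuristic: with two or more tokens the last one is the actions list.
        name, _, actions = rest.rpartition(" ")
        if not name:  # single token: a target name with no actions
            name, actions = actions, ""
        entry = (cls, name.strip(), actions)
        if entry not in seen:
            seen.append(entry)
    return seen


def is_bulk_property_access(cls, name, actions):
    # PropertyPermission "*" "read,write" is what SecurityManager.checkPropertiesAccess()
    # checks, i.e. the caller used System.getProperties()/setProperties() rather than
    # System.getProperty(key). A per-key grant such as "net.sf.ehcache.*" cannot imply it.
    return (cls, name, actions) == ("java.util.PropertyPermission", "*", "read,write")


def report(log_text):
    """Render each denied permission as a policy-file line, annotating bulk access."""
    lines = []
    for cls, name, actions in denied_permissions(log_text):
        line = 'permission %s "%s"' % (cls, name)
        line += (', "%s";' % actions) if actions else ";"
        if is_bulk_property_access(cls, name, actions):
            line += "  // from System.getProperties(); narrow via a per-codeBase grant"
        lines.append(line)
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Starting the JVM with -Djava.security.debug=access,failure additionally prints the stack and the protection domain that lacked each permission, which identifies the code base a narrower grant block would need to name.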
