tomcat-users mailing list archives

From Petr Hracek <phrac...@gmail.com>
Subject Re: Catalina.policy file for security option
Date Tue, 08 Nov 2011 12:51:56 GMT
Yes, Tomcat should run as a back-end server (AJP) behind apache2-2.2.21.
I have added the following permissions to catalina.policy:
        permission javax.management.MBeanServerPermission "createMBeanServer";
        permission javax.management.MBeamPermission "com.javamonitor.mbeans.*", "*";
        permission javax.management.MBeanTrustPermission "register";
        permission javax.management.MBeanServerPermission "findMBeanServer";
        permission java.net.SocketPermission "java-monitor.com:80", "connect";
        permission java.net.SocketPermission "java-monitor.com:80", "resolve";

In the catalina.out log I see:
log4j:WARN No appenders could be found for logger
(org.apache.catalina.startup.Embedded).
log4j:WARN Please initialize the log4j system properly.

But in ps -ef | grep java and lsof -i | grep java I do not see port
8009 or 8005, or even that tomcat5 is starting.

Where could the problem be?

On 7 November 2011 12:29, André Warnier <aw@ice-sa.com> wrote:
> Petr Hracek wrote:
>>
>> Dear tomcat users,
>>
>> I have tried to configure my really old tomcat5 configuration (for using
>> -security), but tomcat is not running.
>
> Petr,
> can you be a bit more specific? What is not running? Does it start? Does
> it crash after starting? Is it just not answering requests? Are there
> error messages anywhere?
>
>> On my system tomcat5 is run only as a servlet
>> engine and not as a web server.
>>
> Do you mean for example that it runs as a back-end server (through AJP
> e.g.), with a front-end webserver serving all static content ?
>
>
>
>> Do you have any example catalina.policy file?
>> My catalina.policy file is:
>> // ========== SYSTEM CODE PERMISSIONS =========================================
>>
>>
>> // These permissions apply to javac
>> grant codeBase "file:${java.home}/lib/-" {
>>        permission java.security.AllPermission;
>> };
>>
>> // These permissions apply to all shared system extensions
>> grant codeBase "file:${java.home}/jre/lib/ext/-" {
>>        permission java.security.AllPermission;
>> };
>>
>> // These permissions apply to javac when ${java.home} points at $JAVA_HOME/jre
>> grant codeBase "file:${java.home}/../lib/-" {
>>        permission java.security.AllPermission;
>> };
>>
>> // These permissions apply to all shared system extensions when
>> // ${java.home} points at $JAVA_HOME/jre
>> grant codeBase "file:${java.home}/lib/ext/-" {
>>        permission java.security.AllPermission;
>> };
>>
>> // ========== CATALINA CODE PERMISSIONS =======================================
>>
>>
>> // These permissions apply to the launcher code
>> grant codeBase "file:${catalina.home}/bin/commons-launcher.jar" {
>>        permission java.security.AllPermission;
>> };
>>
>> // These permissions apply to the daemon code
>> grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
>>        permission java.security.AllPermission;
>> };
>>
>> // These permissions apply to the commons-logging API
>> grant codeBase "file:${catalina.home}/bin/commons-logging-api-1.1.1.jar" {
>>        permission java.security.AllPermission;
>> };
>>
>> // These permissions apply to the server startup code
>> grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
>>        permission java.security.AllPermission;
>> };
>>
>> // These permissions apply to the JMX server
>> grant codeBase "file:${catalina.home}/bin/jmx.jar" {
>>        permission java.security.AllPermission;
>> };
>>
>> // These permissions apply to JULI
>> grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
>>        permission java.util.PropertyPermission "java.util.logging.config.class", "read";
>>        permission java.util.PropertyPermission "java.util.logging.config.file", "read";
>>        permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
>>        permission java.lang.RuntimePermission "shutdownHooks";
>>        permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
>>        permission java.util.PropertyPermission "catalina.base", "read";
>>        permission java.util.logging.LoggingPermission "control";
>>        permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
>>        permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
>>        permission java.lang.RuntimePermission "getClassLoader";
>>        // To enable per context logging configuration, permit read access to the appropriate file.
>>        // Be sure that the logging configuration is secure before enabling such access
>>        // eg for the examples web application:
>>        // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
>> };
>>
>> // These permissions apply to the servlet API classes
>> // and those that are shared across all class loaders
>> // located in the "common" directory
>> grant codeBase "file:${catalina.home}/common/-" {
>>        permission java.security.AllPermission;
>> };
>>
>> // These permissions apply to the container's core code, plus any additional
>> // libraries installed in the "server" directory
>> grant codeBase "file:${catalina.home}/server/-" {
>>        permission java.security.AllPermission;
>> };
>>
>> // The permissions granted to the balancer WEB-INF/classes and WEB-INF/lib directory
>> grant codeBase "file:${catalina.home}/webapps/balancer/-" {
>>        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester";
>>        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester.*";
>> };
>>
>> // ========== WEB APPLICATION PERMISSIONS =====================================
>>
>>
>> // These permissions are granted by default to all web applications
>> // In addition, a web application will be given a read FilePermission
>> // and JndiPermission for all files and directories in its document root.
>> grant {
>>    // Required for JNDI lookup of named JDBC DataSource's and
>>    // javamail named MimePart DataSource used to send mail
>>    permission java.util.PropertyPermission "java.home", "read";
>>    permission java.util.PropertyPermission "java.naming.*", "read";
>>    permission java.util.PropertyPermission "javax.sql.*", "read";
>>
>>    // OS Specific properties to allow read access
>>    permission java.util.PropertyPermission "os.name", "read";
>>    permission java.util.PropertyPermission "os.version", "read";
>>    permission java.util.PropertyPermission "os.arch", "read";
>>    permission java.util.PropertyPermission "file.separator", "read";
>>    permission java.util.PropertyPermission "path.separator", "read";
>>    permission java.util.PropertyPermission "line.separator", "read";
>>
>>    // JVM properties to allow read access
>>    permission java.util.PropertyPermission "java.version", "read";
>>    permission java.util.PropertyPermission "java.vendor", "read";
>>    permission java.util.PropertyPermission "java.vendor.url", "read";
>>    permission java.util.PropertyPermission "java.class.version", "read";
>>    permission java.util.PropertyPermission "java.specification.version", "read";
>>    permission java.util.PropertyPermission "java.specification.vendor", "read";
>>    permission java.util.PropertyPermission "java.specification.name", "read";
>>
>>    permission java.util.PropertyPermission "java.vm.specification.version", "read";
>>    permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
>>    permission java.util.PropertyPermission "java.vm.specification.name", "read";
>>    permission java.util.PropertyPermission "java.vm.version", "read";
>>    permission java.util.PropertyPermission "java.vm.vendor", "read";
>>    permission java.util.PropertyPermission "java.vm.name", "read";
>>
>>    // Required for OpenJMX
>>    permission java.lang.RuntimePermission "getAttribute";
>>
>>    // Allow read of JAXP compliant XML parser debug
>>    permission java.util.PropertyPermission "jaxp.debug", "read";
>>
>>    // Precompiled JSPs need access to this package.
>>    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
>>    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
>>
>>    // Precompiled JSPs need access to this system property.
>>    permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
>> };
>>
>>
>> My server.xml configuration file is:
>> <?xml version="1.0" encoding="UTF-8"?>
>> <!--
>>  Licensed to the Apache Software Foundation (ASF) under one or more
>>  contributor license agreements.  See the NOTICE file distributed with
>>  this work for additional information regarding copyright ownership.
>>  The ASF licenses this file to You under the Apache License, Version 2.0
>>  (the "License"); you may not use this file except in compliance with
>>  the License.  You may obtain a copy of the License at
>>
>>      http://www.apache.org/licenses/LICENSE-2.0
>>
>>  Unless required by applicable law or agreed to in writing, software
>>  distributed under the License is distributed on an "AS IS" BASIS,
>>  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>>  See the License for the specific language governing permissions and
>>  limitations under the License.
>> -->
>>
>> <Server port="8005" shutdown="SHUTDOWN">
>>
>>  <Listener className="org.apache.catalina.core.AprLifecycleListener" />
>>  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
>>  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
>>  <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>
>>
>>  <!-- Global JNDI resources -->
>>  <GlobalNamingResources>
>>
>>    <!-- Test entry for demonstration purposes -->
>>    <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
>>
>>    <!-- Editable user database that can also be used by
>>         UserDatabaseRealm to authenticate users -->
>>    <Resource name="UserDatabase" auth="Container"
>>              type="org.apache.catalina.UserDatabase"
>>       description="User database that can be updated and saved"
>>           factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>>          pathname="conf/tomcat-users.xml" />
>>
>>  </GlobalNamingResources>
>>
>>  <!-- Define the Tomcat Stand-Alone Service -->
>>  <Service name="Catalina">
>>
>>    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
>>    <Connector port="8080" maxHttpHeaderSize="8192"
>>               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>>               enableLookups="false" redirectPort="8443" acceptCount="100"
>>               connectionTimeout="20000" disableUploadTimeout="true" />
>>    <!-- Note : To disable connection timeouts, set connectionTimeout value
>>     to 0 -->
>>
>>    <!-- Define an AJP 1.3 Connector on port 8009 -->
>>    <Connector port="8009"
>>               enableLookups="false" redirectPort="8443"
>>               protocol="AJP/1.3" address="127.0.0.1" />
>>
>>    <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
>>    <!-- See proxy documentation for more information about using this. -->
>>    <Engine name="Catalina" defaultHost="localhost">
>>
>>      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>>             resourceName="UserDatabase"/>
>>
>>      <!-- Define the default virtual host
>>           Note: XML Schema validation will not work with Xerces 2.2.
>>       -->
>>      <Host name="localhost" appBase="webapps"
>>       unpackWARs="true" autoDeploy="true"
>>       xmlValidation="false" xmlNamespaceAware="false">
>>
>>
>>        <!--
>>        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
>>        -->
>>
>>        <!--
>>        <Valve className="org.apache.catalina.valves.AccessLogValve"
>>                 directory="logs"  prefix="localhost_access_log." suffix=".txt"
>>                 pattern="common" resolveHosts="false"/>
>>        -->
>>        <!--
>>        <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve"
>>                 directory="logs"  prefix="localhost_access_log." suffix=".txt"
>>                 pattern="common" resolveHosts="false"/>
>>        -->
>>      </Host>
>>
>>    </Engine>
>>
>>  </Service>
>>
>> </Server>
>>
>> Thank you in advance.
>> If any logs will be need I can provide of course.
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>



-- 
Best Regards / S pozdravem
Petr Hracek
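An added example, not code from anyone in this thread: a small POSIX shell lint for a catalina.policy file, to run before starting Tomcat with -security. Two things in the permissions posted above are worth checking mechanically. First, permission lines only take effect inside a grant { ... } block, and the post shows them bare; a permission outside any grant, or an unbalanced brace, is a parse error that makes the JVM's policy parser discard the file. Second, the class javax.management.MBeamPermission does not exist (the JDK class is javax.management.MBeanPermission); the policy parser does not reject an unknown class name but keeps the entry as an UnresolvedPermission, so that grant silently never applies. The sample policy in the block is constructed here (the posted permissions placed in a grant for a hypothetical webapps/monitor codeBase), and KNOWN_PERMISSION_CLASSES is my own short allow-list, not a complete catalogue of JDK permission classes.

```shell
#!/bin/sh
# Added example, not code from the thread: a small lint for a Java policy
# file such as Tomcat's catalina.policy, run before starting Tomcat with
# -security. It catches two mistakes the JVM will not point out clearly:
#   1. a "permission" line outside any grant { ... } block, or an
#      unbalanced brace (a parse error; the JVM discards the whole file);
#   2. a permission class name that does not exist (the parser keeps it
#      as an UnresolvedPermission, so the grant silently never applies).
# KNOWN_PERMISSION_CLASSES is an assumed allow-list of the JDK permission
# classes a typical catalina.policy uses; extend it for your own.

KNOWN_PERMISSION_CLASSES='
java.security.AllPermission
java.security.SecurityPermission
java.io.FilePermission
java.net.SocketPermission
java.util.PropertyPermission
java.util.logging.LoggingPermission
java.lang.RuntimePermission
java.lang.reflect.ReflectPermission
javax.management.MBeanPermission
javax.management.MBeanServerPermission
javax.management.MBeanTrustPermission
javax.security.auth.AuthPermission
'

# lint_policy FILE: print one finding per line; return 0 only if none.
lint_policy() {
    file=$1
    status=0

    # Pass 1: structure. String literals are removed before counting braces,
    # because codeBase values such as "file:${catalina.home}/lib/-" contain
    # braces that are not block delimiters.
    awk '
        {
            line = $0
            gsub(/"[^"]*"/, "", line)       # drop string literals
            sub(/\/\/.*/, "", line)         # drop // comments
            if (line ~ /^[ \t]*permission[ \t]/ && depth == 0) {
                printf("line %d: permission outside any grant block\n", NR); bad = 1
            }
            depth += gsub(/\{/, "", line)
            depth -= gsub(/\}/, "", line)
            if (depth < 0) { printf("line %d: unexpected }\n", NR); bad = 1; depth = 0 }
        }
        END {
            if (depth != 0) { printf("%d grant block(s) never closed\n", depth); bad = 1 }
            exit bad
        }' "$file" || status=1

    # Pass 2: every permission class must be one the JVM can actually load.
    for cls in $(awk '/^[ \t]*permission[ \t]/ { print $2 }' "$file" | sort -u); do
        if ! printf '%s\n' "$KNOWN_PERMISSION_CLASSES" | grep -qxF "$cls"; then
            printf 'unknown permission class: %s\n' "$cls"
            status=1
        fi
    done
    return $status
}

# write_samples BAD GOOD: constructed input (not from the thread). BAD holds
# the permissions from the post, wrapped in a grant for a hypothetical
# webapps/monitor codeBase, keeping the MBeamPermission spelling; GOOD is
# the same file with the real class name javax.management.MBeanPermission.
write_samples() {
    cat > "$1" <<'EOF'
// constructed sample, modelled on the permissions posted in the thread
grant codeBase "file:${catalina.home}/webapps/monitor/-" {
        permission javax.management.MBeanServerPermission "createMBeanServer";
        permission javax.management.MBeamPermission "com.javamonitor.mbeans.*", "*";
        permission javax.management.MBeanTrustPermission "register";
        permission javax.management.MBeanServerPermission "findMBeanServer";
        permission java.net.SocketPermission "java-monitor.com:80", "connect,resolve";
};
EOF
    sed 's/MBeamPermission/MBeanPermission/' "$1" > "$2"
}

demo() {
    tmp=${TMPDIR:-/tmp}/policy-lint.$$
    mkdir -p "$tmp"
    write_samples "$tmp/bad.policy" "$tmp/good.policy"
    for f in bad good; do
        if lint_policy "$tmp/$f.policy"; then
            echo "$f.policy: OK"
        else
            echo "$f.policy: has findings (see above)"
        fi
    done
    rm -rf "$tmp"
}

demo
```

If the file passes the lint but Tomcat still fails under -security, start it once with CATALINA_OPTS="-Djava.security.debug=access,failure" and look for the AccessControlException in catalina.out: that output names the exact permission and codeBase that was denied, which is what a grant block needs to target.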


