tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Catalina.policy java.security.AllPermission
Date Thu, 09 May 2013 09:45:27 GMT
Alejandro Garcia wrote:
> Hi,
> I have a problem with the Catalina’s security manager.
> 
> We are using Tomcat 6, with JDK 6 and JSF 2.1 with Spring, JPA and ICEFaces. My app works very well when I run it with the security manager disabled.
> 
> The problem appears when I enable Tomcat's security manager. My app fails when Tomcat starts, giving me the following log:
> 
> INFO: Checking whether login URL '/security/login.jsf' is accessible with your configuration
> 8/05/2013 12:29:11 PM org.springframework.web.context.ContextLoader initWebApplicationContext
> INFO: Root WebApplicationContext: initialization completed in 1969 ms
> 8/05/2013 12:29:11 PM org.apache.catalina.core.StandardContext start
> SEVERE: Error listenerStart
> 8/05/2013 12:29:11 PM org.apache.catalina.core.StandardContext start
> SEVERE: Falló en arranque del Contexto [/WebRed] debido a errores previos
> 8/05/2013 12:29:11 PM com.sun.faces.config.ConfigureListener contextDestroyed
> SEVERE: Unexpected exception when attempting to tear down the Mojarra runtime
> java.lang.NullPointerException
> at com.sun.faces.config.ConfigureListener.getInitFacesContext(ConfigureListener.java:740)
> at com.sun.faces.config.ConfigureListener.contextDestroyed(ConfigureListener.java:300)
> at org.apache.catalina.core.StandardContext.listenerStop(StandardContext.java:4245)
> at org.apache.catalina.core.StandardContext.stop(StandardContext.java:4886)
> at org.apache.catalina.core.StandardContext.start(StandardContext.java:4750)
> at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:799)
> at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:124)
> at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:146)
> at java.security.AccessController.doPrivileged(Native Method)
> at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:777)
> at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:601)
> at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:943)
> at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:563)
> at org.apache.catalina.startup.HostConfig.check(HostConfig.java:1399)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.tomcat.util.modeler.BaseModelMBean.invoke(BaseModelMBean.java:297)
> at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836)
> at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:762)
> at org.apache.catalina.manager.ManagerServlet.check(ManagerServlet.java:1500)
> at org.apache.catalina.manager.HTMLManagerServlet.doPost(HTMLManagerServlet.java:252)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:643)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:723)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:276)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
> at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:283)
> at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:56)
> at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189)
> at java.security.AccessController.doPrivileged(Native Method)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
> at org.apache.catalina.filters.CsrfPreventionFilter.doFilter(CsrfPreventionFilter.java:194)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277)
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:276)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
> at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309)
> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:250)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
> at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:56)
> at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189)
> at java.security.AccessController.doPrivileged(Native Method)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:563)
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861)
> at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:606)
> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
> at java.lang.Thread.run(Thread.java:662)
> 
> The app works very well when I put these lines in the Catalina.policy file:
> 
> grant codeBase "file:${catalina.home}/webapps/WebRed/-" {
> permission java.security.AllPermission;
> };
> 
> There were other errors because of the permissions, but I have added some, and the lines are the following:
> 
> grant codeBase "file:${catalina.home}/webapps/WebRed/-" {
> permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
> permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
> permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
> permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.core";
> permission java.lang.RuntimePermission "accessClassInPackage.org.springframework.web.context";
> permission java.lang.RuntimePermission "accessClassInPackage.org.springframework.web.context.request";
> permission java.lang.RuntimePermission "accessClassInPackage.org.springframework.web.filter";
> permission java.lang.RuntimePermission "accessClassInPackage.com.sun.faces.config";
> permission java.lang.RuntimePermission "accessClassInPackage.org.icefaces.util";
> permission java.lang.RuntimePermission "accessDeclaredMembers";
> permission org.apache.naming.JndiPermission "jndi://localhost/WebRed/*";
> permission java.io.FilePermission "/WebRed", "read";
> permission java.io.FilePermission "${catalina.home}/webapps/WebRed", "read,write";
> permission java.io.FilePermission "${catalina.home}/webapps/WebRed/-", "read,write,delete";
> permission java.util.PropertyPermission "org.apache.commons.logging.LogFactory.HashtableImpl",
"read";
> permission java.util.PropertyPermission "org.springframework.web.context.request", "read";
> permission java.util.PropertyPermission "org.springframework.web.servlet", "read";
> permission java.util.PropertyPermission "org.springframework.web.context", "read"; 
> permission java.util.PropertyPermission "org.apache.catalina.manager.util", "read";
> permission java.util.PropertyPermission "org.apache.catalina.manager", "read";
> permission java.util.PropertyPermission "org.apache.catalina", "read";
> permission java.util.PropertyPermission "org.apache.catalina.core", "read";
> permission java.util.PropertyPermission "spring.security.strategy", "read";
> permission java.util.PropertyPermission "com.icesoft.faces.webapp", "read";
> permission java.util.PropertyPermission "com.sun.faces.config", "read";
> permission java.util.PropertyPermission "javax.faces.webapp", "read";
> permission java.util.PropertyPermission "catalina.base", "read";
> permission java.util.PropertyPermission "org.icefaces.util", "read";
> };
> 
> But the app still does not work, and I do not know what other permissions it needs to run.
> 
> As I mentioned, I think it is only permissions that are required, because with “java.security.AllPermission;” it works very well.
> 

Maybe the first question should be: why do you want to run this with the Security Manager?
As far as I understand it, the Security Manager (SM) only really helps if otherwise insecure applications can be deployed within your JVM. Is that the case, or do you know and control all the applications from the start?

