[ https://issues.apache.org/jira/browse/GERONIMO-4037?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12599120#action_12599120 ]
Dan Becker commented on GERONIMO-4037:
--------------------------------------

Hi Jacques,

It is definitely strange that your security policy would work on Linux but not on Windows. The behavior you mention should be the same on all platforms.

From your stack trace above, it appears that org.apache.geronimo.gbean.runtime.GBeanInstance.createInstance(GBeanInstance.java:1056) is attempting to set a class loader, which is a privileged action requiring a runtime permission, but somehow the policy you have set is not visible to the security manager.

Three possible problems with your security policy client.policy that you might be able to easily test.

1) I thought the grant statement in the policy file required a URL for the code base. You might need to add the URL for the Geronimo code base in order for this permission to be visible.

2) The JVM command line arg -Djava.security.policy=client.policy requires a URL for the location of the policy file. It could be that this file is visible in Linux and not in Windows. You might want to hard code a file URL to test this.

3) The "-Djava.security.policy" policy file value will be ignored if the "policy.allowSystemProperty" property in the security properties file is set to false. The default is true. You can add this to the command line with -Dpolicy.allowSystemProperty=true.

You can also get lots of security diagnostics of running with security managers when you add -Djava.security.debug=policy or -Djava.security.debug=all.

Report back and let me know if any of these work.

> Geronimo 2.0.3 (and I guess at least 2.0.2) can't run with a security manager settled from the command line using -Djava.security.manager
> ------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: GERONIMO-4037
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4037
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public (Regular issues)
>          Components: kernel, security
>    Affects Versions: 2.0.2
>         Environment: Windows Xp Sp2
>            Reporter: Jacques Le Roux
>            Priority: Blocker
>
> I'm facing an issue on Windows XPsp2: I can't run WASCE with a security manager settled from the command line using -Djava.security.manager -Djava.security.policy=client.policy options. I get the error below. Note that this is working properly under Linux (Ubuntu and SUSE as well).
>
> C:\geronimo-tomcat6-jee5-2.0.3\bin>geronimo run
> Using GERONIMO_BASE: C:\geronimo-tomcat6-jee5-2.0.3
> Using GERONIMO_HOME: C:\geronimo-tomcat6-jee5-2.0.3
> Using GERONIMO_TMPDIR: var\temp
> Using JRE_HOME: C:\Program Files\Java\jre1.5.0_11
> Listening for transport dt_socket at address: 5005
> Booting Geronimo Kernel (in Java 1.5.0_11)...
> Starting Geronimo Application Server v2.0.3-SNAPSHOT
> [***> ] 11% 27s Starting org.apac...15:57:28,625 ERROR [GBeanInstanceState] Error while starting; GBean is now in the FAILED state: abstractName="org.apache.geronimo.configs/j2ee-security/2.0.3-SNAPSHOT/car?ServiceModule=org.apache.geronimo.configs/j2ee-security/2.0.3-SNAPSHOT/car,j2eeType=GBean,name=SecurityService"
> java.lang.LinkageError: org/apache/geronimo/security/jacc/GeronimoPolicyConfigurationFactory
>     at org.apache.geronimo.security.jacc.GeronimoPolicy.implies(GeronimoPolicy.java:74)
>     at java.security.ProtectionDomain.implies(Unknown Source)
>     at java.security.AccessControlContext.checkPermission(Unknown Source)
>     at java.security.AccessController.checkPermission(Unknown Source)
>     at java.lang.SecurityManager.checkPermission(Unknown Source)
>     at java.lang.Thread.setContextClassLoader(Unknown Source)
>     at org.apache.geronimo.gbean.runtime.GBeanInstance.createInstance(GBeanInstance.java:1056)
>     at org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStart(GBeanInstanceState.java:268)
>     at org.apache.geronimo.gbean.runtime.GBeanInstanceState.start(GBeanInstanceState.java:102)
>     at org.apache.geronimo.gbean.runtime.GBeanInstanceState.startRecursive(GBeanInstanceState.java:124)
>     at org.apache.geronimo.gbean.runtime.GBeanInstance.startRecursive(GBeanInstance.java:553)
>     at org.apache.geronimo.kernel.basic.BasicKernel.startRecursiveGBean(BasicKernel.java:379)
>     at org.apache.geronimo.kernel.config.ConfigurationUtil.startConfigurationGBeans(ConfigurationUtil.java:448)
>     at org.apache.geronimo.kernel.config.KernelConfigurationManager.start(KernelConfigurationManager.java:187)
>     at org.apache.geronimo.kernel.config.SimpleConfigurationManager.startConfiguration(SimpleConfigurationManager.java:530)
>     at org.apache.geronimo.kernel.config.SimpleConfigurationManager$$FastClassByCGLIB$$ce77a924.invoke(<generated>)
>     at net.sf.cglib.reflect.FastMethod.invoke(FastMethod.java:53)
>     at org.apache.geronimo.gbean.runtime.FastMethodInvoker.invoke(FastMethodInvoker.java:38)
>     at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:124)
>     at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:830)
>     at org.apache.geronimo.gbean.runtime.RawInvoker.invoke(RawInvoker.java:57)
>     at org.apache.geronimo.kernel.basic.RawOperationInvoker.invoke(RawOperationInvoker.java:35)
>     at org.apache.geronimo.kernel.basic.ProxyMethodInterceptor.intercept(ProxyMethodInterceptor.java:96)
>     at org.apache.geronimo.kernel.config.EditableConfigurationManager$$EnhancerByCGLIB$$7e14cd11.startConfiguration(<generated>)
>     at org.apache.geronimo.system.main.EmbeddedDaemon.doStartup(EmbeddedDaemon.java:156)
>     at org.apache.geronimo.system.main.EmbeddedDaemon.execute(EmbeddedDaemon.java:78)
>     at org.apache.geronimo.kernel.util.MainConfigurationBootstrapper.main(MainConfigurationBootstrapper.java:45)
>     at org.apache.geronimo.cli.AbstractCLI.executeMain(AbstractCLI.java:67)
>     at org.apache.geronimo.cli.daemon.DaemonCLI.main(DaemonCLI.java:30)
> 15:57:28,640 WARN [BasicLifecycleMonitor] Exception occured while notifying listener
> [...]
>
> This is needed in order to launch the OFBiz RMIDispatcher (in other words to allow using RMI inside Apache OFBiz). That's why I put this issue as a blocker.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
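
The three checks suggested in the comment above can be run in one pass with a small diagnostic, given here as an added example that is not part of the original message or of Geronimo. The class name PolicyCheck and the code-base argument are hypothetical; it assumes a JVM that still loads file-based policies and is started from the same directory, with the same -Djava.security.policy value as the server, but without -Djava.security.manager so that reading the policy is itself unrestricted.

```java
import java.io.File;
import java.net.URL;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Policy;
import java.security.Security;
import java.security.cert.Certificate;

// Hypothetical diagnostic class, not Geronimo code. Usage:
//   java -Djava.security.policy=client.policy PolicyCheck <code-base-URL>
// where <code-base-URL> is the location of a jar the server loads, as a file: URL.
public class PolicyCheck {
    public static void main(String[] args) throws Exception {
        // Point 3: the security properties file can disable -Djava.security.policy.
        String allow = Security.getProperty("policy.allowSystemProperty");
        System.out.println("policy.allowSystemProperty = " + allow);
        if ("false".equalsIgnoreCase(allow)) {
            System.out.println("  -> the -Djava.security.policy value is ignored");
        }

        // Point 2: show what the option resolves to from the current directory.
        String spec = System.getProperty("java.security.policy");
        System.out.println("java.security.policy = " + spec);
        if (spec != null) {
            // "==file" (value starting with '=') replaces the default policy files.
            String loc = spec.startsWith("=") ? spec.substring(1) : spec;
            File f = new File(loc);
            if (f.exists()) {
                System.out.println("  -> file " + f.getCanonicalPath());
            } else {
                try {
                    new URL(loc).openStream().close();
                    System.out.println("  -> readable as URL");
                } catch (Exception e) {
                    System.out.println("  -> NOT readable as file or URL: " + e);
                }
            }
        }

        // Point 1: ask the effective policy what the given code base is granted.
        // The stack trace fails inside Thread.setContextClassLoader, which checks
        // RuntimePermission("setContextClassLoader").
        Permission needed = new RuntimePermission("setContextClassLoader");
        CodeSource cs = new CodeSource(new URL(args[0]), (Certificate[]) null);
        PermissionCollection granted = Policy.getPolicy().getPermissions(cs);
        System.out.println(cs.getLocation() + " granted " + needed.getName()
                + ": " + granted.implies(needed));
    }
}
```

Running it from the same working directory on Linux and on Windows shows whether the relative name client.policy resolves to a readable file on both, and whether the grant entries match the server's code base.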