Mark,
On 10.2.2014 10:07, Mark Thomas wrote:
>> In 8.0.1, I needed to add the following configuration to catalina.policy
>> (sensitive parts removed):
>>
>>     permission java.net.SocketPermission "(dbserver)", "resolve";
>>     permission java.net.SocketPermission "(dbserver):(port)", "connect,resolve";
>>
>> <snip/>
>
> Do you have stack traces for the exceptions related to these? What I
> really want to know is if DBCP 2 is on the code path and if so, what is
> the stack trace from the entry point to DBCP 2 to this exception. If
> DBCP 2 is on the code path, it looks like a PA is required somewhere.
Update: for 8.0.3, I am able to remove not only the permissions I initially
reported, but also the following ones:

    // permission java.util.PropertyPermission "javax.mail.Session.Factory", "read";
    // permission java.net.SocketPermission "(mailserver)", "resolve";
    // permission java.net.SocketPermission "(mailserver):(port)", "connect,resolve";
    // permission java.net.SocketPermission "(dbserver)", "resolve";
    // permission java.net.SocketPermission "(dbserver):(port)", "connect,resolve";
----
In the meantime, I also added one new permission for 8.0.3:

    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.jni";
----
Therefore, I guess everything is as you expected in 8.0.3?
----
For clarity, I repeat the list of permissions for 8.0.1, and the updated
list for 8.0.3.
8.0.1:

grant codeBase "file:${catalina.base}/webapps/(context)/-" {
    permission java.lang.RuntimePermission "modifyThread";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.util.PropertyPermission "com.sun.faces.SerializationProvider", "read";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.util.PropertyPermission "com.sun.faces.InjectionProvider", "read";
    permission java.io.FilePermission "file:(...)\\WEB-INF\\lib\\(...)!\\META-INF\\-", "read";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.compiler";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.util.PropertyPermission "openjpa.properties", "read";
    permission java.util.PropertyPermission "javax.persistence.properties", "read";
    permission java.util.PropertyPermission "openjpa.slice.properties", "read";
    permission java.util.PropertyPermission "javax.mail.Session.Factory", "read";
    permission java.net.SocketPermission "(mailserver)", "resolve";
    permission java.net.SocketPermission "(mailserver):(port)", "connect,resolve";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.dbcp2";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.pool2";
    permission java.net.SocketPermission "(dbserver)", "resolve";
    permission java.net.SocketPermission "(dbserver):(port)", "connect,resolve";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.pool2.impl";
    permission javax.management.MBeanServerPermission "createMBeanServer";
    permission javax.management.MBeanPermission "org.apache.tomcat.dbcp.pool2.impl.GenericObjectPool#-[Catalina:class=javax.sql.DataSource,context=/(context),host=localhost,name=\"(jndiname)\",pool=connections,type=DataSource]", "registerMBean";
};
----
8.0.3:

grant codeBase "file:${catalina.base}/webapps/(context)/-" {
    permission java.lang.RuntimePermission "modifyThread";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.util.PropertyPermission "com.sun.faces.SerializationProvider", "read";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.util.PropertyPermission "com.sun.faces.InjectionProvider", "read";
    permission java.io.FilePermission "file:(...)\\WEB-INF\\lib\\(...)!\\META-INF\\-", "read";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.compiler";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.util.PropertyPermission "openjpa.properties", "read";
    permission java.util.PropertyPermission "javax.persistence.properties", "read";
    permission java.util.PropertyPermission "openjpa.slice.properties", "read";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.jni";
};
----
BTW, my webapp is still not 100% functional with the security manager, but I
am at least able to access the database server using JNDI and DBCP2.
The exceptions I get seem to be completely unrelated to DBCP2 (e.g.
"javax.el.ELException: /(snip).jspx: Property 'contextPath' not found on
type org.apache.catalina.connector.RequestFacade").
-Ognjen
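As an added illustration of the "PA" (PrivilegedAction) Mark refers to, and not code from Tomcat, DBCP 2 or this thread: a hypothetical container-side helper showing why the webapp codeBase needed SocketPermission "resolve" for the database host in 8.0.1 and no longer does once the trusted (container) code wraps the sensitive call in AccessController.doPrivileged. The class name and both methods are assumptions made for this example.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

/**
 * Hypothetical container-side helper (illustration only, not Tomcat or
 * DBCP 2 code). Under a SecurityManager the permission check walks the
 * whole call stack, so when a webapp calls into trusted container code
 * the webapp's protection domain is still on the stack and the check
 * fails unless the webapp's own codeBase is granted the permission too.
 * doPrivileged stops the stack walk at this frame, so only the codeBase
 * of this class (the container's grant in catalina.policy) needs it.
 */
public final class PrivilegedResolver {

    private PrivilegedResolver() {}

    /** Resolve using only this class's privileges (the "PA" pattern). */
    public static InetAddress resolve(final String host) throws UnknownHostException {
        try {
            return AccessController.doPrivileged(
                new PrivilegedExceptionAction<InetAddress>() {
                    @Override
                    public InetAddress run() throws UnknownHostException {
                        // SocketPermission "host", "resolve" is checked here
                        return InetAddress.getByName(host);
                    }
                });
        } catch (PrivilegedActionException e) {
            // Unwrap the checked exception thrown inside run()
            throw (UnknownHostException) e.getException();
        }
    }

    /**
     * Same call without doPrivileged: every protection domain on the
     * stack, including the calling webapp's, must hold "resolve" for
     * host, which is the extra grant seen in the 8.0.1 policy above.
     */
    public static InetAddress resolveUnwrapped(String host) throws UnknownHostException {
        return InetAddress.getByName(host);
    }
}
```

Keep the doPrivileged block as small as possible, since everything inside it runs with the container's full privileges on behalf of the less trusted caller.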
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org