Mark,

On 10.2.2014 10:07, Mark Thomas wrote:
In 8.0.1, I needed to add the following configuration to catalina.policy
(sensitive parts removed):

     permission java.net.SocketPermission "(dbserver)", "resolve";
     permission java.net.SocketPermission "(dbserver):(port)", "connect,resolve";

<snip/>

Do you have stack traces for the exceptions related to these? What I
really want to know is if DBCP 2 is on the code path and if so, what is
the stack trace from the entry point to DBCP 2 to this exception. If
DBCP 2 is on the code path, it looks like a PA is required somewhere.


Update: for 8.0.3, I am able to remove not only the permissions I initially reported, but also the following ones:

//    permission java.util.PropertyPermission "javax.mail.Session.Factory", "read";
//    permission java.net.SocketPermission "(mailserver)", "resolve";
//    permission java.net.SocketPermission "(mailserver):(port)", "connect,resolve";

//    permission java.net.SocketPermission "(dbserver)", "resolve";
//    permission java.net.SocketPermission "(dbserver):(port)", "connect,resolve";

----

In the meantime, I also added one new permission for 8.0.3:

    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.jni";

----

Therefore, I guess everything is as you expected in 8.0.3?

----

For clarity, I repeat the list of permissions for 8.0.1, and the updated list for 8.0.3.


8.0.1:

grant codeBase "file:${catalina.base}/webapps/(context)/-" {
    permission java.lang.RuntimePermission "modifyThread";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.util.PropertyPermission "com.sun.faces.SerializationProvider", "read";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.util.PropertyPermission "com.sun.faces.InjectionProvider", "read";
    permission java.io.FilePermission "file:(...)\\WEB-INF\\lib\\(...)!\\META-INF\\-", "read";

    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.compiler";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.util.PropertyPermission "openjpa.properties", "read";
    permission java.util.PropertyPermission "javax.persistence.properties", "read";
    permission java.util.PropertyPermission "openjpa.slice.properties", "read";
    permission java.util.PropertyPermission "javax.mail.Session.Factory", "read";
    permission java.net.SocketPermission "(mailserver)", "resolve";
    permission java.net.SocketPermission "(mailserver):(port)", "connect,resolve";

    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.dbcp2";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.pool2";
    permission java.net.SocketPermission "(dbserver)", "resolve";
    permission java.net.SocketPermission "(dbserver):(port)", "connect,resolve";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.pool2.impl";
    permission javax.management.MBeanServerPermission "createMBeanServer";
    permission javax.management.MBeanPermission "org.apache.tomcat.dbcp.pool2.impl.GenericObjectPool#-[Catalina:class=javax.sql.DataSource,context=/(context),host=localhost,name=\"(jndiname)\",pool=connections,type=DataSource]", "registerMBean";
};

----

8.0.3:

grant codeBase "file:${catalina.base}/webapps/(context)/-" {
    permission java.lang.RuntimePermission "modifyThread";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.util.PropertyPermission "com.sun.faces.SerializationProvider", "read";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.util.PropertyPermission "com.sun.faces.InjectionProvider", "read";
    permission java.io.FilePermission "file:(...)\\WEB-INF\\lib\\(...)!\\META-INF\\-", "read";

    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.compiler";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.util.PropertyPermission "openjpa.properties", "read";
    permission java.util.PropertyPermission "javax.persistence.properties", "read";
    permission java.util.PropertyPermission "openjpa.slice.properties", "read";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.jni";
};

----

BTW, my webapp is still not 100% functional with the security manager, but I am at least able to access the database server using JNDI and DBCP2. The exceptions I get seem to be completely unrelated to DBCP2 (e.g. "javax.el.ELException: /(snip).jspx: Property 'contextPath' not found on type org.apache.catalina.connector.RequestFacade").

-Ognjen
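An added example, not part of the thread: a small script that parses the grant blocks of a catalina.policy file (one permission per line or several run together, full-line `//` comments ignored) and reports which permissions a webapp codeBase lost or gained between two versions, the comparison done by hand above for 8.0.1 and 8.0.3. The two policy excerpts embedded below are constructed from the lists in this message, shortened to a few entries.

```python
import re
from typing import Dict, List, Set, Tuple

Perm = Tuple[str, str, str]  # (permission class, target, actions)

# One policy entry: permission <class> "<target>"[, "<actions>"];
# The target may contain escaped quotes, e.g. name=\"(jndiname)\" above.
PERM_RE = re.compile(
    r'permission\s+([\w.]+)\s+"((?:[^"\\]|\\.)*)"(?:\s*,\s*"([^"]*)")?\s*;')
GRANT_RE = re.compile(r'grant\s+codeBase\s+"([^"]*)"\s*\{(.*?)\}\s*;', re.S)
# Only whole-line comments are stripped; "//" may legitimately appear inside
# a quoted codeBase such as "file://...", so in-line stripping is avoided.
LINE_COMMENT_RE = re.compile(r'^\s*//.*$', re.M)


def parse_grants(policy: str) -> Dict[str, Set[Perm]]:
    """Map each codeBase to the set of permissions its grant block contains."""
    grants: Dict[str, Set[Perm]] = {}
    for codebase, body in GRANT_RE.findall(LINE_COMMENT_RE.sub("", policy)):
        perms = {(cls, target, actions or "")
                 for cls, target, actions in PERM_RE.findall(body)}
        grants.setdefault(codebase, set()).update(perms)
    return grants


def diff_grants(old: str, new: str, codebase: str) -> Tuple[List[Perm], List[Perm]]:
    """Return (permissions removed, permissions added) for one codeBase."""
    before = parse_grants(old).get(codebase, set())
    after = parse_grants(new).get(codebase, set())
    return sorted(before - after), sorted(after - before)


# Constructed excerpts of the 8.0.1 and 8.0.3 grant blocks from this message.
CODEBASE = "file:${catalina.base}/webapps/(context)/-"
POLICY_801 = """
grant codeBase "file:${catalina.base}/webapps/(context)/-" {
    permission java.lang.RuntimePermission "modifyThread";
    permission java.net.SocketPermission "(dbserver)", "resolve";
    permission java.net.SocketPermission "(dbserver):(port)", "connect,resolve"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.dbcp2";
};
"""
POLICY_803 = """
grant codeBase "file:${catalina.base}/webapps/(context)/-" {
    permission java.lang.RuntimePermission "modifyThread";
    // permission java.net.SocketPermission "(dbserver)", "resolve";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.jni";
};
"""

if __name__ == "__main__":
    removed, added = diff_grants(POLICY_801, POLICY_803, CODEBASE)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
```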


