James Carman wrote:
I read somewhere here <http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.wasee.doc/info/ee/ae/rsec_rsecmgr2.html> that there's a file called filter.policy that can override the settings in the was.policy file.

filter.policy reads:

filterMask {
  permission java.lang.RuntimePermission "exitVM";
  permission java.lang.RuntimePermission "setSecurityManager";
  permission java.security.SecurityPermission "setPolicy";
  permission javax.security.auth.AuthPermission "setLoginConfiguration";
};

runtimeFilterMask {
  permission java.lang.RuntimePermission "exitVM";
  permission java.lang.RuntimePermission "setSecurityManager";
  permission java.security.SecurityPermission "setPolicy";
  permission javax.security.auth.AuthPermission "setLoginConfiguration";
};




My was.policy reads:

grant codeBase "file:${application}" {
   permission java.security.AllPermission;
   permission java.lang.RuntimePermission "accessClassInPackage.*";
   permission java.lang.RuntimePermission
"accessClassInPackage.sun.beans.infos";
};

grant codeBase "" {
permission java.security.AllPermission;
permission java.lang.RuntimePermission "accessClassInPackage.*";
permission java.lang.RuntimePermission
"accessClassInPackage.sun.beans.infos";
};


{application} is expanded to mean all parts of the ear (ejb's jars etc)

I think the problem is that the generated class does not belong to the codeBases given...





-----Original Message-----
From: David J. M. Karlsen [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 12, 2005 5:10 PM
To: [email protected]
Subject: Re: Serious Java2 sercurity problem


James Carman wrote:

>What do you have in your filter.policy file?
Hmm, took a look at: http://publib.boulder.ibm.com/infocenter/ws60help/index.jsp?topic=/com.ibm.websphere.nd.doc/info/ae/ae/tsec_filterpolicy.html


(it's for WAS6, but I guess a lot or all of the settings apply for 5.0.x
as well).
I'll have a try experimenting with the file:${jars},
what file:${application} means isn't stated - maybe it doesn't cover
all parts of the EAR?

>-----Original Message-----
>From: David J. M. Karlsen [mailto:[EMAIL PROTECTED]
>Sent: Thursday, May 12, 2005 4:39 PM
>To: [email protected]
>Subject: Serious Java2 sercurity problem
>
>
>Hi list!
>
>I've been running my HM app inside a WebSphere 5.0.x container for a
>long time - and all well.
>
>BUT, when we turn on security things start to fail. The application has
>a was.policy (WebSphere's naming of a java.security file) in the EAR,
>granting:
>
>grant codeBase "java:${application}" {
> java.security.AllPermission
>};
>
>(taken from memory - but it's valid syntax)
>
>I've tried to add:
>
> grant {
> java.security.AllPermission;
>}
>
>which should grant all permissions regardless of signing of code or
>where the code came from.
>
>But still, I end up with this:
>
>[12.05.05 21:46:26:392 CEST] 6f98ac SecurityManag W SECJ0314W: Current
>Java 2 Security policy reported a potential violation of Java 2
>Security Permission. Please refer to Problem Determination Guide for
>further information.
>
>Permission:
>
> accessClassInPackage.sun.beans.infos : access denied
>(java.lang.RuntimePermission accessClassInPackage.sun.beans.infos)
>
>Code:
>
> $InnerProxy_103d2718b8e_1 in {null code URL}
>
>Stack Trace:
>
>java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.sun.beans.infos)
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:267)
> at java.security.AccessController.checkPermission(AccessController.java:394)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:540)
> at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:168)
> at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1496)
> at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:285)
> at java.lang.ClassLoader.loadClass(ClassLoader.java:287)
> at java.lang.ClassLoader.loadClass(ClassLoader.java:250)
> at com.ibm.ws.classloader.ProtectionClassLoader.loadClass(ProtectionClassLoader.java:43)
> at com.ibm.ws.classloader.ProtectionClassLoader.loadClass(ProtectionClassLoader.java:39)
> at com.ibm.ws.classloader.CompoundClassLoader.loadClass(CompoundClassLoader.java:318)
> at java.lang.ClassLoader.loadClass(ClassLoader.java:250)
> at com.ibm.ws.classloader.CompoundClassLoader.loadClass(CompoundClassLoader.java:294)
> at java.lang.ClassLoader.loadClass(ClassLoader.java:250)
> at com.ibm.ws.classloader.CompoundClassLoader.loadClass(CompoundClassLoader.java:318)
> at java.lang.ClassLoader.loadClass(ClassLoader.java:250)
> at java.beans.Introspector.instantiate(Introspector.java:1294)
> at java.beans.Introspector.findInformant(Introspector.java:335)
> at java.beans.Introspector.<init>(Introspector.java:264)
> at java.beans.Introspector.getBeanInfo(Introspector.java:89)
> at org.apache.hivemind.util.PropertyUtils.buildClassAdaptor(PropertyUtils.java:148)
> at org.apache.hivemind.util.PropertyUtils.getAdaptor(PropertyUtils.java:137)
> at org.apache.hivemind.util.PropertyUtils.getPropertyType(PropertyUtils.java:91)
> at org.apache.hivemind.schema.rules.ReadAttributeRule.begin(ReadAttributeRule.java:78)
> at org.apache.hivemind.impl.SchemaElement.fireBegin(SchemaElement.java:209)
> at org.apache.hivemind.impl.SchemaProcessorImpl.processElement(SchemaProcessorImpl.java:213)
> at org.apache.hivemind.impl.SchemaProcessorImpl.processRootElement(SchemaProcessorImpl.java:188)
> at org.apache.hivemind.impl.SchemaProcessorImpl.process(SchemaProcessorImpl.java:176)
> at org.apache.hivemind.impl.InvokeFactoryServiceConstructor.constructCoreServiceImplementation(InvokeFactoryServiceConstructor.java:82)
>
>
>
>known problem? Any workarounds? I'm going in for acceptance-test for my
>customer - so I'm kind of in a hurry. All help will be very much
>appreciated.
>
>Regs,
>David K.
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
>

--
David J. M. Karlsen - +47 90 68 22 43
http://www.davidkarlsen.com
http://mp3.davidkarlsen.com
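
An added example, not part of the original messages: a small check of how the JDK's own `java.security.CodeSource.implies` compares a `codeBase` location with a class that reports no code URL, as `$InnerProxy_...` does in the log above ("{null code URL}"). The paths and the class name `CodeBaseMatchDemo` are hypothetical, and WebSphere's own policy handling (was.policy expansion, filter.policy) is not modelled here.

```java
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;

public class CodeBaseMatchDemo {

    // Build an unsigned CodeSource; a null url stands for "no code URL".
    static CodeSource source(String url) throws Exception {
        return new CodeSource(url == null ? null : new URL(url), (Certificate[]) null);
    }

    // True when a grant written for 'codeBase' would match the code source of class 'c'.
    // Pass a generated class here to see whether a codeBase grant can apply to it at all.
    static boolean covers(CodeSource codeBase, Class<?> c) {
        // getCodeSource() may be null; implies(null) then returns false.
        return codeBase.implies(c.getProtectionDomain().getCodeSource());
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical expansion of a codeBase entry; "/-" matches everything below the directory.
        CodeSource earGrant = source("file:/opt/apps/demo.ear/-");
        // A grant written without any codeBase.
        CodeSource bareGrant = source(null);

        // Constructed sample code sources: a jar inside the EAR, and a class with no code URL.
        CodeSource earJar = source("file:/opt/apps/demo.ear/lib/hivemind.jar");
        CodeSource generated = source(null);

        System.out.println("ear grant  vs jar inside the EAR : " + earGrant.implies(earJar));
        System.out.println("ear grant  vs null code URL      : " + earGrant.implies(generated));
        System.out.println("bare grant vs null code URL      : " + bareGrant.implies(generated));
        System.out.println("ear grant  vs this demo class    : "
                + covers(earGrant, CodeBaseMatchDemo.class));
    }
}
```

A `codeBase` with a location never implies a code source whose location is null, so widening the `codeBase` pattern cannot reach such a class; whether a grant without `codeBase` is honoured for it depends on the policy implementation in use.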
