Re: ProtectionDomain failure

Mon, 20 Jul 2009 16:31:52 -0700 

On 7/20/2009 3:03 PM, Andrew Jaquith wrote:
The easiest way to fix this problem is to turn off Java security policy enforcement. JSPWiki wasn't really ever fully tuned to run with a SecurityManager installed.
I checked the GlassFish Security pane and the Security Manager is unchecked. Is there more I need to do? 


Your might also experiment (instead) with removing the 'signedBy 
JSPWiki' clauses in the policy files -- these are causing the search 
for the .jks file.



I did this.  I changed the file in domains/domain1/config and in 
WEB-INF. I am seeing the same problem.


What else can I check?  Should I resign the jar file?

Paul


Andrew

On Jul 20, 2009, at 17:33, Paul Sterk <[email protected]> wrote:



Hi,


I am in the process of moving a JSPWiki 2.2 instance from one host to 
another using version GlassFish 9.1_u01 and have come across the 
following failure displayed in the log file:



context(null)- 
permission(("com.ecyrd.jspwiki.auth.permissions.AllPermission","GlassFish 
Wiki")) domain that failed(ProtectionDomain  
(file:/storage/glassfishwiki/server/glassfish_v2ur1/domains/domain1/applications/j2ee-modules/appserver/WEB-INF/lib/JSPWiki.jar 




More details are shown below. After some searching, I found out that 
I must have jspwiki.jks located in (app name)/WEB-INF and in the app 
server's domains/domain1/config directory.  I have done that.  I also 
found out that I had to append the JSPWiki server.policy section to 
the app server's server.policy file (see below). I have done that also.



I still get the domain protection failure.  What did I miss?  BTW, I 
do not have the option to upgrade the JSPWiki.


Paul


[#|2009-07-19T17:41:38.727-0700|INFO|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-80-0;|JACC 
Policy Provider: PolicyWrapper.implies, context(null)- 
permission(("com.ecyrd.jspwiki.auth.permissions.AllPermission","GlassFish 
Wiki")) domain that failed(ProtectionDomain  
(file:/storage/glassfishwiki/server/glassfish_v2ur1/domains/domain1/applications/j2ee-modules/appserver/WEB-INF/lib/JSPWiki.jar 
[

[
 Version: V1

 Subject: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division, 
O=jspwiki.org, C=FI

 Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3


 Key:  SunPKCS11-Solaris DSA public key, 1024 bits (id 143695096, 
session object)
 y: 
685336709211189479978176481322996401882667342822443461375871414904657271343827072933994730697972525463287186110312511525703609990543636216407479486 





03057873733660321330081871201176281154664912732522693955389713650625161330397090864782939712676489034956390674378204731139907826475282246840419508442831 





762130982

 p: 
178011905478542266528237562450159990145232156369120674273274450314442865788737020770612695252123463079567156784778466449970650770920727857050009668 





38814403412974522117181850604723115003930107995935806739534871706631980226201971496652413506094591370759495651467285569060679413583754270737172742955134 





3320695239
 q: 864205495604807476120572616017955259175325408501

 g: 
174068207532402095185811980123523436538604490794561350978495831040599953488455823147851597408940950725307797094915759492368300574252438761037084473 





46718014887611810308304375498519098347260155049469132948808339549231385000036164648264460849230407872181895999905649609776936801774927370896200668918795 





6744210730
 Validity: [From: Fri Mar 02 09:35:56 PST 2007,
              To: Thu May 31 10:35:56 PDT 2007]

 Issuer: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division, 
O=jspwiki.org, C=FI

 SerialNumber: [    45e8607c]

]
 Algorithm: [SHA1withDSA]
 Signature:

0000: 30 2C 02 14 37 83 53 EC   47 39 1B 73 EE 7C 7E 39  
0,..7.S.G9.s...9
0010: 89 78 04 31 86 22 DF 1C   02 14 5A CB CE 61 E3 F8  
.x.1."....Z..a..

0020: 8F 73 70 E7 47 DA 5A D9   28 2C DE E0 4C F2        .sp.G.Z.(,..L.

])
WebappClassLoader
 delegate: true
 repositories:
   /WEB-INF/classes/
----------> Parent Classloader:
EJBClassLoader :
urlSet = []
doneCalled = false
Parent -> java.net.urlclassloa...@1f0cf51


(principals com.ecyrd.jspwiki.auth.WikiPrincipal "Guest",
com.ecyrd.jspwiki.auth.authorize.Role "Anonymous",
com.ecyrd.jspwiki.auth.authorize.Role "All")


------------------------------------------------------------------------------------------------------- 



keystore "jspwiki.jks";

// JSPWiki itself needs some basic privileges in order to operate.

// If you are running JSPWiki with a security manager, don't change 
these,

// because it will totally b0rk the system.

grant signedBy "jspwiki" {
   permission java.security.SecurityPermission   "getPolicy";
   permission java.security.SecurityPermission   "setPolicy";

   permission java.util.PropertyPermission       
"java.security.auth.login.config", "write";
   permission java.util.PropertyPermission       
"java.security.policy", "read,write";
   permission javax.security.auth.AuthPermission 
"getLoginConfiguration";
   permission javax.security.auth.AuthPermission 
"setLoginConfiguration";

};

grant signedBy "jspwiki",
 principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {

   permission com.ecyrd.jspwiki.auth.permissions.PagePermission 
"*:*", "view";
   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
"editPreferences";
   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
"editProfile";
   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
"login";

};


grant signedBy "jspwiki",
 principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {

   permission com.ecyrd.jspwiki.auth.permissions.GroupPermission 
"*:*", "view";
   permission com.ecyrd.jspwiki.auth.permissions.PagePermission 
"*:*", "view";
   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
"editPreferences";
   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
"editProfile";
   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
"login";

};

grant signedBy "jspwiki",
 principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {

   permission com.ecyrd.jspwiki.auth.permissions.GroupPermission 
"*:*", "view";
   permission com.ecyrd.jspwiki.auth.permissions.PagePermission 
"*:*", "view";
   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
"editPreferences";
   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
"editProfile";
   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
"login";

};

grant signedBy "jspwiki",
 principal com.ecyrd.jspwiki.auth.authorize.Role "Validated" {

   permission com.ecyrd.jspwiki.auth.permissions.GroupPermission 
"*:*", "view";
   // permission com.ecyrd.jspwiki.auth.permissions.GroupPermission 
"*:<groupmember>", "edit";
   permission com.ecyrd.jspwiki.auth.permissions.PagePermission 
"*:*", "modify,rename";
   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
"createPages,createGroups";
   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
"editPreferences";
   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
"editProfile";
   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
"login";

};

grant signedBy "jspwiki",
 principal com.ecyrd.jspwiki.auth.GroupPrincipal "Validated" {

   permission com.ecyrd.jspwiki.auth.permissions.GroupPermission 
"*:*", "view";
   // permission com.ecyrd.jspwiki.auth.permissions.GroupPermission 
"*:<groupmember>", "edit";
   permission com.ecyrd.jspwiki.auth.permissions.PagePermission 
"*:*", "modify,rename";
   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
"createPages,createGroups";
   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
"editPreferences";
   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
"editProfile";
   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
"login";

};

grant signedBy "jspwiki",
 principal com.ecyrd.jspwiki.auth.GroupPrincipal "ServletSpec" {

   permission com.ecyrd.jspwiki.auth.permissions.GroupPermission 
"*:*", "view";
   permission com.ecyrd.jspwiki.auth.permissions.GroupPermission 
"*:<groupmember>", "edit";
   permission com.ecyrd.jspwiki.auth.permissions.PagePermission 
"*:*", "modify,rename";
   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
"createPages,createGroups";
   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
"editPreferences";
   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
"editProfile";
   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
"login";

};

grant signedBy "jspwiki",
 principal com.ecyrd.jspwiki.auth.GroupPrincipal "Sip" {

   permission com.ecyrd.jspwiki.auth.permissions.GroupPermission 
"*:*", "view";
   permission com.ecyrd.jspwiki.auth.permissions.GroupPermission 
"*:<groupmember>", "edit";
   permission com.ecyrd.jspwiki.auth.permissions.PagePermission 
"*:*", "modify,rename";
   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
"createPages,createGroups";
   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
"editPreferences";
   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
"editProfile";
   permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", 
"login";

};

// Administrators (principals or roles possessing AllPermission)
// are allowed to delete any page, and can edit, rename and delete
// groups. You should match the permission target (here, 'JSPWiki')
// with the value of the 'jspwiki.applicationName' property in
// jspwiki.properties. Two administative groups are set up below:
// the wiki group "Admin" (stored by default in wiki page GroupAdmin)
// and the container role "Admin" (managed by the web container).

grant signedBy "jspwiki",
 principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {

   permission com.ecyrd.jspwiki.auth.permissions.AllPermission 
"GlassFish Wiki";
   permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Open 
ESB Wiki";
   permission com.ecyrd.jspwiki.auth.permissions.AllPermission 
"Slynkr Wiki";
   permission com.ecyrd.jspwiki.auth.permissions.AllPermission 
"Update Center Wiki";
   permission com.ecyrd.jspwiki.auth.permissions.AllPermission 
"SocialSite Wiki";

};
grant signedBy "jspwiki",
 principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {

   permission com.ecyrd.jspwiki.auth.permissions.AllPermission 
"GlassFish Wiki";
   permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Open 
ESB Wiki";
   permission com.ecyrd.jspwiki.auth.permissions.AllPermission 
"Slynkr Wiki";
   permission com.ecyrd.jspwiki.auth.permissions.AllPermission 
"Update Center Wiki";
   permission com.ecyrd.jspwiki.auth.permissions.AllPermission 
"SocialSite Wiki";

};
























					Reply via email to