If anything, you should "unsign" the jar. I can't remember off the top of my head if there is a jarsigner command to do this. At worst you could expand the jar, remove the signature manifest file from META-INF, then re-jar.

Andrew

On Jul 20, 2009, at 19:31, Paul Sterk <[email protected]> wrote:

On 7/20/2009 3:03 PM, Andrew Jaquith wrote:
The easiest way to fix this problem is to turn off Java security policy enforcement. JSPWiki wasn't really ever fully tuned to run with a SecurityManager installed.
I checked the GlassFish Security pane and the Security Manager is unchecked. Is there more I need to do?

You might also experiment (instead) with removing the 'signedBy JSPWiki' clauses in the policy files -- these are causing the search for the .jks file.

I did this. I changed the file in domains/domain1/config and in WEB-INF. I am seeing the same problem.

What else can I check?  Should I re-sign the jar file?

Paul

Andrew

On Jul 20, 2009, at 17:33, Paul Sterk <[email protected]> wrote:


Hi,

I am in the process of moving a JSPWiki 2.2 instance from one host to another using version GlassFish 9.1_u01 and have come across the following failure displayed in the log file:

context(null)- permission (("com.ecyrd.jspwiki.auth.permissions.AllPermission","GlassFish Wiki")) domain that failed(ProtectionDomain (file:/storage/glassfishwiki/server/glassfish_v2ur1/domains/domain1/applications/j2ee-modules/appserver/WEB-INF/lib/JSPWiki.jar

More details are shown below. After some searching, I found out that I must have jspwiki.jks located in (app name)/WEB-INF and in the app server's domains/domain1/config directory. I have done that. I also found out that I had to append the JSPWiki server.policy section to the app server's server.policy file (see below). I have done that also.

I still get the domain protection failure. What did I miss? BTW, I do not have the option to upgrade the JSPWiki.

Paul

[#|2009-07-19T17:41:38.727-0700|INFO|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-80-0;|JACC Policy Provider: PolicyWrapper.implies, context(null)- permission (("com.ecyrd.jspwiki.auth.permissions.AllPermission","GlassFish Wiki")) domain that failed(ProtectionDomain (file:/storage/glassfishwiki/server/glassfish_v2ur1/domains/domain1/applications/j2ee-modules/appserver/WEB-INF/lib/JSPWiki.jar [
[
Version: V1
Subject: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division, O=jspwiki.org, C=FI
Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3

Key: SunPKCS11-Solaris DSA public key, 1024 bits (id 143695096, session object)
Validity: [From: Fri Mar 02 09:35:56 PST 2007,
             To: Thu May 31 10:35:56 PDT 2007]
Issuer: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division, O=jspwiki.org, C=FI
SerialNumber: [    45e8607c]

]
Algorithm: [SHA1withDSA]
Signature:
0000: 30 2C 02 14 37 83 53 EC 47 39 1B 73 EE 7C 7E 39 0,..7.S.G9.s...9
0010: 89 78 04 31 86 22 DF 1C 02 14 5A CB CE 61 E3 F8 .x. 1."....Z..a..
0020: 8F 73 70 E7 47 DA 5A D9 28 2C DE E0 4C F2 .sp.G.Z. (,..L.

])
WebappClassLoader
delegate: true
repositories:
  /WEB-INF/classes/
----------> Parent Classloader:
EJBClassLoader :
urlSet = []
doneCalled = false
Parent -> java.net.urlclassloa...@1f0cf51


(principals com.ecyrd.jspwiki.auth.WikiPrincipal "Guest",
com.ecyrd.jspwiki.auth.authorize.Role "Anonymous",
com.ecyrd.jspwiki.auth.authorize.Role "All")

--- --- --- --- --- --- --- --- --- --- --- --- -------------------------------------------------------------------

keystore "jspwiki.jks";

// JSPWiki itself needs some basic privileges in order to operate.
// If you are running JSPWiki with a security manager, don't change these,
// because it will totally b0rk the system.

grant signedBy "jspwiki" {
  permission java.security.SecurityPermission   "getPolicy";
  permission java.security.SecurityPermission   "setPolicy";
  permission java.util.PropertyPermission "java.security.auth.login.config", "write";
  permission java.util.PropertyPermission "java.security.policy", "read,write";
  permission javax.security.auth.AuthPermission "getLoginConfiguration";
  permission javax.security.auth.AuthPermission "setLoginConfiguration";
};

grant signedBy "jspwiki",
principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
  permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
  permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
  permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
  permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};


grant signedBy "jspwiki",
principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
  permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
  permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
  permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
  permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
  permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};

grant signedBy "jspwiki",
principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
  permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
  permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "view";
  permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
  permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
  permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};

grant signedBy "jspwiki",
principal com.ecyrd.jspwiki.auth.authorize.Role "Validated" {
  permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
  // permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
  permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
  permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
  permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
  permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
  permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};

grant signedBy "jspwiki",
principal com.ecyrd.jspwiki.auth.GroupPrincipal "Validated" {
  permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
  // permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
  permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
  permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
  permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
  permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
  permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};

grant signedBy "jspwiki",
principal com.ecyrd.jspwiki.auth.GroupPrincipal "ServletSpec" {
  permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
  permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
  permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
  permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
  permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
  permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
  permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};

grant signedBy "jspwiki",
principal com.ecyrd.jspwiki.auth.GroupPrincipal "Sip" {
  permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:*", "view";
  permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
  permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*", "modify,rename";
  permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "createPages,createGroups";
  permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editPreferences";
  permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "editProfile";
  permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*", "login";
};

// Administrators (principals or roles possessing AllPermission)
// are allowed to delete any page, and can edit, rename and delete
// groups. You should match the permission target (here, 'JSPWiki')
// with the value of the 'jspwiki.applicationName' property in
// jspwiki.properties. Two administrative groups are set up below:
// the wiki group "Admin" (stored by default in wiki page GroupAdmin)
// and the container role "Admin" (managed by the web container).

grant signedBy "jspwiki",
principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
  permission com.ecyrd.jspwiki.auth.permissions.AllPermission "GlassFish Wiki";
  permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Open ESB Wiki";
  permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Slynkr Wiki";
  permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Update Center Wiki";
  permission com.ecyrd.jspwiki.auth.permissions.AllPermission "SocialSite Wiki";
};
grant signedBy "jspwiki",
principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
  permission com.ecyrd.jspwiki.auth.permissions.AllPermission "GlassFish Wiki";
  permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Open ESB Wiki";
  permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Slynkr Wiki";
  permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Update Center Wiki";
  permission com.ecyrd.jspwiki.auth.permissions.AllPermission "SocialSite Wiki";
};
