Re: [Stripes-users] catalina.policy file in Tomcat with security manager
Hello,

this is caused by the fact that Stripes performs a System.getProperties() call in the StripesFilter. There are two ways around it:
- subclass StripesFilter to avoid the call;
- edit your security settings to allow the call. I'm no SecurityManager expert, but the line you need probably needs a wildcard (*).

Levi

On 12 Aug 2009 at 19:34, JiangHongTiao wrote:

Hi,
please, is there anybody who is using Tomcat with the security manager turned on and can send me the content of the catalina.policy file? My application is working without the security manager, but when I turn it on, my application throws an error. After days of googling I cannot find a solution.
Please, help. Thanks a lot.

jht

My catalina.policy file and Tomcat log:

// == SYSTEM CODE PERMISSIONS =

// These permissions apply to javac
grant codeBase "file:${java.home}/lib/-" {
    permission java.security.AllPermission;
};

// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/-" {
    permission java.security.AllPermission;
};

// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/../lib/-" {
    permission java.security.AllPermission;
};

// These permissions apply to all shared system extensions when
// ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/lib/ext/-" {
    permission java.security.AllPermission;
};

// == CATALINA CODE PERMISSIONS ===

// These permissions apply to the daemon code
grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
    permission java.security.AllPermission;
};

// These permissions apply to the logging API
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
    permission java.util.PropertyPermission "java.util.logging.config.class", "read";
    permission java.util.PropertyPermission "java.util.logging.config.file", "read";
    permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
    permission java.lang.RuntimePermission "shutdownHooks";
    permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
    permission java.util.PropertyPermission "catalina.base", "read";
    permission java.util.logging.LoggingPermission "control";
    permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
    permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
    permission java.lang.RuntimePermission "getClassLoader";
    // To enable per context logging configuration, permit read access to the appropriate file.
    // Be sure that the logging configuration is secure before enabling such access
    // eg for the examples web application:
    // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
};

// These permissions apply to the server startup code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
    permission java.security.AllPermission;
};

// These permissions apply to the servlet API classes
// and those that are shared across all class loaders
// located in the "lib" directory
grant codeBase "file:${catalina.home}/lib/-" {
    permission java.security.AllPermission;
};

// == WEB APPLICATION PERMISSIONS =

// These permissions are granted by default to all web applications
// In addition, a web application will be given a read FilePermission
// and JndiPermission for all files and directories in its document root.
grant {
    // Required for JNDI lookup of named JDBC DataSource's and
    // javamail named MimePart DataSource used to send mail
    permission java.util.PropertyPermission "java.home", "read";
    permission java.util.PropertyPermission "java.naming.*", "read";
    permission java.util.PropertyPermission "javax.sql.*", "read";

    // OS Specific properties to allow read access
    permission java.util.PropertyPermission "os.name", "read";
    permission java.util.PropertyPermission "os.version", "read";
    permission java.util.PropertyPermission "os.arch", "read";
    permission java.util.PropertyPermission "file.separator", "read";
    permission java.util.PropertyPermission "path.separator", "read";
    permission java.util.PropertyPermission "line.separator", "read";

    // JVM properties to allow read access
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "java.vendor", "read";
    permission java.util.PropertyPerm
Re: [Stripes-users] catalina.policy file in Tomcat with security manager
A few corrections to my previous mail: the offending line is a System.getProperty(...) call and is done by the BootstrapPropertyResolver. So that's the class to subclass (and configure) if you would like to override the behaviour.

On Wed, Aug 12, 2009 at 8:25 PM, Levi Hoogenberg wrote:
> Hello,
>
> this is caused by the fact that Stripes performs a System.getProperties()
> call in the StripesFilter. There are two ways around it:
> - subclass StripesFilter to avoid the call;
> - edit your security settings to allow the call. I'm no SecurityManager
> expert, but the line you need probably needs a wildcard (*).
>
> Levi
>
> On 12 Aug 2009 at 19:34, JiangHongTiao wrote:
>
> Hi,
> please, is there anybody who is using Tomcat with the security manager turned
> on and can send me the content of the catalina.policy file? My application is
> working without the security manager, but when I turn it on, my
> application throws an error. After days of googling I cannot find a solution.
> Please, help. Thanks a lot.
>
> jht
>
> My catalina.policy file and Tomcat log:
>
> // == SYSTEM CODE PERMISSIONS =
>
> // These permissions apply to javac
> grant codeBase "file:${java.home}/lib/-" {
>     permission java.security.AllPermission;
> };
>
> // These permissions apply to all shared system extensions
> grant codeBase "file:${java.home}/jre/lib/ext/-" {
>     permission java.security.AllPermission;
> };
>
> // These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
> grant codeBase "file:${java.home}/../lib/-" {
>     permission java.security.AllPermission;
> };
>
> // These permissions apply to all shared system extensions when
> // ${java.home} points at $JAVA_HOME/jre
> grant codeBase "file:${java.home}/lib/ext/-" {
>     permission java.security.AllPermission;
> };
>
> // == CATALINA CODE PERMISSIONS ===
>
> // These permissions apply to the daemon code
> grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
>     permission java.security.AllPermission;
> };
>
> // These permissions apply to the logging API
> grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
>     permission java.util.PropertyPermission "java.util.logging.config.class", "read";
>     permission java.util.PropertyPermission "java.util.logging.config.file", "read";
>     permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
>     permission java.lang.RuntimePermission "shutdownHooks";
>     permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
>     permission java.util.PropertyPermission "catalina.base", "read";
>     permission java.util.logging.LoggingPermission "control";
>     permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
>     permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
>     permission java.lang.RuntimePermission "getClassLoader";
>     // To enable per context logging configuration, permit read access to the appropriate file.
>     // Be sure that the logging configuration is secure before enabling such access
>     // eg for the examples web application:
>     // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
> };
>
> // These permissions apply to the server startup code
> grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
>     permission java.security.AllPermission;
> };
>
> // These permissions apply to the servlet API classes
> // and those that are shared across all class loaders
> // located in the "lib" directory
> grant codeBase "file:${catalina.home}/lib/-" {
>     permission java.security.AllPermission;
> };
>
> // == WEB APPLICATION PERMISSIONS =
>
> // These permissions are granted by default to all web applications
> // In addition, a web application will be given a read FilePermission
> // and JndiPermission for all files and directories in its document root.
> grant {
>     // Required for JNDI lookup of named JDBC DataSource's and
>     // javamail named MimePart DataSource used to send mail
>     permission java.util.PropertyPermission "java.home", "read";
>     permission java.util.PropertyPermission "java.naming.*", "read";
>     permission java.util.PropertyPermission "javax.sql.*", "read";
>
>     // OS Specific properties to allow read access
>     permission java.util.PropertyPermission "os.name",
Re: [Stripes-users] catalina.policy file in Tomcat with security manager
Thank you for your answer Levi, but I still don't know how to grant permissions. I was trying to add these lines to the catalina.policy file:

grant codeBase "file:/home/xjuraj/NetBeansProjects/WebApplication2/build/web/WEB-INF/lib/commons-logging.jar" {
    permission java.security.AllPermission;
};

grant codeBase "file:/home/xjuraj/NetBeansProjects/WebApplication2/build/web/WEB-INF/lib/cos.jar" {
    permission java.security.AllPermission;
};

grant codeBase "file:/home/xjuraj/NetBeansProjects/WebApplication2/build/web/WEB-INF/lib/stripes.jar" {
    permission java.security.AllPermission;
};

grant {
    permission net.sourceforge.stripes.config.BootstrapPropertyResolver "*", "read";
    permission java.security.AccessControlException "*", "read";
    permission java.util.PropertyPermission "*", "read";
};

but without success. I also tried to ask on the Tomcat forum, but in the meantime there is no answer.
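
Added example, not part of the thread and not Stripes or Tomcat code: a small Java check of which property accesses the PropertyPermission grants quoted above cover. System.getProperty(key) is checked against PropertyPermission(key, "read"), while System.getProperties() is checked against PropertyPermission("*", "read,write"), so a read-only wildcard covers the first but not the second. The class name and the key `example.app.setting` are hypothetical; the check uses Permissions.implies directly rather than running under a security manager.

```java
import java.security.Permissions;
import java.util.PropertyPermission;

// Added illustration: models the PropertyPermission grants visible in the
// posted catalina.policy and checks which property accesses they cover.
public class PropertyGrantCheck {

    // Read grants copied from the default web-application block in the thread.
    static Permissions defaultWebappGrants() {
        Permissions p = new Permissions();
        for (String name : new String[] {
                "java.home", "java.naming.*", "javax.sql.*",
                "os.name", "os.version", "os.arch",
                "file.separator", "path.separator", "line.separator",
                "java.version", "java.vendor" }) {
            p.add(new PropertyPermission(name, "read"));
        }
        return p;
    }

    // Permission demanded for System.getProperty(key).
    static PropertyPermission neededForGetProperty(String key) {
        return new PropertyPermission(key, "read");
    }

    // Permission demanded for System.getProperties().
    static PropertyPermission neededForGetProperties() {
        return new PropertyPermission("*", "read,write");
    }

    static void report(String label, Permissions granted, PropertyPermission needed) {
        String what = needed.getName() + " (" + needed.getActions() + ")";
        System.out.printf("%-26s %-42s %s%n", label, what,
                granted.implies(needed) ? "allowed" : "DENIED");
    }

    public static void main(String[] args) {
        Permissions base = defaultWebappGrants();
        Permissions widened = defaultWebappGrants();
        widened.add(new PropertyPermission("*", "read")); // wildcard line from the last mail

        String appKey = "example.app.setting"; // hypothetical key, not taken from Stripes
        report("default, getProperty", base, neededForGetProperty("java.naming.factory.initial"));
        report("default, getProperty", base, neededForGetProperty(appKey));
        report("default, getProperties", base, neededForGetProperties());
        report("wildcard, getProperty", widened, neededForGetProperty(appKey));
        report("wildcard, getProperties", widened, neededForGetProperties());
    }
}
```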