Re: Security Policy while running as a windows service

2005-01-20 Thread Peter Rossbach
Start the tomcat5w.exe and open the configure options.
Open the java tab and add your jvm parameters.
-Djava.security.SecurityManager
-Djava.security.policy==/conf/catalina.policy
Two "==" signs is right to override the complete policy :-)
Peter
Asim Alp wrote:
> Hello everyone,
> I'm running my Tomcat 5.5.4 as a Windows Service.  Is there a way to
> put the -security option to the GUI application?  I'm trying to get my
> service to start with the catalina.policy file for extra security.
> Thanks,
> Asim
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
 




Security Policy while running as a windows service

2005-01-18 Thread Asim Alp
Hello everyone,

I'm running my Tomcat 5.5.4 as a Windows Service.  Is there a way to
put the -security option to the GUI application?  I'm trying to get my
service to start with the catalina.policy file for extra security.

Thanks,

Asim




RE: reload security policy without Tomcat restart?

2004-03-04 Thread Shapira, Yoav

Hi,

>I want to be able to make changes to my catalina.policy and to apply
>those changes without restarting Tomcat. Is this possible, and how would
>I go about it?

This is not a tomcat issue, but rather a general java one.  The
SecurityManager reads the policy file once, upon its construction.  So
you can't reset it or anything.  However, you can construct a new one
and call System.setSecurityManager with your new one.  So the overall
answer to your question is yes, but you need to write a bit of code,
e.g. a servlet, to do it.

The above is only AFAIK, I haven't played around with this in a very
long time (a couple of major java releases), so it could be wrong, out
of date, or both ;)

Yoav Shapira






q: reload security policy without Tomcat restart?

2004-03-04 Thread David Boyer
I want to be able to make changes to my catalina.policy and to apply
those changes without restarting Tomcat. Is this possible, and how would
I go about it?
 
TIA!


Re: Security Policy

2003-12-17 Thread Jeanfrancois Arcand


Kwok Peng Tuck wrote:

> Hi list ,
>   With regards to the security manager in tomcat, is it possible
> to ship a policy file with each webapp ?

No it is not. You have to put those permissions in catalina.policy.

-- Jeanfrancois



Security Policy

2003-12-16 Thread Kwok Peng Tuck
Hi list ,
  With regards to the security manager in tomcat, is it possible to 
ship a policy file with each webapp ?



Security policy files

2002-09-30 Thread Collins, Jim

Hi,

I know that when Tomcat starts it uses the catalina.policy file. Does anyone
know if it is possible to set a security policy file for individual WebApps?

Thanks

Jim.






Security Policy problem - need to specify ALL jar files with a codebase wildcard

2002-06-18 Thread Neale Rudd

Hi,

We are having trouble using security policies (catalina.policy) to
grant access to a codebase that has multiple jar files.

I am able to get folder-based codebases to work correctly:
eg: grant "file://d:/webapps/-"

This successfully grants access to all the permissions I
set, which works fine for Servlets and JSP files, but JAR
files in the WEB-INF/lib folder cannot access the
permissions.

Using a jar:file URL works:
For example:  jar:file:/D:/webapps/ROOT/WEB-INF/lib/myjar.jar!/

However:  jar:file:/D:/webapps/-
... fails being an invalid JAR URL as it doesn't end in "!/"

While this works on a file-by-file workaround, it means we have
to set the permissions for every jar file, in every context of the
webapps folder in order to enforce the security policy effectively.

As we host different customers uploading different applications,
and different contexts, this makes the security policies unusable
for JAR files.

Is there a way to specify these as a wildcard URL
like the server libraries do?

eg:
grant codeBase "file:${catalina.home}/lib/-" {
  permission java.security.AllPermission;
};

Any suggestions?


FURTHER NOTES - For Tomcat Developers
===
I have investigated this further with policy dumps of the security
logs, and have noticed Tomcat creates CodeSource objects
using the "jar:file:/jar-path.jar!/" url format when deploying jar
files from the webapps folder.  When deploying the system jar files
however, it seems to use the "file:/jar-file.jar" format, which allows
the master permissions (catalina.home/lib/-) to work as wildcards.


Thanks in advance,
Neale Rudd
metawerx
http://www.metawerx.net
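
The matching behaviour described in the notes above can be reproduced with the JDK's own CodeSource.implies, which the default policy implementation uses to compare a grant's codeBase with the location a class was loaded from. This is an added example, not part of the original post; the class and helper names are hypothetical, and the paths are the ones quoted in the message.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;

// Hypothetical demo class: shows why a file: wildcard codeBase does not
// cover code whose CodeSource location is a jar:file: URL.
public class CodeBaseWildcardDemo {

    // Build an unsigned CodeSource for a location string.
    // The cast picks the Certificate[] constructor (there is also a CodeSigner[] one).
    @SuppressWarnings("deprecation") // new URL(String) is deprecated in recent JDKs but still works
    static CodeSource source(String location) throws MalformedURLException {
        return new CodeSource(new URL(location), (Certificate[]) null);
    }

    // True when a grant with codeBase `grant` would apply to code loaded from `loaded`.
    static boolean covers(String grant, String loaded) throws MalformedURLException {
        return source(grant).implies(source(loaded));
    }

    public static void main(String[] args) throws Exception {
        // Recursive directory grant, as in the post.
        String wildcard = "file:/D:/webapps/-";
        // Location form the post reports for system jars.
        String asFile = "file:/D:/webapps/ROOT/WEB-INF/lib/myjar.jar";
        // Location form the post reports for jars deployed from webapps.
        String asJar = "jar:file:/D:/webapps/ROOT/WEB-INF/lib/myjar.jar!/";

        // The protocol is compared before the path, so "file" never matches "jar".
        System.out.println("file: wildcard vs file: location     -> " + covers(wildcard, asFile));
        System.out.println("file: wildcard vs jar:file: location -> " + covers(wildcard, asJar));
        System.out.println("exact jar:file: grant vs same jar    -> " + covers(asJar, asJar));

        // A jar: URL without "!/" cannot be constructed, so no wildcard form exists for it.
        try {
            source("jar:file:/D:/webapps/-");
            System.out.println("jar:file: wildcard accepted");
        } catch (MalformedURLException e) {
            System.out.println("jar:file: wildcard rejected: " + e.getMessage());
        }
    }
}
```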








JNDI / Tomcat Security Policy

2001-04-17 Thread eric chacon

Folks,

I am trying to deploy a PoolMan DataSource with JNDI, accessible from 
Tomcat.

I'm running Tomcat 3.2.1, Linux, Postgresql 7.0.?, and Apache (using 
mod_jk.so).

I seem to be having trouble with my security policies--

Poolman 1.4.1 (the most recent version I could make work--2.0 was a crashing 
failure) comes with a DeployDataSource tool that is used to attach a 
DataSource to a JNDI server.

It is run with the command line

java -Djava.security.policy=poolman.policy DeployDataSource userdb

This policy is very simple:

grant {
permission java.security.AllPermission;
};

If I understand this correctly, this should give ANY codeBase access to 
whatever is run in this process (basically, everything).

However...

When I try to run from my servlet, I get an AccessControl Exception (stack 
dump attached to the bottom of this email).

1) Has ANYBODY gotten this working? I can make Poolman work with standard 
datasource stuff (the test servlet works fine, reads my database, etc.)

2) Has anyone used JNDI for other things along with PoolMan? Is it standard 
practice to deploy resources (such as Data Sources) to JNDI servers from 
external (non-Tomcat) applications, and then have them be read by Tomcat (I 
would assume this is standard--I would assume this is what JNDI is for...)

3) Am I wrong about my understanding of the way Policies work?

Interesting Note: This may help--after an attempt to run the code that 
causes this exception, Tomcat stops working and has to be bounced.  
Basically, ANY attempt to play with tomcat (to reload a previously loaded 
JSP, for example) results in an access control error...

Interesting... in the ancient curse sense of the word ;)

Thanks,

E.

Failed to get datasource: dataSourceName = e=java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:1099 connect,resolve)
java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:1099 connect,resolve)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:272)
    at java.security.AccessController.checkPermission(AccessController.java:399)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:545)
    at java.lang.SecurityManager.checkConnect(SecurityManager.java:1044)
    at java.net.Socket.<init>(Socket.java:262)
    at java.net.Socket.<init>(Socket.java:100)
    at sun.rmi.transport.proxy.RMIDirectSocketFactory.createSocket(RMIDirectSocketFactory.java:25)
    at sun.rmi.transport.proxy.RMIMasterSocketFactory.createSocket(RMIMasterSocketFactory.java:120)
    at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:499)
    at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:190)
    at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:174)
    at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:318)
    at sun.rmi.registry.RegistryImpl_Stub.lookup(Unknown Source)
    at com.sun.jndi.rmi.registry.RegistryContext.lookup(RegistryContext.java:91)
    at com.sun.jndi.rmi.registry.RegistryContext.lookup(RegistryContext.java:101)
    at javax.naming.InitialContext.lookup(InitialContext.java:350)
    at org.eric.cserve.db.DSSingleton.initialize(DSSingleton.java:91)
    at org.eric.cserve.db.DSSingleton.getDataSource(DSSingleton.java:43)
    at org.eric.cserve.db.UserDB.executeSQL(UserDB.java:14)
    at org.eric.mysite.authenticate.Authenticate.isAuthenticated(Authenticate.java:17)
    at org.eric.mysite.authenticate.AuthenticateServlet.doService(AuthenticateServlet.java:33)
    at org.eric.mysite.authenticate.AuthenticateServlet.doPost(AuthenticateServlet.java:14)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at org.apache.tomcat.core.ServletWrapper.doService(ServletWrapper.java:404)
    at org.apache.tomcat.core.Handler.service(Handler.java:286)
    at org.apache.tomcat.core.ServletWrapper.service(ServletWrapper.java:372)
    at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:797)
    at org.apache.tomcat.core.ContextManager.service(ContextManager.java:743)
    at org.apache.tomcat.service.connector.Ajp12ConnectionHandler.processConnection(Ajp12ConnectionHandler.java:166)
    at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
    at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:498)
    at java.lang.Thread.run(Thread.java:484)
Could not find 'poolman.props' -- now attempting to read deprecated file name 'pool.props'... failed.

java.sql.SQLException:
ERROR: Unable to find and read a valid PoolMan properties file. Please ensure that 'poolman.props' is in a directory that is in your CLASSPATH.

at com.codestudio.sql.PoolMan.connect(PoolMan.java

Re: ODP: Security Policy problem

2001-03-21 Thread Rob Tanner

I believe that it's all controlled by the security policy settings on the local 
machine.  Untrusted applets (by default all applets are untrusted) are only allowed to 
make connections back to the host from which they were loaded as stated below.  To get 
around that, the applets should be signed, and the appropriate grant entries made into 
the local policy files.

But be aware that this is all much easier said than done.  Depending on 
the version of the browser, it may or may not support the Java 2 API. The original 
question was re: an applet running on internet explorer, but if in reality that was 
just a particular instance and the applet must really run on both ie and netscape, 
they each have their own browser-specific extensions to the JDK, in which case you 
need to deal with each vendor's product differently, or make sure everybody is using 
the Java plug-in.

-- Rob

--On Wednesday, March 21, 2001 08:38:45 AM +0100 Herchel Wojciech 
<[EMAIL PROTECTED]> wrote:

> i think applets are only allowed to connect back to the server they
> originate from. this might be the problem, or better, consult JDBC
> faq from www.jguru.com
>
> vVolf
>
>
>> -----Original Message-----
>> From: Sunny SJ [mailto:[EMAIL PROTECTED]]
>> Sent: 21 March 2001 04:19
>> To: [EMAIL PROTECTED]
>> Subject: Security Policy problem
>>
>>
>> I am creating a Java Applet (running on Internet Explorer web browser) that
>> can access a database located in a remote machine (server).  The connection to
>> the remote database is established using JDBC-ODBC bridge.  However, I
>> encounter java security problem that restricted me to access the database
>> across the network.  Is there anyway I can overcome this problem?
>>
>> Thanks for your help
>> SSJ





  Rob Tanner
  McMinnville, Oregon
  [EMAIL PROTECTED]




ODP: Security Policy problem

2001-03-21 Thread Herchel Wojciech

i think applets are only allowed to connect back to the server they
originate from. this might be the problem, or better, consult JDBC faq from
www.jguru.com

vVolf


> -----Original Message-----
> From: Sunny SJ [mailto:[EMAIL PROTECTED]]
> Sent: 21 March 2001 04:19
> To: [EMAIL PROTECTED]
> Subject: Security Policy problem
>
>
> I am creating a Java Applet (running on Internet Explorer web browser) that
> can access a database located in a remote machine (server).  The connection to
> the remote database is established using JDBC-ODBC bridge.  However, I
> encounter java security problem that restricted me to access the database
> across the network.  Is there anyway I can overcome this problem?
>
> Thanks for your help
> SSJ



Security Policy problem

2001-03-20 Thread Sunny SJ

I am creating a Java Applet (running on Internet Explorer web browser) that
can access a database located in a remote machine (server).  The connection to
the remote database is established using JDBC-ODBC bridge.  However, I
encounter java security problem that restricted me to access the database
across the network.  Is there anyway I can overcome this problem?

Thanks for your help
SSJ

