Re: [JBoss-user] java.io.FilePermission on jboss tmp dir?
Okay, thanks to all who responded via the mail list and directly to me, I've got a working client. The client is executed outside of JBoss from a command prompt, so jboss.home is not available. Here is what I found that worked:

    grant {
        permission java.net.SocketPermission "192.168.1.100:1024-", "connect,resolve";
        permission java.io.FilePermission "\\H:\\JBoss-2.2.1\\tmp\\-", "read";
        permission java.lang.RuntimePermission "accessDeclaredMembers";
    };

So many questions:

(1) What is the 3rd permission?

(2) I still need help in understanding the 2nd permission. Typically, JBoss and a client will be on different boxes. How can it make sense for the client to need permission for a temp directory on a completely different box? The client is simply reading what comes out of its end of an RMI pipe. The client shouldn't be reading any JBoss directories.

----- Original Message -----
From: "Vladimir Blagojevic" <[EMAIL PROTECTED]>
To: "JBoss User" <[EMAIL PROTECTED]>
Sent: Monday, April 30, 2001 2:01 PM
Subject: Re: [JBoss-user] java.io.FilePermission on jboss tmp dir?

> Hey,
>
> >    permission java.net.SocketPermission "192.168.1.100:*",
> > "connect,resolve";
> >
>
> Consult this: http://www.jboss.org/documentation/HTML/ch10s03.html
> try with "192.168.1.100:1024-", meaning all ports higher than 1024, I
> think you have actual port syntax in javadocs...
>
> > Is there a better way of allocating this permission rather than opening up
> > all ports? I started with just 1099, but then immediately hit the
> > restriction on the port created for communication.
> >
> > But my current sticking point is the next error I hit:
> >
> > Exception caught: java.security.AccessControlException: access denied
> > (java.io.FilePermission \H:\JBoss-2.2.1\tmp\deploy\Default\DbTester.jar\-
> > read)
> >
> > I tried to resolve this with the following:
> >
> >    permission java.io.FilePermission
> > "\H:\JBoss-2.2.1\tmp\deploy\Default\DbTester.jar\-", "read";
> >
> > but got the same error again. Two questions:
> >
> > (1) Why doesn't the above permission address the error?
> > (2) I don't understand the required permission. Why is it asking for read
> > permission on a JBoss temp directory for the client? Notice that it has a
> > drive letter. This will be completely irrelevant when the client is run from
> > another computer (which I tried - it does indeed still ask for \H:\.) I
> > haven't implemented any method security in the bean or any logon
> > requirements.
>
> What do you mean client? JVM executing JBoss instance needs to read your
> filesystems? Do you allow it or not, there is no client in this story...
>
> Try using substitutions - ${jboss.home}\tmp for cross platform
> independence. See java.policy and java.security files in your jdk distro.
>
> HTH,
> Vlada
>
> > Everything works if I have the blanket all permissions.

___
JBoss-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-user

Re: [JBoss-user] java.io.FilePermission on jboss tmp dir?
A permission entry like:

    permission java.io.FilePermission "\H:\JBoss-2.2.1\tmp\deploy\Default\DbTester.jar\-", "read";

will not work because the policy file parser needs to see a \\ for each \ in a path string. It is better to use the ${jboss.home} and ${/} properties in the path specification as Vlada indicated to create platform/installation independent policy files. The jboss.home property is automatically generated if it is not specified so that you can write policy files without knowing what the deployment environment looks like.

To determine all of the permissions that are required by a given configuration it's trivial to write a subclass of SecurityManager that simply logs what permissions are being requested. Here is one I use:

    import java.io.OutputStreamWriter;
    import java.io.PrintWriter;
    import java.security.Permission;

    /** Logs every permission that is requested and never denies one. */
    public class TracingSecurityManager extends SecurityManager
    {
       // When true, a stack trace is logged with each request to show the caller
       private static boolean showStackTrace;
       // Destination of the trace output, System.out by default
       private static PrintWriter traceLog = new PrintWriter(new OutputStreamWriter(System.out));

       public static boolean getShowStackTrace()
       {
          return showStackTrace;
       }
       public static void setShowStackTrace(boolean showStackTrace)
       {
          TracingSecurityManager.showStackTrace = showStackTrace;
       }
       public static PrintWriter getTraceLog()
       {
          return traceLog;
       }
       public static void setTraceLog(PrintWriter traceLog)
       {
          TracingSecurityManager.traceLog = traceLog;
       }

       /** Record the request and return normally, which allows the access. */
       public void checkPermission(Permission perm)
       {
          traceLog.println("Need: "+perm);
          if( showStackTrace )
          {
             SecurityException trace = new SecurityException();
             trace.printStackTrace(traceLog);
          }
          // The writer is not auto-flushing, so flush to make each entry appear
          traceLog.flush();
       }
    }

----- Original Message -----
From: "Vladimir Blagojevic" <[EMAIL PROTECTED]>
To: "Guy Rouillier" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, April 30, 2001 12:11 PM
Subject: Re: [JBoss-user] java.io.FilePermission on jboss tmp dir?

> Hey,
>
> Ok so when you say
>
> grant {
>
> ...permissions...
> }
>
> what you are saying is that this block of permissions is given to classes
> that come from location . Cool..
>
> Since JVM running JBoss needs to read your application deployed in (/tmp/)
> it makes read write requests on your file system in /tmp.
>
> There is no physical client involved here. Only jboss and application
> classes.
>
> Ok, now try using this:
>
> grant {
>
> permission java.io.FilePermission "${jboss.home}${/}temp${/}-",
> "read,write";
> };
>
> meaning all code being loaded from anywhere (including jBoss classes) can
> read write in /tmp and its subdirectories. You don't want to be specific
> about exact file here. I forgot if jboss.home was declared anywhere but
> you can pass it as an argument to jvm I guess.
>
> HTH,
> Vlada
>
> So now try using
>
> On Mon, 30 Apr 2001, Guy Rouillier wrote:
>
> > The following is a repost of a message I sent out about a week ago that
> > received no responses. We are getting close to release, so this issue is
> > important to us. Is everyone just taking the easy way out and using grant {
> > permission java.security.AllPermission;};? Has no one actually figured out
> > the permissions that are required?
> >
> >
> > I'm developing on Windows 2000 with JBoss 2.2.1.
> >
> > As we are getting closer to shipping, I turned on security (more accurately,
> > I turned off my easy way out of simply granting all permissions to the
> > world.) Using just a command-line client (i.e., no Tomcat), I first
> > received a java.net.SocketPermission which I resolved with the following:
> >
> >    permission java.net.SocketPermission "192.168.1.100:*",
> > "connect,resolve";
> >
> > Is there a better way of allocating this permission rather than opening up
> > all ports? I started with just 1099, but then immediately hit the
> > restriction on the port created for communication.
> >
> > But my current sticking point is the next error I hit:
> >
> > Exception caught: java.security.AccessControlException: access denied
> > (java.io.FilePermission \H:\JBoss-2.2.1\tmp\deploy\Default\DbTester.jar\-
> > read)
> >
> > I tried to resolve this with the following:
> >
> >    permission java.io.FilePermission
> > "\H:\JBoss-2.2.1\tmp\deploy\Default\DbTester.jar\-", "read";
> >
> > but got the same error again. Two questions:
> >
> > (1) Why doesn't the above permission address the error?
> > (2) I don't understand the required permission. Why is it asking for read
> > permission on a JBoss temp directory for the client? Notice that it has a
> > drive letter. This will be completely irrelevant when the client is run from
> > another computer (which I tried - it does indeed still ask for \H:\.) I
> > haven't implemented any method security in the bean or any logon
> > requirements.
> >
> > Everything works if I have the blanket all permissions.

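The backslash rule from the reply above, as an added example (not code from the thread or from JBoss). It reads a quoted string with java.io.StreamTokenizer, on the assumption that the policy file parser processes escapes the same way, and compares the single-backslash path from the failed entry with the doubled form. The class and method names are hypothetical.

```java
import java.io.IOException;
import java.io.StreamTokenizer;
import java.io.StringReader;

public class PolicyPathEscaping {
    // Read one double-quoted string the way a StreamTokenizer-based parser
    // does (assumption: the policy file parser behaves the same way).
    // Backslash escapes inside the quotes are processed before the value is used.
    static String readQuoted(String quoted) throws IOException {
        StreamTokenizer st = new StreamTokenizer(new StringReader(quoted));
        st.quoteChar('"');
        if (st.nextToken() != '"') {
            throw new IOException("expected a quoted string: " + quoted);
        }
        return st.sval;
    }

    // Build a policy entry whose parsed path equals the real path:
    // every backslash in the path is written twice.
    static String filePermissionEntry(String path, String actions) {
        String escaped = path.replace("\\", "\\\\");
        return "permission java.io.FilePermission \"" + escaped + "\", \""
                + actions + "\";";
    }

    // Make a tab produced by a \t escape visible in the output.
    static String visible(String s) {
        return s.replace("\t", "<TAB>");
    }

    public static void main(String[] args) throws IOException {
        // Path from the AccessControlException quoted in the thread.
        String wanted = "\\H:\\JBoss-2.2.1\\tmp\\deploy\\Default\\DbTester.jar\\-";

        // Single backslashes, as in the entry that did not work:
        // \H, \d, \D and \- lose the backslash and \t becomes a tab.
        String asWritten = readQuoted("\"" + wanted + "\"");
        System.out.println("single: " + visible(asWritten));
        System.out.println("matches requested path: " + asWritten.equals(wanted));

        // Doubled backslashes: the parsed value is the requested path again.
        String entry = filePermissionEntry(wanted, "read");
        System.out.println(entry);
        String quotedPath = entry.substring(entry.indexOf('"'), entry.indexOf("\",") + 1);
        String reparsed = readQuoted(quotedPath);
        System.out.println("double: " + visible(reparsed));
        System.out.println("matches requested path: " + reparsed.equals(wanted));
    }
}
```

The same doubling applies to any path copied from a TracingSecurityManager "Need:" line into a policy file.
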
Re: [JBoss-user] java.io.FilePermission on jboss tmp dir?
Hey,

Ok so when you say

    grant {

    ...permissions...
    }

what you are saying is that this block of permissions is given to classes that come from location . Cool..

Since JVM running JBoss needs to read your application deployed in (/tmp/) it makes read write requests on your file system in /tmp.

There is no physical client involved here. Only jboss and application classes.

Ok, now try using this:

    grant {
        permission java.io.FilePermission "${jboss.home}${/}temp${/}-", "read,write";
    };

meaning all code being loaded from anywhere (including jBoss classes) can read write in /tmp and its subdirectories. You don't want to be specific about exact file here. I forgot if jboss.home was declared anywhere but you can pass it as an argument to jvm I guess.

HTH,
Vlada

So now try using

On Mon, 30 Apr 2001, Guy Rouillier wrote:

> The following is a repost of a message I sent out about a week ago that
> received no responses. We are getting close to release, so this issue is
> important to us. Is everyone just taking the easy way out and using grant {
> permission java.security.AllPermission;};? Has no one actually figured out
> the permissions that are required?
>
>
> I'm developing on Windows 2000 with JBoss 2.2.1.
>
> As we are getting closer to shipping, I turned on security (more accurately,
> I turned off my easy way out of simply granting all permissions to the
> world.) Using just a command-line client (i.e., no Tomcat), I first
> received a java.net.SocketPermission which I resolved with the following:
>
>    permission java.net.SocketPermission "192.168.1.100:*",
> "connect,resolve";
>
> Is there a better way of allocating this permission rather than opening up
> all ports? I started with just 1099, but then immediately hit the
> restriction on the port created for communication.
>
> But my current sticking point is the next error I hit:
>
> Exception caught: java.security.AccessControlException: access denied
> (java.io.FilePermission \H:\JBoss-2.2.1\tmp\deploy\Default\DbTester.jar\-
> read)
>
> I tried to resolve this with the following:
>
>    permission java.io.FilePermission
> "\H:\JBoss-2.2.1\tmp\deploy\Default\DbTester.jar\-", "read";
>
> but got the same error again. Two questions:
>
> (1) Why doesn't the above permission address the error?
> (2) I don't understand the required permission. Why is it asking for read
> permission on a JBoss temp directory for the client? Notice that it has a
> drive letter. This will be completely irrelevant when the client is run from
> another computer (which I tried - it does indeed still ask for \H:\.) I
> haven't implemented any method security in the bean or any logon
> requirements.
>
> Everything works if I have the blanket all permissions.

Re: [JBoss-user] java.io.FilePermission on jboss tmp dir?
Hey,

>    permission java.net.SocketPermission "192.168.1.100:*",
> "connect,resolve";
>

Consult this: http://www.jboss.org/documentation/HTML/ch10s03.html
try with "192.168.1.100:1024-", meaning all ports higher than 1024, I think you have actual port syntax in javadocs...

> Is there a better way of allocating this permission rather than opening up
> all ports? I started with just 1099, but then immediately hit the
> restriction on the port created for communication.
>
> But my current sticking point is the next error I hit:
>
> Exception caught: java.security.AccessControlException: access denied
> (java.io.FilePermission \H:\JBoss-2.2.1\tmp\deploy\Default\DbTester.jar\-
> read)
>
> I tried to resolve this with the following:
>
>    permission java.io.FilePermission
> "\H:\JBoss-2.2.1\tmp\deploy\Default\DbTester.jar\-", "read";
>
> but got the same error again. Two questions:
>
> (1) Why doesn't the above permission address the error?
> (2) I don't understand the required permission. Why is it asking for read
> permission on a JBoss temp directory for the client? Notice that it has a
> drive letter. This will be completely irrelevant when the client is run from
> another computer (which I tried - it does indeed still ask for \H:\.) I
> haven't implemented any method security in the bean or any logon
> requirements.

What do you mean client? JVM executing JBoss instance needs to read your filesystems? Do you allow it or not, there is no client in this story...

Try using substitutions - ${jboss.home}\tmp for cross platform independence. See java.policy and java.security files in your jdk distro.

HTH,
Vlada

>
> Everything works if I have the blanket all permissions.

[JBoss-user] java.io.FilePermission on jboss tmp dir?
The following is a repost of a message I sent out about a week ago that received no responses. We are getting close to release, so this issue is important to us. Is everyone just taking the easy way out and using grant { permission java.security.AllPermission;};? Has no one actually figured out the permissions that are required?

I'm developing on Windows 2000 with JBoss 2.2.1.

As we are getting closer to shipping, I turned on security (more accurately, I turned off my easy way out of simply granting all permissions to the world.) Using just a command-line client (i.e., no Tomcat), I first received a java.net.SocketPermission which I resolved with the following:

    permission java.net.SocketPermission "192.168.1.100:*", "connect,resolve";

Is there a better way of allocating this permission rather than opening up all ports? I started with just 1099, but then immediately hit the restriction on the port created for communication.

But my current sticking point is the next error I hit:

    Exception caught: java.security.AccessControlException: access denied (java.io.FilePermission \H:\JBoss-2.2.1\tmp\deploy\Default\DbTester.jar\- read)

I tried to resolve this with the following:

    permission java.io.FilePermission "\H:\JBoss-2.2.1\tmp\deploy\Default\DbTester.jar\-", "read";

but got the same error again. Two questions:

(1) Why doesn't the above permission address the error?

(2) I don't understand the required permission. Why is it asking for read permission on a JBoss temp directory for the client? Notice that it has a drive letter. This will be completely irrelevant when the client is run from another computer (which I tried - it does indeed still ask for \H:\.) I haven't implemented any method security in the bean or any logon requirements.

Everything works if I have the blanket all permissions.

[JBoss-user] java.io.FilePermission on jboss tmp dir?
I'm developing on Windows 2000 with JBoss 2.2.1.

As we are getting closer to shipping, I turned on security (more accurately, I turned off my easy way out of simply granting all permissions to the world.) Using just a command-line client (i.e., no Tomcat), I first received a java.net.SocketPermission which I resolved with the following:

    permission java.net.SocketPermission "192.168.1.100:*", "connect,resolve";

Is there a better way of allocating this permission rather than opening up all ports? I started with just 1099, but then immediately hit the restriction on the port created for communication.

But my current sticking point is the next error I hit:

    Exception caught: java.security.AccessControlException: access denied (java.io.FilePermission \H:\JBoss-2.2.1\tmp\deploy\Default\DbTester.jar\- read)

I tried to resolve this with the following:

    permission java.io.FilePermission "\H:\JBoss-2.2.1\tmp\deploy\Default\DbTester.jar\-", "read";

but got the same error again. Two questions:

(1) Why doesn't the above permission address the error?

(2) I don't understand the required permission. Why is it asking for read permission on a JBoss temp directory for the client? Notice that it has a drive letter. This will be completely irrelevant when the client is run from another computer (which I tried - it does indeed still ask for \H:\.) I haven't implemented any method security in the bean or any logon requirements.

Everything works if I have the blanket all permissions.