Re: [Stripes-users] catalina.policy file in Tomcat with security manager

2009-08-12 Thread Levi Hoogenberg

Hello,

this is caused by the fact that Stripes performs a
System.getProperties() call in the StripesFilter. There are two ways
around it:

- subclass StripesFilter to avoid the call;
- edit your security settings to allow the call. I'm no  
SecurityManager expert, but the line you need probably needs a  
wildcard (*).


  Levi

Op 12 aug 2009 om 19:34 heeft JiangHongTiao   
het volgende geschreven:\



Hi,
Please, is there anybody using Tomcat with the security manager
turned on who can send me the contents of their catalina.policy file?
My application works without the security manager, but when I
turn it on, it throws an error. After days of googling I
cannot find a solution. Please help. Thanks a lot.


  jht

My catalina.policy file and Tomcat log:

// ========== SYSTEM CODE PERMISSIONS ==========



// These permissions apply to javac
// The trailing "/-" in the codeBase URL matches every file under
// ${java.home}/lib, recursively, and AllPermission exempts that code from
// every SecurityManager check. Code loaded from a file placed in this tree
// runs fully trusted, so the directory must not be writable by untrusted
// accounts.
grant codeBase "file:${java.home}/lib/-" {
permission java.security.AllPermission;
};

// These permissions apply to all shared system extensions
// NOTE(review): presumably the variant for a ${java.home} that points at the
// JDK root (extensions then sit under jre/lib/ext) - confirm against the JVM
// actually in use.
// AllPermission with a recursive "/-" codeBase: every JAR under this
// directory is fully trusted.
grant codeBase "file:${java.home}/jre/lib/ext/-" {
permission java.security.AllPermission;
};

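// These permissions apply to javac when ${java.home} points at
// $JAVA_HOME/jre
// (The comment is rejoined here: mail wrapping had left its second line
// outside the "//" comment, which a policy parser would not accept.)
// "/../lib/-" steps up one level from ${java.home} and covers everything
// below that lib directory recursively; all of it receives AllPermission.
grant codeBase "file:${java.home}/../lib/-" {
permission java.security.AllPermission;
};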

// These permissions apply to all shared system extensions when
// ${java.home} points at $JAVA_HOME/jre
// Recursive ("/-") AllPermission grant: any JAR under lib/ext is exempt from
// permission checks, so treat write access to this directory as equivalent
// to full control of the JVM.
grant codeBase "file:${java.home}/lib/ext/-" {
permission java.security.AllPermission;
};


// ========== CATALINA CODE PERMISSIONS ==========



// These permissions apply to the daemon code
// The codeBase names one JAR (no "/-" or "/*" wildcard), so AllPermission
// is granted to commons-daemon.jar only, not to its neighbours in bin/.
grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
permission java.security.AllPermission;
};

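// These permissions apply to the logging API
// Unlike the neighbouring AllPermission grants, tomcat-juli.jar receives an
// itemised list: read access to the logging-related system properties and
// logging.properties files, read/write access to the logs directory, and
// the runtime/logging permissions listed below.
// (Entries are rejoined onto single lines; mail wrapping had split the
// ${...} property references and left comment continuations uncommented.)
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
// System properties that select the logging configuration
permission java.util.PropertyPermission "java.util.logging.config.class", "read";
permission java.util.PropertyPermission "java.util.logging.config.file", "read";
// JVM-wide logging configuration file
permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
permission java.lang.RuntimePermission "shutdownHooks";
// Tomcat instance logging configuration file
permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
permission java.util.PropertyPermission "catalina.base", "read";
permission java.util.logging.LoggingPermission "control";
// The logs directory itself, then the files directly inside it ("*" is not
// recursive, in contrast to "-")
permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
permission java.lang.RuntimePermission "getClassLoader";
// To enable per context logging configuration, permit read access to the appropriate file.
// Be sure that the logging configuration is secure before enabling such access
// eg for the examples web application:
// permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
};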

// These permissions apply to the server startup code
// Single-JAR codeBase: only bootstrap.jar is covered by this AllPermission
// grant.
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
permission java.security.AllPermission;
};

// These permissions apply to the servlet API classes
// and those that are shared across all class loaders
// located in the "lib" directory
// The "/-" suffix makes the grant recursive, so every JAR under
// ${catalina.home}/lib gets AllPermission. A library placed here to be
// shared between applications is therefore not subject to the restrictions
// of the web application grant; keep this directory to code that is meant
// to be fully trusted.
grant codeBase "file:${catalina.home}/lib/-" {
permission java.security.AllPermission;
};


// ========== WEB APPLICATION PERMISSIONS ==========



// These permissions are granted by default to all web applications
// In addition, a web application will be given a read FilePermission
// and JndiPermission for all files and directories in its document root.

grant {
// Required for JNDI lookup of named JDBC DataSource's and
// javamail named MimePart DataSource used to send mail
permission java.util.PropertyPermission "java.home", "read";
permission java.util.PropertyPermission "java.naming.*", "read";
permission java.util.PropertyPermission "javax.sql.*", "read";

// OS Specific properties to allow read access
permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.version", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";

// JVM properties to allow read access
permission java.util.PropertyPermission "java.version", "read";
permission java.util.PropertyPermission "java.vendor", "read";
permission java.util.PropertyPerm

Re: [Stripes-users] catalina.policy file in Tomcat with security manager

2009-08-12 Thread Levi Hoogenberg
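A few corrections to my previous mail: the offending line is a
System.getProperty(...) call and is done by the BootstrapPropertyResolver.
So that's the class to subclass (and configure) if you would like to
override the behaviour. Because it is a single-property read, the policy-file
route needs a java.util.PropertyPermission with the "read" action for the
property names being looked up, in the same form as the entries already in
the web application grant block; naming those properties keeps the grant
narrower than a "*" wildcard.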

On Wed, Aug 12, 2009 at 8:25 PM, Levi Hoogenberg
wrote:

> Hello,
>
> this is caused by the fact that Stripes performs a System.getProperties()
> call  the StripesFilter. There are two ways around it:
> - subclass StripesFilter to avoid the call;
> - edit your security settings to allow the call. I'm no SecurityManager
> expert, but the line you need probably needs a wildcard (*).
>
>   Levi
>
> Op 12 aug 2009 om 19:34 heeft JiangHongTiao  het
> volgende geschreven:\
>
> Hi,
> please, is there anybody who is using Tomcat with security manager turned
> on and can send me content of catalina.policy file? Because of my
> application is working without Security manager. But when I turn it on, my
> application throws an error. After days of googling I cannot find solution.
> Please, help. Thanks a lot.
>
>   jht
>
> My catalina.policy file and Tomcat log:
>
> *// == SYSTEM CODE PERMISSIONS
> =*
>
>
> *// These permissions apply to javac*
> *grant codeBase "file:${java.home}/lib/-" {*
> *permission java.security.AllPermission;*
> *};*
>
> *// These permissions apply to all shared system extensions*
> *grant codeBase "file:${java.home}/jre/lib/ext/-" {*
> *permission java.security.AllPermission;*
> *};*
>
> *// These permissions apply to javac when ${java.home] points at
> $JAVA_HOME/jre*
> *grant codeBase "file:${java.home}/../lib/-" {*
> *permission java.security.AllPermission;*
> *};*
>
> *// These permissions apply to all shared system extensions when*
> *// ${java.home} points at $JAVA_HOME/jre*
> *grant codeBase "file:${java.home}/lib/ext/-" {*
> *permission java.security.AllPermission;*
> *};*
>
>
> *// == CATALINA CODE PERMISSIONS
> ===*
>
>
> *// These permissions apply to the daemon code*
> *grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {*
> *permission java.security.AllPermission;*
> *};*
>
> *// These permissions apply to the logging API*
> *grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {*
> *permission java.util.PropertyPermission
> "java.util.logging.config.class", "read";*
> *permission java.util.PropertyPermission
> "java.util.logging.config.file", "read";*
> *permission java.io.FilePermission
> "${java.home}${file.separator}lib${file.separator}logging.properties",
> "read"; *
> *permission java.lang.RuntimePermission "shutdownHooks";*
> *permission java.io.FilePermission
> "${catalina.base}${file.separator}conf${file.separator}logging.properties",
> "read";*
> *permission java.util.PropertyPermission "catalina.base", "read";*
> *permission java.util.logging.LoggingPermission "control";*
> *permission java.io.FilePermission
> "${catalina.base}${file.separator}logs", "read, write";*
> *permission java.io.FilePermission
> "${catalina.base}${file.separator}logs${file.separator}*", "read, write";*
> *permission java.lang.RuntimePermission "getClassLoader";*
> *// To enable per context logging configuration, permit read
> access to the appropriate file.*
> *// Be sure that the logging configuration is secure before
> enabling such access*
> *// eg for the examples web application:*
> *// permission java.io.FilePermission
> "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties",
> "read";*
> *};*
>
> *// These permissions apply to the server startup code*
> *grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {*
> *permission java.security.AllPermission;*
> *};*
>
> *// These permissions apply to the servlet API classes*
> *// and those that are shared across all class loaders*
> *// located in the "lib" directory*
> *grant codeBase "file:${catalina.home}/lib/-" {*
> *permission java.security.AllPermission;*
> *};*
>
>
> *// == WEB APPLICATION PERMISSIONS
> =*
>
>
> *// These permissions are granted by default to all web applications*
> *// In addition, a web application will be given a read FilePermission*
> *// and JndiPermission for all files and directories in its document root.
> *
> *grant { *
> *// Required for JNDI lookup of named JDBC DataSource's and*
> *// javamail named MimePart DataSource used to send mail*
> *permission java.util.PropertyPermission "java.home", "read";*
> *permission java.util.PropertyPermission "java.naming.*", "read";*
> *permission java.util.PropertyPermission "javax.sql.*", "read";*
>
> *// OS Specific properties to allow read access*
> *permission java.util.PropertyPermission "os.name",