Re: [Stripes-users] catalina.policy file in Tomcat with security manager
Hello,

this is caused by the fact that Stripes performs a System.getProperties() call in the StripesFilter. There are two ways around it:

- subclass StripesFilter to avoid the call;
- edit your security settings to allow the call. I'm no SecurityManager expert, but the line you need probably needs a wildcard (*).

Levi

On 12 Aug 2009 at 19:34, JiangHongTiao jianghongt...@gmail.com wrote:

> Hi,
>
> please, is there anybody who is using Tomcat with the security manager turned on and can send me the content of the catalina.policy file? My application works without the security manager, but when I turn it on, my application throws an error. After days of googling I cannot find a solution. Please help. Thanks a lot.
>
> jht
>
> My catalina.policy file and Tomcat log:
>
> // == SYSTEM CODE PERMISSIONS =
> // These permissions apply to javac
> grant codeBase "file:${java.home}/lib/-" {
>     permission java.security.AllPermission;
> };
>
> // These permissions apply to all shared system extensions
> grant codeBase "file:${java.home}/jre/lib/ext/-" {
>     permission java.security.AllPermission;
> };
>
> // These permissions apply to javac when ${java.home} points at $JAVA_HOME/jre
> grant codeBase "file:${java.home}/../lib/-" {
>     permission java.security.AllPermission;
> };
>
> // These permissions apply to all shared system extensions when
> // ${java.home} points at $JAVA_HOME/jre
> grant codeBase "file:${java.home}/lib/ext/-" {
>     permission java.security.AllPermission;
> };
>
> // == CATALINA CODE PERMISSIONS ===
> // These permissions apply to the daemon code
> grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
>     permission java.security.AllPermission;
> };
>
> // These permissions apply to the logging API
> grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
>     permission java.util.PropertyPermission "java.util.logging.config.class", "read";
>     permission java.util.PropertyPermission "java.util.logging.config.file", "read";
>     permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
>     permission java.lang.RuntimePermission "shutdownHooks";
>     permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
>     permission java.util.PropertyPermission "catalina.base", "read";
>     permission java.util.logging.LoggingPermission "control";
>     permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
>     permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
>     permission java.lang.RuntimePermission "getClassLoader";
>     // To enable per context logging configuration, permit read access to the appropriate file.
>     // Be sure that the logging configuration is secure before enabling such access
>     // eg for the examples web application:
>     // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
> };
>
> // These permissions apply to the server startup code
> grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
>     permission java.security.AllPermission;
> };
>
> // These permissions apply to the servlet API classes
> // and those that are shared across all class loaders
> // located in the lib directory
> grant codeBase "file:${catalina.home}/lib/-" {
>     permission java.security.AllPermission;
> };
>
> // == WEB APPLICATION PERMISSIONS =
> // These permissions are granted by default to all web applications
> // In addition, a web application will be given a read FilePermission
> // and JndiPermission for all files and directories in its document root.
> grant {
>     // Required for JNDI lookup of named JDBC DataSource's and
>     // javamail named MimePart DataSource used to send mail
>     permission java.util.PropertyPermission "java.home", "read";
>     permission java.util.PropertyPermission "java.naming.*", "read";
>     permission java.util.PropertyPermission "javax.sql.*", "read";
>
>     // OS Specific properties to allow read access
>     permission java.util.PropertyPermission "os.name", "read";
>     permission java.util.PropertyPermission "os.version", "read";
>     permission java.util.PropertyPermission "os.arch", "read";
>     permission java.util.PropertyPermission "file.separator", "read";
>     permission java.util.PropertyPermission "path.separator", "read";
>     permission java.util.PropertyPermission "line.separator", "read";
>
>     // JVM properties to allow read access
>     permission java.util.PropertyPermission "java.version", "read";
>     permission java.util.PropertyPermission "java.vendor", "read";
>     permission java.util.PropertyPermission "java.vendor.url", "read";
>     permission java.util.PropertyPermission
Re: [Stripes-users] catalina.policy file in Tomcat with security manager
A few corrections to my previous mail: the offending line is a System.getProperty(...) call and is done by the BootstrapPropertyResolver. So that's the class to subclass (and configure) if you would like to override the behaviour.

On Wed, Aug 12, 2009 at 8:25 PM, Levi Hoogenberg levihoogenb...@gmail.com wrote:

> Hello,
>
> this is caused by the fact that Stripes performs a System.getProperties() call in the StripesFilter. There are two ways around it:
>
> - subclass StripesFilter to avoid the call;
> - edit your security settings to allow the call. I'm no SecurityManager expert, but the line you need probably needs a wildcard (*).
>
> Levi
>
> On 12 Aug 2009 at 19:34, JiangHongTiao jianghongt...@gmail.com wrote:
>
> > Hi,
> >
> > please, is there anybody who is using Tomcat with the security manager turned on and can send me the content of the catalina.policy file? My application works without the security manager, but when I turn it on, my application throws an error. After days of googling I cannot find a solution. Please help. Thanks a lot.
> >
> > jht
> >
> > My catalina.policy file and Tomcat log:
> >
> > // == SYSTEM CODE PERMISSIONS =
> > // These permissions apply to javac
> > grant codeBase "file:${java.home}/lib/-" {
> >     permission java.security.AllPermission;
> > };
> >
> > // These permissions apply to all shared system extensions
> > grant codeBase "file:${java.home}/jre/lib/ext/-" {
> >     permission java.security.AllPermission;
> > };
> >
> > // These permissions apply to javac when ${java.home} points at $JAVA_HOME/jre
> > grant codeBase "file:${java.home}/../lib/-" {
> >     permission java.security.AllPermission;
> > };
> >
> > // These permissions apply to all shared system extensions when
> > // ${java.home} points at $JAVA_HOME/jre
> > grant codeBase "file:${java.home}/lib/ext/-" {
> >     permission java.security.AllPermission;
> > };
> >
> > // == CATALINA CODE PERMISSIONS ===
> > // These permissions apply to the daemon code
> > grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
> >     permission java.security.AllPermission;
> > };
> >
> > // These permissions apply to the logging API
> > grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
> >     permission java.util.PropertyPermission "java.util.logging.config.class", "read";
> >     permission java.util.PropertyPermission "java.util.logging.config.file", "read";
> >     permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
> >     permission java.lang.RuntimePermission "shutdownHooks";
> >     permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
> >     permission java.util.PropertyPermission "catalina.base", "read";
> >     permission java.util.logging.LoggingPermission "control";
> >     permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
> >     permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
> >     permission java.lang.RuntimePermission "getClassLoader";
> >     // To enable per context logging configuration, permit read access to the appropriate file.
> >     // Be sure that the logging configuration is secure before enabling such access
> >     // eg for the examples web application:
> >     // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
> > };
> >
> > // These permissions apply to the server startup code
> > grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
> >     permission java.security.AllPermission;
> > };
> >
> > // These permissions apply to the servlet API classes
> > // and those that are shared across all class loaders
> > // located in the lib directory
> > grant codeBase "file:${catalina.home}/lib/-" {
> >     permission java.security.AllPermission;
> > };
> >
> > // == WEB APPLICATION PERMISSIONS =
> > // These permissions are granted by default to all web applications
> > // In addition, a web application will be given a read FilePermission
> > // and JndiPermission for all files and directories in its document root.
> > grant {
> >     // Required for JNDI lookup of named JDBC DataSource's and
> >     // javamail named MimePart DataSource used to send mail
> >     permission java.util.PropertyPermission "java.home", "read";
> >     permission java.util.PropertyPermission "java.naming.*", "read";
> >     permission java.util.PropertyPermission "javax.sql.*", "read";
> >
> >     // OS Specific properties to allow read access
> >     permission java.util.PropertyPermission "os.name", "read";
> >     permission java.util.PropertyPermission "os.version", "read";
> >     permission java.util.PropertyPermission "os.arch", "read";
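
Added example, not part of either mail and not Stripes code: a stand-alone Java check of which PropertyPermission entries satisfy the check made for System.getProperty(key), i.e. ("key", "read"), and which satisfy the stricter check made for System.getProperties(), i.e. ("*", "read,write"). The key example.app.setting is a hypothetical placeholder; the granted names are the ones visible in the web application grant block quoted above.

```java
import java.security.Permissions;
import java.util.PropertyPermission;

public class PropertyPolicyCheck {
    // Check made by the SecurityManager for System.getProperty(key).
    static PropertyPermission forGetProperty(String key) {
        return new PropertyPermission(key, "read");
    }

    // Check made by the SecurityManager for System.getProperties().
    static PropertyPermission forGetProperties() {
        return new PropertyPermission("*", "read,write");
    }

    // Property entries from the web application grant block quoted in the thread.
    static Permissions webappGrant() {
        Permissions granted = new Permissions();
        String[] names = {"java.home", "java.naming.*", "javax.sql.*", "os.name",
                          "os.version", "os.arch", "file.separator"};
        for (String name : names) {
            granted.add(new PropertyPermission(name, "read"));
        }
        return granted;
    }

    static void report(String label, Permissions granted, String appKey) {
        System.out.printf("%-28s getProperty(%s)=%b  getProperties()=%b%n",
                label, appKey,
                granted.implies(forGetProperty(appKey)),
                granted.implies(forGetProperties()));
    }

    public static void main(String[] args) {
        String appKey = "example.app.setting"; // hypothetical key, not from the thread

        Permissions asPosted = webappGrant();
        report("policy as posted", asPosted, appKey);

        Permissions narrow = webappGrant();
        // policy line: permission java.util.PropertyPermission "example.app.*", "read";
        narrow.add(new PropertyPermission("example.app.*", "read"));
        report("plus example.app.* read", narrow, appKey);

        Permissions wide = webappGrant();
        // policy line: permission java.util.PropertyPermission "*", "read";
        wide.add(new PropertyPermission("*", "read"));
        report("plus * read", wide, appKey);
    }
}
```

A prefix wildcard scoped to the application's own keys is the narrower grant; the bare "*" entry exposes every system property to the web application for reading.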