Tomcat with Security manager

2003-02-05 Thread Harish Kumar K.K.
Hello All

Hope somebody can help me!

I am using Tomcat 4.0.3 on a Red Hat Linux 7.1 system with Apache 1.3.27, and it works 
fine if started without the security manager. Recently I had to put up a file upload 
form on one of my web sites, and when I deployed the jsp to accept the form data and 
save the uploaded file to disk...it came up with the error "File cannot be saved". I 
am using jspSmartUpload class to handle the multipart form data and to save the file 
to disk, which can be downloaded from www.jspsmart.com

So I read the documentation and figured, the security manager might have to be enabled 
with appropriate File IO permissions set for the directory to which I was trying to 
save the file. 

I proceeded to add the required "grant" directive in the catalina.policy file, and 
when I started Tomcat with the security manager enabled...it wouldn't start! I 
checked catalina.out and saw that Tomcat is not able to read server.xml. Here is the 
stacktrace I found in catalina.out

Catalina.start: java.security.AccessControlException: access denied (java.io.FilePermission /var/tomcat4/conf/server.xml read)
java.security.AccessControlException: access denied (java.io.FilePermission /var/tomcat4/conf/server.xml read)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
at java.security.AccessController.checkPermission(AccessController.java:401)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
at java.lang.SecurityManager.checkRead(SecurityManager.java:887)
at java.io.File.isDirectory(File.java:698)
at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:65)
at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:148)
at java.net.URL.openStream(URL.java:955)
at org.apache.xerces.readers.DefaultReaderFactory.createReader(DefaultReaderFactory.java)
at org.apache.xerces.readers.DefaultEntityHandler.startReadingFromDocument(DefaultEntityHandler.java)
at org.apache.xerces.framework.XMLParser.parseSomeSetup(XMLParser.java)
at org.apache.xerces.framework.XMLParser.parse(XMLParser.java)
at org.xml.sax.helpers.XMLReaderAdapter.parse(XMLReaderAdapter.java:223)
at javax.xml.parsers.SAXParser.parse(SAXParser.java:314)
at javax.xml.parsers.SAXParser.parse(SAXParser.java:253)
at org.apache.catalina.util.xml.XmlMapper.readXml(XmlMapper.java:228)
at org.apache.catalina.startup.Catalina.start(Catalina.java:725)
at org.apache.catalina.startup.Catalina.execute(Catalina.java:681)
at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:243)

Then, I found from the security manager howto on the web site, that if no security 
manager is enabled, it's just like giving all permissions...I am guessing this means 
that in that case the operating system file permission system only will be in effect. 
So I made the directory I wanted to save the file into, world writable, just to make 
sure the OS is not preventing the save operation. Then started Tomcat without the 
security manager...still the same result!

Now I am totally confused! What am I doing wrong?
Can anybody help me? Please?

Thanks and Regards
Harish


Re: Tomcat with Security manager

2003-02-06 Thread Harish Kumar K.K.
java.util.PropertyPermission "java.specification.name", "read";

permission java.util.PropertyPermission "java.vm.specification.version", "read";
permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
permission java.util.PropertyPermission "java.vm.specification.name", "read";
permission java.util.PropertyPermission "java.vm.version", "read";
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";

// Required for getting BeanInfo
permission java.lang.RuntimePermission "accessClassInPackage.sun.beans.*";

// Allow read of JAXP compliant XML parser debug
permission java.util.PropertyPermission "jaxp.debug", "read";
};


// You can assign additional permissions to particular web applications by
// adding additional "grant" entries here, based on the code base for that
// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
//
// Different permissions can be granted to JSP pages, classes loaded from
// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
//
// For instance, assume that the standard "examples" application
// included a JDBC driver that needed to establish a network connection to the
// corresponding database and used the scrape taglib to get the weather from
// the NOAA web server.  You might create a "grant" entries like this:
//
// The permissions granted to the context root directory apply to JSP pages.
// grant codeBase "file:${catalina.home}/webapps/examples/-" {
//  permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
//  permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
//
// The permissions granted to the context WEB-INF/classes directory
// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/classes/-" {
// };
//
// The permission granted to your JDBC driver
// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
//  permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// };
// The permission granted to the scrape taglib
// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
//  permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };

grant codeBase "file:/my_jspfolderpath/-" {
permission java.io.FilePermission "my_jspfolderpath/images/site","read,write";
};

**   End of catalina.policy
**


- Original Message -
From: "Jeanfrancois Arcand" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Thursday, February 06, 2003 7:34 AM
Subject: Re: Tomcat with Security manager


> Can you post your catalina.policy file? Your file should contain that
> permission:
>
> // These permissions apply to the server startup code
> grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
>   permission java.security.AllPermission;
> };
>
> -- Jeanfrancois
>
> Harish Kumar K.K. wrote:
>
> >Hello All
> >
> >Hope somebody can help me!
> >
> >I am using Tomcat 4.0.3 on a Red Hat Linux 7.1 system with Apache 1.3.27,
> >and it works fine if started without the security manager. Recently I had to
> >put up a file upload form on one of my web sites, and when I deployed the
> >jsp to accept the form data and save the uploaded file to disk...it came up
> >with the error "File cannot be saved". I am using jspSmartUpload class to
> >handle the multipart form data and to save the file to disk, which can be
> >downloaded from www.jspsmart.com
> >
> >So I read the documentation and figured, the security manager might have
> >to be enabled with appropriate File IO permissions set for the directory to
> >which I was trying to save the file.
> >
> >I proceeded to add the required "grant" directive in the catalina.policy
> >file, and when I started Tomcat with the security manager enabled...it
> >wouldn't start! I checked catalina.out and saw that Tomcat is not able to
> >read server.xml. Here is the stacktrace I found in catalina.out
> >
> >Catalina.start: java.security.AccessControlException: access denied (java.io.FilePermission /var/tomcat4/conf/server.xml read)
> >java.security.AccessControlException: access denied (java.io.FilePermission /var/tomcat4/conf/server.xml read)
> >at
java.s
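
Added example, not part of the thread and not Tomcat code: a small Python lint for a catalina.policy file that checks the two things this exchange turns on, the bootstrap.jar AllPermission grant Jeanfrancois asks about and the form of FilePermission targets. A FilePermission target names one exact path unless it ends in /* (files in that directory) or /- (everything below it). Both sample policies are constructed, and /my_jspfolderpath is the poster's placeholder.

```python
import re

# Constructed samples: the web-app grant as posted in the thread, and a
# corrected variant. /my_jspfolderpath is the poster's placeholder path.
POSTED = '''
grant codeBase "file:/my_jspfolderpath/-" {
  permission java.io.FilePermission "my_jspfolderpath/images/site","read,write";
};
'''
CORRECTED = '''
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
  permission java.security.AllPermission;
};
grant codeBase "file:/my_jspfolderpath/-" {
  permission java.io.FilePermission "/my_jspfolderpath/images/site/-", "read,write";
};
'''

# A grant entry ends with "};" so "${...}" inside a body does not end the match.
GRANT = re.compile(r'grant\s+(?:codeBase\s+"([^"]+)"\s*)?\{(.*?)\}\s*;', re.S)
FILE_PERM = re.compile(r'permission\s+java\.io\.FilePermission\s+"([^"]+)"')
WILDCARDS = ("/-", "/*")

def audit(policy_text):
    """Return (codeBase, finding) pairs for one policy file's text."""
    # Drop // comment lines so commented-out sample grants are not counted.
    text = re.sub(r'^\s*//.*$', '', policy_text, flags=re.M)
    grants = GRANT.findall(text)
    findings = []
    if not any(cb.endswith("/bin/bootstrap.jar") and "java.security.AllPermission" in body
               for cb, body in grants):
        findings.append(("(policy)", "no AllPermission grant for bin/bootstrap.jar"))
    for cb, body in grants:
        for target in FILE_PERM.findall(body):
            if target == "<<ALL FILES>>":
                continue
            if not target.startswith(("/", "${")):
                findings.append((cb, f"target is not an absolute path: {target}"))
            if not target.endswith(WILDCARDS):
                findings.append((cb, f"covers that exact path only, not files in it: {target}"))
    return findings

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("corrected", CORRECTED)):
        print(label, audit(text) or "no findings")
```
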

Re: Virtual Hosting Tomcat

2003-02-11 Thread Harish Kumar K.K.
Hi Sangam

Add this line to your hosts file

127.0.0.1 www.inqbyte.com

and then try.

Harish
- Original Message -
From: "Sangam Dash" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Tuesday, February 11, 2003 11:21 AM
Subject: Re: Virtual Hosting Tomcat


> hi
>
> I have this
> 
> www.inqbyte.com
>  directory="logs" prefix="inqbyte." suffix=".log" timestamp="true"/>
> 
> 
> in the server.xml file now
> in the hosts file
> it is
> 127.0.0.1 inqbyte.com
> so now when i say http://www.inqbyte.com:8080/  it says page cant be found
> without the alias it works fine
> when i say http://inqbyte.com:8080/ it works fine
> do u know what happens?
> thanks
> sangam dash
> Sean Dockery wrote:
>
> >What do you mean that you don't find any errors in the logs folder?  Where
> >did you look?  What about the output of the console window when you start
> >Tomcat manually?  I'm willing to bet that you fatally corrupted your
> >server.xml file somehow.
> >
> >Make a copy of the Host definition for localhost within the same Engine
> >definition.  Then make changes to the copy.  Your Host definition is far
> >more sparse than mine.
> >
> >
> >Sean Dockery
> >[EMAIL PROTECTED]
> >Certified Java Web Component Developer
> >Certified Delphi Programmer
> >SBD Consultants
> >http://www.sbdconsultants.com
> >
> >
> >- Original Message -
> >From: "Sangam Dash" <[EMAIL PROTECTED]>
> >To: "Tomcat Users List" <[EMAIL PROTECTED]>
> >Sent: Tuesday, February 11, 2003 11:31
> >Subject: Re: Virtual Hosting Tomcat
> >
> >
> >
> >
> >>Hi
> >>i added something like you said to the hosts file
> >>127.0.0.1 rippleimpact
> >>then if i give rippleimpact:8080 it works
> >>thanks a lot
> >>but then i added
> >>this to the server.xml file
> >>
> >>
> >> >>directory="logs" prefix="ripple." suffix=".log" timestamp="true"/>
> >>
> >>
> >>
> >>is there something wrong with this ?
> >>tomcat doesnt start now...
> >>do you have any idea why its doing that?
> >>i dont find any error showing in the logs folder?
> >>please help
> >>thanks
> >>sangam dash
> >>Sean Dockery wrote:
> >>
> >>
> >>
> >>>I have done this in the past.  Here's what you can do...
> >>>
> >>>Open the "hosts" file on your machine (in WinNT\System32\drivers\etc on my
> >>>Windows 2000 machine--your location may be different) and add the following
> >>>lines to the end of the file...
> >>>
> >>>127.0.0.1 alpha
> >>>127.0.0.1 gamma
> >>>127.0.0.1 omega
> >>>
> >>>For each Host.name attribute in your server.xml, set it to a machine name.
> >>>Like this...
> >>>
> >>> 
> >>>   ...
> >>> 
> >>>
> >>> 
> >>>   ...
> >>> 
> >>>
> >>> 
> >>>   ...
> >>> 
> >>>
> >>>Then you should be able to access your local machine using different names
> >>>like this...
> >>>
> >>>http://alpha:8080/
> >>>http://gamma:8080/
> >>>http://omega:8080/
> >>>
> >>>Good luck.
> >>>
> >>>Sean Dockery
> >>>[EMAIL PROTECTED]
> >>>Certified Java Web Component Developer
> >>>Certified Delphi Programmer
> >>>SBD Consultants
> >>>http://www.sbdconsultants.com
> >>>
> >>>- Original Message -
> >>>From: "Lajos" <[EMAIL PROTECTED]>
> >>>To: "Tomcat Users List" <[EMAIL PROTECTED]>
> >>>Sent: Monday, February 10, 2003 20:25
> >>>Subject: Re: Virtual Hosting Tomcat
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> Ouch, windows. I'm not too sure - maybe someone else can provide the
> info. On older versions, you could edit some file like lmhosts ...
> 
> I like fronting Tomcat with Apache for security reasons, but I still use
> virtual hosts in Tomcat. I have no idea why you are running out of
> memory - how much RAM do you have? It may be due to your applications
> more than Tomcat itself.
> 
> Regards,
> 
> Lajos
> 
> 
> Sangam Dash wrote:
> 
> 
> 
> 
> >Hi
> >
> >Thanks for the mail.
> >But do you know how to do that on windows machine?
> >The other thing is that when i add this one to the server.xml file the
> >tomcat runs out of memory and it gives premature end of file error
> >sometimes. :-[
> >Is it better to have apache and tomcat both configured for this kind of
> >situations? :-\
> >Thanks a lot
> >Sangam Dash :-)
> >Lajos wrote:
> >
> >
> >
> >
> >
> >>Hi Sangam -
> >>
> >>Looks like the examples from my FlashGuide ;) What doesn't work? One
> >>thing that you must make sure is that the values of the name attribute
> >>of the  resolve to your machine. You can do this via your
> >>machine's DNS configuration. In the example below, mydomain0.com,
> >>mydomain1.com and mydomain2.com must resolve to the same machine. If
> >>not, the example won't work.
> >>
> >>Regards,
> >>
> >>Lajos
> >>
> >>
> >>Sangam Dash wrote:
> >>
> >>
> >>

Re: Tomcat as a production server?

2003-02-16 Thread Harish Kumar K.K.
Hi

I have also had this problem of tomcat jumping to high cpu utilization...but
restarting is the solution I have also resorted to...Anybody else have any
clues on this?

Thanks
Harish
- Original Message -
From: "Arcadius A." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, February 15, 2003 4:49 PM
Subject: Re: Tomcat as a production server?


> the top file can be found here: http://ahouans.sh.cvut.cz/top.txt
>
> Arcadius.
>
>
>
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]


