AW: jconsole security manager
Thanks for the reply, I got it running, but I don't understand it, maybe you can help me:

Giving following permission to my tomcat (5.5.9)

    grant {
        permission javax.management.MBeanPermission "*", "*";
        permission java.lang.management.ManagementPermission "monitor";
        permission java.util.PropertyPermission "java.class.path", "read";
        permission java.util.PropertyPermission "java.library.path", "read";
        permission java.net.SocketPermission "intranet-lx1", "resolve";
    };

and I can monitor my tomcat with jconsole. But this means I give the above permissions to all jars webapps on my tomcat. So I guessed, giving these permissions only to $JAVA_HOME jars (lib, lib/ext) and tomcat jars (common,server,bin) should have the same result - but no, I got a security exception:

    access: access denied (javax.management.MBeanPermission sun.management.RuntimeImpl#-[java.lang:type=Runtime] isInstanceOf)
    java.lang.Exception: Stack trace
        at java.lang.Thread.dumpStack(Thread.java:1158)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:253)
        at java.security.AccessController.checkPermission(AccessController.java:427)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.checkMBeanPermission(DefaultMBeanServerInterceptor.java:1707)
        at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.isInstanceOf(DefaultMBeanServerInterceptor.java:1328)
        at com.sun.jmx.mbeanserver.JmxMBeanServer.isInstanceOf(JmxMBeanServer.java:1074)
        at com.sun.jmx.remote.security.MBeanServerAccessController.isInstanceOf(MBeanServerAccessController.java:439)
        at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1414)
        at javax.management.remote.rmi.RMIConnectionImpl.access$100(RMIConnectionImpl.java:81)
        at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1245)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1348)

And now I was surprised - all the packages in the stack trace (above doPrivileged) are contained in rt.jar, which do have AllPermission (and additional permissions described above - for the paranoid)!! Why can the above access denied exception occur?? This exception is also thrown when no webapp is deployed - this means that only $JAVA_HOME tomcat core jars are found and loaded and all of these jars do have AllPermission?!

I'm confused,
Gernot

-----Original Message-----
From: Peter Rossbach [mailto:[EMAIL PROTECTED]
Sent: Sunday, 18 September 2005 10:55
To: Tomcat Users List
Subject: Re: jconsole security manager

You can find detailed information here:
http://java.sun.com/j2se/1.5.0/docs/api/javax/management/MBeanPermission.html

Very simple config example:
http://mx4j.sourceforge.net/docs/ch03s10.html

Peter

Pfingstl Gernot wrote:
> I like to monitor my tomcat 5.5 (running on jdk 1.5.0) with jconsole. If I run tomcat without security manager everything works well. If I run tomcat with security manager, monitoring the tomcat mbeans works well - but jconsole's memory view doesn't work!
> Sun's doc says: If your application runs a security manager, then additional permissions are required in the security permissions file.
> But I have not found which permissions are required? Has somebody solved this? Which permissions are required?
>
> Thanks,
> Gernot

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: jconsole security manager
You can find detailed information here:
http://java.sun.com/j2se/1.5.0/docs/api/javax/management/MBeanPermission.html

Very simple config example:
http://mx4j.sourceforge.net/docs/ch03s10.html

Peter

Pfingstl Gernot wrote:
> I like to monitor my tomcat 5.5 (running on jdk 1.5.0) with jconsole. If I run tomcat without security manager everything works well. If I run tomcat with security manager, monitoring the tomcat mbeans works well - but jconsole's memory view doesn't work!
> Sun's doc says: If your application runs a security manager, then additional permissions are required in the security permissions file.
> But I have not found which permissions are required? Has somebody solved this? Which permissions are required?
>
> Thanks,
> Gernot
jconsole security manager
I like to monitor my tomcat 5.5 (running on jdk 1.5.0) with jconsole. If I run tomcat without security manager everything works well. If I run tomcat with security manager, monitoring the tomcat mbeans works well - but jconsole's memory view doesn't work!

Sun's doc says: If your application runs a security manager, then additional permissions are required in the security permissions file.

But I have not found which permissions are required? Has somebody solved this? Which permissions are required?

Thanks,
Gernot
Security manager w/ manager app
All: Is it possible to start Tomcat w/ the security manager enabled if I were to use the Tomcat Web Application Manager?
Re: Security Manager
On Tuesday, 19 July 2005 23:55, Ralf Schneider wrote:
> Hi,
>
> I have some problems when turning the security manager of Tomcat 5.5.9 on. When I load a JSP that has to be compiled after being changed I get a strange exception:
>
> ERROR [19.07.2005 23:30:45] (ApplicationDispatcher.java:704) - Servlet.service() for servlet jsp threw exception
> org.xml.sax.SAXException: Internal Error: File /javax/servlet/resources/web-app_2_3.dtd not found
>     at

Hi,

I found the solution by myself. The reason for this problem was the JAR file xercesImpl.jar in my WEB-INF/lib dir. Don't know why this was there, but after removing it everything works fine again.

Ralf.
Re: Security Manager
Maybe you must include web-app_2_3_2.dtd in your WEB-INF directory, and then reload it?

On 7/31/05, Ralf Schneider [EMAIL PROTECTED] wrote:
> On Tuesday, 19 July 2005 23:55, Ralf Schneider wrote:
> > Hi,
> >
> > I have some problems when turning the security manager of Tomcat 5.5.9 on. When I load a JSP that has to be compiled after being changed I get a strange exception:
> >
> > ERROR [19.07.2005 23:30:45] (ApplicationDispatcher.java:704) - Servlet.service() for servlet jsp threw exception
> > org.xml.sax.SAXException: Internal Error: File /javax/servlet/resources/web-app_2_3.dtd not found
> >     at
>
> Hi,
>
> I found the solution by myself. The reason for this problem was the JAR file xercesImpl.jar in my WEB-INF/lib dir. Don't know why this was there, but after removing it everything works fine again.
>
> Ralf.

--
http://www.psychotazkia.or.id
Security Manager
Hi,

I have some problems when turning the security manager of Tomcat 5.5.9 on. When I load a JSP that has to be compiled after being changed I get a strange exception:

    ERROR [19.07.2005 23:30:45] (ApplicationDispatcher.java:704) - Servlet.service() for servlet jsp threw exception
    org.xml.sax.SAXException: Internal Error: File /javax/servlet/resources/web-app_2_3.dtd not found
        at org.apache.jasper.xmlparser.MyEntityResolver.resolveEntity(ParserUtils.java:205)
        at org.apache.xerces.util.EntityResolverWrapper.resolveEntity(Unknown Source)
        at org.apache.xerces.impl.XMLEntityManager.resolveEntity(Unknown Source)
        at org.apache.xerces.impl.XMLDocumentScannerImpl$DTDDispatcher.dispatch(Unknown Source)
        at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
        at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
        at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
        at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
        at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
        at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
        at org.apache.jasper.xmlparser.ParserUtils.parseXMLDocument(ParserUtils.java:95)
        at org.apache.jasper.compiler.JspConfig.processWebDotXml(JspConfig.java:76)
        at org.apache.jasper.compiler.JspConfig.init(JspConfig.java:197)
        at org.apache.jasper.compiler.JspConfig.findJspProperty(JspConfig.java:249)
        at org.apache.jasper.compiler.Compiler.generateJava(Compiler.java:103)

These are only the first few lines of the callstack. The whole exception is very long. I also turned debugging on (java.security.debug=access), but there's no AccessControlException before the SAXException above.

Any ideas what might be the problem?

Best regards,
Ralf.
security manager unpackWAR=false
Switching on security manager I can add permissions to my webapp classes e.g. with

    grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-"

If I choose to use 'unpackWAR=false', I don't have anything in my ${catalina.base}/webapps directory and my 'docBase' (my example.war) is somewhere else in my filesystem. Using codeBase as described above doesn't work.

How do I grant permissions to my apps when using unpackWAR=false ('codeBase jar:file:/xxx/example.war!/-' or 'codeBase file:/xxx/example.war' doesn't work)?

I'm using tomcat 5.5

Gernot
Help needed: Setting Tomcat5.5 to run with security manager in Windows XP
I cannot figure out how to set Tomcat 5.5.7 to be running under security manager. Standard Tomcat help gives option as:

    %CATALINA_HOME%\bin\catalina start -security

however there is no file named catalina.bat in this directory. In fact there are only these 4 files: bootstrap.jar, commons-logging-api.jar, tomcat5.exe and tomcat5w.exe. There is no single *.bat file anywhere under %CATALINA_HOME%.

Any help?

Thanks
RE: Help needed: Setting Tomcat5.5 to run with security manager in Windows XP
> From: Nikolay Karasev [mailto:[EMAIL PROTECTED]
> Subject: Help needed: Setting Tomcat5.5 to run with security manager in Windows XP
>
> however there is no file named catalina.bat in this directory.

The .bat files are only in the zip download. If you're running Tomcat as a service, there is no .bat file to edit; instead you can use the Tomcat5w.exe program to set additional parameters (under the Java tab), or edit the registry.

 - Chuck
xalan problem with security manager
Hi all,

I can't make xalan work when I run tomcat with security manager. All I get is java.lang.ExceptionInInitializerError (see stack trace below). It works fine without security manager.

Has any of you used xalan on tomcat with security manager? What privileges should I grant to the code? I tried:

    grant {
        permission java.util.PropertyPermission "*", "read";
        permission java.net.SocketPermission "*", "connect";
        permission java.lang.RuntimePermission "getClassLoader";
    };
    grant {
        permission java.io.FilePermission "${catalina.home}/temp/*", "read, write, delete";
    };

But it doesn't help. Any ideas?

Thank you very much in advance,
Michal.

My setup is tomcat 5.0.28 on jdk 1.4.2_06, it behaves the same on win xp or linux.

Here's the code:

    File xmlFileObj = new File(xmlFile);
    File xslFileObj = new File(xslFile);
    this.out = out;
    TransformerFactory tFactory = TransformerFactory.newInstance();
    Transformer transformer = tFactory.newTransformer(new StreamSource(xslFileObj));
    transformer.setParameter(serviceName, serviceName);
    transformer.transform(new StreamSource(xmlFileObj), new StreamResult(out));
    out.flush();

And the stack trace.

    javax.servlet.ServletException
        org.apache.jasper.runtime.PageContextImpl.doHandlePageException(PageContextImpl.java:825)
        org.apache.jasper.runtime.PageContextImpl.access$1100(PageContextImpl.java:64)
        org.apache.jasper.runtime.PageContextImpl$12.run(PageContextImpl.java:745)
        java.security.AccessController.doPrivileged(Native Method)
        org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java:743)
        org.apache.jsp.tree_jsp._jspService(tree_jsp.java:98)
        org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
        org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:324)
        org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:292)
        org.apache.jasper.servlet.JspServlet.service(JspServlet.java:236)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
        sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        java.lang.reflect.Method.invoke(Method.java:324)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:239)
        java.security.AccessController.doPrivileged(Native Method)
        javax.security.auth.Subject.doAsPrivileged(Subject.java:500)
        org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:268)
        org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:157)

    root cause

    java.lang.ExceptionInInitializerError
        java.lang.Class.forName0(Native Method)
        java.lang.Class.forName(Class.java:141)
        org.apache.xalan.serialize.SerializerFactory.getSerializer(SerializerFactory.java:131)
        org.apache.xalan.transformer.TransformerImpl.createResultContentHandler(TransformerImpl.java:1048)
        org.apache.xalan.transformer.TransformerImpl.createResultContentHandler(TransformerImpl.java:975)
        org.apache.xalan.transformer.TransformerImpl.transform(TransformerImpl.java:1124)
        org.apache.xalan.transformer.TransformerImpl.transform(TransformerImpl.java:1107)
        circeos.xml.XslHtmlConverter.Display(XslHtmlConverter.java:29)
        org.apache.jsp.tree_jsp._jspService(tree_jsp.java:84)
        org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
        org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:324)
        org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:292)
        org.apache.jasper.servlet.JspServlet.service(JspServlet.java:236)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
        sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        java.lang.reflect.Method.invoke(Method.java:324)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:239)
        java.security.AccessController.doPrivileged(Native Method)
        javax.security.auth.Subject.doAsPrivileged(Subject.java:500)
        org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:268)
        org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:157)
Re: xalan problem with security manager
Michael-

If you suspect the error is related to the security manager, run tomcat with the following environment variable set:

    export CATALINA_OPTS=-Djava.security.debug=access:failure

This will put logging for the security manager in your catalina.out file (or your application's log file if you defined a new logger for your webapp). It will show all the access checks (in short form) and a stack trace and domain that caused the failure when a failure occurs. It will tell you what permission was denied, and the codebase it was denied to. I used it extensively yesterday to set up my security policy.

For more info see http://jakarta.apache.org/tomcat/tomcat-5.0-doc/security-manager-howto.html

Greg

On Jan 14, 2005, at 4:58 AM, Michal Kwiatek wrote:
> Hi all,
>
> I can't make xalan work when I run tomcat with security manager. All I get is java.lang.ExceptionInInitializerError (see stack trace below). It works fine without security manager.
>
> Has any of you used xalan on tomcat with security manager? What privileges should I grant to the code? I tried:
>
>     grant {
>         permission java.util.PropertyPermission "*", "read";
>         permission java.net.SocketPermission "*", "connect";
>         permission java.lang.RuntimePermission "getClassLoader";
>     };
>     grant {
>         permission java.io.FilePermission "${catalina.home}/temp/*", "read, write, delete";
>     };
>
> But it doesn't help. Any ideas?
>
> Thank you very much in advance,
> Michal.
>
> My setup is tomcat 5.0.28 on jdk 1.4.2_06, it behaves the same on win xp or linux.
>
> Here's the code:
>
>     File xmlFileObj = new File(xmlFile);
>     File xslFileObj = new File(xslFile);
>     this.out = out;
>     TransformerFactory tFactory = TransformerFactory.newInstance();
>     Transformer transformer = tFactory.newTransformer(new StreamSource(xslFileObj));
>     transformer.setParameter(serviceName, serviceName);
>     transformer.transform(new StreamSource(xmlFileObj), new StreamResult(out));
>     out.flush();
>
> And the stack trace.
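Added example (not part of the original thread, and not Tomcat or JDK code): a small script that reads the security-debug output described in the reply above and groups each denied permission under the codebase it was denied to, printed as candidate policy entries. The log lines are constructed in the shape of the trace quoted earlier on this page; the paths and the helper names are assumptions.

```python
import re

# Constructed sample of JDK security-debug output: a denial line, an optional
# stack dump, then the protection domain whose policy lacked the permission.
SAMPLE_LOG = """\
access: access allowed (java.util.PropertyPermission java.class.path read)
access: access denied (java.net.SocketPermission 127.0.0.1:3306 connect,resolve)
java.lang.Exception: Stack trace
\tat java.lang.Thread.dumpStack(Thread.java:1158)
\tat java.security.AccessControlContext.checkPermission(AccessControlContext.java:253)
access: domain that failed ProtectionDomain  (file:/C:/tomcat/webapps/shop/WEB-INF/lib/mysql-connector.jar <no signer certificates>)
access: access denied (java.io.FilePermission C:\\Program Files\\Apache Group\\Tomcat 4.1\\certs read)
access: domain that failed ProtectionDomain  (file:/C:/tomcat/webapps/shop/WEB-INF/classes/ <no signer certificates>)
access: access denied (java.lang.RuntimePermission getClassLoader)
access: domain that failed ProtectionDomain  (file:/C:/tomcat/webapps/shop/WEB-INF/classes/ <no signer certificates>)
access: access denied (java.net.SocketPermission 127.0.0.1:3306 connect,resolve)
access: domain that failed ProtectionDomain  (file:/C:/tomcat/webapps/shop/WEB-INF/lib/mysql-connector.jar <no signer certificates>)
access: access denied (javax.management.MBeanPermission sun.management.RuntimeImpl#-[java.lang:type=Runtime] isInstanceOf)
"""

DENIED = re.compile(r"^access: access denied \((.*)\)\s*$")
DOMAIN = re.compile(r"^access: domain that failed ProtectionDomain\s+\((\S+) ")
UNKNOWN = "<no domain logged>"  # denial seen without a following domain line


def parse_permission(text):
    """Split the body of Permission.toString() into (class, name, actions)."""
    text = text.strip()
    if text.startswith('"'):
        # Newer JDKs quote every field: "class" "name" "actions"
        parts = re.findall(r'"([^"]*)"', text)
    else:
        # Older JDKs (as in this thread) print bare fields. The name may hold
        # spaces, so the last token is taken as the actions. A permission with
        # spaces in its name and no actions cannot be told apart from this.
        cls, _, rest = text.partition(" ")
        rest = rest.strip()
        if " " in rest:
            name, actions = rest.rsplit(None, 1)
            parts = [cls, name, actions]
        else:
            parts = [cls, rest] if rest else [cls]
    parts += [None] * (3 - len(parts))
    return tuple(parts[:3])


def collect_denials(log_text):
    """Map each failing codebase to the distinct permissions it was denied."""
    denials = {}
    pending = None

    def file_under(codebase, perm):
        bucket = denials.setdefault(codebase, [])
        if perm not in bucket:
            bucket.append(perm)

    for line in log_text.splitlines():
        m = DENIED.match(line)
        if m:
            if pending:
                file_under(UNKNOWN, pending)
            pending = parse_permission(m.group(1))
            continue
        m = DOMAIN.match(line)
        if m and pending:
            file_under(m.group(1), pending)
            pending = None
    if pending:
        file_under(UNKNOWN, pending)
    return denials


def format_permission(perm):
    """Render one permission in policy-file syntax, escaping \\ and \"."""
    cls, name, actions = perm
    quoted = ['"%s"' % v.replace("\\", "\\\\").replace('"', '\\"')
              for v in (name, actions) if v is not None]
    return "permission " + cls + (" " + ", ".join(quoted) if quoted else "") + ";"


def render_policy(denials):
    """Emit one codeBase-scoped grant per failing domain, for manual review."""
    out = []
    for codebase, perms in denials.items():
        if codebase == UNKNOWN:
            out.append("// denied, but no failing domain was logged:")
            out.extend("//   " + format_permission(p) for p in perms)
            continue
        out.append('grant codeBase "%s" {' % codebase)
        out.extend("    " + format_permission(p) for p in perms)
        out.append("};")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_policy(collect_denials(SAMPLE_LOG)))
```

The output is a list of candidates to review before anything goes into catalina.policy. Only the first domain on the stack that lacked the permission is logged, so a further denial can surface after one grant is added.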
Re: problem with security manager, plesk and mysql (catalina.policy ignored?)
I see now where my problem can be. If I extract the war file to directory ${catalina.home}/psa-webapps/mydomain.com/myapplication/ and insert in the policy file

    grant codeBase "file:${catalina.home}/psa-webapps/mydomain.com/myapplication/" {
        permission java.net.SocketPermission "localhost", "resolve";
        permission java.net.SocketPermission "localhost:3306", "connect,resolve";
    };

I can then connect to the database, so I guess my problem is I'm not using the proper syntax in the policy file for the .war

I will google for a while :-)

Alfonso.

On Sat, 30-10-2004 at 00:21, Alfonso Alba García wrote:
> Hi everybody,
>
> I have problems when connecting to mysql. I'm getting the following exception when trying to connect to a mysql database:
>
>     (SQLException): java.sql.SQLException: Unable to connect to any hosts due to exception: java.security.AccessControlException: access denied (java.net.SocketPermission localhost resolve)
>
> I have read about similar problems in google and tried to modify the catalina.policy without success.
>
> I deploy applications via a Plesk web interface which loads my .war file, sets it in /var/tomcat4/psa-wars/mydomain.com/ creates a symlink to the war file in /var/tomcat4/psa-webapps/mydomain.com/ and makes the application available via mydomain.com/myapplication. It works fine except when an application tries to access a mysql database.
>
> I'm getting the exception above, even though I tried the following lines in catalina.policy without success (found similar exceptions to this one in google):
>
>     grant codeBase "file:${catalina.home}/psa-webapps/mydomain.com/myapplication/-" {
>         permission java.net.SocketPermission "localhost", "resolve";
>         permission java.net.SocketPermission "localhost:3306", "connect,resolve";
>     };
>
>     grant codeBase "file:${catalina.home}/psa-webapps/mydomain.com/myapplication/WEB-INF/lib/mysql-connector-java-3.0.9-stable-bin.jar" {
>         permission java.net.SocketPermission "localhost", "resolve";
>         permission java.net.SocketPermission "localhost:3306", "connect,resolve";
>     };
>
> I tried both of them one at a time and I restarted tomcat after every modification made to the catalina.policy
>
> I'm using tomcat 4.1.24 on a redhat linux Enterprise server, with /mysql-connector-java-3.0.9 and jre 1.4.2. Tomcat and mysql are in the same server.
>
> The way I'm trying to access the database in a jsp is
>
>     conexion = DriverManager.getConnection("jdbc:mysql://localhost/DATABASE?user=USER&password=PASSWORD");
>
> I've checked that the database exists, I can connect to the database from a console as user USER with password PASSWORD.
>
> The application works perfectly well in another server (debian woody with tomcat 4.0) where it was not necessary to modify the security policy. I talked to a friend of mine who also knows something about tomcat and told me that to access a database in the same server where tomcat is, it should not be necessary to modify the catalina.policy file.
>
> I have some experience with tomcat but I run out of ideas and things to try. Any help to open my eyes would be appreciated.
>
> Thanks a lot in advance,
> Alfonso
problem with security manager, plesk and mysql (catalina.policy ignored?)
Hi everybody,

I have problems when connecting to mysql. I'm getting the following exception when trying to connect to a mysql database:

    (SQLException): java.sql.SQLException: Unable to connect to any hosts due to exception: java.security.AccessControlException: access denied (java.net.SocketPermission localhost resolve)

I have read about similar problems in google and tried to modify the catalina.policy without success.

I deploy applications via a Plesk web interface which loads my .war file, sets it in /var/tomcat4/psa-wars/mydomain.com/ creates a symlink to the war file in /var/tomcat4/psa-webapps/mydomain.com/ and makes the application available via mydomain.com/myapplication. It works fine except when an application tries to access a mysql database.

I'm getting the exception above, even though I tried the following lines in catalina.policy without success (found similar exceptions to this one in google):

    grant codeBase "file:${catalina.home}/psa-webapps/mydomain.com/myapplication/-" {
        permission java.net.SocketPermission "localhost", "resolve";
        permission java.net.SocketPermission "localhost:3306", "connect,resolve";
    };

    grant codeBase "file:${catalina.home}/psa-webapps/mydomain.com/myapplication/WEB-INF/lib/mysql-connector-java-3.0.9-stable-bin.jar" {
        permission java.net.SocketPermission "localhost", "resolve";
        permission java.net.SocketPermission "localhost:3306", "connect,resolve";
    };

I tried both of them one at a time and I restarted tomcat after every modification made to the catalina.policy

I'm using tomcat 4.1.24 on a redhat linux Enterprise server, with /mysql-connector-java-3.0.9 and jre 1.4.2. Tomcat and mysql are in the same server.

The way I'm trying to access the database in a jsp is

    conexion = DriverManager.getConnection("jdbc:mysql://localhost/DATABASE?user=USER&password=PASSWORD");

I've checked that the database exists, I can connect to the database from a console as user USER with password PASSWORD.

The application works perfectly well in another server (debian woody with tomcat 4.0) where it was not necessary to modify the security policy. I talked to a friend of mine who also knows something about tomcat and told me that to access a database in the same server where tomcat is, it should not be necessary to modify the catalina.policy file.

I have some experience with tomcat but I run out of ideas and things to try. Any help to open my eyes would be appreciated.

Thanks a lot in advance,
Alfonso
Is it possible to configure the security manager such that my servlet can write into the tomcat-home/logs directory?
Hi --

With tomcat 5.0.16, I could write into that directory (Windows), but with tomcat 5.0.27, I can no longer do so. I've tried all sorts of stuff in catalina.policy, but I still cannot configure it such that I can write my own log file into the logs directory.

Thanks
Betty
problem with security manager.
I am running Tomcat4.1.30 on windows 2000, with security option turned on. My java application which is using JDK 1.4, connects to the credit card authorizing company called verisign, and returns the approval authorization code. I have installed the digital certificate on $TOMCAT_HOME\certs directory. There are read permissions on the cert file. But still for some reason the verisign is not able to read the cert file due to the below error.

    RESULT=-31RESPMSG=The certificate chain did not validate, no local certificate found, java.security.AccessControlException: access denied (java.io.FilePermission C:\Program Files\Apache Group\Tomcat 4.1\certs read)

However when I run Tomcat server without security, everything is fine. Somehow tomcat is restricting the permission to read the cert file. Verisign uses Jsse.jar to do the security authentication. I have modified both java.policy and catalina.policy to grant permission on the cert file as below.

    permission java.io.FilePermission "C:\\Program Files\\Apache Group\\Tomcat 4.1\\certs\\-", "read";

But this does not help, is there anything else I should do to the server.xml file... How does the security manager run in Tomcat4.1

Please help...
Using catalina security manager in embedded tomcat application?
Our application has several catalina engines embedded in it and I am trying to determine if it makes sense or is even possible to use the catalina security manager in this setting. Specifically, what takes the place of the '-security' switch on tomcat in an embedded scenario? BH
Re: Using catalina security manager in embedded tomcat application?
Bill Hughey wrote:
> Our application has several catalina engines embedded in it and I am trying to determine if it makes sense or is even possible to use the catalina security manager in this setting. Specifically, what takes the place of the '-security' switch on tomcat in an embedded scenario?
>
> BH

Make sense. SJSAS PE 8.0 ships with Tomcat 5 embedded and security turned on. You just need to call:

    System.setSecurityManager()

(see J2SE API docs) somewhere in your code.

-- Jeanfrancois
Re: AW: Tomcat 4.1.24 + Security Manager + weird Exceptions
I'm experiencing this same issue. I've got Tomcat 5.0.27, Apache 2.0.46, and jk2 version 2.0.4. Has there been any solution? It occurs primarily under heavy load.

-Joshua Szmajda

> We've got a similar issue, though this is on Linux and using channelUnix/JNI instead of normal tcp channelSocket. We're using Apache2/mod_jk2 (built from tomcat-connectors-1.1M1).
>
> On heavy load, there are over 3000 sockets open by one Tomcat/JVM, they don't seem to go down again too while Tomcat is running. (since File Descriptor limit on Solaris is lower normally (1024 or summat i think) this would cause us heavy problems there too)
>
> The Tomcats and Apache are restarted during the night to free up Memory, so socket count goes down then. However the application doesn't seem to be affected by this.
>
> In catalina.out there are many errors like this:
>
>     org.apache.jk.common.ChannelUn receive
>     SEVERE: receive error: 12
>     java.lang.Throwable
>         at org.apache.jk.common.ChannelUn.receive(ChannelUn.java:230)
>         at org.apache.jk.common.ChannelUn.processConnection(ChannelUn.java:282)
>         at org.apache.jk.common.AprConnection.runIt(ChannelUn.java:350)
>         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:631)
>         at java.lang.Thread.run(Thread.java:536)
>
>     org.apache.jk.common.JniHandler nativeDispatch
>     SEVERE: nativeDispatch: error -3
>     java.lang.Throwable
>         at org.apache.jk.common.JniHandler.nativeDispatch(JniHandler.java:312)
>         at org.apache.jk.common.ChannelUn.send(ChannelUn.java:221)
>         at org.apache.jk.common.ChannelUn.invoke(ChannelUn.java:306)
>         at org.apache.jk.server.JkCoyoteHandler.doWrite(JkCoyoteHandler.java:249)
>         at org.apache.coyote.Response.doWrite(Response.java:530)
>         at org.apache.coyote.tomcat4.OutputBuffer.realWriteBytes(OutputBuffer.java:384)
>         at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:439)
>         at org.apache.tomcat.util.buf.ByteChunk.append(ByteChunk.java:359)
>         at org.apache.coyote.tomcat4.OutputBuffer.writeBytes(OutputBuffer.java:411)
>         at org.apache.coyote.tomcat4.OutputBuffer.write(OutputBuffer.java:398)
>         at org.apache.coyote.tomcat4.CoyoteOutputStream.write(CoyoteOutputStream.java:110)
>         at org.apache.catalina.servlets.DefaultServlet.copyRange(DefaultServlet.java:1996)
>         at org.apache.catalina.servlets.DefaultServlet.copy(DefaultServlet.java:1745)
>         at org.apache.catalina.servlets.DefaultServlet.serveResource(DefaultServlet.java:1073)
>         at org.apache.catalina.servlets.DefaultServlet.doGet(DefaultServlet.java:506)
>     .
Mysql connector and security manager
Hi,

I try to run the mysql connector with Tomcat with security enabled (NT4, jakarta-tomcat-5.0.25, j2sdk1.4.2_05, mysql-connector-java-3.1.2-alpha-bin.jar)

With the rule

    grant {
        permission java.net.SocketPermission "localhost:3306", "connect,resolve";
    };

it works. But this rule is not specific enough, any code could connect to the database.

I put the driver jar into ${catalina.home}/common/lib, so the default rule in the Tomcat distribution policy file

    grant codeBase "file:${catalina.home}/common/-" {
        permission java.security.AllPermission;
    };

should trigger, but there is the exception given far below. I wonder if the actual database call is done by code, that has no rule.

So, has anybody succeeded with a specific rule that allows the driver to connect to the database?

Btw, how do I call catalina.bat to have JPDA and -security ?

Thanks in advance for your help,
Juergen

** BEGIN NESTED EXCEPTION **

java.security.AccessControlException
MESSAGE: access denied (java.net.SocketPermission 127.0.0.1:3306 connect,resolve)

STACKTRACE:

java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:3306 connect,resolve)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
    at java.security.AccessController.checkPermission(AccessController.java:401)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
    at java.lang.SecurityManager.checkConnect(SecurityManager.java:1026)
    at java.net.Socket.connect(Socket.java:446)
    at java.net.Socket.connect(Socket.java:402)
    at java.net.Socket.init(Socket.java:309)
    at java.net.Socket.init(Socket.java:124)
    at com.mysql.jdbc.StandardSocketFactory.connect(StandardSocketFactory.java:130)
    at com.mysql.jdbc.MysqlIO.init(MysqlIO.java:265)
    at com.mysql.jdbc.Connection.createNewIO(Connection.java:1796)
    at com.mysql.jdbc.Connection.init(Connection.java:400)
flush buffer security manager
Hi

Appended is a simple servlet and the errors I get back to the browser. The errors are produced the first time the servlet is called after a Tomcat restart under security manager, subsequent calls to the servlet and a restart with security manager run OK. The error points to the res.flushBuffer(); line.

Running Tomcat 4.1.30 under Linux

Any ideas what I'm doing wrong?

Mike

ERRORS
---
HTTP Status 500 -

type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: Servlet execution threw an exception
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:98)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:256)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
    at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2422)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
    at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:163)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
    at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:199)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:700)
    at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:584)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
    at java.lang.Thread.run(Thread.java:536)

root cause

java.lang.NoClassDefFoundError: org/apache/coyote/http11/Http11Processor$1
    at org.apache.coyote.http11.Http11Processor.prepareResponse(Http11Processor.java:1513)
    at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:921)
    at org.apache.coyote.Response.action(Response.java:224)
    at org.apache.coyote.http11.InternalOutputBuffer.doWrite(InternalOutputBuffer.java:605)
    at org.apache.coyote.Response.doWrite(Response.java:586)
    at org.apache.coyote.tomcat4.OutputBuffer.realWriteBytes(OutputBuffer.java:405)
    at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:436)
    at org.apache.coyote.tomcat4.OutputBuffer.doFlush(OutputBuffer.java:354)
    at org.apache.coyote.tomcat4.OutputBuffer.flush(OutputBuffer.java:336)
    at org.apache.coyote.tomcat4.CoyoteResponse.flushBuffer(CoyoteResponse.java:541)
    at org.apache.coyote.tomcat4.CoyoteResponseFacade.flushBuffer(CoyoteResponseFacade.java:225)
    at Flush.doGet(Flush.java:13)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853
RE: JNDI Datasource receives AccessControlException with Security Manager
Debugging with Security manager can be challenging. You probably want to take a look at Tomcat Security Manager HowTo.

Regards,
Daniel

-Original Message-
From: Juergen Weber [mailto:[EMAIL PROTECTED]
Sent: Saturday, April 03, 2004 2:55 AM
To: [EMAIL PROTECTED]
Subject: JNDI Datasource receives AccessControlException with Security Manager

I got database connection up and running as described in tomcat-docs/jndi-datasource-examples-howto.html

But it does not run with the Security Manager enabled. The mysql driver and commons-dbcp are in common/lib, so

    grant codeBase "file:${catalina.home}/common/-" {
        permission java.security.AllPermission;
    };

should trigger. What permissions are needed, too?

BTW, I test with Windows.

Thanks,
Jürgen

org.apache.commons.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory, cause:
java.sql.SQLException: Server connection failure during transaction. Due to underlying exception: 'java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:3306 connect,resolve)'. Attempted reconnect 3 times. Giving up.
    at com.mysql.jdbc.Connection.createNewIO(Connection.java:1811)
    at com.mysql.jdbc.Connection.init(Connection.java:432)
    at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:400)
    at org.apache.commons.dbcp.DriverConnectionFactory.createConnection(DriverConnectionFactory.java:82)
    at org.apache.commons.dbcp.PoolableConnectionFactory.makeObject(PoolableConnectionFactory.java:300)
    at org.apache.commons.dbcp.BasicDataSource.validateConnectionFactory(BasicDataSource.java:838)
    at org.apache.commons.dbcp.BasicDataSource.createDataSource(BasicDataSource.java:821)
    at org.apache.commons.dbcp.BasicDataSource.getConnection(BasicDataSource.java:518)
    at de.jwi.jgallery.db.DBManager.getAndIncFolderCounter(DBManager.java:47)
    at de.jwi.jgallery.Folder.getCounter(Folder.java:975)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at org.apache.commons.el.ArraySuffix.evaluate(ArraySuffix.java:314)
    at org.apache.commons.el.ComplexValue.evaluate(ComplexValue.java:145)
    at org.apache.commons.el.ExpressionEvaluatorImpl.evaluate(ExpressionEvaluatorImpl.java:263)
    at org.apache.commons.el.ExpressionEvaluatorImpl.evaluate(ExpressionEvaluatorImpl.java:190)
    at org.apache.jasper.runtime.PageContextImpl$13.run(PageContextImpl.java:926)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(PageContextImpl.java:922)
    at org.apache.jsp.skins.Standard.slide_jsp._jspx_meth_jg_if_6(slide_jsp.java:846)
    at org.apache.jsp.skins.Standard.slide_jsp._jspService(slide_jsp.java:177)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:133)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:311)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:301)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:248)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:284)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:500)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:306)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:200)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:278)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:97)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:183)
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:750)
    at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:510
JNDI Datasource receives AccessControlException with Security Manager
I got database connection up and running as described in tomcat-docs/jndi-datasource-examples-howto.html

But it does not run with the Security Manager enabled. The mysql driver and commons-dbcp are in common/lib, so

    grant codeBase "file:${catalina.home}/common/-" {
        permission java.security.AllPermission;
    };

should trigger. What permissions are needed, too?

BTW, I test with Windows.

Thanks,
Jürgen

org.apache.commons.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory, cause:
java.sql.SQLException: Server connection failure during transaction. Due to underlying exception: 'java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:3306 connect,resolve)'. Attempted reconnect 3 times. Giving up.
    at com.mysql.jdbc.Connection.createNewIO(Connection.java:1811)
    at com.mysql.jdbc.Connection.init(Connection.java:432)
    at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:400)
    at org.apache.commons.dbcp.DriverConnectionFactory.createConnection(DriverConnectionFactory.java:82)
    at org.apache.commons.dbcp.PoolableConnectionFactory.makeObject(PoolableConnectionFactory.java:300)
    at org.apache.commons.dbcp.BasicDataSource.validateConnectionFactory(BasicDataSource.java:838)
    at org.apache.commons.dbcp.BasicDataSource.createDataSource(BasicDataSource.java:821)
    at org.apache.commons.dbcp.BasicDataSource.getConnection(BasicDataSource.java:518)
    at de.jwi.jgallery.db.DBManager.getAndIncFolderCounter(DBManager.java:47)
    at de.jwi.jgallery.Folder.getCounter(Folder.java:975)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at org.apache.commons.el.ArraySuffix.evaluate(ArraySuffix.java:314)
    at org.apache.commons.el.ComplexValue.evaluate(ComplexValue.java:145)
    at org.apache.commons.el.ExpressionEvaluatorImpl.evaluate(ExpressionEvaluatorImpl.java:263)
    at org.apache.commons.el.ExpressionEvaluatorImpl.evaluate(ExpressionEvaluatorImpl.java:190)
    at org.apache.jasper.runtime.PageContextImpl$13.run(PageContextImpl.java:926)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(PageContextImpl.java:922)
    at org.apache.jsp.skins.Standard.slide_jsp._jspx_meth_jg_if_6(slide_jsp.java:846)
    at org.apache.jsp.skins.Standard.slide_jsp._jspService(slide_jsp.java:177)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:133)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:311)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:301)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:248)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:284)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:500)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:306)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:200)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:278)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:97)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:183)
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:750)
    at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:510)
    at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:445)
    at org.apache.catalina.core.ApplicationDispatcher.access$000(ApplicationDispatcher.java:118)
    at org.apache.catalina.core.ApplicationDispatcher$PrivilegedForward.run(ApplicationDispatcher.java:133
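
Added example (not part of the original posts, and not Tomcat or Connector/J code): a permission check consults every protection domain on the call stack down to the caller of the nearest AccessController.doPrivileged, so AllPermission on the driver jar is not enough when webapp classes sit above that boundary. The Python below finds those classes in a trace condensed from the post; the trusted-prefix list and the webapp codeBase placeholder are assumptions.

```python
import re

# Condensed from the trace in the post above (wrapped lines rejoined, frames trimmed).
SAMPLE_TRACE = """\
java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:3306 connect,resolve)
    at com.mysql.jdbc.Connection.createNewIO(Connection.java:1811)
    at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:400)
    at org.apache.commons.dbcp.BasicDataSource.getConnection(BasicDataSource.java:518)
    at de.jwi.jgallery.db.DBManager.getAndIncFolderCounter(DBManager.java:47)
    at de.jwi.jgallery.Folder.getCounter(Folder.java:975)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at org.apache.commons.el.ArraySuffix.evaluate(ArraySuffix.java:314)
    at org.apache.jasper.runtime.PageContextImpl$13.run(PageContextImpl.java:926)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(PageContextImpl.java:922)
    at org.apache.jsp.skins.Standard.slide_jsp._jspService(slide_jsp.java:177)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
"""

# Assumption: packages loaded from the JDK or from common/lib, i.e. code sources
# that the policy already grants AllPermission. Adjust to the real installation.
TRUSTED_PREFIXES = ("java.", "javax.", "sun.", "com.mysql.",
                    "org.apache.commons.", "org.apache.jasper.")

FRAME_RE = re.compile(r"\bat\s+([\w.$]+)\.([\w$<>]+)\(")
DENIED_RE = re.compile(r"access denied \(([\w.$]+) ([^\s)]+)(?: ([^)]+))?\)")


def parse_denied(trace):
    """Return (permission class, target name, actions) from the exception message."""
    m = DENIED_RE.search(trace)
    if m is None:
        raise ValueError("no 'access denied (...)' message in trace")
    return m.group(1), m.group(2), m.group(3) or ""


def checked_frames(trace):
    """Classes whose protection domains the check consults: every frame from the
    top of the trace down to and including the caller of the first doPrivileged."""
    frames = FRAME_RE.findall(trace)
    checked = []
    for i, (cls, method) in enumerate(frames):
        checked.append(cls)
        if (cls, method) == ("java.security.AccessController", "doPrivileged"):
            if i + 1 < len(frames):
                checked.append(frames[i + 1][0])  # the doPrivileged caller counts too
            break
    return checked


def needs_grant(trace, trusted_prefixes=TRUSTED_PREFIXES):
    """Checked classes that are not covered by a trusted prefix, in stack order.
    An empty result means the denying domain is not visible in the frames, as
    happens with two-argument doPrivileged or a context inherited by a thread."""
    missing = []
    for cls in checked_frames(trace):
        if not cls.startswith(tuple(trusted_prefixes)) and cls not in missing:
            missing.append(cls)
    return missing


def render_grant(code_base, denied):
    """Render a policy entry scoped to one code base instead of a bare grant {}."""
    perm_class, name, actions = denied
    target = f'"{name}"' + (f', "{actions}"' if actions else "")
    return (f'grant codeBase "{code_base}" {{\n'
            f"    permission {perm_class} {target};\n"
            "};")


if __name__ == "__main__":
    print("needs the permission:", needs_grant(SAMPLE_TRACE))
    # Placeholder code base: replace YOUR_APP with the deployed webapp directory.
    print(render_grant("file:${catalina.home}/webapps/YOUR_APP/-",
                       parse_denied(SAMPLE_TRACE)))
```
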
problem with security manager and manager webapp
Hi.

I've been using the manager webapp, but after enabling the security manager (-security on tomcat startup), the manager doesn't run any longer, giving this error:

type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: Wrapper cannot find servlet class org.apache.catalina.manager.ManagerServlet or a class it depends on

And in the log file, I see that:

java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
    at java.security.AccessController.checkPermission(AccessController.java:401)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1491)
    at java.lang.ClassLoader$1.run(ClassLoader.java:313)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.lang.ClassLoader.checkPackageAccess(ClassLoader.java:311)
    at java.lang.ClassLoader.defineClass0(Native Method)
    at java.lang.ClassLoader.defineClass(ClassLoader.java:537)
    at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:123)
    at org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappClassLoader.java:1677)
    at org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:900)
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1350)
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1230)
    at org.apache.catalina.core.StandardWrapper$1.run(StandardWrapper.java:962)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:958)
    at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:712)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:187)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567)
    at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:245)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:199)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:587)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:184)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
---

In the default Catalina.policy file, I see:

    // libraries installed in the server directory
    grant codeBase "file:${catalina.home}/server/-" {
        permission java.security.AllPermission;
    };

Why can I not get the manager app to work with the security manager enabled?

Thanks,
Jason Keltz
[EMAIL PROTECTED]
Re: problem with security manager and manager webapp
Jason Keltz wrote:

Hi.

I've been using the manager webapp, but after enabling the security manager (-security on tomcat startup), the manager doesn't run any longer, giving this error:

type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: Wrapper cannot find servlet class org.apache.catalina.manager.ManagerServlet or a class it depends on

And in the log file, I see that:

java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina)

That's a bug on our side. I will take a look later today. As a workaround, you can do:

    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";

or remove that package in catalina.properties.

-- Jeanfrancois

    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
    at java.security.AccessController.checkPermission(AccessController.java:401)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1491)
    at java.lang.ClassLoader$1.run(ClassLoader.java:313)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.lang.ClassLoader.checkPackageAccess(ClassLoader.java:311)
    at java.lang.ClassLoader.defineClass0(Native Method)
    at java.lang.ClassLoader.defineClass(ClassLoader.java:537)
    at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:123)
    at org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappClassLoader.java:1677)
    at org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:900)
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1350)
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1230)
    at org.apache.catalina.core.StandardWrapper$1.run(StandardWrapper.java:962)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:958)
    at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:712)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:187)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567)
    at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:245)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:199)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:587)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:184)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
---

In the default Catalina.policy file, I see:

    // libraries installed in the server directory
    grant codeBase "file:${catalina.home}/server/-" {
        permission java.security.AllPermission;
    };

Why can I not get the manager app to work with the security manager enabled?

Thanks,
Jason Keltz
[EMAIL PROTECTED]
Re: problem with security manager and manager webapp
Hi Jeanfrancois,

I'm not sure now if it's a bug or not. I realized that the problem is that the code in catalina.policy to allow access refers to ${catalina.home}:

    // These permissions apply to the container's core code, plus any additional
    // libraries installed in the server directory
    grant codeBase "file:${catalina.home}/server/-" {
        permission java.security.AllPermission;
    };

I had copied the server directory to CATALINA_BASE to get the manager app working a while ago. The default context for the manager app refers to ../server, which, of course wouldn't otherwise exist in CATALINA_BASE unless copied. When the conf directory along with Catalina/localhost/manager.xml was copied to CATALINA_BASE, the manager app couldn't be found.

I've tried these two things and they both work:

1) Change ${catalina.home}/server to ${catalina.base}/server
2) Get rid of the server directory in CATALINA_BASE, and change the context descriptor for the manager app in the CATALINA_BASE directory to refer to the full path to the manager in CATALINA_HOME.

Now, the existing security policy works.

Jason.

On Tue, 16 Mar 2004, Jeanfrancois Arcand wrote:

Jason Keltz wrote:

Hi.

I've been using the manager webapp, but after enabling the security manager (-security on tomcat startup), the manager doesn't run any longer, giving this error:

type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: Wrapper cannot find servlet class org.apache.catalina.manager.ManagerServlet or a class it depends on

And in the log file, I see that:

java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina)

That's a bug on our side. I will take a look later today. As a workaround, you can do:

    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";

or remove that package in catalina.properties.

-- Jeanfrancois

    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
    at java.security.AccessController.checkPermission(AccessController.java:401)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1491)
    at java.lang.ClassLoader$1.run(ClassLoader.java:313)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.lang.ClassLoader.checkPackageAccess(ClassLoader.java:311)
    at java.lang.ClassLoader.defineClass0(Native Method)
    at java.lang.ClassLoader.defineClass(ClassLoader.java:537)
    at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:123)
    at org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappClassLoader.java:1677)
    at org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:900)
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1350)
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1230)
    at org.apache.catalina.core.StandardWrapper$1.run(StandardWrapper.java:962)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:958)
    at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:712)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:187)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567)
    at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:245)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:199)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:587)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:184)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
---

In the default Catalina.policy file, I see
Re: problem with security manager and manager webapp
Jason Keltz wrote:

Hi Jeanfrancois,

I'm not sure now if it's a bug or not. I realized that the problem is that the code in catalina.policy to allow access refers to ${catalina.home}:

    // These permissions apply to the container's core code, plus any additional
    // libraries installed in the server directory
    grant codeBase "file:${catalina.home}/server/-" {
        permission java.security.AllPermission;
    };

I had copied the server directory to CATALINA_BASE to get the manager app working a while ago. The default context for the manager app refers to ../server, which, of course wouldn't otherwise exist in CATALINA_BASE unless copied. When the conf directory along with Catalina/localhost/manager.xml was copied to CATALINA_BASE, the manager app couldn't be found.

I've tried these two things and they both work:

1) Change ${catalina.home}/server to ${catalina.base}/server
2) Get rid of the server directory in CATALINA_BASE, and change the context descriptor for the manager app in the CATALINA_BASE directory to refer to the full path to the manager in CATALINA_HOME.

Now, the existing security policy works.

Yes, except it is not supposed to work like that. I will try to fix it tonight or tomorrow.

Thanks

-- Jeanfrancois

Jason.

On Tue, 16 Mar 2004, Jeanfrancois Arcand wrote:

Jason Keltz wrote:

Hi.

I've been using the manager webapp, but after enabling the security manager (-security on tomcat startup), the manager doesn't run any longer, giving this error:

type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: Wrapper cannot find servlet class org.apache.catalina.manager.ManagerServlet or a class it depends on

And in the log file, I see that:

java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina)

That's a bug on our side. I will take a look later today. As a workaround, you can do:

    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";

or remove that package in catalina.properties.

-- Jeanfrancois

    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
    at java.security.AccessController.checkPermission(AccessController.java:401)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1491)
    at java.lang.ClassLoader$1.run(ClassLoader.java:313)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.lang.ClassLoader.checkPackageAccess(ClassLoader.java:311)
    at java.lang.ClassLoader.defineClass0(Native Method)
    at java.lang.ClassLoader.defineClass(ClassLoader.java:537)
    at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:123)
    at org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappClassLoader.java:1677)
    at org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:900)
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1350)
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1230)
    at org.apache.catalina.core.StandardWrapper$1.run(StandardWrapper.java:962)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:958)
    at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:712)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:187)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567)
    at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:245)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:199)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:587)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:184)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
---

In the default Catalina.policy file
Re: Tomcat as a Windows Service and the security manager
Thanks... The following worked:

-Djava.security.manager -Djava.security.policy==c:\path\to\catalina\conf\catalina.policy

Thanks.

- Original Message -
From: Bill Barker [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 08, 2004 8:50 PM
Subject: Re: Tomcat as a Windows Service and the security manager

Try adding '-Djava.security.manager' and '-Djava.security.manager==c:\path\to\catalina\conf\catalina.policy' to your JavaOptions.

A.J. Ostman [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

Hello All,

Platform: Windows XP / Tomcat 4.1 and 5.0

If I invoke Tomcat from the command line as catalina run -security, then the security manager loads, however how do I get the Tomcat running as a service to invoke the security manager? I have tried putting -security in the optional parameters and even in the imagepath in the registry. Please let me know what works.

Thanks
-A.J. Ostman
ajo at dpzone.com

[This E-mail scanned for viruses by digiposs.com]
Tomcat as a Windows Service and the security manager
Hello All,

Platform: Windows XP / Tomcat 4.1 and 5.0

If I invoke Tomcat from the command line as catalina run -security, then the security manager loads, however how do I get the Tomcat running as a service to invoke the security manager? I have tried putting -security in the optional parameters and even in the imagepath in the registry. Please let me know what works.

Thanks
-A.J. Ostman
ajo at dpzone.com
Re: Tomcat as a Windows Service and the security manager
Try adding '-Djava.security.manager' and '-Djava.security.manager==c:\path\to\catalina\conf\catalina.policy' to your JavaOptions.

A.J. Ostman [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

Hello All,

Platform: Windows XP / Tomcat 4.1 and 5.0

If I invoke Tomcat from the command line as catalina run -security, then the security manager loads, however how do I get the Tomcat running as a service to invoke the security manager? I have tried putting -security in the optional parameters and even in the imagepath in the registry. Please let me know what works.

Thanks
-A.J. Ostman
ajo at dpzone.com
Startup exception using security manager on TC 5.0.18
When I startup Tomcat 5.0.18 with a security manager, I get the following exception. It talks about persisted sessions, something I didn't even realize existed. No doubt there's a permissions problem if it cannot read where the sessions are stored. Is there a way to make sure sessions are not persisted? In general, we wouldn't want that unless we were doing some sort of clustering or the like. Or is this problem something else?

David

Feb 8, 2004 4:30:05 PM org.apache.catalina.session.StandardManager doLoad
SEVERE: IOException while loading persisted sessions: java.io.EOFException
java.io.EOFException
    at java.io.ObjectInputStream$PeekInputStream.readFully(ObjectInputStream.java:2165)
    at java.io.ObjectInputStream$BlockDataInputStream.readShort(ObjectInputStream.java:2631)
    at java.io.ObjectInputStream.readStreamHeader(ObjectInputStream.java:734)
    at java.io.ObjectInputStream.init(ObjectInputStream.java:253)
    at org.apache.catalina.util.CustomObjectInputStream.init(CustomObjectInputStream.java:104)
    at org.apache.catalina.session.StandardManager.doLoad(StandardManager.java:431)
    at org.apache.catalina.session.StandardManager$PrivilegedDoLoad.run(StandardManager.java:123)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.session.StandardManager.load(StandardManager.java:377)
    at org.apache.catalina.session.StandardManager.start(StandardManager.java:703)
    at org.apache.catalina.core.ContainerBase.setManager(ContainerBase.java:542)
    at org.apache.catalina.startup.ContextConfig.managerConfig(ContextConfig.java:349)
    at org.apache.catalina.startup.ContextConfig.start(ContextConfig.java:654)
    at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:253)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:166)
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:4224)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:866)
    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:164)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:186)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:848)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:638)
    at org.apache.catalina.core.StandardHostDeployer.install(StandardHostDeployer.java:320)
    at org.apache.catalina.core.StandardHost.install(StandardHost.java:875)
    at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:727)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:477)
    at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1008)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:394)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:166)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    at org.apache.catalina.core.StandardHost.start(StandardHost.java:832)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1125)
    at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:518)
    at org.apache.catalina.core.StandardService.start(StandardService.java:519)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:2345)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:598)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:297)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:398)
Re: Tomcat + Hibernate2 + Security Manager
Hi !

On Tue, 27 Jan 2004 12:14:16 -0500, Jeanfrancois Arcand [EMAIL PROTECTED] wrote:

From: Jeanfrancois Arcand [EMAIL PROTECTED]
Date: Tue, 27 Jan 2004 12:14:16 -0500
To: Tomcat Users List [EMAIL PROTECTED]
Subject: Re: Tomcat + Hibernate2 + Security Manager

Webmaster wrote:

Hi all,

I know this is a little bit out of topic, but the general concept is useful for everybody. I run tomcat with security manager for a dozen users. Recently, people started to use the hibernate 2 which requires some funky permissions. I had to put these lines in the 'global' permission to make it work:

    grant {
        ...
        permission java.lang.RuntimePermission "accessDeclaredMembers";
        permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
        permission java.lang.RuntimePermission "defineCGLIBClassInJavaPackage";
        ...
    }

Note: I DID test using a codebase like:

    grant codeBase "file:/home//client/public_html/WEB-INF/lib/hibernate2.jar!/-" {

but the classes hibernate creates after reflection stop obeying the security manager.

Do you have the exception? Which Tomcat version are you using?

I'm using 4.1.29. The classes that hibernate creates dynamically are the ones that don't follow the codebase anymore, it's like they have a 'null' codebase after they are created.

Are there any security risks on a security setup with those 3 lines for all classes in the JVM ?

Yes. It will now allow a Servlet to load tomcat internal classes and maybe do malicious things.

Right now, my clients don't have permissions to read the classes in /server/lib directory ( I don't give file io permission to this directory, only to /common/lib ). Would that be enough to stop these malicious things ?

-- Jeanfrancois

Thanks
Renato.
Re: Tomcat + Hibernate2 + Security Manager
Webmaster wrote:

Hi !

On Tue, 27 Jan 2004 12:14:16 -0500, Jeanfrancois Arcand [EMAIL PROTECTED] wrote:

From: Jeanfrancois Arcand [EMAIL PROTECTED]
Date: Tue, 27 Jan 2004 12:14:16 -0500
To: Tomcat Users List [EMAIL PROTECTED]
Subject: Re: Tomcat + Hibernate2 + Security Manager

Webmaster wrote:

Hi all,

I know this is a little bit out of topic, but the general concept is useful for everybody. I run tomcat with security manager for a dozen users. Recently, people started to use the hibernate 2 which requires some funky permissions. I had to put these lines in the 'global' permission to make it work:

    grant {
        ...
        permission java.lang.RuntimePermission "accessDeclaredMembers";
        permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
        permission java.lang.RuntimePermission "defineCGLIBClassInJavaPackage";
        ...
    }

Note: I DID test using a codebase like:

    grant codeBase "file:/home//client/public_html/WEB-INF/lib/hibernate2.jar!/-" {

but the classes hibernate creates after reflection stop obeying the security manager.

Do you have the exception? Which Tomcat version are you using?

I'm using 4.1.29. The classes that hibernate creates dynamically are the ones that don't follow the codebase anymore, it's like they have a 'null' codebase after they are created.

Are there any security risks on a security setup with those 3 lines for all classes in the JVM ?

Yes. It will now allow a Servlet to load tomcat internal classes and maybe do malicious things.

Right now, my clients don't have permissions to read the classes in /server/lib directory ( I don't give file io permission to this directory, only to /common/lib ). Would that be enough to stop these malicious things ?

Yes. But you should only grant those permissions to the Hibernate jar files, not the entire folder.

-- Jeanfrancois

-- Jeanfrancois

Thanks
Renato.
Tomcat + Hibernate2 + Security Manager
Hi all,

I know this is a little bit out of topic, but the general concept is useful for everybody. I run tomcat with security manager for a dozen users. Recently, people started to use the hibernate 2 which requires some funky permissions. I had to put these lines in the 'global' permission to make it work:

    grant {
        ...
        permission java.lang.RuntimePermission "accessDeclaredMembers";
        permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
        permission java.lang.RuntimePermission "defineCGLIBClassInJavaPackage";
        ...
    }

Note: I DID test using a codebase like:

    grant codeBase "file:/home//client/public_html/WEB-INF/lib/hibernate2.jar!/-" {

but the classes hibernate creates after reflection stop obeying the security manager.

Are there any security risks on a security setup with those 3 lines for all classes in the JVM ?

Thanks
Renato.
RE: Tomcat + Hibernate2 + Security Manager
Howdy,

I know this is a little bit out of topic, but the general concept is useful for everybody.

I agree this is useful for everyone. Posting off-topic is fine as long as you mark it by placing [OFF-TOPIC] at the beginning of the subject line.

Note: I DID test using a codebase like:

    grant codeBase "file:/home//client/public_html/WEB-INF/lib/hibernate2.jar!/-" {

but the classes hibernate creates after reflection stop obeying the security manager.

Yeah, that's too bad. The SuppressAccessChecks permission is dangerous, if malicious code is running inside your VM.

Yoav Shapira

This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you.
[OT] RE: Tomcat + Hibernate2 + Security Manager
Could you give an example of how a malicious code could affect the security of the JVM ?

Usually I have a codebase policy like this for each user:

    permission java.io.FilePermission "/home/client/public_html/-", "read,write,delete";

I guess that if someone writes a piece of code that tries to access private functions, static variables, etc from other libraries in different directories, this policy will intercept the request and the malicious code will not work. Am I right ? Is there a way that somebody could write code that uses the catalina classes in order to do something bad ?

On Tue, 27 Jan 2004 12:04:21 -0500, Shapira, Yoav [EMAIL PROTECTED] wrote:

From: Shapira, Yoav [EMAIL PROTECTED]
Date: Tue, 27 Jan 2004 12:04:21 -0500
To: Tomcat Users List [EMAIL PROTECTED]
Subject: RE: Tomcat + Hibernate2 + Security Manager

Howdy,

I know this is a little bit out of topic, but the general concept is useful for everybody.

I agree this is useful for everyone. Posting off-topic is fine as long as you mark it by placing [OFF-TOPIC] at the beginning of the subject line.

Note: I DID test using a codebase like:

    grant codeBase "file:/home//client/public_html/WEB-INF/lib/hibernate2.jar!/-" {

but the classes hibernate creates after reflection stop obeying the security manager.

Yeah, that's too bad. The SuppressAccessChecks permission is dangerous, if malicious code is running inside your VM.

Yoav Shapira
RE: [OT] RE: Tomcat + Hibernate2 + Security Manager
Howdy,

Could you give an example of how a malicious code could affect the security of the JVM ?

You mean in general? How about System.exit()?

Usually I have a codebase policy like this for each user:

    permission java.io.FilePermission "/home/client/public_html/-", "read,write,delete";

I guess that if someone writes a piece of code that tries to access private functions, static variables, etc from other libraries in different directories, this policy will intercept the request and the malicious code will not work. Am I right ? Is there a way that somebody could write code that uses the catalina classes in order to do something bad ?

Your IO permissions are not related to the reflection private access permission.

Yoav Shapira
Re: Tomcat + Hibernate2 + Security Manager
Webmaster wrote:

Hi all,

I know this is a little bit out of topic, but the general concept is useful for everybody. I run tomcat with security manager for a dozen users. Recently, people started to use the hibernate 2 which requires some funky permissions. I had to put these lines in the 'global' permission to make it work:

    grant {
        ...
        permission java.lang.RuntimePermission "accessDeclaredMembers";
        permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
        permission java.lang.RuntimePermission "defineCGLIBClassInJavaPackage";
        ...
    }

Note: I DID test using a codebase like:

    grant codeBase "file:/home//client/public_html/WEB-INF/lib/hibernate2.jar!/-" {

but the classes hibernate creates after reflection stop obeying the security manager.

Do you have the exception? Which Tomcat version are you using?

Are there any security risks on a security setup with those 3 lines for all classes in the JVM ?

Yes. It will now allow a Servlet to load tomcat internal classes and maybe do malicious things.

-- Jeanfrancois

Thanks
Renato.
RE: Tomcat + Hibernate2 + Security Manager
FYI: This has also been discussed here: http://freeroller.net/page/jcarreira/20040126

-Original Message-
From: Shapira, Yoav [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 27, 2004 11:04 AM
To: Tomcat Users List
Subject: RE: Tomcat + Hibernate2 + Security Manager

Howdy,

I know this is a little bit out of topic, but the general concept is useful for everybody.

I agree this is useful for everyone. Posting off-topic is fine as long as you mark it by placing [OFF-TOPIC] at the beginning of the subject line.

Note: I DID test using a codebase like:

    grant codeBase "file:/home//client/public_html/WEB-INF/lib/hibernate2.jar!/-" {

but the classes hibernate creates after reflection stop obeying the security manager.

Yeah, that's too bad. The SuppressAccessChecks permission is dangerous, if malicious code is running inside your VM.

Yoav Shapira
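An added example, not code from any poster or from the Tomcat project: a small policy-file check for the two scoping questions raised in the threads above (a `${catalina.home}` codeBase that does not cover a copy under CATALINA_BASE, and reflection permissions granted globally instead of to one jar). The sample policies, paths, property values and the choice of which permissions count as risky are assumptions made for the example.

```python
import re

# Permissions named in the threads above, plus exitVM (what System.exit() needs).
# Treating exactly these as "risky" is a choice made for this example.
RISKY = {
    "java.security.AllPermission": None,  # None: any target
    "java.lang.reflect.ReflectPermission": ("suppressAccessChecks",),
    "java.lang.RuntimePermission": (
        "accessDeclaredMembers", "exitVM",
        "accessClassInPackage.org.apache.catalina"),
}

_STRIP = re.compile(r'"[^"]*"|//[^\n]*|/\*.*?\*/', re.S)
_GRANT = re.compile(r'\bgrant\b(?P<head>(?:"[^"]*"|[^{"])*)\{'
                    r'(?P<body>(?:"[^"]*"|[^}"])*)\}\s*;', re.I)
_CODEBASE = re.compile(r'codeBase\s+"([^"]*)"', re.I)
_PERM = re.compile(r'\bpermission\s+([\w.$]+)(?:\s+"([^"]*)")?', re.I)
_PROP = re.compile(r'\$\{([^}]+)\}')


def parse_policy(text):
    """Return [(codebase_or_None, [(perm_class, target_or_None), ...]), ...]."""
    # Drop comments, but leave quoted strings (which may contain //) untouched.
    text = _STRIP.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)
    grants = []
    for g in _GRANT.finditer(text):
        cb = _CODEBASE.search(g.group("head"))
        perms = [(p.group(1), p.group(2)) for p in _PERM.finditer(g.group("body"))]
        grants.append((cb.group(1) if cb else None, perms))
    return grants


def is_risky(cls, target):
    if cls not in RISKY:
        return False
    names = RISKY[cls]
    return names is None or any(
        target == n or (target or "").startswith(n + ".") for n in names)


def covers(codebase, location, props):
    """Does a grant's codeBase apply to code loaded from `location`?

    Returns (matched, scope). No codeBase means the grant applies to all code.
    A trailing /- matches the whole tree, /* one directory, anything else
    must match exactly.
    """
    if codebase is None:
        return True, "global"
    cb = _PROP.sub(lambda m: props.get(m.group(1), m.group(0)), codebase)
    cb = cb[5:] if cb.startswith("file:") else cb
    if cb.endswith("/-"):
        return location.startswith(cb[:-1]), "tree"
    if cb.endswith("/*"):
        rest = location[len(cb) - 1:]
        return location.startswith(cb[:-1]) and "/" not in rest, "dir"
    return location == cb, "exact"


def risky_grants_for(policy_text, location, props):
    """List (scope, permission class, target) of risky grants reaching `location`."""
    found = []
    for codebase, perms in parse_policy(policy_text):
        hit, scope = covers(codebase, location, props)
        if hit:
            found += [(scope, c, t) for c, t in perms if is_risky(c, t)]
    return found


# Constructed sample policies in standard policy-file syntax (paths are made up).
CONTAINER = '''
// container core code
grant codeBase "file:${catalina.home}/server/-" {
    permission java.security.AllPermission;
};
'''
GLOBAL_GRANT = CONTAINER + '''
grant {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission java.util.PropertyPermission "java.class.path", "read";
};
'''
JAR_SCOPED = CONTAINER + '''
grant codeBase "file:/srv/webapps/clientA/WEB-INF/lib/hibernate2.jar" {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
'''
PROPS = {"catalina.home": "/opt/tomcat", "catalina.base": "/srv/instance1"}
HIBERNATE_JAR = "/srv/webapps/clientA/WEB-INF/lib/hibernate2.jar"
OTHER_APP = "/srv/webapps/clientB/WEB-INF/classes/App.class"

if __name__ == "__main__":
    for name, policy in (("global", GLOBAL_GRANT), ("jar-scoped", JAR_SCOPED)):
        for loc in (OTHER_APP, HIBERNATE_JAR,
                    "/opt/tomcat/server/lib/catalina.jar",
                    "/srv/instance1/server/lib/catalina.jar"):
            print(name, loc, risky_grants_for(policy, loc, PROPS))
```

The check is static: it reads the policy text only, so it cannot see classes generated at run time, which is the case Renato reports as falling outside the jar's codeBase.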
tomcat 4.1 + JSSE + Security Manager (redux)
Dear Fellow Tomcat Users,

I am unable to start tomcat 4.1 with Security Manager. Has anyone else had this problem? How did you solve it?

I am able to start my tomcat server without Security Manager (catalina.sh start), and make HTTPS connections to it; however, when I try to start it with Security Manager enabled (catalina.sh start -security), it exits after a couple of seconds with a ClassNotFoundException, and the following error:

Can't find any SSL implementation

...in the log file. JSSE is installed, and the configuration works fine without the Security Manager.

I put redux in the subject line because I found an archive thread from a user named Renato on this very topic from 2002. I believe I followed all of the advice from the message that fixed the problem for him, but my tomcat server still will not start with Security Manager enabled.

I've scoured the archives, googled on every combination I can think of, and scanned every line of the debug output from the server. Aside from a zillion access allowed messages, I was unable to find anything (other than the error message above) to point me in the right direction.

Being relatively new to tomcat, I'm certain this is something stupid I'm just overlooking or didn't do. While I've been able to discover solutions to all the other dumb things I did by googling and searching the archives, this one has me stumped. Any suggestions would be greatly appreciated.

Chris Bontempi
AW: Tomcat 4.1.24 + Security Manager + weird Exceptions
Hi Tim,

thanks for the advice. The interesting part is that tomcat (process) doesn't seem to survive the re-initialization of the ServerSocket. Is this a known bug?

Regards,
Thomas

-Original Message-
From: Tim Funk [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 15 July 2003 13:02
To: Tomcat Users List
Subject: Re: Tomcat 4.1.24 + Security Manager + weird Exceptions

- man ulimit
- Google (java Too many open files solaris)

-Tim

Haug Thomas wrote:

Hi everybody,

I am experiencing some strange behaviour with Tomcat 4.1.24 running with a SecurityManager. The system is running on Solaris 8 using Jdk 1.4.1_02 and/or 1.4.2

Our software seems to use up all available file descriptors. If then tomcat tries to accept a new request the IO system throws an SocketException telling us that there are too many files open (see stacktrace below). Tomcat seems to reinitialize the ServerSocket but then the whole Tomcat (or the Coyote HTTP connector) 'breaks down': The securityManager starts to throw exceptions that class files are not allowed to be loaded, Sockets are not allowed to be opened (see below), and other strange things. At last we are not able anymore to request any http page from tomcat.

Has anybody experienced a similar behaviour of tomcat. Or even better does anybody know how to fix this problem (beside not using all file descriptors ;-) )

Thank you very much,
Thomas
Re: AW: Tomcat 4.1.24 + Security Manager + weird Exceptions
We've got a similar issue, though this is on Linux and using channelUnix/JNI instead of normal tcp channelSocket. We're using Apache2/mod_jk2 (built from tomcat-connectors-1.1M1).

On heavy load, there are over 3000 sockets open by one Tomcat/JVM, they don't seem to go down again too while Tomcat is running. (since File Descriptor limit on Solaris is lower normally (1024 or summat i think) this would cause us heavy problems there too) The Tomcats and Apache are restarted during the night to free up Memory, so socket count goes down then.

However the application doesn't seem to be affected by this. In catalina.out there are many errors like this:

org.apache.jk.common.ChannelUn receive
SEVERE: receive error: 12
java.lang.Throwable
    at org.apache.jk.common.ChannelUn.receive(ChannelUn.java:230)
    at org.apache.jk.common.ChannelUn.processConnection(ChannelUn.java:282)
    at org.apache.jk.common.AprConnection.runIt(ChannelUn.java:350)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:631)
    at java.lang.Thread.run(Thread.java:536)
org.apache.jk.common.JniHandler nativeDispatch
SEVERE: nativeDispatch: error -3
java.lang.Throwable
    at org.apache.jk.common.JniHandler.nativeDispatch(JniHandler.java:312)
    at org.apache.jk.common.ChannelUn.send(ChannelUn.java:221)
    at org.apache.jk.common.ChannelUn.invoke(ChannelUn.java:306)
    at org.apache.jk.server.JkCoyoteHandler.doWrite(JkCoyoteHandler.java:249)
    at org.apache.coyote.Response.doWrite(Response.java:530)
    at org.apache.coyote.tomcat4.OutputBuffer.realWriteBytes(OutputBuffer.java:384)
    at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:439)
    at org.apache.tomcat.util.buf.ByteChunk.append(ByteChunk.java:359)
    at org.apache.coyote.tomcat4.OutputBuffer.writeBytes(OutputBuffer.java:411)
    at org.apache.coyote.tomcat4.OutputBuffer.write(OutputBuffer.java:398)
    at org.apache.coyote.tomcat4.CoyoteOutputStream.write(CoyoteOutputStream.java:110)
    at org.apache.catalina.servlets.DefaultServlet.copyRange(DefaultServlet.java:1996)
    at org.apache.catalina.servlets.DefaultServlet.copy(DefaultServlet.java:1745)
    at org.apache.catalina.servlets.DefaultServlet.serveResource(DefaultServlet.java:1073)
    at org.apache.catalina.servlets.DefaultServlet.doGet(DefaultServlet.java:506)
    .
Re: AW: Tomcat 4.1.24 + Security Manager + weird Exceptions
How do you mean survive? The JVM core dumps (which then is a JVM vendor issue) or the JVM stays up but sits there uselessly?

-Tim

Haug Thomas wrote:

Hi Tim,

thanks for the advice. The interesting part is that tomcat (process) doesn't seem to survive the re-initialization of the ServerSocket. Is this a known bug?

Regards,
Thomas

-Original Message-
From: Tim Funk [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 15 July 2003 13:02
To: Tomcat Users List
Subject: Re: Tomcat 4.1.24 + Security Manager + weird Exceptions

- man ulimit
- Google (java Too many open files solaris)

-Tim
Tomcat 4.1.24 + Security Manager + weird Exceptions
Hi everybody,

I am experiencing some strange behaviour with Tomcat 4.1.24 running with a SecurityManager. The system is running on Solaris 8 using Jdk 1.4.1_02 and/or 1.4.2

Our software seems to use up all available file descriptors. If then tomcat tries to accept a new request the IO system throws an SocketException telling us that there are too many files open (see stacktrace below). Tomcat seems to reinitialize the ServerSocket but then the whole Tomcat (or the Coyote HTTP connector) 'breaks down': The securityManager starts to throw exceptions that class files are not allowed to be loaded, Sockets are not allowed to be opened (see below), and other strange things. At last we are not able anymore to request any http page from tomcat.

Has anybody experienced a similar behaviour of tomcat. Or even better does anybody know how to fix this problem (beside not using all file descriptors ;-) )

Thank you very much,
Thomas

* StackTrace (in catalina.out) *

Jul 14, 2003 5:06:32 PM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
SEVERE: Endpoint ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=8080] ignored exception: java.net.SocketException: Too many open files
java.net.SocketException: Too many open files
    at java.net.PlainSocketImpl.socketAccept(Native Method)
    at java.net.PlainSocketImpl.accept(PlainSocketImpl.java:353)
    at java.net.ServerSocket.implAccept(ServerSocket.java:448)
    at java.net.ServerSocket.accept(ServerSocket.java:419)
    at org.apache.tomcat.util.net.DefaultServerSocketFactory.acceptSocket(DefaultServerSocketFactory.java:107)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:356)
    at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:529)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
    at java.lang.Thread.run(Thread.java:534)
Jul 14, 2003 5:06:32 PM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
WARNING: Reinitializing ServerSocket
Jul 14, 2003 5:06:33 PM org.apache.tomcat.util.net.TcpWorkerThread runIt
SEVERE: Exception in acceptSocket
java.security.AccessControlException: access denied (java.net.SocketPermission 146.254.108.60:3156 accept,resolve)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
    at java.security.AccessController.checkPermission(AccessController.java:401)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
    at java.lang.SecurityManager.checkAccept(SecurityManager.java:1149)
    at java.net.ServerSocket.implAccept(ServerSocket.java:452)
    at java.net.ServerSocket.accept(ServerSocket.java:419)
    at org.apache.tomcat.util.net.DefaultServerSocketFactory.acceptSocket(DefaultServerSocketFactory.java:107)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:356)
    at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:529)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
    at java.lang.Thread.run(Thread.java:534)
Jul 14, 2003 5:06:33 PM org.apache.tomcat.util.threads.ThreadPool$ControlRunnable run
SEVERE: Caught exception executing [EMAIL PROTECTED], terminating thread
java.lang.IllegalStateException: Terminating thread
    at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:532)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
    at java.lang.Thread.run(Thread.java:534)
... (a whole lot more)
Re: Tomcat 4.1.24 + Security Manager + weird Exceptions
- man ulimit
- Google (java Too many open files solaris)

-Tim

Haug Thomas wrote:

Hi everybody,

I am experiencing some strange behaviour with Tomcat 4.1.24 running with a SecurityManager. The system is running on Solaris 8 using Jdk 1.4.1_02 and/or 1.4.2

Our software seems to use up all available file descriptors. If then tomcat tries to accept a new request the IO system throws an SocketException telling us that there are too many files open (see stacktrace below). Tomcat seems to reinitialize the ServerSocket but then the whole Tomcat (or the Coyote HTTP connector) 'breaks down': The securityManager starts to throw exceptions that class files are not allowed to be loaded, Sockets are not allowed to be opened (see below), and other strange things. At last we are not able anymore to request any http page from tomcat.

Has anybody experienced a similar behaviour of tomcat. Or even better does anybody know how to fix this problem (beside not using all file descriptors ;-) )

Thank you very much,
Thomas
[REPOST]Tomcat with security manager + NoClassDefFoundError
Don't know if this mailing list filters my post, try it again.

I am frustrated. I have a webapp developed by struts. If I start Tomcat without security manager, everything works fine. I can access https://myhost.mydomain.com/myapp/mylink.do?myparam=myvalue. After I start Tomcat -security and access the above link, I got the following error.

There is an index.jsp. When someone types https://myhost.mydomain.com/myapp, this index.jsp will redirect him to the home page. It is simply a META refresh.

The frustration is, if I access https://myhost.mydomain.com/myapp once, then I can always access https://myhost.mydomain.com/myapp/mylink.do?myparam=myvalue.

I suspect there are permissions that I need to grant in Catalina.policy. Any input?

java.lang.NoClassDefFoundError: org/apache/coyote/tomcat4/CoyoteRequest$PrivilegedGetSession
at org.apache.coyote.tomcat4.CoyoteRequest.getSession(CoyoteRequest.java:1728)
at org.apache.coyote.tomcat4.CoyoteRequestFacade.getSession(CoyoteRequestFacade.java:365)
at org.apache.coyote.tomcat4.CoyoteRequestFacade.getSession(CoyoteRequestFacade.java:375)
at org.apache.struts.action.RequestProcessor.processLocale(RequestProcessor.java:631)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:230)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1480)
at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:506)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:98)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:256)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2415)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:509)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:261)
at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:360)
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:604)
at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:562
Re: [REPOST]Tomcat with security manager + NoClassDefFoundError
Is there a part in your error message that says Root Cause? If so, what is it?

John

On Mon, 23 Jun 2003 14:24:36 -0400, Phillip Qin [EMAIL PROTECTED] wrote:
Don't know if this mailing list filters my post, try it again. I am frustrated. I have a webapp developed by struts. If I start Tomcat without security manager, everything works fine. I can access https://myhost.mydomain.com/myapp/mylink.do?myparam=myvalue. After I start Tomcat -security and access the above link, I got the following error. There is an index.jsp. When someone types https://myhost.mydomain.com/myapp, this index.jsp will redirect him to the home page. It is simply a META refresh. The frustration is, if I access https://myhost.mydomain.com/myapp once, then I can always access https://myhost.mydomain.com/myapp/mylink.do?myparam=myvalue. I suspect there are permissions that I need to grant in Catalina.policy. Any input?
RE: [REPOST]Tomcat with security manager + NoClassDefFoundError
The exception that I posted is the root cause. The exception is

javax.servlet.ServletException: Servlet execution threw an exception
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:98)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
..

I solved this problem by including a grant entry

grant codeBase "file:${catalina.home}/webapps/myapp/WEB-INF/struts.jar" {
    permission java.security.AllPermission;
};

But I am wondering if this AllPermission is secure enough or I am opening more holes.

-Original Message-
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: June 23, 2003 2:34 PM
To: Tomcat Users List
Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

Is there a part in your error message that says Root Cause? If so, what is it?

John
Re: [REPOST]Tomcat with security manager + NoClassDefFoundError
On Tue, 24 Jun 2003 02:41, Phillip Qin wrote:
I solved this problem by including a grant entry

grant codeBase "file:${catalina.home}/webapps/myapp/WEB-INF/struts.jar" {
    permission java.security.AllPermission;
};

Why isn't it in WEB-INF/lib? That is probably why you had to add that grant entry as it isn't the usual place to store jar files.

Regards,
--
Jason Bainbridge http://jblinux.org
RE: [REPOST]Tomcat with security manager + NoClassDefFoundError
Typo, it is WEB-INF/lib. When there is no grant entry for this jar, tomcat throws NoClassDefFoundError.

-Original Message-
From: Jason Bainbridge [mailto:[EMAIL PROTECTED]
Sent: June 23, 2003 2:44 PM
To: Tomcat Users List
Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

Why isn't it in WEB-INF/lib? That is probably why you had to add that grant entry as it isn't the usual place to store jar files.

Regards,
--
Jason Bainbridge http://jblinux.org
Re: [REPOST]Tomcat with security manager + NoClassDefFoundError
Good eye, Jason.

John

On Tue, 24 Jun 2003 02:43:59 +0800, Jason Bainbridge [EMAIL PROTECTED] wrote:
Why isn't it in WEB-INF/lib? That is probably why you had to add that grant entry as it isn't the usual place to store jar files.

Regards,
Re: [REPOST]Tomcat with security manager + NoClassDefFoundError
What other struts.jar files have you got laying around? Have you maybe got one in common/lib?

I'm not sure why setting a grant like that would make a NoClassDefFoundError go away, maybe it tricks the classloader into looking at a specific class somehow. Either way I don't think you have fixed the problem, it just appears you have...

Regards,
--
Jason Bainbridge http://jblinux.org

On Tue, 24 Jun 2003 02:46, Phillip Qin wrote:
Typo, it is WEB-INF/lib. When there is no grant entry for this jar, tomcat throws NoClassDefFoundError.
RE: [REPOST]Tomcat with security manager + NoClassDefFoundError
Howdy,

The curious part about the stack trace is the doPrivileged throwing the exception. Are you using JAAS or a custom realm to do your authentication? If so, are you sure this realm is properly configured?

Yoav Shapira
Millennium ChemInformatics

-Original Message-
From: Jason Bainbridge [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2003 2:53 PM
To: Tomcat Users List
Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

What other struts.jar files have you got laying around? Have you maybe got one in common/lib? I'm not sure why setting a grant like that would make a NoClassDefFoundError go away, maybe it tricks the classloader into looking at a specific class somehow. Either way I don't think you have fixed the problem, it just appears you have...

Regards,
--
Jason Bainbridge http://jblinux.org
Re: [REPOST]Tomcat with security manager + NoClassDefFoundError
NoClassDefFound is not the same as ClassNotFound...NoClassDefFound typically means Tomcat is confused about which class you want it to use. I agree with Jason, I think you have a couple struts.jar files around, and Tomcat isn't sure which one to use.

John

On Mon, 23 Jun 2003 14:46:44 -0400, Phillip Qin [EMAIL PROTECTED] wrote:
Typo, it is WEB-INF/lib. When there is no grant entry for this jar, tomcat throws NoClassDefFoundError.
RE: [REPOST]Tomcat with security manager + NoClassDefFoundError
1. There is no struts installation at all outside Catalina directories on this production box.
2. There are two webapps using struts, but struts.jars are located in webapps/myapp1/WEB-INF/lib and webapps/myapp2/WEB-INF/lib respectively.
3. No environment variables set for struts.jars so I assume tomcat classloader should take care of them.

To Yoav: I start Tomcat with -security option. Tomcat will use Catalina.policy to manage the permissions. I don't use JAAS or realm at all (realms were cleaned up in server.xml).

-Original Message-
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: June 23, 2003 3:01 PM
To: Tomcat Users List
Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

NoClassDefFound is not the same as ClassNotFound...NoClassDefFound typically means Tomcat is confused about which class you want it to use. I agree with Jason, I think you have a couple struts.jar files around, and Tomcat isn't sure which one to use.

John
RE: [REPOST]Tomcat with security manager + NoClassDefFoundError
Howdy,

Is your catalina.policy the default or modified?

Yoav Shapira
Millennium ChemInformatics

-Original Message-
From: Phillip Qin [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2003 3:10 PM
To: 'Tomcat Users List'
Subject: RE: [REPOST]Tomcat with security manager + NoClassDefFoundError

1. There is no struts installation at all outside Catalina directories on this production box.
2. There are two webapps using struts, but struts.jars are located in webapps/myapp1/WEB-INF/lib and webapps/myapp2/WEB-INF/lib respectively.
3. No environment variables set for struts.jars so I assume tomcat classloader should take care of them.

To Yoav: I start Tomcat with -security option. Tomcat will use Catalina.policy to manage the permissions. I don't use JAAS or realm at all (realms were cleaned up in server.xml).
RE: [REPOST]Tomcat with security manager + NoClassDefFoundError
I even deleted server/webapps which contains struts.jar for admin application.

To Yoav: I modified Catalina default policy file to allow log4j writing to files and myapps sending out emails and connecting to credit card processing company.

-Original Message-
From: Jason Bainbridge [mailto:[EMAIL PROTECTED]
Sent: June 23, 2003 2:53 PM
To: Tomcat Users List
Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

What other struts.jar files have you got laying around? Have you maybe got one in common/lib? I'm not sure why setting a grant like that would make a NoClassDefFoundError go away, maybe it tricks the classloader into looking at a specific class somehow. Either way I don't think you have fixed the problem, it just appears you have...

Regards,
--
Jason Bainbridge http://jblinux.org
Re: [REPOST]Tomcat with security manager + NoClassDefFoundError
Was just doing a bit of reading: http://jakarta.apache.org/struts/userGuide/installation.html

Running Struts Applications Under A Security Manager

Many application servers execute web applications under the control of a Java security manager, with restricted permissions on what classes in the web application can do. If you utilize form beans with mapped properties, you may encounter security exceptions unless you add the following permission to the set of permissions granted to your Struts application's codebase:

permission java.lang.RuntimePermission "accessDeclaredMembers";

It still seems strange though that it was throwing a NoClassDefFoundError, can you maybe try the above as an alternative fix and see if that resolves the problem?

Regards,
--
Jason Bainbridge http://jblinux.org

On Tue, 24 Jun 2003 03:30, Phillip Qin wrote:
I even deleted server/webapps which contains struts.jar for admin application. To Yoav: I modified Catalina default policy file to allow log4j writing to files and myapps sending out emails and connecting to credit card processing company.
RE: [REPOST]Tomcat with security manager + NoClassDefFoundError
I have already added that one, plus
- ReflectPermission suppressAccessChecks for a commons-beanutils bug
- FilePermission for log4j

-Original Message-
From: Jason Bainbridge [mailto:[EMAIL PROTECTED]
Sent: June 23, 2003 3:48 PM
To: Tomcat Users List
Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

Was just doing a bit of reading: http://jakarta.apache.org/struts/userGuide/installation.html

Running Struts Applications Under A Security Manager

Many application servers execute web applications under the control of a Java security manager, with restricted permissions on what classes in the web application can do. If you utilize form beans with mapped properties, you may encounter security exceptions unless you add the following permission to the set of permissions granted to your Struts application's codebase:

permission java.lang.RuntimePermission "accessDeclaredMembers";

It still seems strange though that it was throwing a NoClassDefFoundError, can you maybe try the above as an alternative fix and see if that resolves the problem?

Regards,
--
Jason Bainbridge http://jblinux.org
Re: [REPOST]Tomcat with security manager + NoClassDefFoundError
Hi,

that's a bug in Tomcat. You should not receive that exception, which means that the classloader is unable to load some package protected classes. The org/apache/coyote/tomcat4/CoyoteRequest$PrivilegedGetSession needs to be loaded when Tomcat starts, not when you do your first invocation (Tomcat 5 handles the current case). Which Tomcat version are you using (4.1.?)?

-- Jeanfrancois

Phillip Qin wrote:
I have already added that one, plus
- ReflectPermission suppressAccessChecks for a commons-beanutils bug
- FilePermission for log4j
RE: [REPOST]Tomcat with security manager + NoClassDefFoundError
Apache 2.0.46, tomcat 4.1.24 and jk2 connector, struts-1.1-rc2

In my original posting, I said I am frustrated because,
- if I start index.jsp first which is simply a meta refresh, I didn't receive the exception, and then I can access .../mylink.do?... from browser.
- if I access .../mylink.do?... first, I got this error.

I looked into catalina.out, there was no permission exception.

-Original Message-
From: Jean-Francois Arcand [mailto:[EMAIL PROTECTED]
Sent: June 23, 2003 4:42 PM
To: Tomcat Users List
Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

Hi, that's a bug in Tomcat. You should not receive that exception, which means that the classloader is unable to load some package protected classes. The org/apache/coyote/tomcat4/CoyoteRequest$PrivilegedGetSession needs to be loaded when Tomcat starts, not when you do your first invocation (Tomcat 5 handles the current case). Which Tomcat version are you using (4.1.?)?

-- Jeanfrancois
Security manager, velocity and logging - access denied
Hello,

I'm a tomcat newbie running debian and trying to use tomcat 4.0.3-3woody2 and velocity-1.3.1-rc2. So far I haven't managed all that well. =)

If I disable the java security manager everything works fine. But I kinda figure that the security manager is there to serve a purpose. I would really like to have it activated and not less strict than necessary.

When I enable it I get the following error, probably caused by the combination of some automatic(?) logging in velocity that hasn't got the correct access rights in catalina.policy:

    Apache Tomcat/4.0.3 - HTTP Status 500 - Internal Server Error

    exception

    javax.servlet.ServletException: Error initializing Velocity: java.lang.Exception: Unable to configure AvalonLogSystem: java.security.AccessControlException: access denied (java.io.FilePermission /var/lib/tomcat4/webapps/ROOT read)
        at org.apache.velocity.servlet.VelocityServlet.initVelocity(VelocityServlet.java:236)
    [snippage]

I have tried random (doh!) changes in the policy, but without much luck. I'll be grateful to get some hints... What are good default grants for webapps using velocity?

TIA

regards,
-- Fredrik Jonson [EMAIL PROTECTED]
Re: Tomcat with Security manager
java.util.PropertyPermission "java.vm.version", "read";
    permission java.util.PropertyPermission "java.vm.vendor", "read";
    permission java.util.PropertyPermission "java.vm.name", "read";

    // Required for getting BeanInfo
    permission java.lang.RuntimePermission "accessClassInPackage.sun.beans.*";

    // Allow read of JAXP compliant XML parser debug
    permission java.util.PropertyPermission "jaxp.debug", "read";
};

// You can assign additional permissions to particular web applications by
// adding additional grant entries here, based on the code base for that
// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
//
// Different permissions can be granted to JSP pages, classes loaded from
// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
//
// For instance, assume that the standard examples application
// included a JDBC driver that needed to establish a network connection to the
// corresponding database and used the scrape taglib to get the weather from
// the NOAA web server. You might create a grant entries like this:
//
// The permissions granted to the context root directory apply to JSP pages.
// grant codeBase "file:${catalina.home}/webapps/examples/-" {
//     permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
//     permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
//
// The permissions granted to the context WEB-INF/classes directory
// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/classes/-" {
// };
//
// The permission granted to your JDBC driver
// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
//     permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// };
// The permission granted to the scrape taglib
// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
//     permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };

grant codeBase "file:/my_jspfolderpath/-" {
    permission java.io.FilePermission "my_jspfolderpath/images/site","read,write";
};

** End of catalina.policy **

----- Original Message -----
From: Jeanfrancois Arcand [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Thursday, February 06, 2003 7:34 AM
Subject: Re: Tomcat with Security manager

Can you post your catalina.policy file? Your file should contain that permission:

    // These permissions apply to the server startup code
    grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
        permission java.security.AllPermission;
    }

-- Jeanfrancois

Harish Kumar K.K. wrote:

Hello All

Hope somebody can help me!

I am using Tomcat 4.0.3 on a Red Hat Linux 7.1 system with Apache 1.3.27, and it works fine if started without the security manager. Recently I had to put up a file upload form on one of my web sites, and when I deployed the jsp to accept the form data and save the uploaded file to disk...it came up with the error File cannot be saved. I am using jspSmartUpload class to handle the multipart form data and to save the file to disk, which can be downloaded from www.jspsmart.com

So I read the documentation and figured, the security manager might have to be enabled with appropriate File IO permissions set for the directory to which I was trying to save the file. I proceeded to add the required grant directive in the catalina.policy file, and when I started Tomcat with the security manager enabled it wouldn't start! I checked catalina.out and saw that Tomcat is not able to read server.xml. Here is the stacktrace I found in catalina.out

    Catalina.start: java.security.AccessControlException: access denied (java.io.FilePermission /var/tomcat4/conf/server.xml read)
    java.security.AccessControlException: access denied (java.io.FilePermission /var/tomcat4/conf/server.xml read)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
        at java.security.AccessController.checkPermission(AccessController.java:401)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
        at java.lang.SecurityManager.checkRead(SecurityManager.java:887)
        at java.io.File.isDirectory(File.java:698)
        at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:65)
        at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:148)
        at java.net.URL.openStream(URL.java:955)
        at org.apache.xerces.readers.DefaultReaderFactory.createReader(DefaultReaderFactory.java)
        at org.apache.xerces.readers.DefaultEntityHandler.startReadingFromDocument(DefaultEntityHandler.java)
        at org.apache.xerces.framework.XMLParser.parseSomeSetup(XMLParser.java
Re: Tomcat with Security manager
Can you post your catalina.policy file? Your file should contain that permission:

    // These permissions apply to the server startup code
    grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
        permission java.security.AllPermission;
    }

-- Jeanfrancois

Harish Kumar K.K. wrote:

Hello All

Hope somebody can help me!

I am using Tomcat 4.0.3 on a Red Hat Linux 7.1 system with Apache 1.3.27, and it works fine if started without the security manager. Recently I had to put up a file upload form on one of my web sites, and when I deployed the jsp to accept the form data and save the uploaded file to disk...it came up with the error File cannot be saved. I am using jspSmartUpload class to handle the multipart form data and to save the file to disk, which can be downloaded from www.jspsmart.com

So I read the documentation and figured, the security manager might have to be enabled with appropriate File IO permissions set for the directory to which I was trying to save the file. I proceeded to add the required grant directive in the catalina.policy file, and when I started Tomcat with the security manager enabled it wouldn't start! I checked catalina.out and saw that Tomcat is not able to read server.xml. Here is the stacktrace I found in catalina.out

    Catalina.start: java.security.AccessControlException: access denied (java.io.FilePermission /var/tomcat4/conf/server.xml read)
    java.security.AccessControlException: access denied (java.io.FilePermission /var/tomcat4/conf/server.xml read)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
        at java.security.AccessController.checkPermission(AccessController.java:401)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
        at java.lang.SecurityManager.checkRead(SecurityManager.java:887)
        at java.io.File.isDirectory(File.java:698)
        at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:65)
        at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:148)
        at java.net.URL.openStream(URL.java:955)
        at org.apache.xerces.readers.DefaultReaderFactory.createReader(DefaultReaderFactory.java)
        at org.apache.xerces.readers.DefaultEntityHandler.startReadingFromDocument(DefaultEntityHandler.java)
        at org.apache.xerces.framework.XMLParser.parseSomeSetup(XMLParser.java)
        at org.apache.xerces.framework.XMLParser.parse(XMLParser.java)
        at org.xml.sax.helpers.XMLReaderAdapter.parse(XMLReaderAdapter.java:223)
        at javax.xml.parsers.SAXParser.parse(SAXParser.java:314)
        at javax.xml.parsers.SAXParser.parse(SAXParser.java:253)
        at org.apache.catalina.util.xml.XmlMapper.readXml(XmlMapper.java:228)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:725)
        at org.apache.catalina.startup.Catalina.execute(Catalina.java:681)
        at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:243)

Then, I found from the security manager howto on the web site, that if no security manager is enabled, it's just like giving all permissions...I am guessing this means that in that case the operating system file permission system only will be in effect. So I made the directory I wanted to save the file into, world writable, just to make sure the OS is not preventing the save operation. Then started Tomcat without the security manager...still the same result!

Now I am totally confused! What am I doing wrong? Can anybody help me? Please?

Thanks and Regards
Harish
Re: Tomcat with Security manager
Hi,

You could try a chmod on the directory you're uploading your files onto.

Regards,
Neville

On Thursday 06 February 2003 10:27, you wrote:

Hello All

Hope somebody can help me!

I am using Tomcat 4.0.3 on a Red Hat Linux 7.1 system with Apache 1.3.27, and it works fine if started without the security manager. Recently I had to put up a file upload form on one of my web sites, and when I deployed the jsp to accept the form data and save the uploaded file to disk...it came up with the error File cannot be saved. I am using jspSmartUpload class to handle the multipart form data and to save the file to disk, which can be downloaded from www.jspsmart.com

So I read the documentation and figured, the security manager might have to be enabled with appropriate File IO permissions set for the directory to which I was trying to save the file. I proceeded to add the required grant directive in the catalina.policy file, and when I started Tomcat with the security manager enabled it wouldn't start! I checked catalina.out and saw that Tomcat is not able to read server.xml. Here is the stacktrace I found in catalina.out

    Catalina.start: java.security.AccessControlException: access denied (java.io.FilePermission /var/tomcat4/conf/server.xml read)
    java.security.AccessControlException: access denied (java.io.FilePermission /var/tomcat4/conf/server.xml read)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
        at java.security.AccessController.checkPermission(AccessController.java:401)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
        at java.lang.SecurityManager.checkRead(SecurityManager.java:887)
        at java.io.File.isDirectory(File.java:698)
        at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:65)
        at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:148)
        at java.net.URL.openStream(URL.java:955)
        at org.apache.xerces.readers.DefaultReaderFactory.createReader(DefaultReaderFactory.java)
        at org.apache.xerces.readers.DefaultEntityHandler.startReadingFromDocument(DefaultEntityHandler.java)
        at org.apache.xerces.framework.XMLParser.parseSomeSetup(XMLParser.java)
        at org.apache.xerces.framework.XMLParser.parse(XMLParser.java)
        at org.xml.sax.helpers.XMLReaderAdapter.parse(XMLReaderAdapter.java:223)
        at javax.xml.parsers.SAXParser.parse(SAXParser.java:314)
        at javax.xml.parsers.SAXParser.parse(SAXParser.java:253)
        at org.apache.catalina.util.xml.XmlMapper.readXml(XmlMapper.java:228)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:725)
        at org.apache.catalina.startup.Catalina.execute(Catalina.java:681)
        at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:243)

Then, I found from the security manager howto on the web site, that if no security manager is enabled, it's just like giving all permissions...I am guessing this means that in that case the operating system file permission system only will be in effect. So I made the directory I wanted to save the file into, world writable, just to make sure the OS is not preventing the save operation. Then started Tomcat without the security manager...still the same result!

Now I am totally confused! What am I doing wrong? Can anybody help me? Please?

Thanks and Regards
Harish
Tomcat with Security manager
Hello All

Hope somebody can help me!

I am using Tomcat 4.0.3 on a Red Hat Linux 7.1 system with Apache 1.3.27, and it works fine if started without the security manager. Recently I had to put up a file upload form on one of my web sites, and when I deployed the jsp to accept the form data and save the uploaded file to disk...it came up with the error File cannot be saved. I am using jspSmartUpload class to handle the multipart form data and to save the file to disk, which can be downloaded from www.jspsmart.com

So I read the documentation and figured, the security manager might have to be enabled with appropriate File IO permissions set for the directory to which I was trying to save the file. I proceeded to add the required grant directive in the catalina.policy file, and when I started Tomcat with the security manager enabled it wouldn't start! I checked catalina.out and saw that Tomcat is not able to read server.xml. Here is the stacktrace I found in catalina.out

    Catalina.start: java.security.AccessControlException: access denied (java.io.FilePermission /var/tomcat4/conf/server.xml read)
    java.security.AccessControlException: access denied (java.io.FilePermission /var/tomcat4/conf/server.xml read)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
        at java.security.AccessController.checkPermission(AccessController.java:401)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
        at java.lang.SecurityManager.checkRead(SecurityManager.java:887)
        at java.io.File.isDirectory(File.java:698)
        at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:65)
        at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:148)
        at java.net.URL.openStream(URL.java:955)
        at org.apache.xerces.readers.DefaultReaderFactory.createReader(DefaultReaderFactory.java)
        at org.apache.xerces.readers.DefaultEntityHandler.startReadingFromDocument(DefaultEntityHandler.java)
        at org.apache.xerces.framework.XMLParser.parseSomeSetup(XMLParser.java)
        at org.apache.xerces.framework.XMLParser.parse(XMLParser.java)
        at org.xml.sax.helpers.XMLReaderAdapter.parse(XMLReaderAdapter.java:223)
        at javax.xml.parsers.SAXParser.parse(SAXParser.java:314)
        at javax.xml.parsers.SAXParser.parse(SAXParser.java:253)
        at org.apache.catalina.util.xml.XmlMapper.readXml(XmlMapper.java:228)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:725)
        at org.apache.catalina.startup.Catalina.execute(Catalina.java:681)
        at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:243)

Then, I found from the security manager howto on the web site, that if no security manager is enabled, it's just like giving all permissions...I am guessing this means that in that case the operating system file permission system only will be in effect. So I made the directory I wanted to save the file into, world writable, just to make sure the OS is not preventing the save operation. Then started Tomcat without the security manager...still the same result!

Now I am totally confused! What am I doing wrong? Can anybody help me? Please?

Thanks and Regards
Harish
Tomcat and security manager: unexpected java.security.AccessControlException on sun linux cobalt
Hi!

I've been working on this since beginning last week together with a friend and can't find a clue:

My friend owns a sun cobalt with linux, apache and tomcat. The system seems to be ready to use for providers - there is a config utility to add new user sites with a lot of options (like: user gets mysql, pop3, tomcat, or whatever)

After creating a site with jsp, we deployed a jsp-testsuite which tests the given infrastructure: reading files, instancing classes, trying a db-query on mysql and so on (Which works fine on our local system).

But every time we try to execute the testsuite we get one of these SecurityExceptions:

    java.security.AccessControlException: access denied (java.io.FilePermission /home/.sites/143/site40/web/test.txt read)

(Test.txt is the file we want to read in the first part of our testsuite: File permissions 777)

We looked into the tomcat docs how to setup the security manager correctly and looked into the tomcat.policy file in the {tomcat.home}/conf dir just to see that everything was set correctly (for us) from the site management utility:

    ...
    grant codeBase "file:/home/.sites/143/site40/web/-" {
        permission SocketPermission "localhost:1024-", "listen,connect,resolve";
        permission java.util.PropertyPermission "*", "read,write";
        permission java.io.FilePermission "/home/.sites/143/site40/-", "read,write,delete";
        permission java.lang.RuntimePermission "accessClassInPackage.sun.io";
    };
    ...

Tomcat seems to run secure with the right file (as seen under ps -Af) but seems to ignore all grants for the user sites:

    ... java -Djava.security.manager -Djava.security.policy==/usr/java/jakarta-tomcat/conf/tomcat.policy -Dtomcat.home=/usr/java/jakarta-tomcat org.apache.tomcat.startup.Tomcat

Some users on groups.google mentioned, that the codeBase should be the same as the docBase in the server.xml:

    ...
    <Host name="johannes.jarolim.com">
        <!-- Site site40 -->
        <Context path="" docBase="/home/.sites/143/site40/web" debug="0"/>
        <!-- user web contexts -->
    </Host>
    ...

but this looks correct to me too. We even tried to give my site all permissions:

    grant codeBase "file:/home/.sites/143/site40/web/-" {
        permission java.security.AllPermission;
    };

But that is ignored too. The testsuite is neither able to open a file nor just to read the length.

We have the same problems when instancing a class which tries to dynamically instance another class. Like:

    myDriver = (Driver)Class.forName(DriverName).newInstance(); // This is a part of opening a connection to the mysql-db

To get that straight: Everything runs fine without security manager - But who wants to run a root-tomcat without a security manager ;-)

Could anyone give me a clue where we could look at? After one week of googling we're somehow out of ideas...

thanks in advance,
mfG, J.P.Jarolim, ADWERBA

ADWERBA, Gesellschaft für Verkaufsförderung und Werbung
A-5020 Salzburg - Schallmooser Hauptstraße 85 A
Telefon: +43(0)662 643125, 643126 - Telefax: +43(0)662 643128
ISDN: +43(0)662 648058 - Email: [EMAIL PROTECTED] - ICQ 44284507
Re: Tomcat and security manager: unexpected java.security.AccessControlException on sun linux cobalt
* J.P.Jarolim [EMAIL PROTECTED] [1217 11:17]:
> java.security.AccessControlException: access denied (java.io.FilePermission /home/.sites/143/site40/web/test.txt read)
>
> We looked into the tomcat docs how to setup the security manager correctly and looked into the tomcat.policy file in the {tomcat.home}/conf dir just to see that everything was set correctly (for us) from the site management utility:
>
> ...
> grant codeBase "file:/home/.sites/143/site40/web/-" {
>     permission SocketPermission "localhost:1024-", "listen,connect,resolve";
>     permission java.util.PropertyPermission "*", "read,write";
>     permission java.io.FilePermission "/home/.sites/143/site40/-", "read,write,delete";
>     permission java.lang.RuntimePermission "accessClassInPackage.sun.io";
> };

Does the class trying to read that directory live in : '/home/.sites/143/site40/web/-' ? I doubt it.

I'm no expert, but that sounds wrong to me, unless the class files live there. The codebase parameter lists where the Java classes were loaded from. Writing to a directory you load code from is a bad idea unless you really need to.

> <Host name="johannes.jarolim.com">
>     <!-- Site site40 -->
>     <Context path="" docBase="/home/.sites/143/site40/web" debug="0"/>
>     <!-- user web contexts -->
> </Host>
>
> grant codeBase "file:/home/.sites/143/site40/web/-" {
>     permission java.security.AllPermission;
> };

I think your codeBase is wrong - try allowing all code to read it, just to check.

Also, if you want security, you might want to think twice about running tomcat as root - it doesn't need to be IMO.

-- Rasputin :: Jack of All Trades - Master of Nuns
Re: Tomcat and security manager: unexpected java.security.AccessControlException on sun linux cobalt
J.P.Jarolim wrote:

> Hi!
>
> I've been working on this since beginning last week together with a friend and can't find a clue:
>
> My friend owns a sun cobalt with linux, apache and tomcat. The system seems to be ready to use for providers - there is a config utility to add new user sites with a lot of options (like: user gets mysql, pop3, tomcat, or whatever)
>
> After creating a site with jsp, we deployed a jsp-testsuite which tests the given infrastructure: reading files, instancing classes, trying a db-query on mysql and so on (Which works fine on our local system).
>
> But every time we try to execute the testsuite we get one of these SecurityExceptions:
>
>     java.security.AccessControlException: access denied (java.io.FilePermission /home/.sites/143/site40/web/test.txt read)
>
> (Test.txt is the file we want to read in the first part of our testsuite: File permissions 777)
>
> We looked into the tomcat docs how to setup the security manager correctly and looked into the tomcat.policy file in the {tomcat.home}/conf dir just to see that everything was set correctly (for us) from the site management utility:
>
> ...
> grant codeBase "file:/home/.sites/143/site40/web/-" {
>     permission SocketPermission "localhost:1024-", "listen,connect,resolve";
>     permission java.util.PropertyPermission "*", "read,write";
>     permission java.io.FilePermission "/home/.sites/143/site40/-", "read,write,delete";

This is the problem. You need to put the file name, not the path. You need to put ALL FILES if you want to grant access to all file under your context, or test.txt if you only want to be able to read that file.

-- Jeanfrancois

>     permission java.lang.RuntimePermission "accessClassInPackage.sun.io";
> };
> ...
>
> Tomcat seems to run secure with the right file (as seen under ps -Af) but seems to ignore all grants for the user sites:
>
>     ... java -Djava.security.manager -Djava.security.policy==/usr/java/jakarta-tomcat/conf/tomcat.policy -Dtomcat.home=/usr/java/jakarta-tomcat org.apache.tomcat.startup.Tomcat
>
> Some users on groups.google mentioned, that the codeBase should be the same as the docBase in the server.xml:
>
> ...
> <Host name="johannes.jarolim.com">
>     <!-- Site site40 -->
>     <Context path="" docBase="/home/.sites/143/site40/web" debug="0"/>
>     <!-- user web contexts -->
> </Host>
> ...
>
> but this looks correct to me too. We even tried to give my site all permissions:
>
> grant codeBase "file:/home/.sites/143/site40/web/-" {
>     permission java.security.AllPermission;
> };
>
> But that is ignored too. The testsuite is neither able to open a file nor just to read the length.
>
> We have the same problems when instancing a class which tries to dynamically instance another class. Like:
>
>     myDriver = (Driver)Class.forName(DriverName).newInstance(); // This is a part of opening a connection to the mysql-db
>
> To get that straight: Everything runs fine without security manager - But who wants to run a root-tomcat without a security manager ;-)
>
> Could anyone give me a clue where we could look at? After one week of googling we're somehow out of ideas...
>
> thanks in advance,
> mfG, J.P.Jarolim, ADWERBA
>
> ADWERBA, Gesellschaft für Verkaufsförderung und Werbung
> A-5020 Salzburg - Schallmooser Hauptstraße 85 A
> Telefon: +43(0)662 643125, 643126 - Telefax: +43(0)662 643128
> ISDN: +43(0)662 648058 - Email: [EMAIL PROTECTED] - ICQ 44284507
Re: Tomcat and security manager: unexpected java.security.AccessControlException on sun linux cobalt
Hi - thanks for the answer;

I found the following line in the description for java.io.FilePermission indicating that I could have a serious problem in understanding English (no sarcasm):

    A pathname that ends with "/-" indicates (recursively) all files and subdirectories contained in that directory. A pathname consisting of the special token "<<ALL FILES>>" matches any file.

Is there a difference between all files and subdirectories and any file?

Nevertheless I'll try every posted solution until tomcat stops ignoring my settings ;-)

thanks, J.P.Jarolim

> > ...
> > grant codeBase "file:/home/.sites/143/site40/web/-" {
> >     permission SocketPermission "localhost:1024-", "listen,connect,resolve";
> >     permission java.util.PropertyPermission "*", "read,write";
> >     permission java.io.FilePermission "/home/.sites/143/site40/-", "read,write,delete";
>
> This is the problem. You need to put the file name, not the path. You need to put ALL FILES if you want to grant access to all file under your context, or test.txt if you only want to be able to read that file.
>
> -- Jeanfrancois
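The two questions raised in this thread (what a grant's codeBase is compared against, and whether a FilePermission target ending in /- reaches a file further down) can be checked with the JDK's own matching code. This is an added example, not part of any post: the class name GrantMatchDemo, the /opt/example jar location and the ROOT/- grant are constructed for illustration, and it assumes a Unix-like JVM; no security manager has to be installed to run it.

```java
import java.io.FilePermission;
import java.net.URI;
import java.security.CodeSource;
import java.security.cert.Certificate;

public class GrantMatchDemo {

    // Does a grant's codeBase cover the location a class was actually loaded from?
    static boolean codeBaseCovers(String grantCodeBase, String loadedFrom) throws Exception {
        CodeSource grant = new CodeSource(URI.create(grantCodeBase).toURL(), (Certificate[]) null);
        CodeSource actual = new CodeSource(URI.create(loadedFrom).toURL(), (Certificate[]) null);
        return grant.implies(actual);
    }

    // Does a granted FilePermission cover the permission named in an "access denied" message?
    static boolean fileGrantCovers(String grantedPath, String grantedActions,
                                   String deniedPath, String deniedAction) {
        return new FilePermission(grantedPath, grantedActions)
                .implies(new FilePermission(deniedPath, deniedAction));
    }

    // Prints the result and fails loudly if the JDK disagrees with the stated expectation.
    static void report(String label, boolean expected, boolean actual) {
        System.out.printf("%-58s %s%n", label, actual);
        if (expected != actual) {
            throw new AssertionError(label);
        }
    }

    public static void main(String[] args) throws Exception {
        String siteCodeBase = "file:/home/.sites/143/site40/web/-"; // codeBase from the thread
        String siteFiles = "/home/.sites/143/site40/-";             // FilePermission target from the thread
        String denied = "/home/.sites/143/site40/web/test.txt";     // path from the exception

        // 1. codeBase is matched against where the calling classes were loaded from.
        report("codeBase covers WEB-INF/classes under the docBase", true,
                codeBaseCovers(siteCodeBase, "file:/home/.sites/143/site40/web/WEB-INF/classes/"));
        // Constructed location standing in for any jar outside the site directory.
        report("codeBase covers a jar outside the docBase", false,
                codeBaseCovers(siteCodeBase, "file:/opt/example/lib/other.jar"));

        // 2. FilePermission target: "/-" is recursive, "/*" is one level only.
        report("'/-' target covers test.txt two levels down", true,
                fileGrantCovers(siteFiles, "read,write,delete", denied, "read"));
        report("'/*' target covers test.txt two levels down", false,
                fileGrantCovers("/home/.sites/143/site40/*", "read,write,delete", denied, "read"));
        report("'<<ALL FILES>>' covers test.txt", true,
                fileGrantCovers("<<ALL FILES>>", "read", denied, "read"));

        // 3. Actions are matched too.
        report("a 'read' grant covers a write to test.txt", false,
                fileGrantCovers(siteFiles, "read", denied, "write"));

        // 4. A recursive target covers what is inside the directory, not the directory
        //    entry itself (constructed grant; the denied path is the one from the Velocity post).
        report("'ROOT/-' covers reading the ROOT directory itself", false,
                fileGrantCovers("/var/lib/tomcat4/webapps/ROOT/-", "read",
                        "/var/lib/tomcat4/webapps/ROOT", "read"));
        report("'ROOT' covers reading the ROOT directory itself", true,
                fileGrantCovers("/var/lib/tomcat4/webapps/ROOT", "read",
                        "/var/lib/tomcat4/webapps/ROOT", "read"));
    }
}
```

Both checks only describe what a grant entry matches; whether the container applies the policy file to a web application at all is a separate question, which is what the PolicyInterceptor setting in the follow-up message controls.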
Solved: Tomcat and security manager: unexpected java.security.AccessControlException on sun linux cobalt
Hi all. We solved the problem with tomcat ignoring all grants for individual user sites. It was a pure RTFM. For every user site, a unique context is created on startup (as seen in tomcat.log on debug level). There is a commented-out line in the server.xml which has to be activated:

    <!-- ContextInterceptor className="org.apache.tomcat.context.PolicyInterceptor" -->

After activating the line it should look like this:

    <ContextInterceptor className="org.apache.tomcat.context.PolicyInterceptor" />

After that, tomcat actually assigns the permissions granted in the tomcat.policy to the individual user sites.

Thanks for all your help on this group, J.P.Jarolim

P.S.: Keywords for other googlers like me: tomcat ignoring ignore tomcat.policy grant java server.xml security manager FilePermission java.security.AccessControlException secure security sun cobalt
Re: security manager problem
Start tomcat with the property javax.security.debug=access,failure so that you can capture debug information for the SecurityManager. Also read the SecurityManager-HOWTO that comes with tomcat.

Glenn

Mok Swee Loong wrote:
> Dear all,
> Just started with tomcat 4.1.2, I am trying to run things a little bit more secure, and try to figure out a good way to start and stop the server. Pls do comment if you have any opinion or good reference regarding this. Thanks a million.
>
> - I plan to run the tomcat server as user tomcat
> - I have changed everything under $CATALINA_HOME owned by tomcat user (is this necessary at all? or we'll just need to change the logging directory to be writable by user tomcat?) and start tomcat using su -c $CATALICA_HOME/bin/startup.sh tomcat
> - Does tomcat have similar setting like apache httpd server, where u can set user and group permission to run as, you start the server as root to initialize everything that needed root, then the server will change and run as your desired credential?
>
> With the above setup it is running fine, but when I try to run it with the security manager using the default catalina.policy
>
>     # export CATALINA_OPTS=-Djava.security.debug=access,failure
>     # su -c $CATALICA_HOME/bin/startup.sh tomcat -security
>
> I got the following exception:
>
>     Exception during startup processing
>     java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)
>         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
>         at java.security.AccessController.checkPermission(AccessController.java:401)
>         at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
>         at java.lang.ClassLoader.getSystemClassLoader(ClassLoader.java:1031)
>         at org.apache.catalina.startup.Catalina.init(Catalina.java:127)
>         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>         at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
>         at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
>         at java.lang.reflect.Constructor.newInstance(Constructor.java:274)
>         at java.lang.Class.newInstance0(Class.java:306)
>         at java.lang.Class.newInstance(Class.java:259)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:179)
>
> What could be wrong? Any comments are appreciated. Thanks.
>
> regards, mok
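Added example, not part of the thread: once -Djava.security.debug=access,failure output has been captured, the "access denied (...)" lines can be turned into candidate policy entries for review, instead of falling back to AllPermission. The class name, the placeholder codeBase and the sample log are assumptions of this example; the first two denials are quoted from messages on this page, the FilePermission line and the repeated line are constructed.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class DeniedToPolicy {

    // Message format of the JDK 1.4/1.5 traces on this page:
    //   access denied (<permission class> <target name>[ <actions>])
    // Newer JDKs put each field in double quotes; that format is not handled here.
    private static final Pattern DENIED =
            Pattern.compile("access denied \\(([\\w.$]+) (.+)\\)\\s*$");

    // Permission classes whose message ends with an action list.
    private static final Set<String> HAS_ACTIONS = Set.of(
            "java.io.FilePermission",
            "java.net.SocketPermission",
            "java.util.PropertyPermission",
            "javax.management.MBeanPermission");

    /** Returns a policy-file entry for one log line, or null if the line is not a denial. */
    static String toPolicyEntry(String logLine) {
        Matcher m = DENIED.matcher(logLine);
        if (!m.find()) {
            return null;
        }
        String type = m.group(1);
        String name = m.group(2).trim();
        String actions = null;
        int lastSpace = name.lastIndexOf(' ');
        if (HAS_ACTIONS.contains(type) && lastSpace > 0) {
            // The last token is the action list; everything before it is the target.
            actions = name.substring(lastSpace + 1);
            name = name.substring(0, lastSpace);
        }
        // Backslash is an escape character inside quoted policy strings.
        name = name.replace("\\", "\\\\");
        return actions == null
                ? String.format("permission %s \"%s\";", type, name)
                : String.format("permission %s \"%s\", \"%s\";", type, name, actions);
    }

    public static void main(String[] args) {
        List<String> log = List.of(
            "Exception during startup processing",
            "java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)",
            "\tat java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)",
            "access: access denied (javax.management.MBeanPermission sun.management.RuntimeImpl#-[java.lang:type=Runtime] isInstanceOf)",
            "java.security.AccessControlException: access denied (java.io.FilePermission /home/.sites/143/site40/web/test.txt read)",
            "java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)");

        // LinkedHashSet keeps first-seen order and drops repeated denials.
        Set<String> entries = new LinkedHashSet<>();
        for (String line : log) {
            String entry = toPolicyEntry(line);
            if (entry != null) {
                entries.add(entry);
            }
        }

        // The codeBase is a placeholder: the denial text does not name the failing
        // code source. Take it from the "domain that failed" part of the debug output.
        System.out.println("grant codeBase \"file:/PLACEHOLDER/webapp/-\" {");
        for (String entry : entries) {
            System.out.println("    " + entry);
        }
        System.out.println("};");
    }
}
```

Each printed line is a candidate to review, not a grant to paste in blindly: a denied permission may indicate code that should not be doing that operation at all.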
security manager
I am using the default security configuration at manager 'catalina.policy' file, but when I try to access files which are under the webapp directory which I am executing I have an exception:

    javax.servlet.ServletException: Servlet execution threw an exception
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:98)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
        at java.security.AccessController.doPrivileged(Native Method)

What's the problem?
Re: security manager
Which version of Tomcat are you using?

-- Jeanfrancois
Re: security manager
tomcat 4.0.5
Re: security manager
Strange. Can you post your entire log file (to see more exception info)?

-- Jeanfrancois
Re: security manager
I have developed a servlet that receives from a form (post method) the name of a file and writes its content.

    javax.servlet.ServletException: Servlet execution threw an exception
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:98)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:243)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:190)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2347)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:468)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
        at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
        at
Re: security manager
You need to add the following line in catalina.policy, under

    // == WEB APPLICATION PERMISSIONS =
    // These permissions are granted by default to all web applications
    // In addition, a web application will be given a read FilePermission
    // and JndiPermission for all files and directories in its document root.
    grant {
        ..
        // Required for servlets and JSP's
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util.*";
        permission java.lang.RuntimePermission "defineClassInPackage.org.apache.catalina.util";
        permission java.lang.RuntimePermission "defineClassInPackage.org.apache.catalina.util.*";
    };

-- Jeanfrancois
Re: security manager
It seems it doesn't work.
Running Tomcat 4.1.12 as Win2K Service with Security Manager enabled...
Hi, I have installed Tomcat 4.1.12 under Windows 2000 as a service and it runs fine. Now I want to enable the Security Manager. This works when I start the server with startup.bat -security. But I want to start it as a service. Does anyone have ideas how to do it? I tried the following things without success:

- adding the -security parameter in the Services control panel of the Tomcat service
- adding the -security parameter directly in the registry under the entry of the Tomcat service
- installing a 2nd service with tomcat.exe and the -security parameter

Regards, Volker
Security Manager - configuration need
Hi, I invoked the TomCat 4.0.4 with the security manager default policy (catalina.policy). The thing is that I could invoke all the servlets, JSPs and HTML files which are in my webapps although I specify no access permission to those webapps. How can I disable specific classes/jsp/html from running? Furthermore - can I limit one servlet to a specific action on a remote ejb? If so, how? Thanks a lot.
Re: Security manager and request.getParameter() access error
Check your catalina.policy and see if the following 4 permissions are granted in the default policy:

    // Required for servlets and JSP's
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util.*";
    permission java.lang.RuntimePermission "defineClassInPackage.org.apache.catalina.util";
    permission java.lang.RuntimePermission "defineClassInPackage.org.apache.catalina.util.*";

Java 1.4 is more picky about the RuntimePermission accessClassInPackage and defineClassInPackage permissions.

Regards, Glenn

Dala wrote:
> When I use the security manager in Tomcat (4.1.12-LE-jdk1.4) some strange problems occur. When I execute the following simple JSP code:
>
>     <% request.getParameter("foo"); %>
>
> I get the following exception:
>
>     org.apache.jasper.JasperException: org/apache/catalina/util/ParameterMap
>         at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:248)
>         at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:289)
>         at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:240)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain ...
>
> I also start tomcat with security debug info enabled (i.e. CATALINA_OPTS=-Djava.security.debug=failure) but the log files do not report any errors, except for the exception of course. I use the standard policy rules as stated in the file catalina.policy. I even tried to grant the following additional rules, but nothing has helped so far:
>
>     permission java.lang.RuntimePermission "accessClassInPackage.javax.servlet";
>     permission java.lang.RuntimePermission "accessClassInPackage.javax.servlet.*";
>
> If I grant all permissions (i.e. permission java.security.AllPermission;) to my code base, then everything works fine. What is the problem? Have I missed something obvious here?
>
> /Tommy
Re: tomcat/unix security manager questions
Richard Smith wrote:
> Hi All, Just wondering if you could help me clarify a few questions I have about tomcat and catalina.policy. I'm running tomcat 4.0.4 (w/ security manager) with mod_jk on solaris with about 300+ users, all of whom can deploy jsp/servlets from their public_html directory.

I have never set up Tomcat to do this, but from reading the docs it looks like Tomcat instantiates a separate web application context for each user.

> A user requirement is that they must be able to read/write files in their home directory. This is what I'm a little confused about. I understand I can put an entry like:
>
>     permission java.io.FilePermission "/home/-", "read,write,delete,execute";

I would never grant the execute permission, this allows Tomcat to use Runtime.exec() to execute shell scripts, etc.! The above permission w/o execute should be fine.

> in catalina.policy, but how does this enable tomcat to write to other users' home directories (when tomcat is running as a user with minimal privileges)? Or must I change permissions on the file to allow the user that is running tomcat to write to it (is this the normal practice?).

Yes, if you want to allow the user web applications to write and delete files in their own home directory Tomcat would need r/w file permissions. This can be done by adding the tomcat user tomcat to the group(s) which your users are members of. Then set up permissions on the public_html directory of mode 2775.

> Also, this is probably more a java question, but do standard unix permissions always take precedence over what is set in catalina.policy? (In my understanding the unix permissions take precedence, but I just wanted to make sure (please excuse my java ignorance))

Yes, unix file/dir ownership and permissions take precedence.

> Any help appreciated, Cheers,
RE: tomcat/unix security manager questions
Unix permissions do take precedence over java security policy.

Regards, Rossen
RE: tomcat/unix security manager questions
On Tue, 2002-08-20 at 03:13, Rossen Raykov wrote:
> Unix permissions do take precedence over java security policy.

With a logical AND. If unix permissions say you do have write access, but the java security policy says you do not, then you do not have write access, and vice versa. This, of course, assumes that there are no bugs in the unix or java security policy implementations.
codebase not accepted - Security Manager - catalina.policy
Hi,

I use the Security Manager in my Webapps. Everything works fine, until I write the codeBase parameter to the grant in my catalina.policy. Then I get some security Exceptions, which do not occur when I use only a standalone grant.

I use this entry in my catalina.policy:

    grant codeBase "file:${catalina.home}/webapps/-" {
        permission java.lang.RuntimePermission "getClassLoader";
    };

And get this Exception:

    java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)

If the - Element works, then I shouldn't get any Permission-Exceptions. Or is there any syntax error in my configuration?

Has someone an example with codebase and - which is working?

bye
juraj
tomcat with security manager
I'm developing a webapp with tomcat and struts and must use a security manager in tomcat (the -security startup arg). I have the following problem:

Tomcat has and uses commons-logging.jar
Struts has and uses commons-logging.jar

The two jar files are identical. Normally, one is supposed to include struts jar files and a bunch of other stuff with the webapp (basically static linking, which seems tragic with a platform like java :-( so all the jars in $STRUTS_HOME/lib are copied to WEB_INF/lib.

If I run with -security, TOMCAT finds the commons-logging.jar in WEB_INF/lib first, which has the webapp permissions (ie. NOT java.security.AllPermission :-) and fails. It looks like a

    java.lang.ExceptionInInitializerError: org.apache.commons.logging.LogConfigurationException: org.apache.commons.logging.LogConfigurationException: java.lang.NullPointerException

but if I turn on java.security.debug I see it is really that it is a security access problem - which is expected: code in the webapp should not be able to open and write files in $CATALINA_HOME/logs.

If I remove the commons-logging.jar from the webapp, then tomcat is happy (it uses $CATALINA_HOME/server/lib/commons-logging.jar, which has the right permissions) BUT then struts can't find the logging classes, which looks like:

    java.lang.NoClassDefFoundError: org/apache/commons/logging/LogFactory
        at org.apache.struts.util.MessageResourcesFactory.(MessageResourcesFactory.java:135)
    ...

Granting java.security.AllPermission to webapps makes them work but is not an acceptable alternative because the webapp loads dynamic code that can't be trusted (either 'cause I wrote it and it's buggy or because someone else wrote it and it is buggy and/or malicious :-).

Any ideas for a solution would be appreciated?

cheers,

--
Patrick Dowler
Canadian Astronomy Data Centre
National Research Council
Victoria, BC
Exception when using security manager
Hi,

I need to deploy a webapp under Tomcat 4.0.3 with security manager

    #startup -security

I have added in the required permission in the catalina.policy file as

    grant codeBase "file:${catalina.home}/webapps/sso/*" {
        permission java.security.AllPermission;
    };

I guess this will grant all the rights to the webapps. But when I startup tomcat with security manager, I got exceptions as follows:

Any thoughts! Thanks

    2002-06-10 16:58:45 StandardHost[localhost]: Installing web application at context path /sso from URL file:D:\tomcat-4-LE\webapps\sso
    2002-06-10 16:58:46 WebappLoader[/sso]: Deploying class repositories to work directory D:\tomcat-4-LE\work\localhost\sso
    2002-06-10 16:58:46 WebappLoader[/sso]: Deploy JAR /WEB-INF/lib/SCBJaas.jar to D:\tomcat-4-LE\webapps\sso\WEB-INF\lib\SCBJaas.jar
    2002-06-10 16:58:46 WebappLoader[/sso]: Deploy JAR /WEB-INF/lib/classes12.jar to D:\tomcat-4-LE\webapps\sso\WEB-INF\lib\classes12.jar
    2002-06-10 16:58:46 WebappLoader[/sso]: Deploy JAR /WEB-INF/lib/ecb.jar to D:\tomcat-4-LE\webapps\sso\WEB-INF\lib\ecb.jar
    2002-06-10 16:58:46 WebappLoader[/sso]: Deploy JAR /WEB-INF/lib/ecbldap.jar to D:\tomcat-4-LE\webapps\sso\WEB-INF\lib\ecbldap.jar
    2002-06-10 16:58:46 WebappLoader[/sso]: Deploy JAR /WEB-INF/lib/ecbsecurity.jar to D:\tomcat-4-LE\webapps\sso\WEB-INF\lib\ecbsecurity.jar
    2002-06-10 16:58:46 WebappLoader[/sso]: Deploy JAR /WEB-INF/lib/ldap.jar to D:\tomcat-4-LE\webapps\sso\WEB-INF\lib\ldap.jar
    2002-06-10 16:58:46 WebappLoader[/sso]: Deploy JAR /WEB-INF/lib/log4j.jar to D:\tomcat-4-LE\webapps\sso\WEB-INF\lib\log4j.jar
    2002-06-10 16:58:46 WebappLoader[/sso]: Deploy JAR /WEB-INF/lib/logapp.jar to D:\tomcat-4-LE\webapps\sso\WEB-INF\lib\logapp.jar
    2002-06-10 16:58:46 WebappLoader[/sso]: Deploy JAR /WEB-INF/lib/logger.jar to D:\tomcat-4-LE\webapps\sso\WEB-INF\lib\logger.jar
    2002-06-10 16:58:46 WebappLoader[/sso]: Deploy JAR /WEB-INF/lib/session.jar to D:\tomcat-4-LE\webapps\sso\WEB-INF\lib\session.jar
    2002-06-10 16:58:46 WebappLoader[/sso]: Deploy JAR /WEB-INF/lib/struts.jar to D:\tomcat-4-LE\webapps\sso\WEB-INF\lib\struts.jar
    2002-06-10 16:58:46 StandardManager[/sso]: Seeding random number generator class java.security.SecureRandom
    2002-06-10 16:58:46 StandardManager[/sso]: Seeding of random number generator has been completed
    2002-06-10 16:58:46 ContextConfig[/sso]: Added certificates - request attribute Valve
    2002-06-10 16:58:46 SSO-init: init
    2002-06-10 16:58:48 StandardContext[/sso]: Servlet /sso threw load() exception
    javax.servlet.ServletException: Servlet.init() for servlet SSO-init threw exception
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:935)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:808)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3266)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:3395)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:785)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:454)
        at org.apache.catalina.core.StandardHost.install(StandardHost.java:714)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:300)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:389)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:232)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:155)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1131)
        at org.apache.catalina.core.StandardHost.start(StandardHost.java:614)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1123)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:343)
        at org.apache.catalina.core.StandardService.start(StandardService.java:388)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:506)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:781)
        at org.apache.catalina.startup.Catalina.execute(Catalina.java:681)
        at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:243)
    ----- Root Cause -----
    java.security.AccessControlException: access denied (java.net.SocketPermission dbhost resolve)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
        at java.security.AccessController.checkPermission(AccessController.java:401
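The grants quoted in the messages above end in `/*` (webapps/sso/*) and in `/-` (webapps/-, /home/-), and the JDK matches the two forms differently: `/*` covers only entries directly in that directory, `/-` covers the whole tree below it. The following added example (not code from any poster or from Tomcat) checks constructed locations against each codeBase form with `CodeSource.implies`; /opt/tomcat stands in for ${catalina.home} and, like every location listed, is an assumption.

```java
import java.net.URI;
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;

public class CodeBaseMatch {

    // True when a grant entry with this codeBase would apply to code
    // whose code source location is `location` (signers ignored).
    static boolean grantCovers(String codeBase, String location) throws Exception {
        CodeSource grant = new CodeSource(toUrl(codeBase), (Certificate[]) null);
        CodeSource loaded = new CodeSource(toUrl(location), (Certificate[]) null);
        return grant.implies(loaded);
    }

    static URL toUrl(String s) throws Exception {
        return URI.create(s).toURL();
    }

    public static void main(String[] args) throws Exception {
        // Assumption: catalina.home is /opt/tomcat. All locations are constructed.
        String[] codeBases = {
            "file:/opt/tomcat/webapps/sso/*",   // one directory level only
            "file:/opt/tomcat/webapps/sso/-",   // recursive
            "file:/opt/tomcat/webapps/-",       // recursive, all webapps
        };
        String[] locations = {
            "file:/opt/tomcat/webapps/sso/applet.jar",
            "file:/opt/tomcat/webapps/sso/WEB-INF/lib/struts.jar",
            "file:/opt/tomcat/webapps/sso/WEB-INF/classes/",
            "file:/opt/tomcat/work/localhost/sso/index_jsp.class",
        };
        for (String cb : codeBases) {
            System.out.println("grant codeBase \"" + cb + "\"");
            for (String loc : locations) {
                // Only the first location matches ".../sso/*"; the first three
                // match both "/-" forms; the work/ location matches none.
                System.out.printf("  %-5b %s%n", grantCovers(cb, loc), loc);
            }
        }
    }
}
```

The code source that Tomcat actually assigns to a webapp class is not shown on this page; the `-Djava.security.debug=access,failure` option quoted elsewhere on the page prints the protection domain that failed a check.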
Re: Fwd: Re: Tomcat 4.0.2-b2 + JSSE + Security Manager
Hi Glenn,

Thanks for the advice. My last try was to leave security manager with just these lines:

    grant {
        permission java.security.AllPermission;
    };

( which I presume is the same as running without a security manager ) and it didn't work. I opened a bug report because I don't think I'm able to do something further.

Thanks for the help !

Renato - Brazil

On Wed, 23 Jan 2002 20:17:49 -0600, Glenn Nielsen [EMAIL PROTECTED] wrote:

> Oh, one more thing you can try. Configure the following permission in your catalina.policy.
>
>     permission java.security.SecurityPermission "getProperty.cert.provider.x509v1";
>
> Regards,
>
> Glenn
>
> Renato wrote:
> > This is the last message I got, besides the usual already reported.
> >
> >     default context init failed: java.security.PrivilegedActionException java.security.NoSuchAlgorithmException: Algorithm SunX509 not available
> >
> > Looking at the docs, it looks like it couldn't find the JSSE libraries. I even forced the jsse.jar, jcert.jar and jnet.jar on the global classpath when starting Catalina but I still can't use Security Manager and JSSE at the same time.
> >
> > Anything else I could do ?
> >
> > On Tue, 22 Jan 2002 13:58:17 -0600, Glenn Nielsen [EMAIL PROTECTED] wrote:
> > > Try starting tomcat 4 with -security and the following properties defined:
> > >
> > >     -Djava.security.debug=access,failure -Djava.net.debug=ssl
> > >
> > > That should generate a lot of debug data to help you track down the source of the problem.
> > >
> > > Regards,
> > >
> > > Glenn
> > >
> > > Renato wrote:
> > > > Hi all,
> > > >
> > > > I'm installing Tomcat 4.0.2B2. Everything is fine except for the following:
> > > >
> > > > - I try to run a servlet that uses JSSE. If I start Catalina without the '-security' it works fine, if I start with the '-security' it generates the error:
> > > >
> > > >     java.net.SocketException: SSL implementation not available (...)
> > > >
> > > > The JSSE libraries are on ${java.home}/jre/lib/ext and this path has permission to all. I also tried on Tomcat 3.3 and the servlet works with or without the security manager.
> > > >
> > > > Any hint ?
> > > >
> > > > Thanks
> > > > Renato - Brazil
> > >
> > > --
> > > Glenn Nielsen [EMAIL PROTECTED]          | /* Spelin donut madder |
> > > MOREnet System Programming               |  * if iz ina coment.   |
> > > Missouri Research and Education Network  |  */                    |
Tomcat 4.0.2-b2 + JSSE + Security Manager
Hi all,

I'm installing Tomcat 4.0.2B2. Everything is fine except for the following:

- I try to run a servlet that uses JSSE. If I start Catalina without the '-security' it works fine, if I start with the '-security' it generates the error:

    java.net.SocketException: SSL implementation not available (...)

The JSSE libraries are on ${java.home}/jre/lib/ext and this path has permission to all. I also tried on Tomcat 3.3 and the servlet works with or without the security manager.

Any hint ?

Thanks
Renato - Brazil
Re: How do I know what security manager is in use?
On Tuesday, 2 October 2001 19:04 you wrote:

> [...]
> > I am writing some general support classes to manage users and roles. To support a call like addUser() I need to know which security manager is in use so I can do the right thing. Doing things like checking for tomcat-usrs.xml or a particular security class don't seem adequate.
>
> You should not be using MemoryRealm for a production application. A completely separate approach would be to write a regular webapp that talks directly to the underlying database (or directory server) containing your authentication data. Any new user that you add, for example, is immediately recognized -- there is no real reason to mess around with the internal Realm implementation class at all.

We needed for a project the ability to show the user why the authentication wasn't successful (wrong passwd, unknown username,...). And after three failed tries the account should be disabled.

For the first problem we found no easy solution, the second problem was solved by hacking the JDBCRealm. Is this a real reason to mess around with the internal Realm? Or have we taken the wrong way?

Greetings

Martin
Re: How do I know what security manager is in use?
On Wed, 3 Oct 2001, Martin Scheerer wrote:

> Date: Wed, 3 Oct 2001 17:54:34 +0200
> From: Martin Scheerer [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: How do I know what security manager is in use?
>
> On Tuesday, 2 October 2001 19:04 you wrote:
> > [...]
> > > I am writing some general support classes to manage users and roles. To support a call like addUser() I need to know which security manager is in use so I can do the right thing. Doing things like checking for tomcat-usrs.xml or a particular security class don't seem adequate.
> >
> > You should not be using MemoryRealm for a production application. A completely separate approach would be to write a regular webapp that talks directly to the underlying database (or directory server) containing your authentication data. Any new user that you add, for example, is immediately recognized -- there is no real reason to mess around with the internal Realm implementation class at all.
>
> We needed for a project the ability to show the user why the authentication wasn't successful (wrong passwd, unknown username,...).

This is information you really would not want to tell someone trying to hack in to your site.

> And after three failed tries the account should be disabled.

To do something like this, you'd definitely need to modify the Tomcat code. I would think, though, that you'd want to modify the Authenticator, rather than the Realm - testing whether authentication has failed three times is the same no matter which realm you are actually using underneath.

> For the first problem we found no easy solution, the second problem was solved by hacking the JDBCRealm. Is this a real reason to mess around with the internal Realm? Or have we taken the wrong way?
>
> Greetings
>
> Martin

Craig
How do I know what security manager is in use?
There are now (at least) 3 different web security managers which could be in use by a web app (JDBC, JNDI, in-memory). How can I tell which one?

I am writing some general support classes to manage users and roles. To support a call like addUser() I need to know which security manager is in use so I can do the right thing. Doing things like checking for tomcat-usrs.xml or a particular security class don't seem adequate.

Further, if the class is, say, JDBCRealm, I would like to also get the xml properties for connectionURL, connectionName, connectionPassword, etc. or maybe even the connection itself.

It seems like this is something the servlet spec should address.

Any suggestions?

Frank Lawlor
Athens Group, Inc.
(512) 345-0600 x151
Athens Group, an employee-owned consulting firm integrating technology strategy and software solutions.
Re: How do I know what security manager is in use?
On Tue, 2 Oct 2001, Frank Lawlor wrote:

> Date: Tue, 2 Oct 2001 11:29:41 -0500
> From: Frank Lawlor [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED], [EMAIL PROTECTED]
> To: Tomcat (E-mail) [EMAIL PROTECTED]
> Subject: How do I know what security manager is in use?
>
> There are now (at least) 3 different web security managers which could be in use by a web app (JDBC, JNDI, in-memory). How can I tell which one?

It sounds like you're really asking which *Realm* is in use, right? SecurityManager is something different from this.

From code inside Tomcat, the way to find out which one is in use would be to get a reference to the current Context, and then call the getRealm() method. Then, you could (for example) do an instanceof test to see which implementation is in use.

In order to get a reference to the Context from a servlet, your servlet class must implement the ContainerServlet interface, and be installed inside Catalina (in the server/classes or server/lib directory), because normal servlets are not allowed to access

> I am writing some general support classes to manage users and roles. To support a call like addUser() I need to know which security manager is in use so I can do the right thing. Doing things like checking for tomcat-usrs.xml or a particular security class don't seem adequate.

You should not be using MemoryRealm for a production application.

A completely separate approach would be to write a regular webapp that talks directly to the underlying database (or directory server) containing your authentication data. Any new user that you add, for example, is immediately recognized -- there is no real reason to mess around with the internal Realm implementation class at all.

> Further, if the class is, say, JDBCRealm, I would like to also get the xml properties for connectionURL, connectionName, connectionPassword, etc. or maybe even the connection itself.

Check out the implementation classes, and you'll see that much of this stuff is visible as JavaBeans properties. If you do the container servlet approach, you can call any public method of these classes.

But, I suggest that you don't go this way - it adds needless complexity and ties you incredibly tightly to Tomcat's internal architecture.

> It seems like this is something the servlet spec should address.

In the JSR-053 discussion group that came up with Servlet 2.3, we did some initial discussion of this. But it's a much bigger topic than just servlets (because EJBs use the same security model) - it's likely to end up with a new JSR that covers these sorts of issues.

> Any suggestions?
>
> Frank Lawlor
> Athens Group, Inc.
> (512) 345-0600 x151
> Athens Group, an employee-owned consulting firm integrating technology strategy and software solutions.

Craig McClanahan