tomcat with security manager

2002-06-12 Thread Patrick Dowler


I'm developing a webapp with tomcat and struts and must use a
security manager in tomcat (the -security startup arg). I have the
following problem:

Tomcat has and uses commons-logging.jar
Struts has and uses commons-logging.jar

The two jar files are identical. Normally, one is supposed to include
struts jar files and a bunch of other stuff with the webapp (basically
static linking, which seems tragic with a platform like java :-( so all
the jars in $STRUTS_HOME/lib are copied to WEB_INF/lib.

If I run with -security, TOMCAT finds the commons-logging.jar in WEB_INF/lib
first, which has the webapp permissions (ie. NOT java.security.AllPermission :-)

and fails. It looks like a

java.lang.ExceptionInInitializerError:
org.apache.commons.logging.LogConfigurationException:
org.apache.commons.logging.LogConfigurationException:
java.lang.NullPointerException

but if I turn on java.security.debug I see it is really that it is a security access
problem - which is expected: code in the webapp should not be able to
open and write files in $CATALINA_HOME/logs.

If I remove the commons-logging.jar from the webapp, then tomcat is
happy (it uses $CATALINA_HOME/server/lib/commons-logging.jar, which
has the right permissions) BUT then  struts can't find the logging
classes, which looks like:

java.lang.NoClassDefFoundError: org/apache/commons/logging/LogFactory
at org.apache.struts.util.MessageResourcesFactory.(MessageResourcesFactory.java:135)
...

Granting java.security.AllPermission to webapps makes them work but is not
an acceptable alternative because the webapp loads dynamic code that can't
be trusted (either 'cause I wrote it and it's buggy or because someone else
wrote it and it is buggy and/or malicious :-).

Any ideas for a solution would be appreciated.

cheers,


-- 
Patrick Dowler
Canadian Astronomy Data Centre
National Research Council
Victoria, BC





Tomcat with Security manager

2003-02-05 Thread Harish Kumar K.K.
Hello All

Hope somebody can help me!

I am using Tomcat 4.0.3 on a Red Hat Linux 7.1 system with Apache 1.3.27, and it works 
fine if started without the security manager. Recently I had to put up a file upload 
form on one of my web sites, and when I deployed the jsp to accept the form data and 
save the uploaded file to disk...it came up with the error "File cannot be saved". I 
am using jspSmartUpload class to handle the multipart form data and to save the file 
to disk, which can be downloaded from www.jspsmart.com

So I read the documentation and figured, the security manager might have to be enabled 
with appropriate File IO permissions set for the directory to which I was trying to 
save the file. 

I proceeded to add the required "grant" directive in the catalina.policy file, and 
when I started Tomcat with the security manager enabled...it wouldn't start! I 
checked catalina.out and saw that Tomcat is not able to read server.xml. Here is the 
stacktrace I found in catalina.out

Catalina.start: java.security.AccessControlException: access denied (java.io.FilePermission /var/tomcat4/conf/server.xml read)
java.security.AccessControlException: access denied (java.io.FilePermission /var/tomcat4/conf/server.xml read)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
at java.security.AccessController.checkPermission(AccessController.java:401)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
at java.lang.SecurityManager.checkRead(SecurityManager.java:887)
at java.io.File.isDirectory(File.java:698)
at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:65)
at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:148)
at java.net.URL.openStream(URL.java:955)
at org.apache.xerces.readers.DefaultReaderFactory.createReader(DefaultReaderFactory.java)
at org.apache.xerces.readers.DefaultEntityHandler.startReadingFromDocument(DefaultEntityHandler.java)
at org.apache.xerces.framework.XMLParser.parseSomeSetup(XMLParser.java)
at org.apache.xerces.framework.XMLParser.parse(XMLParser.java)
at org.xml.sax.helpers.XMLReaderAdapter.parse(XMLReaderAdapter.java:223)
at javax.xml.parsers.SAXParser.parse(SAXParser.java:314)
at javax.xml.parsers.SAXParser.parse(SAXParser.java:253)
at org.apache.catalina.util.xml.XmlMapper.readXml(XmlMapper.java:228)
at org.apache.catalina.startup.Catalina.start(Catalina.java:725)
at org.apache.catalina.startup.Catalina.execute(Catalina.java:681)
at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:243)

Then, I found from the security manager howto on the web site, that if no security 
manager is enabled, its just like giving all permissions...I am guessing this means 
that in that case the operating system file permission system only will be in effect. 
So I made the directory I wanted to save the file into, world writable, just to make 
sure the OS is not preventing the save operation. Then started Tomcat without the 
security manager...still the same result!

Now I am totally confused! What am I doing wrong?
Can anybody help me? Please?

Thanks and Regards
Harish


Re: Tomcat with Security manager

2003-02-06 Thread Jeanfrancois Arcand
Can you post your catalina.policy file? Your file should contain that 
permission:

// These permissions apply to the server startup code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
 permission java.security.AllPermission;
};

-- Jeanfrancois

Harish Kumar K.K. wrote:

Hello All

Hope somebody can help me!

I am using Tomcat 4.0.3 on a Red Hat Linux 7.1 system with Apache 1.3.27, and it works fine if started without the security manager. Recently I had to put up a file upload form on one of my web sites, and when I deployed the jsp to accept the form data and save the uploaded file to disk...it came up with the error "File cannot be saved". I am using jspSmartUpload class to handle the multipart form data and to save the file to disk, which can be downloaded from www.jspsmart.com

So I read the documentation and figured, the security manager might have to be enabled with appropriate File IO permissions set for the directory to which I was trying to save the file. 

I proceeded to add the required "grant" directive in the catalina.policy file, and when I started Tomcat with the security manager enabled...it wouldn't start! I checked catalina.out and saw that Tomcat is not able to read server.xml. Here is the stacktrace I found in catalina.out

Catalina.start: java.security.AccessControlException: access denied (java.io.FilePermission /var/tomcat4/conf/server.xml read)
java.security.AccessControlException: access denied (java.io.FilePermission /var/tomcat4/conf/server.xml read)
   at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
   at java.security.AccessController.checkPermission(AccessController.java:401)
   at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
   at java.lang.SecurityManager.checkRead(SecurityManager.java:887)
   at java.io.File.isDirectory(File.java:698)
   at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:65)
   at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:148)
   at java.net.URL.openStream(URL.java:955)
   at org.apache.xerces.readers.DefaultReaderFactory.createReader(DefaultReaderFactory.java)
   at org.apache.xerces.readers.DefaultEntityHandler.startReadingFromDocument(DefaultEntityHandler.java)
   at org.apache.xerces.framework.XMLParser.parseSomeSetup(XMLParser.java)
   at org.apache.xerces.framework.XMLParser.parse(XMLParser.java)
   at org.xml.sax.helpers.XMLReaderAdapter.parse(XMLReaderAdapter.java:223)
   at javax.xml.parsers.SAXParser.parse(SAXParser.java:314)
   at javax.xml.parsers.SAXParser.parse(SAXParser.java:253)
   at org.apache.catalina.util.xml.XmlMapper.readXml(XmlMapper.java:228)
   at org.apache.catalina.startup.Catalina.start(Catalina.java:725)
   at org.apache.catalina.startup.Catalina.execute(Catalina.java:681)
   at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:324)
   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:243)

Then, I found from the security manager howto on the web site, that if no security manager is enabled, its just like giving all permissions...I am guessing this means that in that case the operating system file permission system only will be in effect. So I made the directory I wanted to save the file into, world writable, just to make sure the OS is not preventing the save operation. Then started Tomcat without the security manager...still the same result!

Now I am totally confused! What am I doing wrong?
Can anybody help me? Please?

Thanks and Regards
Harish
 







Re: Tomcat with Security manager

2003-02-06 Thread Neville Gomes
Hi,

You could try a chmod on the directory you're uploading your files onto.

Regards,
Neville


On Thursday 06 February 2003 10:27, you wrote:
> Hello All
>
> Hope somebody can help me!
>
> I am using Tomcat 4.0.3 on a Red Hat Linux 7.1 system with Apache 1.3.27,
> and it works fine if started without the security manager. Recently I had
> to put up a file upload form on one of my web sites, and when I deployed
> the jsp to accept the form data and save the uploaded file to disk...it
> came up with the error "File cannot be saved". I am using jspSmartUpload
> class to handle the multipart form data and to save the file to disk, which
> can be downloaded from www.jspsmart.com
>
> So I read the documentation and figured, the security manager might have to
> be enabled with appropriate File IO permissions set for the directory to
> which I was trying to save the file.
>
> I proceeded to add the required "grant" directive in the catalina.policy
> file, and when I started Tomcat with the security manager enabled...it
> wouldn't start! I checked catalina.out and saw that Tomcat is not able to
> read server.xml. Here is the stacktrace I found in catalina.out
>
> Catalina.start: java.security.AccessControlException: access denied
> (java.io.FilePermission /var/tomcat4/conf/server.xml read)
> java.security.AccessControlException: access denied (java.io.FilePermission
> /var/tomcat4/conf/server.xml read) at
> java.security.AccessControlContext.checkPermission(AccessControlContext.jav
>a:270) at
> java.security.AccessController.checkPermission(AccessController.java:401)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:542) at
> java.lang.SecurityManager.checkRead(SecurityManager.java:887) at
> java.io.File.isDirectory(File.java:698)
> at
> sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:
>65) at
> sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnectio
>n.java:148) at java.net.URL.openStream(URL.java:955)
> at
> org.apache.xerces.readers.DefaultReaderFactory.createReader(DefaultReaderFa
>ctory.java) at
> org.apache.xerces.readers.DefaultEntityHandler.startReadingFromDocument(Def
>aultEntityHandler.java) at
> org.apache.xerces.framework.XMLParser.parseSomeSetup(XMLParser.java) at
> org.apache.xerces.framework.XMLParser.parse(XMLParser.java) at
> org.xml.sax.helpers.XMLReaderAdapter.parse(XMLReaderAdapter.java:223) at
> javax.xml.parsers.SAXParser.parse(SAXParser.java:314)
> at javax.xml.parsers.SAXParser.parse(SAXParser.java:253)
> at
> org.apache.catalina.util.xml.XmlMapper.readXml(XmlMapper.java:228) at
> org.apache.catalina.startup.Catalina.start(Catalina.java:725) at
> org.apache.catalina.startup.Catalina.execute(Catalina.java:681) at
> org.apache.catalina.startup.Catalina.process(Catalina.java:179) at
> sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:3
>9) at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImp
>l.java:25) at java.lang.reflect.Method.invoke(Method.java:324)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:243)
>
> Then, I found from the security manager howto on the web site, that if no
> security manager is enabled, its just like giving all permissions...I am
> guessing this means that in that case the operating system file permission
> system only will be in effect. So I made the directory I wanted to save the
> file into, world writable, just to make sure the OS is not preventing the
> save operation. Then started Tomcat without the security manager...still
> the same result!
>
> Now I am totally confused! What am I doing wrong?
> Can anybody help me? Please?
>
> Thanks and Regards
> Harish





Re: Tomcat with Security manager

2003-02-06 Thread Harish Kumar K.K.
java.util.PropertyPermission "java.specification.name", "read";

permission java.util.PropertyPermission "java.vm.specification.version", "read";
permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
permission java.util.PropertyPermission "java.vm.specification.name", "read";
permission java.util.PropertyPermission "java.vm.version", "read";
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";

// Required for getting BeanInfo
permission java.lang.RuntimePermission "accessClassInPackage.sun.beans.*";

// Allow read of JAXP compliant XML parser debug
permission java.util.PropertyPermission "jaxp.debug", "read";
};


// You can assign additional permissions to particular web applications by
// adding additional "grant" entries here, based on the code base for that
// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
//
// Different permissions can be granted to JSP pages, classes loaded from
// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
//
// For instance, assume that the standard "examples" application
// included a JDBC driver that needed to establish a network connection to the
// corresponding database and used the scrape taglib to get the weather from
// the NOAA web server.  You might create a "grant" entries like this:
//
// The permissions granted to the context root directory apply to JSP pages.
// grant codeBase "file:${catalina.home}/webapps/examples/-" {
//  permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
//  permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
//
// The permissions granted to the context WEB-INF/classes directory
// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/classes/-" {
// };
//
// The permission granted to your JDBC driver
// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
//  permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// };
// The permission granted to the scrape taglib
// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
//  permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };

grant codeBase "file:/my_jspfolderpath/-" {
permission java.io.FilePermission "my_jspfolderpath/images/site","read,write";
};

**   End of catalina.policy
**


- Original Message -
From: "Jeanfrancois Arcand" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Thursday, February 06, 2003 7:34 AM
Subject: Re: Tomcat with Security manager


> Can you post your catalina.policy file? Your file should contain that
> permission:
>
> // These permissions apply to the server startup code
> grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
>   permission java.security.AllPermission;
> };
>
> -- Jeanfrancois
>
> Harish Kumar K.K. wrote:
>
> >Hello All
> >
> >Hope somebody can help me!
> >
> >I am using Tomcat 4.0.3 on a Red Hat Linux 7.1 system with Apache 1.3.27,
and it works fine if started without the security manager. Recently I had to
put up a file upload form on one of my web sites, and when I deployed the
jsp to accept the form data and save the uploaded file to disk...it came up
with the error "File cannot be saved". I am using jspSmartUpload class to
handle the multipart form data and to save the file to disk, which can be
downloaded from www.jspsmart.com
> >
> >So I read the documentation and figured, the security manager might have
to be enabled with appropriate File IO permissions set for the directory to
which I was trying to save the file.
> >
> >I proceeded to add the required "grant" directive in the catalina.policy
file, and when I started Tomcat with the security manager enabled...it
wouldn't start! I checked catalina.out and saw that Tomcat is not able to
read server.xml. Here is the stacktrace I found in catalina.out
> >
> >Catalina.start: java.security.AccessControlException: access denied
(java.io.FilePermission /var/tomcat4/conf/server.xml read)
> >java.security.AccessControlException: access denied
(java.io.FilePermission /var/tomcat4/conf/server.xml read)
> >at
java.s

Re: Tomcat with Security manager

2003-02-07 Thread Jeanfrancois Arcand
rmission java.util.PropertyPermission "java.specification.version", "read";
   permission java.util.PropertyPermission "java.specification.vendor", "read";
   permission java.util.PropertyPermission "java.specification.name", "read";

   permission java.util.PropertyPermission "java.vm.specification.version", "read";
   permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
   permission java.util.PropertyPermission "java.vm.specification.name", "read";
   permission java.util.PropertyPermission "java.vm.version", "read";
   permission java.util.PropertyPermission "java.vm.vendor", "read";
   permission java.util.PropertyPermission "java.vm.name", "read";

   // Required for getting BeanInfo
   permission java.lang.RuntimePermission "accessClassInPackage.sun.beans.*";

   // Allow read of JAXP compliant XML parser debug
   permission java.util.PropertyPermission "jaxp.debug", "read";
};


// You can assign additional permissions to particular web applications by
// adding additional "grant" entries here, based on the code base for that
// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
//
// Different permissions can be granted to JSP pages, classes loaded from
// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
//
// For instance, assume that the standard "examples" application
// included a JDBC driver that needed to establish a network connection to the
// corresponding database and used the scrape taglib to get the weather from
// the NOAA web server.  You might create a "grant" entries like this:
//
// The permissions granted to the context root directory apply to JSP pages.
// grant codeBase "file:${catalina.home}/webapps/examples/-" {
//  permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
//  permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
//
// The permissions granted to the context WEB-INF/classes directory
// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/classes/-" {
// };
//
// The permission granted to your JDBC driver
// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
//  permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// };
// The permission granted to the scrape taglib
// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
//  permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };

grant codeBase "file:/my_jspfolderpath/-" {
   permission java.io.FilePermission "my_jspfolderpath/images/site","read,write";
};

**   End of catalina.policy
**


- Original Message -
From: "Jeanfrancois Arcand" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Thursday, February 06, 2003 7:34 AM
Subject: Re: Tomcat with Security manager


 

Can you post your catalina.policy file? Your file should contain that
permission:

// These permissions apply to the server startup code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
 permission java.security.AllPermission;
};

-- Jeanfrancois

Harish Kumar K.K. wrote:

   

Hello All

Hope somebody can help me!

I am using Tomcat 4.0.3 on a Red Hat Linux 7.1 system with Apache 1.3.27,
 

and it works fine if started without the security manager. Recently I had to
put up a file upload form on one of my web sites, and when I deployed the
jsp to accept the form data and save the uploaded file to disk...it came up
with the error "File cannot be saved". I am using jspSmartUpload class to
handle the multipart form data and to save the file to disk, which can be
downloaded from www.jspsmart.com
 

So I read the documentation and figured, the security manager might have
 

to be enabled with appropriate File IO permissions set for the directory to
which I was trying to save the file.
 

I proceeded to add the required "grant" directive in the catalina.policy
 

file, and when I started Tomcat with the security manager enabled...it
wouldn't start! I checked catalina.out and saw that Tomcat is not able to
read server.xml. Here is the stacktrace I found in catalina.out
 

Catalina.start: java.security.AccessControlException: access denied
 

(java.io.FilePermission /var/tomcat4/conf/server.xml read)
 

java.security.Acces

[REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Phillip Qin
Don't know if this mailing list filters my post, try it again.

I am frustrated. I have a webapp developed by struts. If I start Tomcat
without security manager, everything works fine. I can access
https://myhost.mydomain.com/myapp/mylink.do?myparam=myvalue.

After I start Tomcat -security and access the above link, I got the
following error. There is an index.jsp. When someone types
https://myhost.mydomain.com/myapp, this index.jsp will redirect him to the
home page. It is simply a META refresh. The frustration is, if I access
https://myhost.mydomain.com/myapp once, then I can always access
https://myhost.mydomain.com/myapp/mylink.do?myparam=myvalue. I suspect there
are permissions that I need to grant in Catalina.policy.

Any input?

java.lang.NoClassDefFoundError: org/apache/coyote/tomcat4/CoyoteRequest$PrivilegedGetSession
at org.apache.coyote.tomcat4.CoyoteRequest.getSession(CoyoteRequest.java:1728)
at org.apache.coyote.tomcat4.CoyoteRequestFacade.getSession(CoyoteRequestFacade.java:365)
at org.apache.coyote.tomcat4.CoyoteRequestFacade.getSession(CoyoteRequestFacade.java:375)
at org.apache.struts.action.RequestProcessor.processLocale(RequestProcessor.java:631)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:230)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1480)
at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:506)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:98)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:256)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2415)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:509)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:261)
at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:360)
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:604)
at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:562)
at org.apache.jk.co

Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread John Turner
Is there a part in your error message that says "Root Cause"?  If so, what 
is it?

John

On Mon, 23 Jun 2003 14:24:36 -0400, Phillip Qin 
<[EMAIL PROTECTED]> wrote:

Don't know if this mailing list filters my post, try it again.

I am frustrated. I have a webapp developed by struts. If I start Tomcat
without security manager, everything works fine. I can access
https://myhost.mydomain.com/myapp/mylink.do?myparam=myvalue.
After I start Tomcat -security and access the above link, I got the
following error. There is an index.jsp. When some one type
https://myhost.mydomain.com/myapp, this index.jsp will redirect him to 
the
home page. It is simply a META refresh. The frustration is, if I access
https://myhost.mydomain.com/myapp once, then I can always access
https://myhost.mydomain.com/myapp/mylink.do?myparam=myvalue. I suspect 
there
are permission that I need to grant in Catalina.policy.

Any input?

java.lang.NoClassDefFoundError: org/apache/coyote/tomcat4/CoyoteRequest$PrivilegedGetSession
	at org.apache.coyote.tomcat4.CoyoteRequest.getSession(CoyoteRequest.java:1728)
	at org.apache.coyote.tomcat4.CoyoteRequestFacade.getSession(CoyoteRequestFacade.java:365)
	at org.apache.coyote.tomcat4.CoyoteRequestFacade.getSession(CoyoteRequestFacade.java:375)
	at org.apache.struts.action.RequestProcessor.processLocale(RequestProcessor.java:631)
	at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:230)
	at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1480)
	at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:506)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
	at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:98)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:256)
	at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
	at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
	at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
	at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2415)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
	at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
	at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171)
	at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
	at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:509)
	at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
	at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
	at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
	at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:261)
	at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:360)
	at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:604)
	at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:562)
	at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:679)
	at org.apache.tomcat.util.threads.

RE: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Phillip Qin
The exception that I posted is root cause. The exception is 

javax.servlet.ServletException: Servlet execution threw an exception
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
	at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:98)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
..

I solved this problem by including a grant entry

grant codeBase "file:${catalina.home}/webapps/myapp/WEB-INF/struts.jar" {
  permission java.security.AllPermission;
};

But I am wondering if this AllPermission is secure enough or I am opening
more holes.

-Original Message-
From: John Turner [mailto:[EMAIL PROTECTED] 
Sent: June 23, 2003 2:34 PM
To: Tomcat Users List
Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError


Is there a part in your error message that says "Root Cause"?  If so, what 
is it?

John

On Mon, 23 Jun 2003 14:24:36 -0400, Phillip Qin 
<[EMAIL PROTECTED]> wrote:

> Don't know if this mailing list filters my post, try it again.
>
> I am frustrated. I have a webapp developed by struts. If I start Tomcat
> without security manager, everything works fine. I can access
> https://myhost.mydomain.com/myapp/mylink.do?myparam=myvalue.
>
> After I start Tomcat -security and access the above link, I got the
> following error. There is an index.jsp. When someone types
> https://myhost.mydomain.com/myapp, this index.jsp will redirect him to the
> home page. It is simply a META refresh. The frustration is, if I access
> https://myhost.mydomain.com/myapp once, then I can always access
> https://myhost.mydomain.com/myapp/mylink.do?myparam=myvalue. I suspect there
> are permissions that I need to grant in Catalina.policy.
>
> Any input?
>
> java.lang.NoClassDefFoundError: org/apache/coyote/tomcat4/CoyoteRequest$PrivilegedGetSession
>   at org.apache.coyote.tomcat4.CoyoteRequest.getSession(CoyoteRequest.java:1728)
>   at org.apache.coyote.tomcat4.CoyoteRequestFacade.getSession(CoyoteRequestFacade.java:365)
>   at org.apache.coyote.tomcat4.CoyoteRequestFacade.getSession(CoyoteRequestFacade.java:375)
>   at org.apache.struts.action.RequestProcessor.processLocale(RequestProcessor.java:631)
>   at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:230)
>   at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1480)
>   at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:506)
>   at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
>   at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
>   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
>   at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:98)
>   at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
>   at java.security.AccessController.doPrivileged(Native Method)
>   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
>   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:256)
>   at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
>   at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>   at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>   at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
>   at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
>   at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
>   at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
>   at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
>   at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2415)
>   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
>   at
>
org.apache.catalina.core.StandardPipeline$S
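
The question raised in the message above, whether an AllPermission grant on a jar under webapps/ opens more holes, can be checked mechanically across a whole policy file. The following is an added example, not code from the thread, Tomcat or Struts: it parses a subset of the policy-file grammar and flags grants that give webapp code `AllPermission` or `ReflectPermission "suppressAccessChecks"`. The sample policy, the log file path and the HIGH/REVIEW labels are constructed for illustration.

```python
import re

# Constructed sample in catalina.policy syntax (not the poster's real file).
# Grant 1 is the entry quoted in the thread; grant 2 is a hypothetical
# narrower alternative whose log path is an assumption; grant 3 stands in
# for a container-code grant outside webapps/.
SAMPLE_POLICY = r'''
// constructed sample
grant codeBase "file:${catalina.home}/webapps/myapp/WEB-INF/struts.jar" {
  permission java.security.AllPermission;
};

grant codeBase "file:${catalina.home}/webapps/myapp/-" {
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission java.io.FilePermission "${catalina.home}/logs/myapp.log", "read,write";
};

grant codeBase "file:${catalina.home}/server/-" {
  permission java.security.AllPermission;
};
'''

# Quoted strings are matched as units so the braces in ${catalina.home}
# are not mistaken for the start or end of a grant block.
GRANT_RE = re.compile(
    r'grant\b(?P<head>(?:"[^"]*"|[^{"])*)\{(?P<body>(?:"[^"]*"|[^}"])*)\}\s*;')
CODEBASE_RE = re.compile(r'codeBase\s+"([^"]*)"')
PERM_RE = re.compile(
    r'permission\s+([\w.$]+)\s*(?:"([^"]*)")?\s*(?:,\s*"([^"]*)")?\s*;')


def parse_policy(text):
    """Return [{'codebase': str|None, 'permissions': [(class, target, actions)]}]."""
    # Only whole-line // comments are stripped; this is a subset of the grammar.
    text = re.sub(r'^\s*//.*$', '', text, flags=re.M)
    grants = []
    for g in GRANT_RE.finditer(text):
        cb = CODEBASE_RE.search(g.group('head'))
        perms = [m.groups() for m in PERM_RE.finditer(g.group('body'))]
        grants.append({'codebase': cb.group(1) if cb else None,
                       'permissions': perms})
    return grants


def audit(text):
    """Flag grants that hand sandbox-defeating permissions to webapp code."""
    findings = []
    for grant in parse_policy(text):
        cb = grant['codebase']
        # No codeBase means the grant applies to all code, webapps included.
        webapp_scope = cb is None or '/webapps/' in cb
        if not webapp_scope:
            continue
        for cls, target, _actions in grant['permissions']:
            if cls == 'java.security.AllPermission':
                findings.append(('HIGH', cb, cls, target))
            elif (cls == 'java.lang.reflect.ReflectPermission'
                  and target == 'suppressAccessChecks'):
                findings.append(('REVIEW', cb, cls, target))
    return findings


if __name__ == '__main__':
    for sev, cb, cls, target in audit(SAMPLE_POLICY):
        print(f'{sev:6} {cb}: {cls} {target or ""}'.rstrip())
```

A codeBase ending in `/-` covers every file under that directory recursively, so a grant written that way applies to all jars and classes of the webapp, not only to one library.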

Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Jason Bainbridge
On Tue, 24 Jun 2003 02:41, Phillip Qin wrote:
> I solved this problem by including a grant entry
>
> grant codeBase "file:${catalina.home}/webapps/myapp/WEB-INF/struts.jar" {
>   permission java.security.AllPermission;
> };

Why isn't it in WEB-INF/lib ? That is probably why you had to add that grant 
entry as it isn't the usual place to store jar files.

Regards,
-- 
Jason Bainbridge
http://jblinux.org




RE: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Phillip Qin
Typo, it is WEB-INF/lib.

When there is no grant entry for this jar, tomcat throws
"NoClassDefFoundError".

-Original Message-
From: Jason Bainbridge [mailto:[EMAIL PROTECTED] 
Sent: June 23, 2003 2:44 PM
To: Tomcat Users List
Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

On Tue, 24 Jun 2003 02:41, Phillip Qin wrote:
> I solved this problem by including a grant entry
>
> grant codeBase "file:${catalina.home}/webapps/myapp/WEB-INF/struts.jar" {
>   permission java.security.AllPermission;
> };

Why isn't it in WEB-INF/lib ? That is probably why you had to add that grant

entry as it isn't the usual place to store jar files.

Regards,
-- 
Jason Bainbridge
http://jblinux.org



Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread John Turner
Good eye, Jason.

John

On Tue, 24 Jun 2003 02:43:59 +0800, Jason Bainbridge <[EMAIL PROTECTED]> 
wrote:

> On Tue, 24 Jun 2003 02:41, Phillip Qin wrote:
>> I solved this problem by including a grant entry
>>
>> grant codeBase "file:${catalina.home}/webapps/myapp/WEB-INF/struts.jar" {
>>   permission java.security.AllPermission;
>> };
>
> Why isn't it in WEB-INF/lib ? That is probably why you had to add that
> grant entry as it isn't the usual place to store jar files.
>
> Regards,




Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Jason Bainbridge
What other struts.jar files have you got laying around? Have you maybe got one 
in common/lib? I'm not sure why setting a grant like that would make a 
NoClassDefFoundError go away, maybe it tricks the classloader into looking at 
a specific class somehow.

Either way I don't think you have fixed the problem it just appears you 
have...

Regards,
-- 
Jason Bainbridge
http://jblinux.org

On Tue, 24 Jun 2003 02:46, Phillip Qin wrote:
> Typo, it is WEB-INF/lib.
>
> When there is no grant entry for this jar, tomcat throws
> "NoClassDefFoundError".
>
> -Original Message-
> From: Jason Bainbridge [mailto:[EMAIL PROTECTED]
> Sent: June 23, 2003 2:44 PM
> To: Tomcat Users List
> Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError
>
> On Tue, 24 Jun 2003 02:41, Phillip Qin wrote:
> > I solved this problem by including a grant entry
> >
> > grant codeBase "file:${catalina.home}/webapps/myapp/WEB-INF/struts.jar" {
> >   permission java.security.AllPermission;
> > };
>
> Why isn't it in WEB-INF/lib ? That is probably why you had to add that
> grant
>
> entry as it isn't the usual place to store jar files.
>
> Regards,





RE: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Shapira, Yoav

Howdy,
The curious part about the stack trace is the doPrivileged throwing the exception.  
Are you using JAAS or a custom realm to do your authentication?  If so, are you sure 
this realm is properly configured?

Yoav Shapira
Millennium ChemInformatics


>-Original Message-
>From: Jason Bainbridge [mailto:[EMAIL PROTECTED]
>Sent: Monday, June 23, 2003 2:53 PM
>To: Tomcat Users List
>Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError
>
>What other struts.jar files have you got laying around? Have you maybe got
>one
>in common/lib? I'm not sure why setting a grant like that would make a
>NoClassDefFoundError go away, maybe it tricks the classloader into looking
>at
>a specific class somehow.
>
>Either way I don't think you have fixed the problem it just appears you
>have...
>
>Regards,
>--
>Jason Bainbridge
>http://jblinux.org
>
>On Tue, 24 Jun 2003 02:46, Phillip Qin wrote:
>> Typo, it is WEB-INF/lib.
>>
>> When there is no grant entry for this jar, tomcat throws
>> "NoClassDefFoundError".
>>
>> -Original Message-
>> From: Jason Bainbridge [mailto:[EMAIL PROTECTED]
>> Sent: June 23, 2003 2:44 PM
>> To: Tomcat Users List
>> Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError
>>
>> On Tue, 24 Jun 2003 02:41, Phillip Qin wrote:
>> > I solved this problem by including a grant entry
>> >
>> > grant codeBase "file:${catalina.home}/webapps/myapp/WEB-INF/struts.jar" {
>> >   permission java.security.AllPermission;
>> > };
>>
>> Why isn't it in WEB-INF/lib ? That is probably why you had to add that
>> grant
>>
>> entry as it isn't the usual place to store jar files.
>>
>> Regards,
>
>



Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread John Turner
NoClassDefFound is not the same as ClassNotFound...NoClassDefFound 
typically means Tomcat is confused about which class you want it to use.  I 
agree with Jason, I think you have a couple struts.jar files around, and 
Tomcat isn't sure which one to use.

John

On Mon, 23 Jun 2003 14:46:44 -0400, Phillip Qin 
<[EMAIL PROTECTED]> wrote:

> Typo, it is WEB-INF/lib.
>
> When there is no grant entry for this jar, tomcat throws
> "NoClassDefFoundError".
>
> -Original Message-
> From: Jason Bainbridge [mailto:[EMAIL PROTECTED]
> Sent: June 23, 2003 2:44 PM
> To: Tomcat Users List
> Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError
>
> On Tue, 24 Jun 2003 02:41, Phillip Qin wrote:
>> I solved this problem by including a grant entry
>>
>> grant codeBase "file:${catalina.home}/webapps/myapp/WEB-INF/struts.jar" {
>>   permission java.security.AllPermission;
>> };
>
> Why isn't it in WEB-INF/lib ? That is probably why you had to add that
> grant entry as it isn't the usual place to store jar files.
>
> Regards,




RE: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Phillip Qin
1. There is no struts installation at all outside Catalina directories on
this production box.
2. There are two webapps using struts, but struts.jars are located in
webapps/myapp1/WEB-INF/lib and webapps/myapp2/WEB-INF/lib respectively.
3. No environment variables set for struts.jars so I assume tomcat
classloader should take care of them.

To Yoav:

I start Tomcat with -security option. Tomcat will use Catalina.policy to
manage the permissions. I don't use JAAS or realm at all (realms were
cleaned up in server.xml).

-Original Message-
From: John Turner [mailto:[EMAIL PROTECTED] 
Sent: June 23, 2003 3:01 PM
To: Tomcat Users List
Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError


NoClassDefFound is not the same as ClassNotFound...NoClassDefFound 
typically means Tomcat is confused about which class you want it to use.  I 
agree with Jason, I think you have a couple struts.jar files around, and 
Tomcat isn't sure which one to use.

John

On Mon, 23 Jun 2003 14:46:44 -0400, Phillip Qin 
<[EMAIL PROTECTED]> wrote:

> Typo, it is WEB-INF/lib.
>
> When there is no grant entry for this jar, tomcat throws
> "NoClassDefFoundError".
>
> -Original Message-
> From: Jason Bainbridge [mailto:[EMAIL PROTECTED] Sent: June 23, 2003 
> 2:44 PM
> To: Tomcat Users List
> Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError
>
> On Tue, 24 Jun 2003 02:41, Phillip Qin wrote:
>> I solved this problem by including a grant entry
>>
>> grant codeBase "file:${catalina.home}/webapps/myapp/WEB-INF/struts.jar" 
>> {
>>   permission java.security.AllPermission;
>> };
>
> Why isn't it in WEB-INF/lib ? That is probably why you had to add that 
> grant
>
> entry as it isn't the usual place to store jar files.
>
> Regards,





RE: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Shapira, Yoav

Howdy,
Is your catalina.policy the default or modified?

Yoav Shapira
Millennium ChemInformatics


>-Original Message-
>From: Phillip Qin [mailto:[EMAIL PROTECTED]
>Sent: Monday, June 23, 2003 3:10 PM
>To: 'Tomcat Users List'
>Subject: RE: [REPOST]Tomcat with security manager + NoClassDefFoundError
>
>1. There is no struts installation at all outside Catalina directories on
>this production box.
>2. There are two webapps using struts, but struts.jars are located in
>webapps/myapp1/WEB-INF/lib and webapps/myapp2/WEB-INF/lib respectively.
>3. No environment variables set for struts.jars so I assume tomcat
>classloader should take care of them.
>
>To Yoav:
>
>I start Tomcat with -security option. Tomcat will use Catalina.policy to
>manage the permissions. I don't use JAAS or realm at all (realms were
>cleaned up in server.xml).
>
>-Original Message-
>From: John Turner [mailto:[EMAIL PROTECTED]
>Sent: June 23, 2003 3:01 PM
>To: Tomcat Users List
>Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError
>
>
>NoClassDefFound is not the same as ClassNotFound...NoClassDefFound
>typically means Tomcat is confused about which class you want it to use.  I
>agree with Jason, I think you have a couple struts.jar files around, and
>Tomcat isn't sure which one to use.
>
>John
>
>On Mon, 23 Jun 2003 14:46:44 -0400, Phillip Qin
><[EMAIL PROTECTED]> wrote:
>
>> Typo, it is WEB-INF/lib.
>>
>> When there is no grant entry for this jar, tomcat throws
>> "NoClassDefFoundError".
>>
>> -Original Message-
>> From: Jason Bainbridge [mailto:[EMAIL PROTECTED] Sent: June 23, 2003
>> 2:44 PM
>> To: Tomcat Users List
>> Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError
>>
>> On Tue, 24 Jun 2003 02:41, Phillip Qin wrote:
>>> I solved this problem by including a grant entry
>>>
>>> grant codeBase "file:${catalina.home}/webapps/myapp/WEB-INF/struts.jar"
>>> {
>>>   permission java.security.AllPermission;
>>> };
>>
>> Why isn't it in WEB-INF/lib ? That is probably why you had to add that
>> grant
>>
>> entry as it isn't the usual place to store jar files.
>>
>> Regards,
>
>
>



RE: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Phillip Qin
I even deleted server/webapps which contains struts.jar for admin
application.

To Yoav:

I modified Catalina default policy file to allow log4j writing to files and
myapps sending out emails and connecting to credit card processing company.

-Original Message-
From: Jason Bainbridge [mailto:[EMAIL PROTECTED] 
Sent: June 23, 2003 2:53 PM
To: Tomcat Users List
Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

What other struts.jar files have you got laying around? Have you maybe got
one 
in common/lib? I'm not sure why setting a grant like that would make a 
NoClassDefFoundError go away, maybe it tricks the classloader into looking
at 
a specific class somehow.

Either way I don't think you have fixed the problem it just appears you 
have...

Regards,
-- 
Jason Bainbridge
http://jblinux.org

On Tue, 24 Jun 2003 02:46, Phillip Qin wrote:
> Typo, it is WEB-INF/lib.
>
> When there is no grant entry for this jar, tomcat throws
> "NoClassDefFoundError".
>
> -Original Message-
> From: Jason Bainbridge [mailto:[EMAIL PROTECTED]
> Sent: June 23, 2003 2:44 PM
> To: Tomcat Users List
> Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError
>
> On Tue, 24 Jun 2003 02:41, Phillip Qin wrote:
> > I solved this problem by including a grant entry
> >
> > grant codeBase "file:${catalina.home}/webapps/myapp/WEB-INF/struts.jar" {
> >   permission java.security.AllPermission;
> > };
>
> Why isn't it in WEB-INF/lib ? That is probably why you had to add that
> grant
>
> entry as it isn't the usual place to store jar files.
>
> Regards,




Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Jason Bainbridge
Was just doing a bit of reading:

http://jakarta.apache.org/struts/userGuide/installation.html

Running Struts Applications Under A Security Manager

Many application servers execute web applications under the control of a Java 
security manager, with restricted permissions on what classes in the web 
application can do. If you utilize form beans with mapped properties, you may 
encounter security exceptions unless you add the following permission to the 
set of permissions granted to your Struts application's codebase:

permission java.lang.RuntimePermission "accessDeclaredMembers";

It still seems strange though that it was throwing a NoClassDefFoundError, can 
you maybe try the above as an alternative fix and see if that resolves the 
problem?

Regards,
-- 
Jason Bainbridge
http://jblinux.org

On Tue, 24 Jun 2003 03:30, Phillip Qin wrote:
> I even deleted server/webapps which contains struts.jar for admin
> application.
>
> To Yoav:
>
> I modified Catalina default policy file to allow log4j writing to files and
> myapps sending out emails and connecting to credit card processing company.
>
> -Original Message-
> From: Jason Bainbridge [mailto:[EMAIL PROTECTED]
> Sent: June 23, 2003 2:53 PM
> To: Tomcat Users List
> Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError
>
> What other struts.jar files have you got laying around? Have you maybe got
> one
> in common/lib? I'm not sure why setting a grant like that would make a
> NoClassDefFoundError go away, maybe it tricks the classloader into looking
> at
> a specific class somehow.
>
> Either way I don't think you have fixed the problem it just appears you
> have...
>
> Regards,




RE: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Phillip Qin
I have already added that one, plus

- ReflectPermission "suppressAccessChecks" for a commons-beanutils bug
- FilePermission for log4j

-Original Message-
From: Jason Bainbridge [mailto:[EMAIL PROTECTED] 
Sent: June 23, 2003 3:48 PM
To: Tomcat Users List
Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

Was just doing a bit of reading:

http://jakarta.apache.org/struts/userGuide/installation.html

Running Struts Applications Under A Security Manager

Many application servers execute web applications under the control of a
Java 
security manager, with restricted permissions on what classes in the web 
application can do. If you utilize form beans with mapped properties, you
may 
encounter security exceptions unless you add the following permission to the

set of permissions granted to your Struts application's codebase:

permission java.lang.RuntimePermission "accessDeclaredMembers";

It still seems strange though that it was throwing a NoClassDefFoundError,
can 
you maybe try the above as an alternative fix and see if that resolves the 
problem?

Regards,
-- 
Jason Bainbridge
http://jblinux.org

On Tue, 24 Jun 2003 03:30, Phillip Qin wrote:
> I even deleted server/webapps which contains struts.jar for admin
> application.
>
> To Yoav:
>
> I modified Catalina default policy file to allow log4j writing to files and
> myapps sending out emails and connecting to credit card processing company.
>
> -Original Message-
> From: Jason Bainbridge [mailto:[EMAIL PROTECTED]
> Sent: June 23, 2003 2:53 PM
> To: Tomcat Users List
> Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError
>
> What other struts.jar files have you got laying around? Have you maybe got
> one
> in common/lib? I'm not sure why setting a grant like that would make a
> NoClassDefFoundError go away, maybe it tricks the classloader into looking
> at
> a specific class somehow.
>
> Either way I don't think you have fixed the problem it just appears you
> have...
>
> Regards,



Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Jean-Francois Arcand
Hi,

that's a bug in Tomcat. You should not receive that exception, which 
means that the classloader is unable to load some package protected 
classes. The 
org/apache/coyote/tomcat4/CoyoteRequest$PrivilegedGetSession needs to be 
loaded when Tomcat starts, not when you do your first invocation (Tomcat 
5 handles the current case).

Which Tomcat version are you using (4.1.?)?

-- Jeanfrancois

Phillip Qin wrote:

>I have already added that one, plus
>
>- ReflectPermission "suppressAccessChecks" for a commons-beanutils bug
>- FilePermission for log4j
>
>-Original Message-
>From: Jason Bainbridge [mailto:[EMAIL PROTECTED]
>Sent: June 23, 2003 3:48 PM
>To: Tomcat Users List
>Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError
>
>Was just doing a bit of reading:
>
>http://jakarta.apache.org/struts/userGuide/installation.html
>
>Running Struts Applications Under A Security Manager
>
>Many application servers execute web applications under the control of a Java
>security manager, with restricted permissions on what classes in the web
>application can do. If you utilize form beans with mapped properties, you may
>encounter security exceptions unless you add the following permission to the
>set of permissions granted to your Struts application's codebase:
>
>permission java.lang.RuntimePermission "accessDeclaredMembers";
>
>It still seems strange though that it was throwing a NoClassDefFoundError, can
>you maybe try the above as an alternative fix and see if that resolves the
>problem?
>
>Regards,
 





RE: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Phillip Qin
Apache 2.0.46, tomcat 4.1.24 and jk2 connector, struts-1.1-rc2

In my original posting, I said I am frustrated because,

- if I start index.jsp first which is simply a meta refresh, I didn't
receive the exception, and then I can access .../mylink.do?... from browser.
- if I access .../mylink.do?... first, I got this error.

I looked into catalina.out, there was no permission exception.
 
-Original Message-
From: Jean-Francois Arcand [mailto:[EMAIL PROTECTED] 
Sent: June 23, 2003 4:42 PM
To: Tomcat Users List
Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

Hi,

that's a bug in Tomcat. You should not receive that exception, which 
means that the classloader is unable to load some package protected 
classes. The 
org/apache/coyote/tomcat4/CoyoteRequest$PrivilegedGetSession needs to be 
loaded when Tomcat starts, not when you do your first invocation (Tomcat 
5 handles the current case).

Which Tomcat version are you using (4.1.?)?

-- Jeanfrancois

Phillip Qin wrote:

>I have already added that one, plus
>
>- ReflectPermission "suppressAccessChecks" for a commons-beanutils bug
>- FilePermission for log4j
>
>-Original Message-
>From: Jason Bainbridge [mailto:[EMAIL PROTECTED] 
>Sent: June 23, 2003 3:48 PM
>To: Tomcat Users List
>Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError
>
>Was just doing a bit of reading:
>
>http://jakarta.apache.org/struts/userGuide/installation.html
>
>Running Struts Applications Under A Security Manager
>
>Many application servers execute web applications under the control of a
>Java 
>security manager, with restricted permissions on what classes in the web 
>application can do. If you utilize form beans with mapped properties, you
>may 
>encounter security exceptions unless you add the following permission to the
>
>set of permissions granted to your Struts application's codebase:
>
>permission java.lang.RuntimePermission "accessDeclaredMembers";
>
>It still seems strange though that it was throwing a NoClassDefFoundError,
>can 
>you maybe try the above as an alternative fix and see if that resolves the 
>problem?
>
>Regards,
>  
>

