RE: security permissions

2004-04-20 Thread Andrea Powles
The program is called WEKA. It's a Java application that runs data through machine 
learning algorithms. I am trying to write the output of that program into a file.

The OS I am running is XP Professional.

Thanks in advance
Andrea Powles 

Mark Thomas [EMAIL PROTECTED] wrote:
 OK. Next set of questions:
 
 - which program?
 - what is the server OS? 
 
 From: Andrea Powles [mailto:[EMAIL PROTECTED] 
  I'm wanting to run the program on the server.
  
  When I start up Tomcat with the -security option Tomcat 
  doesn't start up? This is the case even when I take out my 
  modifications to the policy file. When I don't use the 
  -security option Tomcat runs fine but I am unable to execute 
  another program from my webapp. Anyone have an idea as to why not?
  
 
 
 
 -
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]




RE: security permissions

2004-04-20 Thread Mark Thomas
The exec() method should be OK then. Try doing things through a batch file -
this often overcomes a number of Windows niggles. Also, have a look at the
source for the CGI servlet - this is essentially running an app on the server but
doing some other things as well.

Mark

 -Original Message-
 From: Andrea Powles [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, April 20, 2004 10:32 AM
 To: Tomcat Users List
 Subject: RE: security permissions
 
 The program is called WEKA. It's a Java application that runs 
 data through machine learning algorithms. I am trying to write 
 the output of that program into a file.
 
 The OS I am running is XP Professional.
 
 Thanks in advance
 Andrea Powles 
 
 Mark Thomas [EMAIL PROTECTED] wrote:
  OK. Next set of questions:
  
  - which program?
  - what is the server OS? 
  
  From: Andrea Powles [mailto:[EMAIL PROTECTED] 
   I'm wanting to run the program on the server.
   
   When I start up Tomcat with the -security option Tomcat 
   doesn't start up? This is the case even when I take out my 
   modifications to the policy file. When I don't use the 
   -security option Tomcat runs fine but I am unable to execute 
   another program from my webapp. Anyone have an idea as to why not?
   
  
  
  
  
 
 






RE: security permissions

2004-04-19 Thread Mark Thomas
OK. Next set of questions:

- which program?
- what is the server OS? 

From: Andrea Powles [mailto:[EMAIL PROTECTED] 
 I'm wanting to run the program on the server.
 
 When I start up Tomcat with the -security option Tomcat 
 doesn't start up? This is the case even when I take out my 
 modifications to the policy file. When I don't use the 
 -security option Tomcat runs fine but I am unable to execute 
 another program from my webapp. Anyone have an idea as to why not?
 






RE: security permissions

2004-04-18 Thread Andrea Powles
Hi,

I'm wanting to run the program on the server.

When I start up Tomcat with the -security option Tomcat doesn't start up? This is the 
case even when I take out my modifications to the policy file. When I don't use the 
-security option Tomcat runs fine but I am unable to execute another program from my 
webapp. Anyone have an idea as to why not?

Thanks in advance
Andrea Powles


Mark Thomas [EMAIL PROTECTED] wrote:
 Where are you trying to run the external program? On the tomcat server or
 on the
 client talking to the server?
 
 If on the server try:
 - testing it without the security manager
 
 If on the client:
 - The browser security model will not allow this at all unless the
 applet/JavaScript is signed.
 - If you use vbscript on IE, the browser will let unsigned code do it but
 requires the user to acknowledge the risk before running the app.
 
 Mark 
 
  -Original Message-
  From: Andrea Powles [mailto:[EMAIL PROTECTED] 
  Sent: Saturday, April 17, 2004 7:43 AM
  To: Tomcat Users List
  Subject: Re: security permissions
  
  Thanks, I tried this but it doesn't seem to work, don't know 
  what I'm doing wrong?
  
  Andrea Powles
  
  Jeanfrancois Arcand [EMAIL PROTECTED] wrote:
  
   Andrea Powles wrote:
  
   Hi Tomcat users,
  
   I wish for one of my web apps in Tomcat to execute another 
   program on my computer using the exec method. I know that I 
   can't currently do this due to the security restrictions.
  
   I have tried changing the Catalina policy file but I'm 
   unsure of exactly what to do so it didn't work. Can someone 
   please advise me of exactly what I need to add or modify in 
   order for my web app to have all permissions.
  
   I am aware of the security risks but at this stage it is 
   more important that I get my application to work. My web app 
   runs as a servlet and is in a web app directory called ruddis.
  
   try the following in catalina.policy:
  
   // These permissions apply only to your application
   grant codeBase "file:${catalina.home}/webapps/your webapp/-" {
       permission java.security.AllPermission;
   };
  
   -- Jeanfrancois
  
   Thanks in advance
   Andrea Powles



Re: security permissions

2004-04-17 Thread Andrea Powles
Thanks, I tried this but it doesn't seem to work, don't know what I'm doing wrong?

Andrea Powles

Jeanfrancois Arcand [EMAIL PROTECTED] wrote:
 
 
 Andrea Powles wrote:
 
 Hi Tomcat users,
 
 I wish for one of my web apps in Tomcat to execute another program on my computer 
 using the exec method. I know that I can’t currently do this due to the security 
 restrictions.
 
 I have tried changing the Catalina policy file but I’m unsure of exactly what to do 
 so it didn’t work. Can someone please advise me of exactly what I need to add or 
 modify in order for my web app to have all permissions.
 
 I am aware of the security risks but at this stage it is more important that I get 
 my application to work. My web app runs as a servlet and is in a web app directory 
 called ruddis.
 
 try the following in catalina.policy:
 
  // These permissions apply only to your application
  grant codeBase "file:${catalina.home}/webapps/your webapp/-" {
      permission java.security.AllPermission;
  };
 
 -- Jeanfrancois
 
 Thanks in advance
 Andrea Powles
 
 



RE: security permissions

2004-04-17 Thread Mark Thomas
Where are you trying to run the external program? On the tomcat server or on the
client talking to the server?

If on the server try:
- testing it without the security manager

If on the client:
- The browser security model will not allow this at all unless the
applet/JavaScript is signed.
- If you use vbscript on IE, the browser will let unsigned code do it but
requires the user to acknowledge the risk before running the app.

Mark 

 -Original Message-
 From: Andrea Powles [mailto:[EMAIL PROTECTED] 
 Sent: Saturday, April 17, 2004 7:43 AM
 To: Tomcat Users List
 Subject: Re: security permissions
 
 Thanks, I tried this but it doesn't seem to work, don't know 
 what I'm doing wrong?
 
 Andrea Powles
 
 Jeanfrancois Arcand [EMAIL PROTECTED] wrote:
 
  Andrea Powles wrote:
 
  Hi Tomcat users,
 
  I wish for one of my web apps in Tomcat to execute another 
  program on my computer using the exec method. I know that I 
  can't currently do this due to the security restrictions.
 
  I have tried changing the Catalina policy file but I'm 
  unsure of exactly what to do so it didn't work. Can someone 
  please advise me of exactly what I need to add or modify in 
  order for my web app to have all permissions.
 
  I am aware of the security risks but at this stage it is 
  more important that I get my application to work. My web app 
  runs as a servlet and is in a web app directory called ruddis.
 
  try the following in catalina.policy:
 
  // These permissions apply only to your application
  grant codeBase "file:${catalina.home}/webapps/your webapp/-" {
      permission java.security.AllPermission;
  };
 
  -- Jeanfrancois
 
  Thanks in advance
  Andrea Powles



Re: security permissions

2004-04-16 Thread Jeanfrancois Arcand


Andrea Powles wrote:

Hi Tomcat users,

I wish for one of my web apps in Tomcat to execute another program on my computer using the exec method. I know that I can't currently do this due to the security restrictions. 

I have tried changing the Catalina policy file but I'm unsure of exactly what to do so it didn't work. Can someone please advise me of exactly what I need to add or modify in order for my web app to have all permissions. 

I am aware of the security risks but at this stage it is more important that I get my application to work. My web app runs as a servlet and is in a web app directory called ruddis.

try the following in catalina.policy:

// These permissions apply only to your application
grant codeBase "file:${catalina.home}/webapps/your webapp/-" {
    permission java.security.AllPermission;
};


-- Jeanfrancois

Thanks in advance 
Andrea Powles



security permissions

2004-04-15 Thread Andrea Powles
Hi Tomcat users,

I wish for one of my web apps in Tomcat to execute another program on my computer 
using the exec method. I know that I can’t currently do this due to the security 
restrictions. 

I have tried changing the Catalina policy file but I’m unsure of exactly what to do so 
it didn’t work. Can someone please advise me of exactly what I need to add or modify 
in order for my web app to have all permissions. 

I am aware of the security risks but at this stage it is more important that I get my 
application to work. My web app runs as a servlet and is in a web app directory called 
ruddis.

Thanks in advance 
Andrea Powles





security permissions war files

2004-03-19 Thread Hollister Scholte
Hi,

I'm having a hard time with the security permissions for a webapp using 
tomcat 4.1.30.
The application needs to write files to the java.io.tmp directory and it 
works fine in the first scenario ( without a war file ) but in the 
second scenario I keep getting:
java.security.AccessControlException: access denied ...

For both scenarios, I have a MyApp.xml file in the webapps directory 
which contains a context fragment. The java.io.tmp is the default 
catalina_home/temp and it's been chmod to 777.

The first scenario works:
1) I set the docBase in the context fragment to /www and unzip the 
MyApp.war file in /www
2) I edit conf/catalina.policy and add:

grant codeBase "file:/www/WEB-INF/classes/-" {
 permission java.security.AllPermission;
};
grant codeBase "file:/www/WEB-INF/lib/*" {
 permission java.security.AllPermission;
};

The second scenario does not work:
1) I set the docBase in the context fragment to /www/MyApp.war and 
place the MyApp.war file in /www
2) I edit conf/catalina.policy, remove the above from the first 
scenario and add:

grant codeBase "file:/www/MyApp.war" {
 permission java.security.AllPermission;
};

I've been trying all sorts of other possibilities based on what I found 
in various user google searches - I can't seem to find a decent example 
or any further detail on how this is supposed to work.
Even the O'Reilly Tomcat book doesn't cover this very well.

Any help would be appreciated.

Thanks,

Hollister











Re: War files / codeBase and security permissions (v4.0.4)

2003-02-09 Thread Sean Dockery
You should not have to make any changes to policy files for this to work.
It is Tomcat itself that is unpacking the WAR files--so assigning
permissions to the WAR file itself won't do anything.  What does your
server.xml file look like?  How did you determine that WAR files weren't
automatically being unpacked?  What error did you see?

Sean Dockery
[EMAIL PROTECTED]
Certified Java Web Component Developer
Certified Delphi Programmer
SBD Consultants
http://www.sbdconsultants.com

- Original Message -
From: Kenneth J Baker [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Saturday, February 08, 2003 21:13
Subject: War files / codeBase and security permissions (v4.0.4)



 I'm deploying a war file with unpackWARs=false.  I am trying to grant
 permissions to this war in 04webapps.policy.

 Here is what I've tried...

 Given the examples this is what I would expect to work but doesn't:
 grant codeBase "file:${catalina.home}/webapps/iface.war!/-" {
     permission java.security.AllPermission;
 };


 This doesn't work (but works if unpackWARs=true):
 grant codeBase "file:${catalina.home}/webapps/iface/-" {
     permission java.security.AllPermission;
 };


 This works because this is where tomcat extracts the war to (with
 unpackWARs set to false)
 grant codeBase "file:${catalina.home}/work/Standalone/localhost/iface/-" {
     permission java.security.AllPermission;
 };


 What is the correct way to specify permissions to give to a war file?

 Thanks,
 Ken






War files / codeBase and security permissions (v4.0.4)

2003-02-08 Thread Kenneth J Baker

I'm deploying a war file with unpackWARs=false.  I am trying to grant
permissions to this war in 04webapps.policy.

Here is what I've tried...

Given the examples this is what I would expect to work but doesn't:
grant codeBase "file:${catalina.home}/webapps/iface.war!/-" {
    permission java.security.AllPermission;
};


This doesn't work (but works if unpackWARs=true):
grant codeBase "file:${catalina.home}/webapps/iface/-" {
    permission java.security.AllPermission;
};


This works because this is where tomcat extracts the war to (with unpackWARs set to 
false)
grant codeBase "file:${catalina.home}/work/Standalone/localhost/iface/-" {
    permission java.security.AllPermission;
};


What is the correct way to specify permissions to give to a war file?

Thanks,
Ken






Re: Granting security permissions not working

2002-11-27 Thread Glenn Nielsen
In Tomcat 4.0 the URL used for the codeBase for jar files located in
/WEB-INF/lib starts with "jar:file:..."; your grant below starts
with "file:". Those are two different codeBases!  The SecurityManager
is very picky about where code comes from when granting permissions,
the URL must start with the exact same text.

Regards,

Glenn

[EMAIL PROTECTED] wrote:

I am not able to grant security permissions on individual jar files. Can
someone tell me what I'm doing wrong?

In my policy file (CATALINA_HOME/conf/catalina.policy) I have the
following setting:

grant codeBase "file:${catalina.home}/-" {
	permission java.security.AllPermission;
};

I would think this would grant all permissions to all jar files,
classes, etc under the catalina directory, including webapps'
classes/jars. However, I keep getting the following (I set security
debug output according to the following --
java.security.debug=access,failure):

access: access denied (java.util.PropertyPermission log4j.defaultInitOverride read)
java.lang.Exception: Stack trace
	at java.lang.Thread.dumpStack(Thread.java:1071)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:259)
	at java.security.AccessController.checkPermission(AccessController.java:401)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
	at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1291)
	at java.lang.System.getProperty(System.java:611)
	at org.apache.log4j.helpers.OptionConverter.getSystemProperty(OptionConverter.java:92)
	at org.apache.log4j.LogManager.<clinit>(LogManager.java:117)
	at org.apache.log4j.Logger.getLogger(Logger.java:85)
	at com.cssc.security.CognisecAuthFilter$1.run(CognisecAuthFilter.java:85)
	at java.security.AccessController.doPrivileged(Native Method)
	at com.cssc.security.CognisecAuthFilter.<clinit>(CognisecAuthFilter.java:83)
...

access: domain that failed ProtectionDomain (jar:file:C:/tomcat/webapps/cssc/WEB-INF/lib/log4j-1.2.6.jar!/org/apache/log4j/helpers/OptionConverter.class no certificates)
 WebappClassLoader
  available:
Extension[Struts Framework, implementationVendor=Apache Software
Foundation, implementationVendorId=org.apache,
implementationVersion=1.0.2, specificationVendor=Apache Software
Foundation, specificationVersion=1.0]
  delegate: false
  repositories:
/WEB-INF/classes/
  required:
-- Parent Classloader:

+ other stuff.

What gives? I don't understand why this is not working. Please help!

Running Tomcat 4.0.4, J2SDK 1.4.0, on a winxp box

Thanks,
John







RE: Granting security permissions not working

2002-11-20 Thread Greg Trasuk
Hi:

Is it possible that you're running into case-sensitivity or path-separator
problems?  The following is from a policy file included in a Sun product:

 * Note: ExecOptionPermission uses String.equals() for equality comparisons,
 * so the values of these permissions are case sensitive. For example, the
 * following two permissions are not equal:
 *com.sun.rmi.rmid.ExecOptionPermission
 *   C:\jini1_2\lib\sharedvm.jar
 *com.sun.rmi.rmid.ExecOptionPermission
 *   c:\jini1_2\lib\sharedvm.jar
 *[Note the case of the drive letters.]
 * This subtlety can occur, for example, when the com.sun.jini.jsk.home
 * property is set to c:\..., but the service starter
 * framework, which uses File.getCanonicalFile() to build its command
 * environment, ends up returning C:\... on certain platforms.
 *

If you're on Windows, you might also need to use the backslash as the path
separator.  I'm not sure if Tomcat's class loader uses the standard policy
file reader or not, but with the standard security manager, you need to
escape the backslashes (double-backslashes), as in:

permission java.io.FilePermission "d:\\windows\\temp\\-", "read,write,execute,delete";


Cheers,

Greg Trasuk, President
StratusCom Manufacturing Systems Inc. - We use information technology to
solve business problems on your plant floor.
http://stratuscom.ca

-Original Message-
From: John Pelly [mailto:[EMAIL PROTECTED]]
Sent: November 18, 2002 22:19
To: 'Tomcat Users List'; 'David Wall'
Subject: RE: Granting security permissions not working


Thank you for your suggestions. See my comments below:

 First, ensure you are running with the -security option that
 turns on Tomcat
 with the security manager installed.  Often you need to modify the

I am definitely running with the -security option. I have
double-checked
that it's in my start.bat script in the bin/ directory and I see the
statement Using Security Manager on the tomcat console. Plus, when
running with -Djava.security.debug=access,failure, I see permissions
checking etc. going on.

 Second, you are granting your permissions far too low on the
 file path.  At
 the very least, consider something like

 grant codeBase "file:${catalina.base}/webapps/yourappname/-" {

The grant that I described there was a last-ditch desperate attempt to
cover everything with AllPermission. I had previously tried granting on
the individual .jar files, on the webapps directory, on my specific
webapps directory, etc. I've tried every conceivable known permutation.
Regardless, I did as you suggested and put the grant back on the
specific webapp directory (using the - at the end)... No luck.


 Third, are you actually running multiple instances in which your
 catalina.base is different than your catalina.home?  If so,

I'm only running one instance of tomcat. I'm not sure where/how
catalina.base gets set, but I have a good feeling that the
actual policy
file is being read b/c if I remove that policy file then
everything goes
nuts.

One interesting thing is that I can grant access in the general grant {
... } clause (no specific codeBase specified... Just the
default for all
webapps), and things will work fine. However, I don't want to grant
access to all webapps, I only want to grant access to a particular
webapp/jar file.

Basically, it looks like grant entries on codebase's under the webapps
directory are *completely ignored*. No matter what I grant on a
particular webapp (using grant codeBase
file:${catalina.base}/webapps/appname/- { perms }), nothing takes
effect at all. I can verify this by looking at debug output (setting
java.debug.security=policy,access,failure) -- when it prints the
Protection Domain that failed the access call, I can clearly see that
*no permissions* are granted to the jar files under that
webapp/codebase
besides the default jndi and file read permissions. If I want any
permissions to apply, I have to grant them generally in the grant { ...
} clause (no codeBase).

Obviously, this is not desired behavior. It looks like there could be a
bug in the Tomcat policy management?

JP
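
The codeBase matching that Glenn Nielsen describes above, and the drive-letter case sensitivity Greg Trasuk raises, can be checked directly with java.security.CodeSource.implies(); this is an added example, not code from any poster in the thread. It shows a "file:" grant failing to cover a class loaded from a "jar:file:" location. The class name CodeBaseMatch, the helper grantCovers and the sample paths are assumptions constructed from the debug output quoted in the thread, and the URLs are compared as written, without any normalisation a policy provider might apply first.

```java
import java.net.URI;
import java.security.CodeSource;
import java.security.cert.Certificate;

/**
 * Added example (not from the thread): tests whether a "grant codeBase" URL
 * covers the location a class was loaded from, using CodeSource.implies().
 * Assumption: URLs are compared exactly as written; a policy provider may
 * normalise locations before this comparison, which is not modelled here.
 */
public class CodeBaseMatch {

    /** True when a grant on grantCodeBase implies code loaded from loadedFrom. */
    static boolean grantCovers(String grantCodeBase, String loadedFrom) throws Exception {
        CodeSource grant =
            new CodeSource(URI.create(grantCodeBase).toURL(), (Certificate[]) null);
        CodeSource actual =
            new CodeSource(URI.create(loadedFrom).toURL(), (Certificate[]) null);
        return grant.implies(actual);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample locations, modelled on the "domain that failed"
        // debug line quoted in the thread.
        String inJar = "jar:file:/C:/tomcat/webapps/cssc/WEB-INF/lib/log4j-1.2.6.jar!/"
                     + "org/apache/log4j/helpers/OptionConverter.class";
        String inClasses = "file:/C:/tomcat/webapps/cssc/WEB-INF/classes/Example.class";

        String[][] cases = {
            // { grant codeBase, location of the loaded class }

            // Broad "file:" grant against a class inside a jar: the protocols
            // differ ("file" vs "jar"), so the grant does not apply.
            {"file:/C:/tomcat/-", inJar},

            // Grant written with the same "jar:file:" prefix as the loaded code.
            {"jar:file:/C:/tomcat/webapps/cssc/WEB-INF/lib/log4j-1.2.6.jar!/-", inJar},

            // Directory grant against an unpacked class under WEB-INF/classes.
            {"file:/C:/tomcat/webapps/cssc/-", inClasses},

            // Same grant with a lower-case drive letter: the path prefix is
            // compared as a string, so it no longer matches.
            {"file:/c:/tomcat/webapps/cssc/-", inClasses},
        };

        for (String[] c : cases) {
            System.out.printf("%-5b grant %s%n      code  %s%n",
                              grantCovers(c[0], c[1]), c[0], c[1]);
        }
    }
}
```

Running the same comparison against the location printed by java.security.debug=access,failure tells you which codeBase prefix a narrow grant has to use, which avoids falling back to an unscoped grant { ... } block.
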






Re: Granting security permissions not working

2002-11-20 Thread Pae Choi
On Win32, the forward slash works as well. For example,

grant codebase "file://drive name:/-" {



Pae

- Original Message -
From: Greg Trasuk [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Wednesday, November 20, 2002 5:05 AM
Subject: RE: Granting security permissions not working


 Hi:

 Is it possible that you're running into case-sensitivity or path-separator
 problems?  The following is from a policy file included in a Sun product:

  * Note: ExecOptionPermission uses String.equals() for equality
comparisons,
  * so the values of these permissions are case sensitive. For example, the
  * following two permissions are not equal:
  *com.sun.rmi.rmid.ExecOptionPermission
  *   C:\jini1_2\lib\sharedvm.jar
  *com.sun.rmi.rmid.ExecOptionPermission
  *   c:\jini1_2\lib\sharedvm.jar
  *[Note the case of the drive letters.]
  * This subtlety can occur, for example, when the com.sun.jini.jsk.home
  * property is set to c:\..., but the service starter
  * framework, which uses File.getCanonicalFile() to build its command
  * environment, ends up returning C:\... on certain platforms.
  *

 If you're on Windows, you might also need to use the backslash as the path
 separator.  I'm not sure if Tomcat's class loader uses the standard policy
 file reader or not, but with the standard security manager, you need to
 escape the backslashes (double-backslashes), as in:

 permission java.io.FilePermission "d:\\windows\\temp\\-", "read,write,execute,delete";


 Cheers,

 Greg Trasuk, President
 StratusCom Manufacturing Systems Inc. - We use information technology to
 solve business problems on your plant floor.
 http://stratuscom.ca

 -Original Message-
 From: John Pelly [mailto:[EMAIL PROTECTED]]
 Sent: November 18, 2002 22:19
 To: 'Tomcat Users List'; 'David Wall'
 Subject: RE: Granting security permissions not working
 
 
 Thank you for your suggestions. See my comments below:
 
  First, ensure you are running with the -security option that
  turns on Tomcat
  with the security manager installed.  Often you need to modify the
 
 I am definitely running with the -security option. I have
 double-checked
 that it's in my start.bat script in the bin/ directory and I see the
 statement Using Security Manager on the tomcat console. Plus, when
 running with -Djava.security.debug=access,failure, I see permissions
 checking etc. going on.
 
  Second, you are granting your permissions far too low on the
  file path.  At
  the very least, consider something like
 
  grant codeBase "file:${catalina.base}/webapps/yourappname/-" {
 
 The grant that I described there was a last-ditch desperate attempt to
 cover everything with AllPermission. I had previously tried granting on
 the individual .jar files, on the webapps directory, on my specific
 webapps directory, etc. I've tried every conceivable known permutation.
 Regardless, I did as you suggested and put the grant back on the
 specific webapp directory (using the - at the end)... No luck.
 
 
  Third, are you actually running multiple instances in which your
  catalina.base is different than your catalina.home?  If so,
 
 I'm only running one instance of tomcat. I'm not sure where/how
 catalina.base gets set, but I have a good feeling that the
 actual policy
 file is being read b/c if I remove that policy file then
 everything goes
 nuts.
 
 One interesting thing is that I can grant access in the general grant {
 ... } clause (no specific codeBase specified... Just the
 default for all
 webapps), and things will work fine. However, I don't want to grant
 access to all webapps, I only want to grant access to a particular
 webapp/jar file.
 
 Basically, it looks like grant entries on codebase's under the webapps
 directory are *completely ignored*. No matter what I grant on a
 particular webapp (using grant codeBase
 file:${catalina.base}/webapps/appname/- { perms }), nothing takes
 effect at all. I can verify this by looking at debug output (setting
 java.debug.security=policy,access,failure) -- when it prints the
 Protection Domain that failed the access call, I can clearly see that
 *no permissions* are granted to the jar files under that
 webapp/codebase
 besides the default jndi and file read permissions. If I want any
 permissions to apply, I have to grant them generally in the grant { ...
 } clause (no codeBase).
 
 Obviously, this is not desired behavior. It looks like there could be a
 bug in the Tomcat policy management?
 
 JP
 
 




RE: Granting security permissions not working

2002-11-19 Thread John Pelly
Thank you for your suggestions. See my comments below:

 First, ensure you are running with the -security option that 
 turns on Tomcat
 with the security manager installed.  Often you need to modify the

I am definitely running with the -security option. I have double-checked
that it's in my start.bat script in the bin/ directory and I see the
statement Using Security Manager on the tomcat console. Plus, when
running with -Djava.security.debug=access,failure, I see permissions
checking etc. going on.

 Second, you are granting your permissions far too low on the 
 file path.  At
 the very least, consider something like
 
 grant codeBase "file:${catalina.base}/webapps/yourappname/-" {

The grant that I described there was a last-ditch desperate attempt to
cover everything with AllPermission. I had previously tried granting on
the individual .jar files, on the webapps directory, on my specific
webapps directory, etc. I've tried every conceivable known permutation.
Regardless, I did as you suggested and put the grant back on the
specific webapp directory (using the - at the end)... No luck.

 
 Third, are you actually running multiple instances in which your
 catalina.base is different than your catalina.home?  If so, 

I'm only running one instance of tomcat. I'm not sure where/how
catalina.base gets set, but I have a good feeling that the actual policy
file is being read b/c if I remove that policy file then everything goes
nuts.

One interesting thing is that I can grant access in the general grant {
... } clause (no specific codeBase specified... Just the default for all
webapps), and things will work fine. However, I don't want to grant
access to all webapps, I only want to grant access to a particular
webapp/jar file.

Basically, it looks like grant entries on codebase's under the webapps
directory are *completely ignored*. No matter what I grant on a
particular webapp (using grant codeBase
file:${catalina.base}/webapps/appname/- { perms }), nothing takes
effect at all. I can verify this by looking at debug output (setting
java.debug.security=policy,access,failure) -- when it prints the
Protection Domain that failed the access call, I can clearly see that
*no permissions* are granted to the jar files under that webapp/codebase
besides the default jndi and file read permissions. If I want any
permissions to apply, I have to grant them generally in the grant { ...
} clause (no codeBase). 

Obviously, this is not desired behavior. It looks like there could be a
bug in the Tomcat policy management?

JP






Granting security permissions not working

2002-11-18 Thread tc
I am not able to grant security permissions on individual jar files. Can
someone tell me what I'm doing wrong?

In my policy file (CATALINA_HOME/conf/catalina.policy) I have the
following setting:

grant codeBase "file:${catalina.home}/-" {
    permission java.security.AllPermission;
};

I would think this would grant all permissions to all jar files,
classes, etc under the catalina directory, including webapps'
classes/jars. However, I keep getting the following (I set security
debug output according to the following --
java.security.debug=access,failure):

access: access denied (java.util.PropertyPermission log4j.defaultInitOverride read)
java.lang.Exception: Stack trace
	at java.lang.Thread.dumpStack(Thread.java:1071)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:259)
	at java.security.AccessController.checkPermission(AccessController.java:401)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
	at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1291)
	at java.lang.System.getProperty(System.java:611)
	at org.apache.log4j.helpers.OptionConverter.getSystemProperty(OptionConverter.java:92)
	at org.apache.log4j.LogManager.<clinit>(LogManager.java:117)
	at org.apache.log4j.Logger.getLogger(Logger.java:85)
	at com.cssc.security.CognisecAuthFilter$1.run(CognisecAuthFilter.java:85)
	at java.security.AccessController.doPrivileged(Native Method)
	at com.cssc.security.CognisecAuthFilter.<clinit>(CognisecAuthFilter.java:83)
...

access: domain that failed ProtectionDomain (jar:file:C:/tomcat/webapps/cssc/WEB-INF/lib/log4j-1.2.6.jar!/org/apache/log4j/helpers/OptionConverter.class no certificates)
 WebappClassLoader
  available:
Extension[Struts Framework, implementationVendor=Apache Software
Foundation, implementationVendorId=org.apache,
implementationVersion=1.0.2, specificationVendor=Apache Software
Foundation, specificationVersion=1.0]
  delegate: false
  repositories:
/WEB-INF/classes/
  required:
-- Parent Classloader:

+ other stuff.

What gives? I don't understand why this is not working. Please help!

Running Tomcat 4.0.4, J2SDK 1.4.0, on a winxp box

Thanks,
John







Re: Granting security permissions not working

2002-11-18 Thread David Wall
 I am not able to grant security permissions on individual jar files. Can
 someone tell me what I'm doing wrong?

 In my policy file (CATALINA_HOME/conf/catalina.policy) I have the
 following setting:

 grant codeBase "file:${catalina.home}/-" {
     permission java.security.AllPermission;
 };

 I would think this would grant all permissions to all jar files,
 classes, etc under the catalina directory, including webapps'
 classes/jars.

First, ensure you are running with the -security option that turns on Tomcat
with the security manager installed.  Often you need to modify the
startup.sh script to include that option between 'start' and '$@'.  In my
TC 4.1.12 startup.sh, I have:

exec "$PRGDIR"/"$EXECUTABLE" start -security "$@"

Second, you are granting your permissions far too low on the file path.  At
the very least, consider something like

grant codeBase "file:${catalina.base}/webapps/yourappname/-" {

Third, are you actually running multiple instances in which your
catalina.base is different than your catalina.home?  If so, make sure you
are modifying the right catalina.policy file (you want the one that's under
your catalina.base, not the one under catalina.home).  If you are only
running a single instance of TC, though, then this should not be an issue.

Hope something here helps...

David Wall
www.yozons.com Electronic signatures with secure document delivery






RE: Granting security permissions not working

2002-11-18 Thread tc
Thank you for your suggestions. See my comments below:

 First, ensure you are running with the -security option that 
 turns on Tomcat
 with the security manager installed.  Often you need to modify the

I am definitely running with the -security option. I have double-checked
that it's in my start.bat script in the bin/ directory and I see the
statement "Using Security Manager" on the tomcat console. Plus, when
running with -Djava.security.debug=access,failure, I see permissions
checking etc. going on.

 Second, you are granting your permissions far too low on the 
 file path.  At
 the very least, consider something like
 
 grant codeBase "file:${catalina.base}/webapps/yourappname/-" {

The grant that I described there was a last-ditch desperate attempt to
cover everything with AllPermission. I had previously tried granting on
the individual .jar files, on the webapps directory, on my specific
webapps directory, etc. I've tried every conceivable known permutation.
Regardless, I did as you suggested and put the grant back on the
specific webapp directory (using the - at the end)... No luck.

 
 Third, are you actually running multiple instances in which your
 catalina.base is different than your catalina.home?  If so, 

I'm only running one instance of tomcat. I'm not sure where/how
catalina.base gets set, but I have a good feeling that the actual policy
file is being read b/c if I remove that policy file then everything goes
nuts.

One interesting thing is that I can grant access in the general grant {
... } clause (no specific codeBase specified... Just the default for all
webapps), and things will work fine. However, I don't want to grant
access to all webapps, I only want to grant access to a particular
webapp/jar file.

Basically, it looks like grant entries on codebases under the webapps
directory are *completely ignored*. No matter what I grant on a
particular webapp (using grant codeBase
file:${catalina.base}/webapps/appname/- { perms }), nothing takes
effect at all. I can verify this by looking at debug output (setting
java.debug.security=policy,access,failure) -- when it prints the
Protection Domain that failed the access call, I can clearly see that
*no permissions* are granted to the jar files under that webapp/codebase
besides the default jndi and file read permissions. If I want any
permissions to apply, I have to grant them generally in the grant { ...
} clause (no codeBase). 

Obviously, this is not desired behavior. It looks like there could be a
bug in the Tomcat policy management?

JP
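
The failing ProtectionDomain in the original post has a jar:file:...!/... location, while every grant tried in the thread uses a file: codeBase. As an added example (not code from the thread or from Tomcat), this Java program uses java.security.CodeSource.implies, the JDK's codeBase comparison, to check whether a grant covers a given location. Assumptions: the URLs are constructed from the paths in the debug output, the jar: grant is a hypothetical variant to test, and a policy provider may normalise locations before comparing.

```java
import java.net.URI;
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;

public class CodeBaseMatch {

    // Unsigned CodeSource: what a grant without a signedBy clause describes.
    static CodeSource source(String url) throws Exception {
        URL location = URI.create(url).toURL();
        return new CodeSource(location, (Certificate[]) null);
    }

    // True when a grant on grantCodeBase covers code loaded from loadedFrom.
    static boolean covers(String grantCodeBase, String loadedFrom) throws Exception {
        return source(grantCodeBase).implies(source(loadedFrom));
    }

    public static void main(String[] args) throws Exception {
        // Constructed from the paths in the debug output (written as file:/C:/...).
        String jar = "file:/C:/tomcat/webapps/cssc/WEB-INF/lib/log4j-1.2.6.jar";
        String classInJar = "jar:" + jar + "!/org/apache/log4j/helpers/OptionConverter.class";

        String[] grants = {
            "file:/C:/tomcat/-",                 // whole install, as in the first post
            "file:/C:/tomcat/webapps/cssc/-",    // one webapp, as suggested in the reply
            "jar:" + jar + "!/-",                // hypothetical jar: form of the grant
        };
        String[] locations = { jar, classInJar };

        // Print one result per grant/location pair.
        for (String grant : grants) {
            for (String location : locations) {
                System.out.printf("%-6b grant %s%n       code  %s%n",
                        covers(grant, location), grant, location);
            }
        }
    }
}
```

After an exact-match check, implies compares the URL protocol first, so a file: grant and a jar: location never match in this raw comparison regardless of the path.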






Re: Granting security permissions not working

2002-11-18 Thread Pae Choi
I know it's not going to help you much or at all. And I am not
certain what's going on with your side, but just FYI. I have
tested the TC v4.1.12 with -security. And it runs fine on
the WinNT.

It has many security permissions in the catalina.policy, including
own Web Apps, JAXM, AXIS, RMI stub downloading, blah, blah...


Pae

 Thank you for your suggestions. See my comments below:

  First, ensure you are running with the -security option that
  turns on Tomcat
  with the security manager installed.  Often you need to modify the

 I am definitely running with the -security option. I have double-checked
 that it's in my start.bat script in the bin/ directory and I see the
 statement "Using Security Manager" on the tomcat console. Plus, when
 running with -Djava.security.debug=access,failure, I see permissions
 checking etc. going on.

  Second, you are granting your permissions far too low on the
  file path.  At
  the very least, consider something like
 
  grant codeBase "file:${catalina.base}/webapps/yourappname/-" {

 The grant that I described there was a last-ditch desperate attempt to
 cover everything with AllPermission. I had previously tried granting on
 the individual .jar files, on the webapps directory, on my specific
 webapps directory, etc. I've tried every conceivable known permutation.
 Regardless, I did as you suggested and put the grant back on the
 specific webapp directory (using the - at the end)... No luck.

 
  Third, are you actually running multiple instances in which your
  catalina.base is different than your catalina.home?  If so,

 I'm only running one instance of tomcat. I'm not sure where/how
 catalina.base gets set, but I have a good feeling that the actual policy
 file is being read b/c if I remove that policy file then everything goes
 nuts.

 One interesting thing is that I can grant access in the general grant {
 ... } clause (no specific codeBase specified... Just the default for all
 webapps), and things will work fine. However, I don't want to grant
 access to all webapps, I only want to grant access to a particular
 webapp/jar file.

 Basically, it looks like grant entries on codebases under the webapps
 directory are *completely ignored*. No matter what I grant on a
 particular webapp (using grant codeBase
 file:${catalina.base}/webapps/appname/- { perms }), nothing takes
 effect at all. I can verify this by looking at debug output (setting
 java.debug.security=policy,access,failure) -- when it prints the
 Protection Domain that failed the access call, I can clearly see that
 *no permissions* are granted to the jar files under that webapp/codebase
 besides the default jndi and file read permissions. If I want any
 permissions to apply, I have to grant them generally in the grant { ...
 } clause (no codeBase).

 Obviously, this is not desired behavior. It looks like there could be a
 bug in the Tomcat policy management?

 JP




