RE: security permissions
The program is called WEKA; it's a Java application that runs data through machine learning algorithms. I am trying to write the output of that program into a file. The OS I am running is XP Professional.

Thanks in advance
Andrea Powles

Mark Thomas [EMAIL PROTECTED] wrote:

OK. Next set of questions:
- which program?
- what is the server OS?

From: Andrea Powles [mailto:[EMAIL PROTECTED]]

I'm wanting to run the program on the server. When I start up Tomcat with the -security option Tomcat doesn't start up? This is the case even when I take out my modifications to the policy file. When I don't use the -security option Tomcat runs fine but I am unable to execute another program from my webapp. Anyone have an idea as to why not?
RE: security permissions
The exec() method should be OK then. Try doing things through a batch file - this often overcomes a number of Windows niggles. Also, have a look at the source for the CGI servlet - this is essentially running an app on the server but doing some other things as well.

Mark

-Original Message-
From: Andrea Powles [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 20, 2004 10:32 AM
To: Tomcat Users List
Subject: RE: security permissions

The program is called WEKA; it's a Java application that runs data through machine learning algorithms. I am trying to write the output of that program into a file. The OS I am running is XP Professional.

Thanks in advance
Andrea Powles

Mark Thomas [EMAIL PROTECTED] wrote:

OK. Next set of questions:
- which program?
- what is the server OS?

From: Andrea Powles [mailto:[EMAIL PROTECTED]]

I'm wanting to run the program on the server. When I start up Tomcat with the -security option Tomcat doesn't start up? This is the case even when I take out my modifications to the policy file. When I don't use the -security option Tomcat runs fine but I am unable to execute another program from my webapp. Anyone have an idea as to why not?
RE: security permissions
OK. Next set of questions:
- which program?
- what is the server OS?

From: Andrea Powles [mailto:[EMAIL PROTECTED]]

I'm wanting to run the program on the server. When I start up Tomcat with the -security option Tomcat doesn't start up? This is the case even when I take out my modifications to the policy file. When I don't use the -security option Tomcat runs fine but I am unable to execute another program from my webapp. Anyone have an idea as to why not?
RE: security permissions
Hi,

I'm wanting to run the program on the server. When I start up Tomcat with the -security option Tomcat doesn't start up? This is the case even when I take out my modifications to the policy file. When I don't use the -security option Tomcat runs fine but I am unable to execute another program from my webapp. Anyone have an idea as to why not?

Thanks in advance
Andrea Powles

Mark Thomas [EMAIL PROTECTED] wrote:

Where are you trying to run the external program? On the Tomcat server or on the client talking to the server?

If on the server try:
- testing it without the security manager

If on the client:
- The browser security model will not allow this at all unless the applet/JavaScript is signed.
- If you use vbscript on IE, the browser will let unsigned code do it but requires the user to acknowledge the risk before running the app.

Mark

-Original Message-
From: Andrea Powles [mailto:[EMAIL PROTECTED]]
Sent: Saturday, April 17, 2004 7:43 AM
To: Tomcat Users List
Subject: Re: security permissions

Thanks, I tried this but it doesn't seem to work, don't know what I'm doing wrong?

Andrea Powles

Jeanfrancois Arcand [EMAIL PROTECTED] wrote:

Andrea Powles wrote:

> Hi Tomcat users,
> I wish for one of my web apps in Tomcat to execute another program on my computer using the exec method. I know that I can't currently do this due to the security restrictions. I have tried changing the Catalina policy file but I'm unsure of exactly what to do so it didn't work. Can someone please advise me of exactly what I need to add or modify in order for my web app to have all permissions. I am aware of the security risks but at this stage it is more important that I get my application to work. My web app runs as a servlet and is in a web app directory called ruddis.

try the following in catalina.policy:

    // These permissions apply only to your application
    grant codeBase "file:${catalina.home}/webapps/your webapp/-" {
        permission java.security.AllPermission;
    };

-- Jeanfrancois

> Thanks in advance
> Andrea Powles
Re: security permissions
Thanks, I tried this but it doesn't seem to work, don't know what I'm doing wrong?

Andrea Powles

Jeanfrancois Arcand [EMAIL PROTECTED] wrote:

Andrea Powles wrote:

> Hi Tomcat users,
> I wish for one of my web apps in Tomcat to execute another program on my computer using the exec method. I know that I can't currently do this due to the security restrictions. I have tried changing the Catalina policy file but I'm unsure of exactly what to do so it didn't work. Can someone please advise me of exactly what I need to add or modify in order for my web app to have all permissions. I am aware of the security risks but at this stage it is more important that I get my application to work. My web app runs as a servlet and is in a web app directory called ruddis.

try the following in catalina.policy:

    // These permissions apply only to your application
    grant codeBase "file:${catalina.home}/webapps/your webapp/-" {
        permission java.security.AllPermission;
    };

-- Jeanfrancois

> Thanks in advance
> Andrea Powles
RE: security permissions
Where are you trying to run the external program? On the Tomcat server or on the client talking to the server?

If on the server try:
- testing it without the security manager

If on the client:
- The browser security model will not allow this at all unless the applet/JavaScript is signed.
- If you use vbscript on IE, the browser will let unsigned code do it but requires the user to acknowledge the risk before running the app.

Mark

-Original Message-
From: Andrea Powles [mailto:[EMAIL PROTECTED]]
Sent: Saturday, April 17, 2004 7:43 AM
To: Tomcat Users List
Subject: Re: security permissions

Thanks, I tried this but it doesn't seem to work, don't know what I'm doing wrong?

Andrea Powles

Jeanfrancois Arcand [EMAIL PROTECTED] wrote:

Andrea Powles wrote:

> Hi Tomcat users,
> I wish for one of my web apps in Tomcat to execute another program on my computer using the exec method. I know that I can't currently do this due to the security restrictions. I have tried changing the Catalina policy file but I'm unsure of exactly what to do so it didn't work. Can someone please advise me of exactly what I need to add or modify in order for my web app to have all permissions. I am aware of the security risks but at this stage it is more important that I get my application to work. My web app runs as a servlet and is in a web app directory called ruddis.

try the following in catalina.policy:

    // These permissions apply only to your application
    grant codeBase "file:${catalina.home}/webapps/your webapp/-" {
        permission java.security.AllPermission;
    };

-- Jeanfrancois

> Thanks in advance
> Andrea Powles
Re: security permissions
Andrea Powles wrote:

> Hi Tomcat users,
> I wish for one of my web apps in Tomcat to execute another program on my computer using the exec method. I know that I can't currently do this due to the security restrictions. I have tried changing the Catalina policy file but I'm unsure of exactly what to do so it didn't work. Can someone please advise me of exactly what I need to add or modify in order for my web app to have all permissions. I am aware of the security risks but at this stage it is more important that I get my application to work. My web app runs as a servlet and is in a web app directory called ruddis.

try the following in catalina.policy:

    // These permissions apply only to your application
    grant codeBase "file:${catalina.home}/webapps/your webapp/-" {
        permission java.security.AllPermission;
    };

-- Jeanfrancois

> Thanks in advance
> Andrea Powles
security permissions
Hi Tomcat users,

I wish for one of my web apps in Tomcat to execute another program on my computer using the exec method. I know that I can't currently do this due to the security restrictions. I have tried changing the Catalina policy file but I'm unsure of exactly what to do so it didn't work. Can someone please advise me of exactly what I need to add or modify in order for my web app to have all permissions. I am aware of the security risks but at this stage it is more important that I get my application to work. My web app runs as a servlet and is in a web app directory called ruddis.

Thanks in advance
Andrea Powles
security permissions war files
Hi,

I'm having a hard time with the security permissions for a webapp using Tomcat 4.1.30. The application needs to write files to the java.io.tmp directory and it works fine in the first scenario (without a war file) but in the second scenario I keep getting:

    java.security.AccessControlException: access denied ...

For both scenarios, I have a MyApp.xml file in the webapps directory which contains a context fragment. The java.io.tmp is the default catalina_home/temp and it's been chmod to 777.

The first scenario works:

1) I set the docBase in the context fragment to /www and unzip the MyApp.war file in /www
2) I edit conf/catalina.policy and add:

    grant codeBase "file:/www/WEB-INF/classes/-" {
        permission java.security.AllPermission;
    };
    grant codeBase "file:/www/WEB-INF/lib/*" {
        permission java.security.AllPermission;
    };

The second scenario does not work:

1) I set the docBase in the context fragment to /www/MyApp.war and place the MyApp.war file in /www
2) I edit conf/catalina.policy, remove the above from the first scenario and add:

    grant codeBase "file:/www/MyApp.war" {
        permission java.security.AllPermission;
    };

I've been trying all sorts of other possibilities based on what I found in various user Google searches - I can't seem to find a decent example or any further detail on how this is supposed to work. Even the O'Reilly Tomcat book doesn't cover this very well.

Any help would be appreciated.

Thanks,
Hollister
Re: War files / codeBase and security permissions (v4.0.4)
You should not have to make any changes to policy files for this to work. It is Tomcat itself that is unpacking the WAR files--so assigning permissions to the WAR file itself won't do anything.

What does your server.xml file look like? How did you determine that WAR files weren't automatically being unpacked? What error did you see?

Sean Dockery
[EMAIL PROTECTED]
Certified Java Web Component Developer
Certified Delphi Programmer
SBD Consultants
http://www.sbdconsultants.com

- Original Message -
From: Kenneth J Baker [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Saturday, February 08, 2003 21:13
Subject: War files / codeBase and security permissions (v4.0.4)

I'm deploying a war file with unpackWARs=false. I am trying to grant permissions to this war in 04webapps.policy. Here is what I've tried...

Given the examples this is what I would expect to work but doesn't:

    grant codeBase "file:${catalina.home}/webapps/iface.war!/-" {
        permission java.security.AllPermission;
    };

This doesn't work (but works if unpackWARs=true):

    grant codeBase "file:${catalina.home}/webapps/iface/-" {
        permission java.security.AllPermission;
    };

This works because this is where tomcat extracts the war to (with unpackWARs set to false):

    grant codeBase "file:${catalina.home}/work/Standalone/localhost/iface/-" {
        permission java.security.AllPermission;
    };

What is the correct way to specify permissions to give to a war file?

Thanks,
Ken
War files / codeBase and security permissions (v4.0.4)
I'm deploying a war file with unpackWARs=false. I am trying to grant permissions to this war in 04webapps.policy. Here is what I've tried...

Given the examples this is what I would expect to work but doesn't:

    grant codeBase "file:${catalina.home}/webapps/iface.war!/-" {
        permission java.security.AllPermission;
    };

This doesn't work (but works if unpackWARs=true):

    grant codeBase "file:${catalina.home}/webapps/iface/-" {
        permission java.security.AllPermission;
    };

This works because this is where tomcat extracts the war to (with unpackWARs set to false):

    grant codeBase "file:${catalina.home}/work/Standalone/localhost/iface/-" {
        permission java.security.AllPermission;
    };

What is the correct way to specify permissions to give to a war file?

Thanks,
Ken
Re: Granting security permissions not working
In Tomcat 4.0 the URL used for the codeBase for jar files located in /WEB-INF/lib starts with jar:file:..., your grant below starts with file:

Those are two different codeBases! The SecurityManager is very picky about where code comes from when granting permissions, the URL must start with the exact same text.

Regards,
Glenn

[EMAIL PROTECTED] wrote:

I am not able to grant security permissions on individual jar files. Can someone tell me what I'm doing wrong? In my policy file (CATALINA_HOME/conf/catalina.policy) I have the following setting:

    grant codeBase "file:${catalina.home}/-" {
        permission java.security.AllPermission;
    };

I would think this would grant all permissions to all jar files, classes, etc under the catalina directory, including webapps' classes/jars. However, I keep getting the following (I set security debug output according to the following -- java.security.debug=access,failure):

    access: access denied (java.util.PropertyPermission log4j.defaultInitOverride read)
    java.lang.Exception: Stack trace
        at java.lang.Thread.dumpStack(Thread.java:1071)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:259)
        at java.security.AccessController.checkPermission(AccessController.java:401)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
        at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1291)
        at java.lang.System.getProperty(System.java:611)
        at org.apache.log4j.helpers.OptionConverter.getSystemProperty(OptionConverter.java:92)
        at org.apache.log4j.LogManager.<clinit>(LogManager.java:117)
        at org.apache.log4j.Logger.getLogger(Logger.java:85)
        at com.cssc.security.CognisecAuthFilter$1.run(CognisecAuthFilter.java:85)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.cssc.security.CognisecAuthFilter.<clinit>(CognisecAuthFilter.java:83)
        ...
    access: domain that failed ProtectionDomain (jar:file:C:/tomcat/webapps/cssc/WEB-INF/lib/log4j-1.2.6.jar!/org/apache/log4j/helpers/OptionConverter.class no certificates)
    WebappClassLoader
      available: Extension[Struts Framework, implementationVendor=Apache Software Foundation, implementationVendorId=org.apache, implementationVersion=1.0.2, specificationVendor=Apache Software Foundation, specificationVersion=1.0]
      delegate: false
      repositories:
        /WEB-INF/classes/
      required:
    -- Parent Classloader:
    + other stuff.

What gives? I don't understand why this is not working. Please help!

Running Tomcat 4.0.4, J2SDK 1.4.0, on a winxp box

Thanks,
John
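Glenn's point about jar:file: versus file: codeBases can be reproduced with java.security.CodeSource.implies(), the JDK method that compares a grant's codeBase with a code location. This is an added example, not code from the thread or from Tomcat; C:/tomcat stands in for ${catalina.home}, the WEB-INF/classes location is constructed, and any normalisation a policy provider applies before the comparison is not modelled.

```java
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;

public class CodeBaseMatch {

    // True when a grant whose codeBase is grantUrl covers code located at codeUrl.
    // Certificates are null on both sides, as for a grant without signedBy.
    static boolean covers(String grantUrl, String codeUrl) throws Exception {
        CodeSource grant = new CodeSource(new URL(grantUrl), (Certificate[]) null);
        CodeSource code = new CodeSource(new URL(codeUrl), (Certificate[]) null);
        return grant.implies(code);
    }

    static void report(String label, String grantUrl, String codeUrl) throws Exception {
        System.out.println(label);
        System.out.println("  grant codeBase : " + grantUrl);
        System.out.println("  code location  : " + codeUrl);
        System.out.println("  covered        : " + covers(grantUrl, codeUrl));
    }

    public static void main(String[] args) throws Exception {
        // Assumption: ${catalina.home} expands to C:/tomcat, as in the debug output.
        String home = "C:/tomcat";
        String jar = home + "/webapps/cssc/WEB-INF/lib/log4j-1.2.6.jar";

        // Location printed in the "domain that failed" line of the debug output.
        String failed = "jar:file:" + jar
                + "!/org/apache/log4j/helpers/OptionConverter.class";

        // Constructed file: location for a class under WEB-INF/classes.
        String classesDir = "file:" + home + "/webapps/cssc/WEB-INF/classes/";
        String webappClass = classesDir + "com/cssc/security/CognisecAuthFilter.class";

        // The catch-all grant from the original question.
        report("1. file: grant on catalina.home vs. class inside a WEB-INF/lib jar",
                "file:" + home + "/-", failed);

        // The narrower per-webapp grant tried later in the thread.
        report("2. file: grant on the webapp directory vs. the same class",
                "file:" + home + "/webapps/cssc/-", failed);

        // A grant written with the same jar:file: prefix as the failing domain.
        report("3. jar:file: grant naming the jar vs. the same class",
                "jar:file:" + jar + "!/-", failed);

        // file: grant against a file: location, for comparison.
        report("4. file: grant on WEB-INF/classes vs. a file: class location",
                classesDir + "-", webappClass);
    }
}
```

Cases 1 and 2 are reported as not covered because implies() requires the grant and the code location to use the same URL scheme before it compares paths; cases 3 and 4 are covered.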
RE: Granting security permissions not working
Hi:

Is it possible that you're running into case-sensitivity or path-separator problems? The following is from a policy file included in a Sun product:

     * Note: ExecOptionPermission uses String.equals() for equality comparisons,
     * so the values of these permissions are case sensitive. For example, the
     * following two permissions are not equal:
     *    com.sun.rmi.rmid.ExecOptionPermission
     *        C:\jini1_2\lib\sharedvm.jar
     *    com.sun.rmi.rmid.ExecOptionPermission
     *        c:\jini1_2\lib\sharedvm.jar
     *    [Note the case of the drive letters.]
     * This subtlety can occur, for example, when the com.sun.jini.jsk.home
     * property is set to c:\..., but the service starter
     * framework, which uses File.getCanonicalFile() to build its command
     * environment, ends up returning C:\... on certain platforms.
     *

If you're on Windows, you might also need to use the backslash as the path separator. I'm not sure if Tomcat's class loader uses the standard policy file reader or not, but with the standard security manager, you need to escape the backslashes (double-backslashes), as in:

    permission java.io.FilePermission "d:\\windows\\temp\\-", "read,write,execute,delete";

Cheers,

Greg Trasuk, President
StratusCom Manufacturing Systems Inc. - We use information technology to solve business problems on your plant floor.
http://stratuscom.ca

-Original Message-
From: John Pelly [mailto:[EMAIL PROTECTED]]
Sent: November 18, 2002 22:19
To: 'Tomcat Users List'; 'David Wall'
Subject: RE: Granting security permissions not working

Thank you for your suggestions. See my comments below:

> First, ensure you are running with the -security option that turns on Tomcat with the security manager installed. Often you need to modify the

I am definitely running with the -security option. I have double-checked that it's in my start.bat script in the bin/ directory and I see the statement "Using Security Manager" on the tomcat console. Plus, when running with -Djava.security.debug=access,failure, I see permissions checking etc. going on.

> Second, you are granting your permissions far too low on the file path. At the very least, consider something like
> grant codeBase "file:${catalina.base}/webapps/yourappname/-" {

The grant that I described there was a last-ditch desperate attempt to cover everything with AllPermission. I had previously tried granting on the individual .jar files, on the webapps directory, on my specific webapps directory, etc. I've tried every conceivable known permutation. Regardless, I did as you suggested and put the grant back on the specific webapp directory (using the - at the end)... No luck.

> Third, are you actually running multiple instances in which your catalina.base is different than your catalina.home? If so,

I'm only running one instance of tomcat. I'm not sure where/how catalina.base gets set, but I have a good feeling that the actual policy file is being read b/c if I remove that policy file then everything goes nuts.

One interesting thing is that I can grant access in the general grant { ... } clause (no specific codeBase specified... Just the default for all webapps), and things will work fine. However, I don't want to grant access to all webapps, I only want to grant access to a particular webapp/jar file.

Basically, it looks like grant entries on codebases under the webapps directory are *completely ignored*. No matter what I grant on a particular webapp (using grant codeBase "file:${catalina.base}/webapps/appname/-" { perms }), nothing takes effect at all.

I can verify this by looking at debug output (setting java.debug.security=policy,access,failure) -- when it prints the Protection Domain that failed the access call, I can clearly see that *no permissions* are granted to the jar files under that webapp/codebase besides the default jndi and file read permissions. If I want any permissions to apply, I have to grant them generally in the grant { ... } clause (no codeBase). Obviously, this is not desired behavior.

It looks like there could be a bug in the Tomcat policy management?

JP
Re: Granting security permissions not working
On Win32, the forward slash works as well. For example,

    grant codebase "file://drive name:/-" {

Pae

- Original Message -
From: Greg Trasuk [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Wednesday, November 20, 2002 5:05 AM
Subject: RE: Granting security permissions not working

Hi:

Is it possible that you're running into case-sensitivity or path-separator problems? The following is from a policy file included in a Sun product:

     * Note: ExecOptionPermission uses String.equals() for equality comparisons,
     * so the values of these permissions are case sensitive. For example, the
     * following two permissions are not equal:
     *    com.sun.rmi.rmid.ExecOptionPermission
     *        C:\jini1_2\lib\sharedvm.jar
     *    com.sun.rmi.rmid.ExecOptionPermission
     *        c:\jini1_2\lib\sharedvm.jar
     *    [Note the case of the drive letters.]
     * This subtlety can occur, for example, when the com.sun.jini.jsk.home
     * property is set to c:\..., but the service starter
     * framework, which uses File.getCanonicalFile() to build its command
     * environment, ends up returning C:\... on certain platforms.
     *

If you're on Windows, you might also need to use the backslash as the path separator. I'm not sure if Tomcat's class loader uses the standard policy file reader or not, but with the standard security manager, you need to escape the backslashes (double-backslashes), as in:

    permission java.io.FilePermission "d:\\windows\\temp\\-", "read,write,execute,delete";

Cheers,

Greg Trasuk, President
StratusCom Manufacturing Systems Inc. - We use information technology to solve business problems on your plant floor.
http://stratuscom.ca

-Original Message-
From: John Pelly [mailto:[EMAIL PROTECTED]]
Sent: November 18, 2002 22:19
To: 'Tomcat Users List'; 'David Wall'
Subject: RE: Granting security permissions not working

Thank you for your suggestions. See my comments below:

> First, ensure you are running with the -security option that turns on Tomcat with the security manager installed. Often you need to modify the

I am definitely running with the -security option. I have double-checked that it's in my start.bat script in the bin/ directory and I see the statement "Using Security Manager" on the tomcat console. Plus, when running with -Djava.security.debug=access,failure, I see permissions checking etc. going on.

> Second, you are granting your permissions far too low on the file path. At the very least, consider something like
> grant codeBase "file:${catalina.base}/webapps/yourappname/-" {

The grant that I described there was a last-ditch desperate attempt to cover everything with AllPermission. I had previously tried granting on the individual .jar files, on the webapps directory, on my specific webapps directory, etc. I've tried every conceivable known permutation. Regardless, I did as you suggested and put the grant back on the specific webapp directory (using the - at the end)... No luck.

> Third, are you actually running multiple instances in which your catalina.base is different than your catalina.home? If so,

I'm only running one instance of tomcat. I'm not sure where/how catalina.base gets set, but I have a good feeling that the actual policy file is being read b/c if I remove that policy file then everything goes nuts.

One interesting thing is that I can grant access in the general grant { ... } clause (no specific codeBase specified... Just the default for all webapps), and things will work fine. However, I don't want to grant access to all webapps, I only want to grant access to a particular webapp/jar file.

Basically, it looks like grant entries on codebases under the webapps directory are *completely ignored*. No matter what I grant on a particular webapp (using grant codeBase "file:${catalina.base}/webapps/appname/-" { perms }), nothing takes effect at all.

I can verify this by looking at debug output (setting java.debug.security=policy,access,failure) -- when it prints the Protection Domain that failed the access call, I can clearly see that *no permissions* are granted to the jar files under that webapp/codebase besides the default jndi and file read permissions. If I want any permissions to apply, I have to grant them generally in the grant { ... } clause (no codeBase). Obviously, this is not desired behavior.

It looks like there could be a bug in the Tomcat policy management?

JP
RE: Granting security permissions not working
Thank you for your suggestions. See my comments below:

> First, ensure you are running with the -security option that turns on Tomcat with the security manager installed. Often you need to modify the

I am definitely running with the -security option. I have double-checked that it's in my start.bat script in the bin/ directory and I see the statement "Using Security Manager" on the tomcat console. Plus, when running with -Djava.security.debug=access,failure, I see permissions checking etc. going on.

> Second, you are granting your permissions far too low on the file path. At the very least, consider something like
> grant codeBase "file:${catalina.base}/webapps/yourappname/-" {

The grant that I described there was a last-ditch desperate attempt to cover everything with AllPermission. I had previously tried granting on the individual .jar files, on the webapps directory, on my specific webapps directory, etc. I've tried every conceivable known permutation. Regardless, I did as you suggested and put the grant back on the specific webapp directory (using the - at the end)... No luck.

> Third, are you actually running multiple instances in which your catalina.base is different than your catalina.home? If so,

I'm only running one instance of tomcat. I'm not sure where/how catalina.base gets set, but I have a good feeling that the actual policy file is being read b/c if I remove that policy file then everything goes nuts.

One interesting thing is that I can grant access in the general grant { ... } clause (no specific codeBase specified... Just the default for all webapps), and things will work fine. However, I don't want to grant access to all webapps, I only want to grant access to a particular webapp/jar file.

Basically, it looks like grant entries on codebases under the webapps directory are *completely ignored*. No matter what I grant on a particular webapp (using grant codeBase "file:${catalina.base}/webapps/appname/-" { perms }), nothing takes effect at all.

I can verify this by looking at debug output (setting java.debug.security=policy,access,failure) -- when it prints the Protection Domain that failed the access call, I can clearly see that *no permissions* are granted to the jar files under that webapp/codebase besides the default jndi and file read permissions. If I want any permissions to apply, I have to grant them generally in the grant { ... } clause (no codeBase). Obviously, this is not desired behavior.

It looks like there could be a bug in the Tomcat policy management?

JP
Granting security permissions not working
I am not able to grant security permissions on individual jar files. Can someone tell me what I'm doing wrong? In my policy file (CATALINA_HOME/conf/catalina.policy) I have the following setting:

    grant codeBase "file:${catalina.home}/-" {
        permission java.security.AllPermission;
    };

I would think this would grant all permissions to all jar files, classes, etc under the catalina directory, including webapps' classes/jars. However, I keep getting the following (I set security debug output according to the following -- java.security.debug=access,failure):

    access: access denied (java.util.PropertyPermission log4j.defaultInitOverride read)
    java.lang.Exception: Stack trace
        at java.lang.Thread.dumpStack(Thread.java:1071)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:259)
        at java.security.AccessController.checkPermission(AccessController.java:401)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
        at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1291)
        at java.lang.System.getProperty(System.java:611)
        at org.apache.log4j.helpers.OptionConverter.getSystemProperty(OptionConverter.java:92)
        at org.apache.log4j.LogManager.<clinit>(LogManager.java:117)
        at org.apache.log4j.Logger.getLogger(Logger.java:85)
        at com.cssc.security.CognisecAuthFilter$1.run(CognisecAuthFilter.java:85)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.cssc.security.CognisecAuthFilter.<clinit>(CognisecAuthFilter.java:83)
        ...
    access: domain that failed ProtectionDomain (jar:file:C:/tomcat/webapps/cssc/WEB-INF/lib/log4j-1.2.6.jar!/org/apache/log4j/helpers/OptionConverter.class no certificates)
    WebappClassLoader
      available: Extension[Struts Framework, implementationVendor=Apache Software Foundation, implementationVendorId=org.apache, implementationVersion=1.0.2, specificationVendor=Apache Software Foundation, specificationVersion=1.0]
      delegate: false
      repositories:
        /WEB-INF/classes/
      required:
    -- Parent Classloader:
    + other stuff.

What gives? I don't understand why this is not working. Please help!

Running Tomcat 4.0.4, J2SDK 1.4.0, on a winxp box

Thanks,
John
Re: Granting security permissions not working
> I am not able to grant security permissions on individual jar files. Can someone tell me what I'm doing wrong? In my policy file (CATALINA_HOME/conf/catalina.policy) I have the following setting:
>
>     grant codeBase "file:${catalina.home}/-" {
>         permission java.security.AllPermission;
>     };
>
> I would think this would grant all permissions to all jar files, classes, etc under the catalina directory, including webapps' classes/jars.

First, ensure you are running with the -security option that turns on Tomcat with the security manager installed. Often you need to modify the startup.sh script to include that option between 'start' and '$@'. In my TC 4.1.12 startup.sh, I have:

    exec "$PRGDIR"/"$EXECUTABLE" start -security "$@"

Second, you are granting your permissions far too low on the file path. At the very least, consider something like

    grant codeBase "file:${catalina.base}/webapps/yourappname/-" {

Third, are you actually running multiple instances in which your catalina.base is different than your catalina.home? If so, make sure you are modifying the right catalina.policy file (you want the one that's under your catalina.base, not the one under catalina.home). If you are only running a single instance of TC, though, then this should not be an issue.

Hope something here helps...

David Wall
www.yozons.com
Electronic signatures with secure document delivery
RE: Granting security permissions not working
Thank you for your suggestions. See my comments below:

> First, ensure you are running with the -security option that turns on Tomcat with the security manager installed. Often you need to modify the

I am definitely running with the -security option. I have double-checked that it's in my start.bat script in the bin/ directory and I see the statement Using Security Manager on the tomcat console. Plus, when running with -Djava.security.debug=access,failure, I see permissions checking etc. going on.

> Second, you are granting your permissions far too low on the file path. At the very least, consider something like
> grant codeBase "file:${catalina.base}/webapps/yourappname/-" {

The grant that I described there was a last-ditch desperate attempt to cover everything with AllPermission. I had previously tried granting on the individual .jar files, on the webapps directory, on my specific webapps directory, etc. I've tried every conceivable known permutation. Regardless, I did as you suggested and put the grant back on the specific webapp directory (using the - at the end)... No luck.

> Third, are you actually running multiple instances in which your catalina.base is different than your catalina.home? If so,

I'm only running one instance of tomcat. I'm not sure where/how catalina.base gets set, but I have a good feeling that the actual policy file is being read b/c if I remove that policy file then everything goes nuts.

One interesting thing is that I can grant access in the general grant { ... } clause (no specific codeBase specified... Just the default for all webapps), and things will work fine. However, I don't want to grant access to all webapps, I only want to grant access to a particular webapp/jar file.

Basically, it looks like grant entries on codebases under the webapps directory are *completely ignored*. No matter what I grant on a particular webapp (using grant codeBase file:${catalina.base}/webapps/appname/- { perms }), nothing takes effect at all. I can verify this by looking at debug output (setting java.debug.security=policy,access,failure) -- when it prints the Protection Domain that failed the access call, I can clearly see that *no permissions* are granted to the jar files under that webapp/codebase besides the default jndi and file read permissions. If I want any permissions to apply, I have to grant them generally in the grant { ... } clause (no codeBase).

Obviously, this is not desired behavior. It looks like there could be a bug in the Tomcat policy management?

JP
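Added example, not part of the thread and not Tomcat's code: the JDK's own java.security.CodeSource.implies() decides whether a grant's codeBase covers a class's code source, and it requires the URL protocols to be the same, so this program checks several candidate codeBase values against the jar: location printed in the "domain that failed" debug line earlier in the thread. The class name, the helper names and the hand-expanded C:/tomcat value for ${catalina.home} are assumptions made for the example.

```java
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;
import java.util.LinkedHashMap;
import java.util.Map;

public class CodeBaseMatch {
    // Location copied from the "domain that failed ProtectionDomain" debug line in the thread.
    static final String FAILED_DOMAIN =
        "jar:file:C:/tomcat/webapps/cssc/WEB-INF/lib/log4j-1.2.6.jar!"
        + "/org/apache/log4j/helpers/OptionConverter.class";

    // True if a grant with this codeBase would cover code whose CodeSource is 'location'.
    static boolean grantCovers(String codeBase, String location) throws Exception {
        // The cast picks the (URL, Certificate[]) constructor; null means unsigned code.
        CodeSource grant = new CodeSource(new URL(codeBase), (Certificate[]) null);
        CodeSource actual = new CodeSource(new URL(location), (Certificate[]) null);
        return grant.implies(actual);
    }

    // Evaluates each candidate codeBase against the failing domain, in order.
    static Map<String, Boolean> evaluate() throws Exception {
        // Assumption: ${catalina.home} expands to C:/tomcat, as the paths in the debug output suggest.
        String[] candidates = {
            "file:C:/tomcat/-",                                                // whole install
            "file:C:/tomcat/webapps/cssc/-",                                   // one webapp
            "file:C:/tomcat/webapps/cssc/WEB-INF/lib/log4j-1.2.6.jar",         // the jar as a file: URL
            "jar:file:C:/tomcat/webapps/cssc/WEB-INF/lib/log4j-1.2.6.jar!/-",  // entries inside the jar
        };
        Map<String, Boolean> result = new LinkedHashMap<>();
        for (String codeBase : candidates) {
            result.put(codeBase, grantCovers(codeBase, FAILED_DOMAIN));
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        for (Map.Entry<String, Boolean> e : evaluate().entrySet()) {
            System.out.printf("%-66s implies=%s%n", e.getKey(), e.getValue());
        }
    }
}
```

Running the same check against the location shown by -Djava.security.debug for a failing class tells you which codeBase spelling the policy entry needs before you restart the server.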
Re: Granting security permissions not working
I know it's not going to help you much or at all. And I am not certain what's going on with your side, but just FYI. I have tested the TC v4.1.12 with -security. And it runs fine on the WinNT. It has many security permissions in the catalina.policy, including own Web Apps, JAXM, AXIS, RMI stub downloading, blah, blah...

Pae