Solution to Problem with Java Security Manager

2008-05-09 Thread Jonathan O'Donovan
Hi All - 

I found a solution to the problem I was experiencing - I changed the following 
in my JavaHome\jre\lib\security\java.policy file  : 


grant {
 permission java.security.AllPermission;
};


It was previously set to 

grant codeBase "file:${java.home}/lib/ext/*" {
 permission java.security.AllPermission;
};


I had previously done the same in the java.policy file in 
TomcatHome\conf\java.policy and I thought that this should have fixed the 
problem because I thought that the 
java.policy file in the Tomcat folder would override those in 
JavaHome\jre\lib\security\java.policy but this doesn't seem to be the case, or 
is it ? 

If anybody can clear this up for me I'd be very grateful as I would like to 
make sure that I'm not compromising security in some way. 

Regards,
Jonathan O'Donovan
Web Developer,
EuroKom


Help Needed with Security Manager

2008-05-08 Thread Jonathan O'Donovan
Hi All - can anyone help me with this as I'm under pressure and am a relative 
newcomer to Tomcat. The problem seems to be with the Java Security Manager, if 
I'm not mistaken. The following 'access denied' entries are recorded in the 
main logger for Tomcat (I have enabled SecurityManager logging by setting the 
following system property before starting Tomcat):

set CATALINA_OPTS=-Djava.security.debug=access,failure

I am running:
 
Tomcat 4.1
Apache/1.3.33 (Win32) 
mod_jk/1.2.8 
JRE Version 1.4.2_03

access: access allowed (java.io.FilePermission C:\Tomcat41\common\classes\xx\xx\xx\RMIManager$RMIHostList.class read)
access: access allowed (java.io.FilePermission C:\Tomcat41\bin\bootstrap.jar read)
access: access allowed (java.io.FilePermission C:\Tomcat41\bin\bootstrap.jar read)
access: access allowed (java.io.FilePermission C:\Tomcat41\bin\bootstrap.jar read)
HERE-access: access denied (java.io.FilePermission C:\Tomcat41\common\classes\xx\xx\xx\RMIManager$RMIHostList.class read)
access: access allowed (java.util.PropertyPermission java.rmi.server.hostname read)
access: access allowed (java.util.PropertyPermission sun.rmi.transport.connectionTimeout read)
access: access allowed (java.util.PropertyPermission sun.rmi.transport.tcp.handshakeTimeout read)
access: access allowed (java.util.PropertyPermission sun.rmi.transport.tcp.responseTimeout read)
access: access allowed (java.io.FilePermission C:\Tomcat41\server\lib\tomcat-util.jar read)
access: access allowed (java.io.FilePermission C:\Tomcat41\server\lib\tomcat-util.jar read)
access: access allowed (java.io.FilePermission C:\Tomcat41\server\lib\tomcat-util.jar read)
access: access allowed (java.util.PropertyPermission socksProxyHost read)
HERE-access: access denied (java.net.SocketPermission XX.XX.XX resolve)

I'm not sure why SecurityManager is on - I am running Tomcat as a service in 
Windows Server 2003 - perhaps running Tomcat as a service enables 
SecurityManager ? Does anybody know how to disable the SecurityManager when 
running as a service? If I disabled SecurityManager would I get the above 
'access denied' entries? 

For the first access denied above I have tried adding the following but it 
makes no difference : 

grant codeBase "file:${catalina.home}/common/classes/-" {
  permission java.io.FilePermission read;
};

so I'm stumped! 

Many thanks in advance!
Jonathan O'Donovan
Web Developer,
EuroKom
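
Added example (not part of the original posts): a Python script that turns the 'access denied' entries from java.security.debug=access output, like the log above, into permission lines scoped to a single codeBase, as an alternative to granting AllPermission to all code. The sample log is constructed in the page's format; the codeBase passed in is an assumption the operator must confirm, and entries without an actions field are not handled.

```python
import re

# Constructed sample in the shape of -Djava.security.debug=access,failure output,
# including mail-style wrapped lines; paths and hosts are placeholders.
SAMPLE_LOG = r"""access: access allowed (java.io.FilePermission C:\Tomcat41\bin\bootstrap.jar
read)
HERE-access: access denied (java.io.FilePermission
C:\Tomcat41\common\classes\xx\xx\xx\RMIManager$RMIHostList.class read)
access: access allowed (java.util.PropertyPermission socksProxyHost read)
access: access denied (java.net.SocketPermission XX.XX.XX resolve)
access: access denied (java.net.SocketPermission XX.XX.XX resolve)
java.security.AccessControlException: access denied
(java.util.PropertyPermission catalina.base read)
"""

# "access denied (<permission class> <target> <actions>)", possibly wrapped.
# The target may not contain parentheses, so a match never spans two entries.
DENIED = re.compile(r"access denied\s*\(([\w.$]+)\s+([^()]+?)\s+([\w,]+)\)")


def denied_permissions(log_text):
    """Return each distinct denied (class, target, actions), in first-seen order."""
    found = []
    for cls, target, actions in DENIED.findall(log_text):
        entry = (cls, " ".join(target.split()), actions)
        if entry not in found:
            found.append(entry)
    return found


def policy_line(cls, target, actions):
    """Format one permission entry in policy-file syntax."""
    # Policy strings treat backslash as an escape, so Windows paths need "\\".
    escaped = target.replace("\\", "\\\\")
    return 'permission %s "%s", "%s";' % (cls, escaped, actions)


def grant_block(code_base, permissions):
    """Build a grant limited to one codeBase instead of a blanket AllPermission."""
    body = "\n".join("  " + policy_line(*p) for p in permissions)
    return 'grant codeBase "%s" {\n%s\n};' % (code_base, body)


if __name__ == "__main__":
    # Assumption: the operator has confirmed which code source needs these.
    print(grant_block("file:${catalina.home}/webapps/mywebapp/-",
                      denied_permissions(SAMPLE_LOG)))
```

The failure debug option also dumps the stack and the protection domain that lacked the permission, which is where the right codeBase for the grant comes from.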


Problems with Java Security Manager

2008-05-07 Thread Jonathan O'Donovan
Hi All,

Can someone check my reasoning here? I am having difficulty with the Java 
Security Manager. I am encountering the following 2 exceptions with some of my 
servlets : 

I am running : 
 
Tomcat 4.1
Apache/1.3.33 (Win32) 
mod_jk/1.2.8 
JRE Version 1.4.2_03

I have enabled security manager logging using the following Java option (I've 
set this in the configuration dialogue box for Tomcat as I'm running Tomcat as 
a service on NT)

set CATALINA_OPTS=-Djava.security.debug=access,failure



Exception #1 (generated when using RMI): 

access: access allowed (java.util.PropertyPermission java.rmi.server.hostname read)
access: access allowed (java.util.PropertyPermission sun.rmi.transport.connectionTimeout read)
access: access allowed (java.util.PropertyPermission sun.rmi.transport.tcp.handshakeTimeout read)
access: access allowed (java.util.PropertyPermission sun.rmi.transport.tcp.responseTimeout read)
access: access allowed (java.io.FilePermission C:\Tomcat41\server\lib\tomcat-util.jar read)
access: access allowed (java.io.FilePermission C:\Tomcat41\server\lib\tomcat-util.jar read)
access: access allowed (java.io.FilePermission C:\Tomcat41\server\lib\tomcat-util.jar read)
access: access allowed (java.util.PropertyPermission socksProxyHost read)
access: access denied (java.net.SocketPermission XX.XX.XX resolve)


Exception #2 : 

java.security.AccessControlException: access denied (java.util.PropertyPermission catalina.base read)




I presume that the above 2 exceptions are generated by the Java Security 
Manager. I have tried the following in my 
catalina.policy file

grant codeBase "file:${catalina.home}/webapps/mywebapp/-" {
  permission java.security.AllPermission;
};

but it makes no difference.


Also, I am wondering why catalina.base should have a problem reading files (I 
am running Tomcat as Administrator)

These problems are happening in the test environment, but on the live system 
there are no such exceptions being generated. I can't figure out why this 
should be the case as the java.policy and catalina.policy files in the 
Catalina.home/conf directory are identical for both live and test environments.

Does anybody know how to disable the Security Manager for Tomcat when running 
as a service in NT or is it disabled by default?


Many thanks in advance,
Jonathan O'Donovan


Re: Deploying discovered web applications

2008-04-29 Thread Jonathan O'Donovan

Hi Charles,

Thanks again for your help and your time. I'm still having no luck -


> Yes - transferring files from some system to another with a different
> time base can cause interesting actions in Tomcat.


What do you mean by timebase - is this an OS-specific time format for files?
I have checked all file timestamps and none have a date in the future.


> Look in conf/Catalina/[host] for .xml files that provide Context
> elements for the apps in question.  You probably also want to clean out
> Tomcat's work directory to make sure there's no junk left lying around
> in there.


I've tried cleaning out the /work directory with each restart of Tomcat.

I'm not sure what you mean by
conf/Catalina/[host]  :

All my contexts are in server.xml (see below) apart from

/webapps/manager.xml
/webapps/admin.xml

which contain the following contexts, respectively

<Context path="/manager" docBase="../server/webapps/manager" debug="0" 
privileged="true">
 <ResourceLink name="users" global="UserDatabase" 
type="org.apache.catalina.UserDatabase" />

 </Context>


<Context path="/admin" docBase="../server/webapps/admin" debug="0" 
privileged="true">
 <Logger className="org.apache.catalina.logger.FileLogger" 
prefix="localhost_admin_log." suffix=".txt" timestamp="true" />

 </Context>

Perhaps I have got appBase and docBase misconfigured between the various 
hosts - I noticed that hosts local_eaglevm.cs and localhost both
have appBase=webapps in the host declaration. Should this be a problem ? 
Also, host local_eaglevm.clients has appBase=webapps/eurokom2/active, even 
though the /active directory does not exist. Is this ok ? - I'm trying to 
understand someone else's configuration file here. It doesn't seem to cause 
a problem because the context's docBase is set to ../pressweb giving 
webapps/eurokom2/pressweb which exists.


I have tried using appBase=webapps/eurokom2 and docBase=pressweb in the 
above but it doesn't solve the problem.



Many thanks again,
Jonathan

-- server.xml --


<Server port="8005" shutdown="SHUTDOWN" debug="0">

  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"
            debug="0"/>
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
            debug="0"/>

  <GlobalNamingResources>
    <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved">
    </Resource>
    <ResourceParams name="UserDatabase">
      <parameter>
        <name>factory</name>
        <value>org.apache.catalina.users.MemoryUserDatabaseFactory</value>
      </parameter>
      <parameter>
        <name>pathname</name>
        <value>conf/tomcat-users.xml</value>
      </parameter>
    </ResourceParams>
  </GlobalNamingResources>

  <Service name="Tomcat-Standalone">

    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8080"
               enableLookups="true" redirectPort="8443"
               acceptCount="100" connectionTimeout="2"
               useURIValidationHack="false" disableUploadTimeout="true" />
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8009" enableLookups="true" redirectPort="8443"
               acceptCount="100" debug="9"
               connectionTimeout="60"
               useURIValidationHack="false"
               protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>

    <Engine name="Standalone" defaultHost="localhost" debug="9">

      <Logger className="org.apache.catalina.logger.FileLogger"
              prefix="catalina_log." suffix=".txt"
              timestamp="true"/>

      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             debug="0" resourceName="UserDatabase"/>

      <Host name="localhost" debug="9" appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <Logger className="org.apache.catalina.logger.FileLogger"
                directory="logs" prefix="localhost_log." suffix=".txt"
                timestamp="true"/>

        <Context path="/examples" docBase="examples" debug="9"
                 reloadable="false" crossContext="true">

          <Logger className="org.apache.catalina.logger.FileLogger"
                  prefix="localhost_examples_log." suffix=".txt"
                  timestamp="true"/>
          <Ejb name="ejb/EmplRecord" type="Entity"
               home="com.wombat.empl.EmployeeRecordHome"
               remote="com.wombat.empl.EmployeeRecord"/>

          <Environment name="maxExemptions" type="java.lang.Integer"
                       value="15"/>
          <Parameter name="context.param.name" value="context.param.value"
                     override="false"/>
          <Resource name="jdbc/EmployeeAppDb" auth="SERVLET"
                    type="javax.sql.DataSource"/>
          <ResourceParams name="jdbc/EmployeeAppDb">

            <parameter><name>user</name><value>sa</value></parameter>
            <parameter><name>password</name><value></value></parameter>
            <parameter><name>driverClassName</name>
              <value>org.hsql.jdbcDriver</value></parameter>
            <parameter><name>driverName</name>
 

Re: Help Needed with Tomcat Stack Traces

2008-04-28 Thread Jonathan O'Donovan
Thanks a lot for that help Christopher - I am trying to debug someone else's 
app here so it can get tricky! 

Best Wishes,
Jonathan


Deploying discovered web applications

2008-04-28 Thread Jonathan O'Donovan
Hi,

I was wondering if anybody has encountered a situation where Tomcat keeps 
deploying a given webapp?

I noticed that it has cropped up on this forum before but there doesn't seem to 
have been any solution found.
The following is continually logged every 15 seconds to the context logger of 
the webapp in question: 

2008-04-28 00:01:47 HostConfig[local_eaglevm.stats.XX.XX]: Deploying discovered web applications
2008-04-28 00:01:47 HostConfig[local_eaglevm.stats.XX.XX]: Deploying discovered web applications
2008-04-28 00:01:47 HostConfig[local_eaglevm.stats.XX.XX]: Deploying discovered web applications
etc...

I am running 

Tomcat 4.1
Apache/1.3.33 (Win32) 
mod_jk/1.2.8 
JRE Version 1.4.2_03

My webapp is working. Here is a copy of the server.xml file. I have made sure 
to make reloadable false but the problem persists.

<Host name="local_eaglevm.stats.XX.XX" debug="9" 
appBase="webapps/eurokom2/active" unpackWARs="true">
<Alias>XX.XX.XX</Alias>

<Context path="" workDir="work/pressweb" docBase="../pressweb" debug="9" 
reloadable="false">

<Logger timestamp="true" className="org.apache.catalina.logger.FileLogger" 
prefix="XX.XX.log-tomcat"/>

[realm and resources follow here...]

</Context>
   </Host>

There are no .war files sitting in the /webapp directory.  


Thanks in Advance
Jonathan 


Re: Deploying discovered web applications

2008-04-28 Thread Jonathan O'Donovan
Hi Chuck - many thanks for your help. I'm not sure what you mean by "set in 
the future". Do you mean that the timestamp of some files gets reset at some 
point after deployment and this makes Tomcat redeploy? Or do you mean that 
some of the files have a timestamp set to a time in the future?


I searched through my /webapps folder but found no file with a timestamp set 
in the future. Also, I have removed all .war files from that directory but 
the problem persists.


Many thanks for your help,
Jonathan

- Original Message - 
From: Caldarale, Charles R [EMAIL PROTECTED]

To: Tomcat Users List users@tomcat.apache.org
Sent: Monday, April 28, 2008 1:18 PM
Subject: RE: Deploying discovered web applications



From: Jonathan O'Donovan [mailto:[EMAIL PROTECTED]
Subject: Deploying discovered web applications

I was wondering if anybody has encountered a situation where
Tomcat keeps deploying a given webapp?

I noticed that it has cropped up on this forum before but
there doesn't seem to have been any solution found.


The usual cause (as noted frequently on this mailing list) is timestamps
on the .war files or directory entries set in the future.

- Chuck


-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



