Solution to Problem with Java Security Manager
Hi All - I found a solution to the problem I was experiencing - I changed the following in my JavaHome\jre\lib\security\java.policy file:

    grant {
        permission java.security.AllPermission;
    };

It was previously set to

    grant codeBase "file:${java.home}/lib/ext/*" {
        permission java.security.AllPermission;
    };

I had previously done the same in the java.policy file in TomcatHome\conf\java.policy and I thought that this should have fixed the problem because I thought that the java.policy file in the Tomcat folder would override those in JavaHome\jre\lib\security\java.policy but this doesn't seem to be the case, or is it? If anybody can clear this up for me I'd be very grateful as I would like to make sure that I'm not compromising security in some way.

Regards,
Jonathan O'Donovan
Web Developer, EuroKom
Help Needed with Security Manager
Hi All - can anyone help me with this as I'm under pressure and am a relative newcomer to Tomcat. The problem seems to be with the Java Security Manager, if I'm not mistaken. The following 'access denied' entries are recorded in the main logger for Tomcat. I have enabled SecurityManager logging by setting the following system property before starting Tomcat:

    set CATALINA_OPTS=-Djava.security.debug=access,failure

I am running:

    Tomcat 4.1
    Apache/1.3.33 (Win32)
    mod_jk/1.2.8
    JRE Version 1.4.2_03

    access: access allowed (java.io.FilePermission C:\Tomcat41\common\classes\xx\xx\xx\RMIManager$RMIHostList.class read)
    access: access allowed (java.io.FilePermission C:\Tomcat41\bin\bootstrap.jar read)
    access: access allowed (java.io.FilePermission C:\Tomcat41\bin\bootstrap.jar read)
    access: access allowed (java.io.FilePermission C:\Tomcat41\bin\bootstrap.jar read)
    HERE->access: access denied (java.io.FilePermission C:\Tomcat41\common\classes\xx\xx\xx\RMIManager$RMIHostList.class read)
    access: access allowed (java.util.PropertyPermission java.rmi.server.hostname read)
    access: access allowed (java.util.PropertyPermission sun.rmi.transport.connectionTimeout read)
    access: access allowed (java.util.PropertyPermission sun.rmi.transport.tcp.handshakeTimeout read)
    access: access allowed (java.util.PropertyPermission sun.rmi.transport.tcp.responseTimeout read)
    access: access allowed (java.io.FilePermission C:\Tomcat41\server\lib\tomcat-util.jar read)
    access: access allowed (java.io.FilePermission C:\Tomcat41\server\lib\tomcat-util.jar read)
    access: access allowed (java.io.FilePermission C:\Tomcat41\server\lib\tomcat-util.jar read)
    access: access allowed (java.util.PropertyPermission socksProxyHost read)
    HERE->access: access denied (java.net.SocketPermission XX.XX.XX resolve)

I'm not sure why SecurityManager is on - I am running Tomcat as a service in Windows Server 2003 - perhaps running Tomcat as a service enables SecurityManager?

Does anybody know how to disable the SecurityManager when running as a service? If I disabled SecurityManager would I get the above 'access denied' entries? For the first access denied above I have tried adding the following but it makes no difference:

    grant codeBase "file:${catalina.home}/common/classes/-" {
        permission java.io.FilePermission "read";
    };

....so I'm stumped!

Many thanks in advance!
Jonathan O'Donovan
Web Developer, EuroKom
Problems with Java Security Manager
Hi All,

Can someone check my reasoning here? I am having difficulty with the Java Security Manager. I am encountering the following 2 exceptions with some of my servlets:

I am running:

    Tomcat 4.1
    Apache/1.3.33 (Win32)
    mod_jk/1.2.8
    JRE Version 1.4.2_03

I have enabled security manager logging using the following Java option (I've set this in the configuration dialogue box for Tomcat as I'm running Tomcat as a service on NT)

    set CATALINA_OPTS=-Djava.security.debug=access,failure

Exception #1 (generated when using RMI):

    access: access allowed (java.util.PropertyPermission java.rmi.server.hostname read)
    access: access allowed (java.util.PropertyPermission sun.rmi.transport.connectionTimeout read)
    access: access allowed (java.util.PropertyPermission sun.rmi.transport.tcp.handshakeTimeout read)
    access: access allowed (java.util.PropertyPermission sun.rmi.transport.tcp.responseTimeout read)
    access: access allowed (java.io.FilePermission C:\Tomcat41\server\lib\tomcat-util.jar read)
    access: access allowed (java.io.FilePermission C:\Tomcat41\server\lib\tomcat-util.jar read)
    access: access allowed (java.io.FilePermission C:\Tomcat41\server\lib\tomcat-util.jar read)
    access: access allowed (java.util.PropertyPermission socksProxyHost read)
    access: access denied (java.net.SocketPermission XX.XX.XX resolve)

Exception #2:

    java.security.AccessControlException: access denied (java.util.PropertyPermission catalina.base read)

I presume that the above 2 exceptions are generated by the Java Security Manager. I have tried the following in my catalina.policy file

    grant codeBase "file:${catalina.home}/webapps/mywebapp/-" {
        permission java.security.AllPermission;
    };

but it makes no difference. Also, I am wondering why catalina.base should have a problem reading files (I am running Tomcat as Administrator).

These problems are happening in the test environment, but on the live system there are no such exceptions being generated. I can't figure out why this should be the case as the java.policy and catalina.policy files in the Catalina.home/conf directory are identical for both live and test environments. Does anybody know how to disable the Security Manager for Tomcat when running as a service in NT or is it disabled by default?

Many thanks in advance,
Jonathan O'Donovan
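As an added example (not code from the posts above or from Tomcat), this Python sketch reads `java.security.debug=access,failure` output of the kind quoted in the two Security Manager questions, collects the distinct denied permissions, and renders them as a grant scoped to one codeBase instead of a global `AllPermission`. The log lines are constructed, the function names are hypothetical, and the codeBase is supplied by the operator because the access lines do not name the code source that was denied; the last function flags the unscoped grant described in the solution post.

```python
import re

# Constructed sample lines in the format printed with
# -Djava.security.debug=access,failure (host and class names are made up).
SAMPLE_LOG = r"""
access: access allowed (java.io.FilePermission C:\Tomcat41\bin\bootstrap.jar read)
HERE->access: access denied (java.io.FilePermission C:\Tomcat41\common\classes\example\Demo.class read)
access: access allowed (java.util.PropertyPermission socksProxyHost read)
access: access denied (java.net.SocketPermission db.example.test resolve)
access: access denied (java.net.SocketPermission db.example.test resolve)
java.security.AccessControlException: access denied (java.util.PropertyPermission catalina.base read)
"""

# "(class target [actions])"; the target may contain spaces, the actions may be absent.
DENIED = re.compile(r"access denied \((\S+) (.+?)(?: ([\w,]+))?\)\s*$")
# A grant with no codeBase/signedBy/principal applies to every class the JVM loads.
UNSCOPED_ALL = re.compile(r"grant\s*\{[^}]*\bjava\.security\.AllPermission\b")


def denied_permissions(log_text):
    """Return the distinct (class, target, actions) triples that were denied, in log order."""
    found = []
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m and m.groups() not in found:
            found.append(m.groups())
    return found


def grant_block(code_base, perms):
    """Render a grant limited to code_base; backslashes are doubled as policy syntax requires."""
    out = ['grant codeBase "%s" {' % code_base]
    for cls, target, actions in perms:
        entry = '    permission %s "%s"' % (cls, target.replace("\\", "\\\\"))
        out.append(entry + (', "%s";' % actions if actions else ";"))
    out.append("};")
    return "\n".join(out)


def has_unscoped_all_permission(policy_text):
    """True if the policy grants AllPermission to all code rather than to one codeBase."""
    return bool(UNSCOPED_ALL.search(policy_text))


if __name__ == "__main__":
    perms = denied_permissions(SAMPLE_LOG)
    print(grant_block("file:${catalina.home}/webapps/mywebapp/-", perms))
```

The rendered entries are candidates to review before they go into a policy file, since each one widens what the named codeBase may do.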
Re: Deploying discovered web applications
Hi Charles,

Thanks again for your help and your time. I'm still having no luck -

Yes - transferring files from some system to another with a different time base can cause "interesting" actions in Tomcat.

What do you mean by timebase - is this an OS-specific time format for files? I have checked all file timestamps and none have a date in the future.

Look in conf/Catalina/[host] for .xml files that provide elements for the apps in question. You probably also want to clean out Tomcat's work directory to make sure there's no junk left lying around in there.

I've tried cleaning out the /work directory with each restart of Tomcat. I'm not sure what you mean by conf/Catalina/[host] : All my are in server.xml (see below) apart from /webapps/manager.xml /webapps/admin.xml which contains the following, respectively

    privileged="true"> type="org.apache.catalina.UserDatabase" />

    privileged="true"> prefix="localhost_admin_log." suffix=".txt" timestamp="true" />

Perhaps I have got appBase and docBase misconfigured between the various hosts - I noticed that hosts local_eaglevm.cs and localhost both have appBase="webapps" in the declaration. Should this be a problem? Also, host local_eaglevm.clients has appBase="webapps/eurokom2/active", even though the /active directory does not exist. Is this ok? - I'm trying to understand someone else's configuration file here. It doesn't seem to cause a problem because the context's docBase is set to ../pressweb giving webapps/eurokom2/pressweb which exists. I have tried using appBase="webapps/eurokom2" and docBase="pressweb" in the above but it doesn't solve the problem.

Many thanks again,
Jonathan

-- server.xml --

className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" debug="0"/> factory org.apache.catalina.users.MemoryUserDatabaseFactory pathname conf/tomcat-users.xml usersa password driverClassName org.hsql.jdbcDriver driverName jdbc:HypersonicSQL:database mail.smtp.host localhost appBase="webapps/eurokom2/active" unpackWARs="true" autoDeploy="true"> XX.XX className="org.apache.catalina.logger.FileLogger" prefix="stats_eurokom_log-tomcat"/> reloadable="false"> className="org.apache.catalina.logger.FileLogger" prefix="stats_eurokom_log_insidecontext-tomcat"/> type="javax.sql.DataSource"/> factoryorg.apache.commons.dbcp.BasicDataSourceFactory driverClassNameoracle.jdbc.driver.OracleDriver usernameclient passwordXX.XX urljdbc:oracle:thin:@database.XX.XX maxActive10 maxIdle10 maxWait6 defaultAutoCommittrue defaultReadOnlyfalse removeAbandonedtrue removeAbandonedTimeout60 logAbandonedtrue type="javax.mail.Session"/> mail.smtp.hostXX.XX.XX className="org.apache.catalina.logger.FileLogger" prefix="cs_log-tomcat" verbosity="4"/>

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Deploying discovered web applications
Hi Chuck - many thanks for your help.

I'm not sure what you mean by set in the future. Do you mean that the timestamp of some files gets reset at some point after deployment and this makes Tomcat redeploy? Or do you mean that some of the files have a timestamp set to a time in the future? I searched through my /webapps folder but found no file with a timestamp set in the future. Also, I have removed all .war files from that directory but the problem persists.

Many thanks for your help,
Jonathan

- Original Message -
From: "Caldarale, Charles R" <[EMAIL PROTECTED]>
To: "Tomcat Users List"
Sent: Monday, April 28, 2008 1:18 PM
Subject: RE: Deploying discovered web applications

From: Jonathan O'Donovan [mailto:[EMAIL PROTECTED]
Subject: Deploying discovered web applications

I was wondering if anybody has encountered a situation where Tomcat keeps deploying a given webapp? I noticed that it has cropped up on this forum before but there doesn't seem to have been any solution found.

The usual cause (as noted frequently on this mailing list) is timestamps on the .war files or directory entries set in the future.

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Deploying discovered web applications
Hi,

I was wondering if anybody has encountered a situation where Tomcat keeps deploying a given webapp? I noticed that it has cropped up on this forum before but there doesn't seem to have been any solution found.

The following is continually logged every 15 seconds to the context logger of the webapp in question:

    2008-04-28 00:01:47 HostConfig[local_eaglevm.stats.XX.XX]: Deploying discovered web applications
    2008-04-28 00:01:47 HostConfig[local_eaglevm.stats.XX.XX]: Deploying discovered web applications
    2008-04-28 00:01:47 HostConfig[local_eaglevm.stats.XX.XX]: Deploying discovered web applications
    etc...

I am running

    Tomcat 4.1
    Apache/1.3.33 (Win32)
    mod_jk/1.2.8
    JRE Version 1.4.2_03

My webapp is working. Here is a copy of the server.xml file. I have made sure to make reloadable false but the problem persists.

    XX.XX.XX [realm and resources follow here...]

There are no .war files sitting in the /webapp directory.

Thanks in Advance
Jonathan
Re: Help Needed with Tomcat Stack Traces
Thanks a lot for that help Christopher - I am trying to debug someone else's app here so it can get tricky!

Best Wishes,
Jonathan
Help Needed with Tomcat Stack Traces
Hi All,

I am a relative newcomer to Tomcat and Java and I would really appreciate if a few of you could check my reasoning here in trying to understand this exception. I am running the following:

    Tomcat 4.1
    Apache/1.3.33 (Win32)
    mod_jk/1.2.8
    JRE Version 1.4.2_03

About every hour or so on the live web app I get the following stack trace logged to the Tomcat context logger (Tomcat doesn't hang)

    008-04-22 09:06:06 ApplicationDispatcher[] Servlet.service() for servlet jsp threw exception
    org.apache.jasper.JasperException
        at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:207)
        at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:240)
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:187)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:809)
        at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:627)
        at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:382)
        at org.apache.catalina.core.ApplicationDispatcher.access$000(ApplicationDispatcher.java:66)
        at org.apache.catalina.core.ApplicationDispatcher$PrivilegedForward.run(ApplicationDispatcher.java:81)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:298)
        at my.domain.opentools.ServPublicAreaController.gotoPage(ServPublicAreaController.java:686)
        at my.domain.opentools.ServPublicAreaController.doLogin(ServPublicAreaController.java:177)
        at my.domain.opentools.ServPublicAreaController.service(ServPublicAreaController.java:103)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:809)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:200)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:51)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:129)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:125)
        at org.securityfilter.filter.SecurityFilter.doFilter(SecurityFilter.java:188)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:51)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:129)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:125)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:209)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:596)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:433)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:144)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:596)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:433)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)
        at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2358)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:133)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:596)
        at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:118)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:594)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:116)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:594)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:433)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:127)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:596)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:433)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)
        at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:152)
        at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:300)
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:374)
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:743)
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:675)
        at org.apache.jk.common.SocketC