Re: java.util.PropertyPermission
I'm not following what you're suggesting.

Propes, Barry L wrote:
> isn't that because the permission object picks all of that up as one item, and overrides your separate setting? I would think it would. Wouldn't you need to create an entire new object or not for that to work?
>
> -----Original Message-----
> From: Ryan Daly [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, July 25, 2006 2:01 PM
> To: Tomcat Users List
> Subject: java.util.PropertyPermission
>
> All:
>
> I have started seeing problems with using the java.util.PropertyPermission setting in the catalina.policy file. I have the following line:
>
> permission java.util.PropertyPermission "*", "read,write";
>
> If that's in my policy entry for the specific web application, it does not get picked up. If I have that in the area that gets applied to all web applications, it seems to work just fine.
>
> Has anyone else seen this? Is this a bug or did something change that would make me have to modify the policy file in some way?
>
> Thanks.

To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: java.util.PropertyPermission
I have those entries. Those are the default entries included with Tomcat (which I'm using 5.5.9). In my years administering Tomcat, I have always created additional entries and not touched the default entries. The entries I add are per application running under that certain Tomcat instance.

It now appears that I'm getting JAR files in the work folder that are requesting permissions, and it doesn't realize that they came from the application that already was granted that permission. Is that normal? I need to explicitly set those permissions all of a sudden?

Propes, Barry L wrote:
> I think you need to not remove the code, but add an additional one? My policy file looks like so. Without having touched it.
>
> // These permissions are granted by default to all web applications
> // In addition, a web application will be given a read FilePermission
> // and JndiPermission for all files and directories in its document root.
> grant {
>     // Required for JNDI lookup of named JDBC DataSource's and
>     // javamail named MimePart DataSource used to send mail
>     permission java.util.PropertyPermission "java.home", "read";
>     permission java.util.PropertyPermission "java.naming.*", "read";
>     permission java.util.PropertyPermission "javax.sql.*", "read";
>
>     // OS Specific properties to allow read access
>     permission java.util.PropertyPermission "os.name", "read";
>     permission java.util.PropertyPermission "os.version", "read";
>     permission java.util.PropertyPermission "os.arch", "read";
>     permission java.util.PropertyPermission "file.separator", "read";
>     permission java.util.PropertyPermission "path.separator", "read";
>     permission java.util.PropertyPermission "line.separator", "read";
>
>     // JVM properties to allow read access
>     permission java.util.PropertyPermission "java.version", "read";
>     permission java.util.PropertyPermission "java.vendor", "read";
>     permission java.util.PropertyPermission "java.vendor.url", "read";
>     permission java.util.PropertyPermission "java.class.version", "read";
>     permission java.util.PropertyPermission "java.specification.version", "read";
>     permission java.util.PropertyPermission "java.specification.vendor", "read";
>     permission java.util.PropertyPermission "java.specification.name", "read";
>     permission java.util.PropertyPermission "java.vm.specification.version", "read";
>     permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
>     permission java.util.PropertyPermission "java.vm.specification.name", "read";
>     permission java.util.PropertyPermission "java.vm.version", "read";
>     permission java.util.PropertyPermission "java.vm.vendor", "read";
>     permission java.util.PropertyPermission "java.vm.name", "read";
>
> Which version are you using?
>
> -----Original Message-----
> From: Ryan Daly [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, July 25, 2006 2:43 PM
> To: Propes, Barry L
> Subject: Re: java.util.PropertyPermission
>
> Well, I removed some to verify that the block was being picked up. When I remove lines from:
>
> //grant codeBase "file:/usr/local/apache/vhosts/www/webapp/ART/-" {
>
> I started seeing more 'access denied' messages. It appears that the codeBase block is being picked up.
>
> Propes, Barry L wrote:
> > sorry, I think I may have worded that incorrectly. Did you add any more grant statements to the file?
Re: java.util.PropertyPermission
Sure. I have the following in my policy file:

// == DHS ==
grant codeBase "file:/usr/local/apache/vhosts/www/webapp/DHS/-" {
    // Runtime permissions
    permission java.util.PropertyPermission "*", "read,write";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
    permission java.lang.RuntimePermission "stopThread";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};

Yet, in catalina.out, I see:

access: access denied (java.util.PropertyPermission log4j.defaultInitOverride read)

Martin Gainty wrote:
> can you provide the specific example where a webapp doesn't apply permissions from catalina.policy
> M-
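An added example, not part of any message in this thread: a small Python check for the question raised above, namely whether a permission reported as denied in catalina.out is covered by a grant entry for the location the code was actually loaded from. The policy text reuses the DHS grant quoted above plus one constructed global grant; the matcher is a simplification that covers only the codeBase suffix rules and BasicPermission-style names (PropertyPermission, RuntimePermission), not FilePermission paths, signedBy or ${...} expansion.

```python
import re

# Constructed sample: one global grant plus the DHS grant quoted in the thread.
POLICY = '''
grant { permission java.util.PropertyPermission "os.name", "read"; };
grant codeBase "file:/usr/local/apache/vhosts/www/webapp/DHS/-" {
    permission java.util.PropertyPermission "*", "read,write";
    permission java.lang.RuntimePermission "stopThread";
};
'''
GRANT = re.compile(r'grant(?:\s+codeBase\s+"([^"]+)")?\s*\{(.*?)\}\s*;', re.S)
PERM = re.compile(r'permission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;')
DENIED = re.compile(r'access denied \((\S+) (\S+)(?: (\S+))?\)')

def actions(text):
    return {a.strip() for a in text.split(',')} if text else set()

def parse_policy(text):  # -> [(codeBase or None, [(class, name, actions), ...])]
    text = re.sub(r'^\s*//.*$', '', text, flags=re.M)  # whole-line comments only
    return [(cb or None, [(c, n, actions(a)) for c, n, a in PERM.findall(body)])
            for cb, body in GRANT.findall(text)]

def parse_denial(line):  # one "access denied (...)" line from catalina.out
    m = DENIED.search(line)
    return (m.group(1), m.group(2), actions(m.group(3))) if m else None

def codebase_implies(codebase, location):
    if codebase is None:                     # grant without codeBase: all code
        return True
    base = codebase[:-1]
    if codebase.endswith('/-'):              # directory, recursively
        return location.startswith(base)
    if codebase.endswith('/*'):              # directory, one level only
        return location.startswith(base) and '/' not in location[len(base):]
    return location == codebase

def perm_implies(granted, wanted):
    (gcls, gname, gacts), (wcls, wname, wacts) = granted, wanted
    if gcls == 'java.security.AllPermission':
        return True
    if gcls != wcls or not wacts <= gacts:
        return False
    return gname in ('*', wname) or (gname.endswith('.*') and wname.startswith(gname[:-1]))

def grants_for(policy, location, wanted):  # codeBase of each grant that applies
    return [cb for cb, perms in policy if codebase_implies(cb, location)
            and any(perm_implies(p, wanted) for p in perms)]
```

Calling `grants_for(parse_policy(POLICY), location, parse_denial(line))` with the log line above returns the DHS codeBase for a JAR under the webapp directory and an empty list for a JAR loaded from anywhere else, such as a work directory. The security manager checks the protection domain of every caller on the stack, so a single frame loaded from an uncovered location is enough to produce the denial.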
Re: Setting heap once the tomcat JVM is started
Martin Gainty wrote:
> Ryan--
> Here is the policy setting I have in my %TOMCAT_HOME%/conf/catalina.policy
>
> // These permissions apply to the commons-logging API
> grant codeBase "file:${catalina.home}/bin/commons-logging-api.jar" {
>     permission java.security.AllPermission;
> };
>
> HTH,
> Martin

That entry is already in the catalina.policy file.
Security Manager
Has anyone seen any issues while running with the security manager and it complaining that it doesn't have permission to do something when in fact the permission is in the policy file?

I'm seeing the following error

Caused by: java.security.AccessControlException: access denied (java.io.FilePermission tomcat.log write)

yet have the following in my policy file

permission java.io.FilePermission "tomcat.log", "read,write,delete";

Any clues anyone may be able to provide would be appreciated.

Thanks.
RE: Run Tomcat in W2k3 as service
On Fri, 2006-03-24 at 09:42 -0500, Ryan Daly wrote:
> On Fri, 2006-03-24 at 08:27 -0600, Benjamin Armintor wrote:
> > I'm not sure about Windows services specifically, but you can start the JVM with a security manager generically by using the -Djava.security.manager and -Djava.security.policy=YOUR POLICY FILE URL java startup options. You can append these to $JAVA_OPTS on Unix systems to get a security manager (it's effectively what the catalina startup script does), so I'd try using those as the --JvmOptions values.

This does appear to function properly. Thanks for the help.
Re: Run Tomcat in W2k3 as service
On Thu, 2006-03-23 at 20:51 +, Nic Daniau wrote:
> You may need to reconfigure the service. Have a look to my post from a few min ago on *running two instances of tomcat*
> you can also update the service using e.g.
> %CATALINA_HOME%\bin\tomcat5.exe //US//Tomcat5 --Description My updated description

Referencing your other post, you're saying I can do something like the following?

%CATALINA_HOME%\bin\tomcat5.exe //US/Tomcat5 --JvmOptions -security

Will that work to get the security manager working while running as a service?
Re: Run Tomcat in W2k3 as service
On Fri, 2006-03-24 at 13:38 +, Nic Daniau wrote:
> I wouldn't think so, these options are called when the service is launched so you would have to restart the service for this to be picked up.

Right, I understand that I'll have to restart the service. But is that the way to get the service to recognize the fact that I want the security manager running?

%CATALINA_HOME%\bin\tomcat5.exe //US/Tomcat5 --JvmOptions -security
Re: Run Tomcat in W2k3 as service
On Fri, 2006-03-24 at 13:55 +, Nic Daniau wrote:
> Not sure, TFM is a bit vague on this, it does not talk of the windows service. This must be one of the options, but which one?... StartMode? JvmOptions? I've never really spent a lot of time on the security manager, but I'm definitively interested in an answer on this.

I have an opportunity to take the site down in a few minutes. I'll quickly try setting that and post what I find.
Re: Run Tomcat in W2k3 as service
On Fri, 2006-03-24 at 08:58 -0500, Ryan Daly wrote:
> I have an opportunity to take the site down in a few minutes. I'll quickly try setting that and post what I find.

No good. If anyone comes across the proper options to do this, please post it to the list.

Thanks.
RE: Run Tomcat in W2k3 as service
On Fri, 2006-03-24 at 08:27 -0600, Benjamin Armintor wrote:
> I'm not sure about Windows services specifically, but you can start the JVM with a security manager generically by using the -Djava.security.manager and -Djava.security.policy=YOUR POLICY FILE URL java startup options. You can append these to $JAVA_OPTS on Unix systems to get a security manager (it's effectively what the catalina startup script does), so I'd try using those as the --JvmOptions values.

I was actually just taking a look at that. I'll give that a try and see how it goes...

Thanks.
RE: Run Tomcat in W2k3 as service
On Wed, 2006-03-22 at 19:34 -0500, Tim Lucia wrote:
> You can specify parameters on the various tabs under the servicew app (the tray monitor). You probably want Startup in this case, so it would go alongside the start option.

I did try that. However, each time I put something there, it doesn't stick. When I reopen tomcat5w.exe, the options are no longer there.
Run Tomcat in W2k3 as service
Has anyone successfully set environment variables for the Tomcat process when it's running as a service? Is it possible to start the service with the -security option, as in Linux?

Thanks in advance.
Security manager issue
All:

I have discovered the following in catalina.out:

policy: reading file:/opt/tomcat/v5.5.12/logcom.dev.ctc.com/conf/catalina.policy
policy: Adding policy entry:
policy:   signedBy null
policy:   codeBase file:/usr/java/jdk1.5.0_04/jre/lib/-
policy:   (java.security.AllPermission all permissions all actions)
policy:
policy: Adding policy entry:
policy:   signedBy null
policy:   codeBase file:/usr/java/jdk1.5.0_04/jre/jre/lib/ext/-
policy:   (java.security.AllPermission all permissions all actions)

Note that there is an extra path (/jre) after JAVA_HOME. Why is this happening? Has anyone else come across this?
Permissions issues
All:

I'm noticing something else strange. I'm attempting to bring up a web application using the Security Manager. I have the following coming up in my catalina.out log:

access: access denied (java.lang.RuntimePermission getClassLoader)

Yet, I have the following in my catalina.policy file:

permission java.lang.RuntimePermission "getClassLoader";

I have a few other permissions that are being skipped over as well. I verified that the catalina.policy file is being read because various other permissions work for this web application (like writing out a log file using log4j).

Has anyone else noticed this strange behavior?

Thanks.