Re: AccessControlException when starting embedded Tomcat from Java Webstart

2012-03-26 Thread Pid
On 26/03/2012 10:32, Witoslaw Koczewski wrote:
 Hello,
 
 for our Kunagi Java web application we have a signed kunagi.jar file which 
 contains our classes together with classes from embedded Tomcat 6. This runs 
 perfectly when calling java -jar kunagi.jar.
 
 But when starting it with Java WebStart, I get an exception while embedded 
 Tomcat is starting:
 
 java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.deploy)
 at java.security.AccessControlContext.checkPermission(AccessControlContext.java:393)
 at java.security.AccessController.checkPermission(AccessController.java:553)
 at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
 at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1529)
 at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:291)
 at java.lang.ClassLoader.loadClass(ClassLoader.java:266)
 at net.sourceforge.jnlp.runtime.JNLPClassLoader.loadClass(JNLPClassLoader.java:1018)
 at java.lang.Class.getDeclaredMethods0(Native Method)
 at java.lang.Class.privateGetDeclaredMethods(Class.java:2444)
 at java.lang.Class.getMethod0(Class.java:2687)
 at java.lang.Class.getMethod(Class.java:1620)
 at org.apache.catalina.startup.SetPublicIdRule.begin(WebRuleSet.java:639)
 at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1276)
 ... 33 more
 
 Of course kunagi.jar is signed, otherwise it wouldn't even start. It seems 
 Java WebStart enables Java Security globally, which somehow embedded Tomcat 
 inherits and fails to initialize.
 
 Is there a way to disable security checks for Tomcat inside of Java WebStart? 
 Or how can I configure embedded Tomcat to permit access to 
 org.apache.catalina...?

There's a file called catalina.policy in tomcat/conf, which has some
rules in it.  You'll need to compare those rules to the ones implemented in
the client's policy file to work out what you need to add.


 I have already posted this problem on StackOverflow, where someone said, this 
 could be a Tomcat bug: stackoverflow.com/questions...

Really.  URL please?


p

 Best regards,
 Witek 
 
 ---
 http://koczewski.de
 
 
 
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org



Re: AccessControlException when starting embedded Tomcat from Java Webstart

2012-03-26 Thread Witoslaw Koczewski
 There's a file called catalina.policy in tomcat/conf, which has some
 rules in it.  You'll need to compare those rules to the ones implemented in
 the client's policy file to work out what you need to add.

Since I am using embedded Tomcat, there is no catalina.policy :-(

Can't I just disable the checks in Tomcat?

  I have already posted this problem on StackOverflow, where someone said, 
  this could be a
  Tomcat bug: stackoverflow.com/questions...
 
 Really.  URL please?

http://stackoverflow.com/questions/9831063/accesscontrolexception-when-starting-embedded-tomcat-from-java-webstart

Best regards,
Witek

---
http://koczewski.de


Re: AccessControlException when starting embedded Tomcat from Java Webstart

2012-03-26 Thread Pid
On 26/03/2012 11:12, Witoslaw Koczewski wrote:
 There's a file called catalina.policy in tomcat/conf, which has some
 rules in it.  You'll need to compare those rules to the ones implemented in
 the client's policy file to work out what you need to add.
 
 Since I am using embedded Tomcat, there is no catalina.policy :-(
 
 Can't I just disable the checks in Tomcat?

Yes, by applying the policy rules in the client JVM (as detailed in
catalina.policy).


 I have already posted this problem on StackOverflow, where someone said, 
 this could be a
 Tomcat bug: stackoverflow.com/questions...

 Really.  URL please?
 
 http://stackoverflow.com/questions/9831063/accesscontrolexception-when-starting-embedded-tomcat-from-java-webstart

Bah.


p

 Best regards,
 Witek
 
 ---
 http://koczewski.de
 
 
 
 


Re: AccessControlException when starting embedded Tomcat from Java Webstart

2012-03-26 Thread Witoslaw Koczewski
 On 26/03/2012 11:12, Witoslaw Koczewski wrote:
  There's a file called catalina.policy in tomcat/conf, which has some
  rules in it.  You'll need to compare those rules to the ones implemented in
  the client's policy file to work out what you need to add.
  
  Since I am using embedded Tomcat, there is no catalina.policy :-(
  
  Can't I just disable the checks in Tomcat?
 
 Yes, by applying the policy rules in the client JVM (as detailed in
 catalina.policy).

I have configured WebStart with <security><all-permissions/></security>, why do I need to 
define security rules for Tomcat? Shouldn't there be a switch in Tomcat to turn 
off these checks? It works perfectly when starting from executable JAR file - 
why does it not work the same way when starting from WebStart?

Best regards,
Witek


---
http://koczewski.de


Re: AccessControlException when starting embedded Tomcat from Java Webstart

2012-03-26 Thread Pid
On 26/03/2012 12:43, Witoslaw Koczewski wrote:
 On 26/03/2012 11:12, Witoslaw Koczewski wrote:
 There's a file called catalina.policy in tomcat/conf, which has some
 rules in it.  You'll need to compare those rules to the ones implemented in
 the client's policy file to work out what you need to add.

 Since I am using embedded Tomcat, there is no catalina.policy :-(

 Can't I just disable the checks in Tomcat?

 Yes, by applying the policy rules in the client JVM (as detailed in
 catalina.policy).
 
 I have configured WebStart with <security><all-permissions/></security>, why do I need 
 to define security rules for Tomcat?

Does that directly equate to applying an all-permission policy in a
.policy file?


 Shouldn't there be a switch in Tomcat to turn off these checks?

Why?  If you don't want the Security Manager, don't turn it on.


 It works perfectly when starting from executable JAR file - why does it not work the 
 same way when starting from WebStart?

Because WebStart turns on the Security Manager.

Tomcat isn't doing anything extra special, it only checks permissions if
the Security Manager is enabled.  The following has details:

 http://tomcat.apache.org/tomcat-7.0-doc/security-manager-howto.html


p


 Best regards,
 Witek
 
 
 ---
 http://koczewski.de
 
 
 
 


Re: AccessControlException when starting embedded Tomcat from Java Webstart

2012-03-26 Thread Witoslaw Koczewski
  Shouldn't there be a switch in Tomcat to turn off these checks?
 
 Why?  If you don't want the Security Manager, don't turn it on.

I don't, WebStart does. Usually when I turn on a feature in software A, I don't 
expect it to affect software B. Logging for example can be configured 
separately.

Does Tomcat use the same Security Manager as WebStart or does it just share the 
same switch?

Is there perhaps a central place in the Tomcat source code where the switch is 
evaluated, so I can rename it or hard-code it to false?

Best regards,
Witek,


---
http://koczewski.de


RE: AccessControlException when starting embedded Tomcat from Java Webstart

2012-03-26 Thread Caldarale, Charles R
 From: Witoslaw Koczewski [mailto:w...@koczewski.de] 
 Subject: Re: AccessControlException when starting embedded Tomcat from Java 
 Webstart

 Usually when I turn on a feature in software A, I don't expect 
 it to affect software B.

You're not turning on a feature in an independent module; WebStart is changing 
the mode the JVM runs in.

 Does Tomcat use the same Security Manager as WebStart or does 
 it just share the same switch?

The SecurityManager is an attribute of the JVM, not of any particular set of 
classes loaded in that JVM.  If the SecurityManager is enabled, all classes 
running inside that JVM have to live with it.

 Is there perhaps a central place in the Tomcat source code where the 
 switch is evaluated, so I can rename it or hard-code it to false?

You're missing the point; Tomcat isn't the one enforcing this, the JVM is.  
Since you have chosen to operate in an environment that includes a 
SecurityManager, you must find the controlling policy file for that 
SecurityManager and make sure it includes all the permissions Tomcat needs (the 
ones in catalina.policy).

 - Chuck
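
A small probe for the point made in this reply, added here as an example and not code from any poster or from Tomcat: it reports whether the JVM has a SecurityManager installed and repeats the `checkPackageAccess` call from the stack trace for the packages that appear in it. The class name `SecurityManagerProbe` is hypothetical, and the code targets the Java versions of this thread's era, where the SecurityManager API is not yet deprecated.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

// Added diagnostic; the class name SecurityManagerProbe is hypothetical.
public class SecurityManagerProbe {

    // Packages taken from the stack trace quoted at the top of this thread.
    static final String[] PACKAGES = {
        "org.apache.catalina.deploy",
        "org.apache.catalina.startup",
        "org.apache.tomcat.util.digester",
    };

    // Repeats the check from the trace (SecurityManager.checkPackageAccess)
    // and returns the packages the JVM-wide SecurityManager refuses.
    static List<String> deniedPackages(SecurityManager sm, String[] packages) {
        List<String> denied = new ArrayList<String>();
        if (sm == null) {
            return denied; // no SecurityManager installed: nothing is checked
        }
        for (String pkg : packages) {
            try {
                sm.checkPackageAccess(pkg);
            } catch (SecurityException e) {
                denied.add(pkg);
            }
        }
        return denied;
    }

    // package.access lists the prefixes that trigger checkPackageAccess.
    static String restrictedPrefixes() {
        try {
            return Security.getProperty("package.access");
        } catch (SecurityException e) {
            return "(not readable: " + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        SecurityManager sm = System.getSecurityManager(); // one per JVM
        System.out.println("SecurityManager: " + (sm == null ? "none" : sm.getClass().getName()));
        System.out.println("package.access: " + restrictedPrefixes());
        for (String pkg : deniedPackages(sm, PACKAGES)) {
            System.out.println("denied: accessClassInPackage." + pkg);
        }
    }
}
```

The check is evaluated against the calling code's protection domains, so the probe has to be packaged in the same JAR and launched the same way as the application for its result to match. Started with `java -jar` it reports no SecurityManager and an empty denied list.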





Re: AccessControlException when starting embedded Tomcat from Java Webstart

2012-03-26 Thread Pid
On 26/03/2012 15:46, Witoslaw Koczewski wrote:
 Shouldn't there be a switch in Tomcat to turn off these checks?

 Why?  If you don't want the Security Manager, don't turn it on.
 
 I don't, WebStart does. Usually when I turn on a feature in software A, I 
 don't expect it to affect software B. 

You are (or WebStart is) turning the feature on *in the JVM*, not in
some arbitrary class running inside the JVM.


 Logging for example can be configured separately.

It is not comparable.


 Does Tomcat use the same Security Manager as WebStart or does it just share 
 the same switch?

It's not Tomcat, it's the JVM.


 Is there perhaps a central place in the Tomcat source code where the switch 
 is evaluated, so I can rename it or hard-code it to false?

No.  The access controls are distributed in the code.


p

 Best regards,
 Witek,
 
 
 ---
 http://koczewski.de
 
 
 
 

Re: AccessControlException when starting embedded Tomcat from Java Webstart

2012-03-26 Thread Christopher Schultz

Pid,

On 3/26/12 11:07 AM, Pid wrote:
 On 26/03/2012 15:46, Witoslaw Koczewski wrote:
 
 Is there perhaps a central place in the Tomcat source code where 
 the switch is evaluated, so I can rename it or hard-code it to 
 false?
 
 No.  The access controls are distributed in the code.

Nor would it help. Tomcat isn't just doing those checks because it's
playing nice: those checks (really attempts, not checks) are required
in order to work under a SecurityManager. If those privileged actions
weren't being used, those actions wouldn't work, anyway.

Seriously, there's nothing Tomcat can do about this: you have to tweak
the policy under which WebStart launches the JVM.

I have no idea how to do that. You may not even be able to do that,
otherwise a WebStart application could simply assert its rights to do
anything it wanted, like delete all the files off your hard disk, or
email a copy of your /etc/passwd file to the developer. WebStart runs
under a SecurityManager to protect the user from things it doesn't
want to allow.

-chris




Re: AccessControlException when starting embedded Tomcat from Java Webstart

2012-03-26 Thread Christopher Schultz

Witoslaw,

On 3/26/12 12:25 PM, Christopher Schultz wrote:
 I have no idea how to do [customize the policy].

Looks like you can't:

http://lopica.sourceforge.net/faq.html#policy

You could try separately signing the Tomcat JAR files yourself and see
what happens. You haven't described your class loading strategy. For
example, have you tried expanding *all* the JAR files that ship with
Tomcat and then re-assembling them into your single kunagi.jar?

-chris



Re: AccessControlException when starting embedded Tomcat from Java Webstart

2012-03-26 Thread Witoslaw Koczewski
 For example, have you tried expanding *all* the JAR files that ship with
 Tomcat and then re-assembling them into your single kunagi.jar?

This is exactly what I do. And my JNLP requires all-permissions. My application 
can open ports, read and delete all files - but not start the embedded Tomcat I 
have signed :-(

Best regards,
Witek


 
 -chris



---
http://koczewski.de
