Thank you for your suggestions. See my comments below:

> First, ensure you are running with the -security option that
> turns on Tomcat
> with the security manager installed. Often you need to modify the

I am definitely running with the -security option. I have double-checked that it's in my start.bat script in the bin/ directory and I see the statement "Using Security Manager" on the Tomcat console. Plus, when running with -Djava.security.debug=access,failure, I see permissions checking etc. going on.

> Second, you are granting your permissions far too low on the
> file path. At
> the very least, consider something like
>
> grant codeBase "file:${catalina.base}/webapps/yourappname/-" {

The grant that I described there was a last-ditch desperate attempt to cover everything with AllPermission. I had previously tried granting on the individual .jar files, on the webapps directory, on my specific webapps directory, etc. I've tried every conceivable known permutation. Regardless, I did as you suggested and put the grant back on the specific webapp directory (using the "-" at the end)... No luck.

> Third, are you actually running multiple instances in which your
> catalina.base is different than your catalina.home? If so,

I'm only running one instance of Tomcat. I'm not sure where/how catalina.base gets set, but I have a good feeling that the actual policy file is being read b/c if I remove that policy file then everything goes nuts.

One interesting thing is that I can grant access in the general grant { ... } clause (no specific codeBase specified... just the default for all webapps), and things will work fine. However, I don't want to grant access to all webapps, I only want to grant access to a particular webapp/jar file.

Basically, it looks like grant entries on codebases under the webapps directory are *completely ignored*. No matter what I grant on a particular webapp (using grant codeBase "file:${catalina.base}/webapps/appname/-" { <perms> }), nothing takes effect at all.

I can verify this by looking at debug output (setting java.debug.security=policy,access,failure) -- when it prints the Protection Domain that failed the access call, I can clearly see that *no permissions* are granted to the jar files under that webapp/codebase besides the default jndi and file read permissions. If I want any permissions to apply, I have to grant them generally in the grant { ... } clause (no codeBase). Obviously, this is not desired behavior. It looks like there could be a bug in the Tomcat policy management?

JP
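A diagnostic for the symptom described in this message, added here as an example and not part of the original thread: it uses `java.security.CodeSource.implies` to test whether a `grant codeBase` URL covers the location the JVM reports for a class. The class name `CodeBaseCheck` and the `/opt/tomcat` paths are constructed for illustration.

```java
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;

// Added diagnostic, not code from the thread or from Tomcat.
// Policy grants are matched against a class's CodeSource location, so the
// first thing to compare is the codeBase URL in the policy file and the
// location the JVM actually assigned to the failing class.
public class CodeBaseCheck {

    // True when a grant on grantCodeBase would cover code loaded from 'actual'.
    static boolean covers(String grantCodeBase, CodeSource actual) throws Exception {
        CodeSource granted = new CodeSource(new URL(grantCodeBase), (Certificate[]) null);
        return granted.implies(actual);
    }

    // Location the JVM recorded for a class. Under a security manager this
    // call needs RuntimePermission "getProtectionDomain".
    static CodeSource sourceOf(Class<?> c) {
        return c.getProtectionDomain().getCodeSource();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the grant with ${catalina.base} already expanded.
        String grant = "file:/opt/tomcat/webapps/appname/-";

        // Constructed sample locations to show how matching behaves.
        String[] samples = {
            "file:/opt/tomcat/webapps/appname/WEB-INF/lib/app.jar",       // under the grant
            "file:/opt/tomcat/webapps/appname/WEB-INF/classes/",          // under the grant
            "file:/opt/tomcat/webapps/other/WEB-INF/lib/app.jar",         // different webapp
            "jar:file:/opt/tomcat/webapps/appname/WEB-INF/lib/app.jar!/"  // different URL scheme
        };
        for (String s : samples) {
            CodeSource cs = new CodeSource(new URL(s), (Certificate[]) null);
            System.out.println(covers(grant, cs) + "  " + s);
        }

        // Real value for this class; inside a webapp, pass the class named in
        // the failing ProtectionDomain from the debug output instead.
        CodeSource mine = sourceOf(CodeBaseCheck.class);
        if (mine != null) {
            System.out.println(covers(grant, mine) + "  " + mine.getLocation());
        }
    }
}
```

The first two sample locations print `true` and the last two print `false`: the trailing `/-` matches recursively, but only when the scheme and path prefix of the location agree with the grant.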