On Wed, 12 Jun 2002, Patrick Dowler wrote:
> Date: Wed, 12 Jun 2002 11:53:13 -0700
> From: Patrick Dowler <[EMAIL PROTECTED]>
> Reply-To: Struts Users Mailing List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: tomcat with security manager
>
>
> I'm developing a webapp with tomcat and struts and must use a
> security manager in tomcat (the -security startup arg). I have the following
> problem:
>
> Tomcat has and uses commons-logging.jar
> Struts has and uses commons-logging.jar
>
> The two jar files are identical. Normally, one is supposed to include
> strust jar files and a bunch of other stuff with the webapp (basically
> static linking, which seems tragic with a platform like java :-( so all the
> jars in $STRUTS_HOME/lib are copied to WEB_INF/lib.
>
> If I run with -security, TOMCAT finds the commons-logging.jar in WEB_INF/lib
> first, gets the webapp permissions (ie. NOT java.security.AllPermission :-)
> and fails. It looks like a
>
> java.lang.ExceptionInInitializerError:
> org.apache.commons.logging.LogConfigurationException:
> org.apache.commons.logging.LogConfigurationException:
> java.lang.NullPointerException
>
> but if I turn on java.security.debug I see it is really that it is a security access
> problem - which is expected: code in the webapp should not be able to
> open and write files in $CATALINA_HOME/logs.
>
> If I remove the commons-logging.jar from the webapp, then tomcat is
> happy (it uses $CATALINA_HOME/server/lib/commons-logging.jar, which
> has the right permissions) BUT then struts can't find the logging classes,
> which looks like:
>
> java.lang.NoClassDefFoundError: org/apache/commons/logging/LogFactory
> at
>org.apache.struts.util.MessageResourcesFactory.(MessageResourcesFactory.java:135)
> ...
>
> Granting java.security.AllPermission to webapps makes them work but is not
> an acceptable alternative because the webapp loads dynamic code that can't
> be trusted (either 'cause I wrote it and it's buggy or because someone else
> wrote it and it is buggy and/or malicious :-).
>
> Any ideas for a solution would be appreciated? Personally, it seems like
> tomcat is doing it wrong, but I thought I'd start here rather than cross-post
> right away.
>
I don't think Tomcat is doing this wrong -- security managers are paid to
be paranoid :-).
In Tomcat, permissions are based on where the code is loaded from -- if
it's loaded from your webapp (because commons-logging.jar is in
/WEB-INF/lib), then you need to grant the required permissions to that
webapp by modifying the $CATALINA_HOME/conf/catalina.policy file
appropriately. Otherwise, do what you did and remove commons-logging.jar
so that it gets loaded from $CATALINA_HOME/common/lib instead (which is
granted AllPermissions by default).
> cheers,
>
>
> --
> Patrick Dowler
> Canadian Astronomy Data Centre
> National Research Council
> Victoria, BC
>
> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
>
>
Craig
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
