I've actually moved away from using -security.

I now have a plug-in that uses Security.getProperty() to get the policy.url
definitions and then adds the catalina.policy and my app's policy file's via
Security.setProperty() and then a Policy.getPolicy().refresh();

This way I can add different policy files for each web app without putting
everything in one policy file.

If you start tomcat w/ -security then it seems to do a
System.setProperty("java.security.policy") which seems to cancel all the
policy.url definitions within the security file (though I may be wrong about
this).

I'm just finishing testing it now but so far so good.  I did have to add a
lot of permissions for class loaders, log writing, etc.

All of this for a URLPermissions based system that conforms to JAAS...
Geeze..

Thanks though!

--
Sloan

-----Original Message-----
From: Benjamin Armintor [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 27, 2004 11:06 AM
To: Tomcat Users List
Subject: RE: SecurityManager


Where did you add the -security?  Did you move the catalina.policy file?


System.getSecurityManager() returning null is generally taken to mean that
the JVM is not running under the manager at all: this is obvious, I know,
but it also indicates the converse.  So if you start a security manager up,
the system's behavior will change.  In fact, I never considered the trouble
one could cause calling setSecurityManager at runtime when there was no
manager in effect (as opposed to trying to override an existing policy, for
which there's a permission check).

The AccessControlException means that after you started the manager, some
bit of code tried to get its ContextClassLoader, and it did not have the
appropriate runtime permissions.  Are the policy file entries you indicated
all that is in your policy file?

Benjamin J. Armintor
Operations Systems Specialist
ITS-Systems: Mainframe Group
University of Texas - Austin
tele: (512) 232-6562
email: [EMAIL PROTECTED]
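
The two mechanisms discussed in this thread (appending per-application policy files through the policy.url.N security properties followed by Policy.refresh(), and checking whether the installed Policy actually grants RuntimePermission "getClassLoader" to a given class, the permission named in the AccessControlException) are illustrated below. This is an added example, not Sloan's plug-in or any Tomcat code; the file locations and class names in it are assumptions. Two points worth knowing when adapting it: catalina.sh's -security switch passes java.security.policy with the double-equals form (==), which makes the named file replace the policy.url.* files rather than supplement them, and under an active SecurityManager the calls to Security.setProperty and Policy.getPolicy themselves need java.security.SecurityPermission grants ("setProperty.policy.url.N" and "getPolicy") for the calling code source. The SecurityManager and the policy-file model have been deprecated for removal since Java 17 (JEP 411), so this approach only applies to JVMs that still support them.

```java
import java.io.File;
import java.net.URL;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.Security;

/**
 * Appends policy files to the JVM's policy.url list and refreshes the
 * installed Policy, then checks what the refreshed Policy grants.
 * Illustrative code only; not the poster's plug-in.
 */
public class PolicyUrlAppender {

    /** Returns the first unused policy.url.N index in the java.security properties. */
    static int nextPolicyUrlIndex() {
        int n = 1;
        while (Security.getProperty("policy.url." + n) != null) {
            n++;
        }
        return n;
    }

    /**
     * Registers each file as policy.url.N, starting at the first free index,
     * and refreshes the Policy so the new grants take effect. Returns the
     * highest index now in use. Under a SecurityManager the caller's code
     * source needs SecurityPermission "setProperty.policy.url.N" and "getPolicy".
     */
    static int appendPolicyFiles(File... policyFiles) throws Exception {
        int index = nextPolicyUrlIndex();
        for (File f : policyFiles) {
            URL url = f.toURI().toURL();
            Security.setProperty("policy.url." + index, url.toExternalForm());
            index++;
        }
        // The default PolicyFile provider re-reads every policy.url.* entry on refresh().
        Policy.getPolicy().refresh();
        return index - 1;
    }

    /**
     * Diagnostic for the AccessControlException in the thread: asks the Policy
     * directly whether the given permission is granted to the protection
     * domain of a class, without going through the SecurityManager.
     */
    static boolean policyGrants(Class<?> clazz, Permission perm) {
        ProtectionDomain pd = clazz.getProtectionDomain();
        return Policy.getPolicy().implies(pd, perm);
    }

    public static void main(String[] args) throws Exception {
        // Assumed locations: Tomcat's catalina.policy plus one per-application policy file.
        File catalinaPolicy = new File(System.getProperty("catalina.base", "."),
                                       "conf/catalina.policy");
        File appPolicy = new File("clinicalTrials.policy"); // assumed per-app policy file

        int last = appendPolicyFiles(catalinaPolicy, appPolicy);
        System.out.println("policy.url entries now end at index " + last);

        // The permission that failed in the thread's stack trace.
        boolean ok = policyGrants(PolicyUrlAppender.class,
                                  new RuntimePermission("getClassLoader"));
        System.out.println("getClassLoader granted to this class: " + ok);
    }
}
```

Run the diagnostic against the Catalina class that appears in the trace (org.apache.catalina.core.ApplicationFilterConfig) rather than against your own class if you want to confirm whether the container's code base is covered by the grants that ended up in effect; if it is not, the fix is a codeBase grant for Tomcat's own jars in one of the appended files, not a change to the application's JAAS entries.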
 


-----Original Message-----
From: Seaman, Sloan [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 26, 2004 1:28 PM
To: '[EMAIL PROTECTED]'
Subject: SecurityManager


I'm trying to get an application I have to use the SecurityManager object
from Tomcat.

I've added the -security to my startup so that it is enabled.

When I do a System.getSecurityManager() it returns a null object.

If I try and create my own SecurityManager and set it via
System.setSecurityManager, I get:

004-08-26 14:07:47 StandardContext[/clinicalTrials]Exception starting filter SessionFilter
java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
        at java.security.AccessController.checkPermission(AccessController.java:401)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
        at java.lang.Thread.getContextClassLoader(Thread.java:1182)
        at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:207)
        at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:308)
        at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:79)

The only info I have added to the catalina.policy file is:

grant {
    permission javax.security.auth.AuthPermission "createLoginContext";
    permission javax.security.auth.AuthPermission "doAs";
    permission javax.security.auth.AuthPermission "doAsPrivileged";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "getSubject";
};

grant principal com.ptilabs.commons.jaas.authentication.ldap.LDAPPrincipal "_app_Clinical_Trials" {
        permission com.ptilabs.commons.jaas.authorization.URLPermission "/clinicalTrials/app/*";
};

Can someone tell me what I am doing wrong?  

I have a command line version for testing that works fine.  It is when I try
and do things under Tomcat that everything blows up.

Thanks!

--
Sloan
