this had the expected effect: I used the return value later and got a null pointer exception. Perhaps the next thing to try is to ask builder in jdom.jar to do something simple instead of building from fs... and if that works....?
I'll let you know how that goes. If you have any other ideas, please let me know. I definitely appreciate it! > -----Original Message----- > From: Jean-Francois Arcand [mailto:jfarcand@;apache.org] > Sent: Thursday, October 17, 2002 4:08 PM > To: Tomcat Users List > Subject: Re: socket permission catalina.policy question > > > Well, then let go back and do something simple. First, set: > > grant codeBase "file:${catalina.home}/myApplication/WEB-INF/lib/jdom.jar" > { > permission java.net.SocketPermission "the.third.machine:8080", "accept, > connect, listen, resolve"; > permission java.security.AllPermission; > }; > > Then in your code, just try: > > try { > > doc = (org.jdom.Document)AccessController.doPrivileged > > (new PrivilegedExceptionAction() { > > public Object run() throws org.jdom.JDOMException { > > new java.io.StringReader(fs); > return null; > > } > > } > > ); > > > Let me know if you still have some exception. We need to find > which resource is causing the problem. I'm not convinved > regarding the doPrivilege block, but that doesn't make a difference. > > We're coming :-) > > -- jeanfrancois > > > > > Andrew Cheng wrote: > > >I corrected the extra "!"... however it still gives the same exception. > > > >Then I tried directly calling builder.build() outside the > AccessController. > >However it still gives the same exception, just from a different > line number > >which corresponds to the invocation of builder.build() > > > >Below is an excerpt of why I was using a privileged block. I hope I > >had the right idea.......................... > >"...whenever a resource access is attempted, all code traversed by the > >execution thread up to that point must have permission for that resource > >access, unless some code on the thread has been marked as > "privileged". That > >is, suppose access control checking occurs in a thread of > execution that has > >a chain of multiple callers. (Think of this as multiple method calls that > >potentially cross the protection domain boundaries.) When the > >AccessController checkPermission method is invoked by the most recent > >caller, the basic algorithm for deciding whether to allow or deny the > >requested access is as follows: > > > >If the code for any caller in the call chain does not have the requested > >permission, AccessControlException is thrown, unless the > following is true - > >a caller whose code is granted the said permission has been marked as > >"privileged" (see below) and all parties subsequently called by > this caller > >(directly or indirectly) all have the said permission. > > > >Marking code as "privileged" enables a piece of trusted code to > temporarily > >enable access to more resources than are available directly to > the code that > >called it. This is necessary in some situations. For example, an > application > >may not be allowed direct access to files that contain fonts, > but the system > >utility to display a document must obtain those fonts, on behalf of the > >user. In order to do this, the system utility becomes privileged while > >obtaining the fonts." > > > > > > > >>-----Original Message----- > >> > >>Have you try to directly invoke builder.build outside the > >>AccessController? Also, I think you have an extra ! at the end of the > >>jdom jar file: > >> > >>grant codeBase > >>"file:${catalina.home}/myApplication/WEB-INF/lib/jdom.jar!/-" > >>{ > >> permission java.net.SocketPermission "the.third.machine:8080", "accept, > >>connect, listen, resolve"; > >> permission java.security.AllPermission; > >>}; > >> > >> > >>should be > >> > >>grant codeBase "file:${catalina.home}/myApplication/WEB-INF/lib/jdom.jar" >>{ >> permission java.net.SocketPermission "the.third.machine:8080", "accept, >>connect, listen, resolve"; >> permission java.security.AllPermission; >>}; >> >>--Jeanfrancois >> >> > > >-- >To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@;jakarta.apache.org> >For additional commands, e-mail: <mailto:tomcat-user-help@;jakarta.apache.org> > > > > -- To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@;jakarta.apache.org> For additional commands, e-mail: <mailto:tomcat-user-help@;jakarta.apache.org>
