Did you ever try running tomcat with the property -Djava.security.debug=access,failure set? The debug output from that can usually help you track down the source of a security policy configuration problem.

Regards,

Glenn

Andrew Cheng wrote:
I am using tomcat version 4.0.

I have tried adding the extra "jar:" and "!/-" and restarting tomcat... however it still does not work. I tried removing that extra syntax and it does not work in that case either. (In fact, when I added the extra syntax to all of the jar files in catalina.policy, it complained about bootstrap.jar... so I tried three different cases.

[1] absolutely no extra syntax anywhere in the file
[2] extra syntax just for the jar files at the end of the file that have to do with my Web applications only
[3] extra syntax for every jar file

... and none of these cases works)

catalina.policy is definitely being used. /var/log/tomcat.log says it is using the security manager. There was a time when it was complaining that my JDBC driver did not have socket permission to connect to the database. However I gave all permission to the JDBC driver and to the code that calls it. That particular socket permission denial was resolved. However the original socket permission denial refuses to submit to this solution. Perhaps I will try listing the actual IP address instead of the machine's name....

***Could my directory structure be an issue?

In ${catalina.home} I have a directory/Web-application called myApplication:

${catalina.home}/myApplication

Inside this directory, I have several servlets... each in their own directory: myServlet1, myServlet2, etc...

${catalina.home}/myApplication/myServlet1

Inside each of these servlet directories, the classes directory is a symbolic link to ${catalina.home}/myApplication/WEB-INF/classes ...

${catalina.home}/myApplication/myServlet1/classes -> ${catalina.home}/myApplication/WEB-INF/classes

I am assuming that the following entry in my policy file correctly credits the same set of permissions to each of my servlets... is this a good or bad assumption?

grant codeBase "file:${catalina.home}/myApplication/WEB-INF/classes/-" {
    permission java.security.AllPermission;
};

My .policy file is at the very end of this message

-----Original Message-----
From: Erik Erskine [mailto:erik@;sundayta.com]

I'm having similar problems which I've tracked down to a bug in Tomcat 4.0 (http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7319). If you're using that this may help.

Basically if you have grant statements like these the jar files don't get included:

grant codeBase "file:/path/to/foo/-"
grant codeBase "file:/path/to/foo.jar"

You have to explicitly refer to a jar file like this:

grant codeBase "jar:file:/path/to/foo.jar!/-"

Unfortunately you get no error, it's just as if you did not specify the grant statement at all :(

The "file:/foo/-" version does pick up class files, so you could unpack each jar file into WEB-INF/classes when you build the WAR file.

Having read the bug report this seems to have been fixed in Tomcat 4.1 so I'm about to try that.

Erik

// ============================================================================
// catalina.corepolicy - Security Policy Permissions for Tomcat 4.0
//
// This file contains a default set of security policies to be enforced (by the
// JVM) when Catalina is executed with the "-security" option. In addition
// to the permissions granted here, the following additional permissions are
// granted to the codebase specific to each web application:
//
// * Read access to the document root directory
//
// $Id: catalina.policy,v 1.14.2.1 2001/10/06 18:51:03 remm Exp $
// ============================================================================


// ========== SYSTEM CODE PERMISSIONS =========================================


// These permissions apply to javac
grant codeBase "file:${java.home}/lib/-" {
    permission java.security.AllPermission;
};

// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/-" {
    permission java.security.AllPermission;
};

// These permissions apply to javac when ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/../lib/-" {
    permission java.security.AllPermission;
};

// These permissions apply to all shared system extensions when
// ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/lib/ext/-" {
    permission java.security.AllPermission;
};


// ========== CATALINA CODE PERMISSIONS =======================================


// These permissions apply to the server startup code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
    permission java.security.AllPermission;
};

// These permissions apply to the servlet API classes
// and those that are shared across all class loaders
// located in the "common" directory
grant codeBase "file:${catalina.home}/common/-" {
    permission java.security.AllPermission;
};

// These permissions apply to the container's core code, plus any additional
// libraries installed in the "server" directory
grant codeBase "file:${catalina.home}/server/-" {
    permission java.security.AllPermission;
};

// These permissions apply to shared web application libraries
// including the Jasper page compiler in the "lib" directory
grant codeBase "file:${catalina.home}/lib/-" {
    permission java.security.AllPermission;
};

// These permissions apply to shared web application classes
// located in the "classes" directory
grant codeBase "file:${catalina.home}/classes/-" {
    permission java.security.AllPermission;
};


// ========== WEB APPLICATION PERMISSIONS =====================================


// These permissions are granted by default to all web applications
// In addition, a web application will be given a read FilePermission
// and JndiPermission for all files and directories in its document root.
grant {
    permission java.security.AllPermission; // will remove and restore orig.
};

// You can assign additional permissions to particular web applications by...snip

// http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7319
// EXTRA SYNTAX tomcat 4.0 "jar:file......jar!/-"

grant codeBase "file:${catalina.home}/myApplication/WEB-INF/classes/-" {
    permission java.security.AllPermission;
};

grant codeBase "file:${catalina.home}/myApplication/WEB-INF/lib/pgjdbc2.jar" {
    permission java.security.AllPermission;
};

grant codeBase "file:${catalina.home}/myApplication/WEB-INF/lib/jdom.jar" {
    permission java.security.AllPermission;
};

grant codeBase "file:${catalina.home}/myApplication/WEB-INF/lib/cos.jar" {
    permission java.security.AllPermission;
};

grant codeBase "file:${catalina.home}/myApplication/WEB-INF/lib/crimson.jar" {
    permission java.security.AllPermission;
};

grant codeBase "file:${catalina.home}/myApplication/WEB-INF/lib/xalan.jar" {
    permission java.security.AllPermission;
};

grant codeBase "file:${catalina.home}/myApplication/WEB-INF/lib/jaxp.jar" {
    permission java.security.AllPermission;
};

--
To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@;jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-user-help@;jakarta.apache.org>
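Added example, not part of the original thread and not Tomcat code: the silent non-match Erik describes can be reproduced with java.security.CodeSource.implies(), which is the comparison the JVM policy uses to decide whether a grant's codeBase covers a class's location. The paths are constructed placeholders following the thread's /path/to/foo pattern, and it is an assumption (implied by the workaround in the thread) that the class loader reports classes inside a jar with a jar: URL as their location; a grant and a location with different URL protocols never match, and no error is raised.

```java
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;

public class CodeBaseMatch {

    // True when a policy grant with this codeBase would apply to code whose
    // CodeSource location is classLocation. Signers are left out (null), so
    // only the URL matching rules are exercised.
    static boolean applies(String grantCodeBase, String classLocation) throws Exception {
        CodeSource grant = new CodeSource(new URL(grantCodeBase), (Certificate[]) null);
        CodeSource actual = new CodeSource(new URL(classLocation), (Certificate[]) null);
        return grant.implies(actual);
    }

    public static void main(String[] args) throws Exception {
        // The three grant forms discussed in the thread (constructed paths).
        String[] grants = {
            "file:/path/to/foo/-",                          // recursive directory grant
            "file:/path/to/foo/WEB-INF/lib/foo.jar",        // jar named as a plain file
            "jar:file:/path/to/foo/WEB-INF/lib/foo.jar!/-"  // the "extra syntax" workaround
        };

        // Ways a class loader might report where a class came from (assumed).
        String[] locations = {
            "file:/path/to/foo/WEB-INF/classes/com/example/MyServlet.class",
            "file:/path/to/foo/WEB-INF/lib/foo.jar",
            "jar:file:/path/to/foo/WEB-INF/lib/foo.jar!/com/example/Driver.class"
        };

        // Print the full grant x location matrix so each combination can be
        // compared against the ProtectionDomain shown in the debug output.
        for (String grant : grants) {
            for (String location : locations) {
                System.out.printf("grant %-46s location %-70s applies=%b%n",
                        grant, location, applies(grant, location));
            }
        }
    }
}
```

To use it against a real denial, take the location from the failing ProtectionDomain printed by -Djava.security.debug=access,failure and substitute it into the locations array.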
