Another comment: grant codeBase will not accept "!"; check
${java.home}/docs/guide/security/permissions.html or the API javadoc. You have
to use:

- file:${path}/- for all classes and jars in this dir and subdirs;
- file:${path}/* for all classes and jars in this dir;
- file:${path}/my.jar for this jar

-----Original Message-----
From: Phillip Qin [mailto:[EMAIL PROTECTED] 
Sent: June 25, 2003 9:42 AM
To: 'Tomcat Users List'
Subject: RE: Tomcat 4.1.24 Security

If you grant resolve to the JDBC jar, then you don't need to specify the IP in
the URL; use host.domain:port

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: June 24, 2003 5:57 PM
To: [EMAIL PROTECTED]
Subject: Tomcat 4.1.24 Security


I am in the process of expanding a web site I am developing to attach to a
"test" server.  In the process of my expansion into further testing, I've
altered my data base access to point to a different server than my Tomcat
server.

Everything runs just fine until I attempt to access the "test" data base
server.  I get a security error message - as I expected.  Looking thru all
of the documentation I could find - I discovered that I needed to add a
grant statement to the catalina.policy file pointing to the codeBase for my
JDBC driver.

(as an aside, I am uncertain what I broke, but as soon as I get a security
access violation on my external DataBase jar, tomcat server stops accepting
commands on 127.0.0.1 to shutdown)

I opened catalina.policy and added my DataBase driver via this grant
statement:

grant codeBase "file:${catalina.home}/common/lib/mysql-connector-java-3.0.8-stable-bin.jar" {
  permission java.net.SocketPermission "127.0.0.1:3306", "accept, connect, listen, resolve";
};

I loaded Tomcat up with the -security command line option and reloaded my
servlet.  Problem is - now, instead of getting access to my data, I get a
message in the Tomcat screen saying that the dbcp code had tried 3 times to
load before it gave up.  Making matters worse, with -security active, I can
no longer access my data source on 127.0.0.1

Reading thru any message I could find on this subject, I noticed someone
mentioned having your codeBase say "jar:file:".  I also noticed someone
mentioning putting "!/-" at the end of the codeBase string.

I've tried both of these and get the same error from the dbcp code whenever
it tries to create a database connection.  I noticed that I should turn
debugging on with an option to CATALINA_OPTS - but the volume of output is
so overwhelming that I can't see SecurityManager determine if my data base
access is valid.

I gotta believe someone is using Tomcat 4.1.24 in a multi-tier environment.
This tells me I'm missing something...

Bob Bateman
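
The codeBase forms and the SocketPermission grant discussed in this thread can be checked directly with the JDK's CodeSource.implies and SocketPermission.implies. This is an added example, not code from any of the posters; /opt/tomcat standing in for ${catalina.home}, the extra jar names and the remote database address 192.0.2.10 are constructed assumptions.

```java
import java.net.SocketPermission;
import java.net.URI;
import java.security.CodeSource;
import java.security.cert.Certificate;

// Added example: evaluates policy-style grants with the JDK's own matching checks.
public class PolicyMatchDemo {

    // Wrap a codeBase URL as an unsigned CodeSource (a grant with no signedBy clause).
    static CodeSource source(String url) throws Exception {
        return new CodeSource(URI.create(url).toURL(), (Certificate[]) null);
    }

    // True when a grant written with grantCodeBase covers code loaded from loadedFrom.
    static boolean grantCovers(String grantCodeBase, String loadedFrom) throws Exception {
        return source(grantCodeBase).implies(source(loadedFrom));
    }

    public static void main(String[] args) throws Exception {
        String lib = "file:/opt/tomcat/common/lib";            // constructed path
        String driver = lib + "/mysql-connector-java-3.0.8-stable-bin.jar";

        // The three codeBase forms from the reply: recursive, one directory, one jar.
        String[] grants = { lib + "/-", lib + "/*", driver };
        // Locations code might be loaded from (the last two are constructed).
        String[] loaded = { driver, lib + "/other.jar", lib + "/sub/nested.jar" };

        for (String g : grants) {
            for (String l : loaded) {
                System.out.println(g + " covers " + l + " : " + grantCovers(g, l));
            }
        }

        // What the driver asks for when the database is on another host (constructed address).
        SocketPermission needed = new SocketPermission("192.0.2.10:3306", "connect");
        SocketPermission[] socketGrants = {
            // The grant from the original post: loopback only, with server-side actions.
            new SocketPermission("127.0.0.1:3306", "accept,connect,listen,resolve"),
            // A narrower grant naming the remote host and client-side actions only.
            new SocketPermission("192.0.2.10:3306", "connect,resolve"),
        };
        for (SocketPermission g : socketGrants) {
            System.out.println(g.getName() + " [" + g.getActions() + "] implies "
                    + needed.getName() + " connect : " + g.implies(needed));
        }
    }
}
```

Under a security manager every protection domain on the call stack must hold the permission, so a grant to the driver jar alone may not be enough when other code (such as the connection pool) is also on the stack.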
