For reasons that are difficult to predict or calculate, some other protection domain (i.e. codeBase) for somebody in the stack may be missing this permission. I've given up trying to figure these out after the obvious doesn't fix it.
Try adding: -Djava.security.debug=access,failure to your Tomcat startup arguments. Hopefully you can capture the output around the point of failure. There will be a lot of output. Look for "access denied". That will give you the missing permission. Not to far below that you can find the domain that failed, which will give you the codeBase missing the permission. It is not unusual to see something unexpected. Somewhere below that you can see the permissions that this domain does currently have. This is where you might find that a permission you tried to grant has a typo, so it doesn't serve its purpose. Give it a try and see if anything turns up. Cheers, Larry > -----Original Message----- > From: George Sexton [mailto:[EMAIL PROTECTED] > Sent: Friday, January 20, 2006 3:46 PM > To: 'Tomcat Users List' > Subject: ClassLoader/Security Manager Question > > I'm trying to get my app to run under the security manager > and I'm hitting some problems. > > I have class B, derived from class A, in Jar B in the > WEB-INF/lib directory > > Class A is in Jar A in the shared/lib directory. > > I created an entry in the catalina.policy file: > > grant codeBase "file:${catalina.base}/shared/-" { > permission java.lang.RuntimePermission > "accessClassInPackage.*"; > permission java.security.AllPermission; }; > > When a method defined in Class A uses reflection to get the > constructors for Class B, the following error message happens: > > 01/20/2006 13:24:36 java.security.AccessControlException: > access denied (java.lang.RuntimePermission > accessDeclaredMembers) at > java.security.AccessControlContext.checkPermission(AccessContr > olContext.java > :264) > at > java.security.AccessController.checkPermission(AccessControlle > r.java:427) > at java.lang.SecurityManager.checkPermission(SecurityManager.java:532) > at > java.lang.SecurityManager.checkMemberAccess(SecurityManager.java:1662) > at java.lang.Class.checkMemberAccess(Class.java:2125) > at java.lang.Class.getDeclaredConstructor(Class.java:1952) > > I've done some research and it seems like what I'm trying to > do should work if I specify accessClassInPackage. I've tried > explicitly setting the class A package in the > accessClassInPackage statement but I'm not making any headway. > > I would rather not put Jar A in WEB-INF/lib because I have > something like 100 contexts that all use that jar and I'm > already hitting issues with PermGenSpace. I also can't put > Jar B in shared/lib because of design (or lack thereof). > > Does anyone have any ideas (other than the obvious one of > putting Jar A in WEB-INF/lib)? > > George Sexton > MH Software, Inc. > http://www.mhsoftware.com/ > Voice: 303 438 9585 > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
