Chris,

One thing that has bitten me is that the entire stack/call chain is examined, not just permissions on a specific piece of code as you would expect. This comes into play when you're trying to make calls into trusted code from a JSP.

My experience has been that JSPs are not trusted. So, even if you grant some code permissions to a specific codebase, the JSP making the call is untrusted and things fail. I ran into this recently using the Apache LDAP library with a JSP. A bunch of reads would fail.

I see the Tomcat security manager howto makes a reference to "pre-compiled jsp" but it's pretty vague (to my simple mind anyhow). I think the intention was to have pre-compiled JSPs live in a trusted codebase path. There's probably a way that you can mark all JSPs as trusted (I'm thinking a grant to $CATALINA_BASE/work/Catalina), but that kind of defeats the point. If you mark standard JSPs as trusted, then anyone that can get a file in the context path can bypass your security model.

What I ended up doing on the last project was putting all of the code that made the calls into the Apache LDAP directory into a specific jar, and signing that jar with a certificate. Then I have a grant that trusts anything signed with that certificate.

The security manager can be maddening to work with. Just as a tip for my specific usage, I have a skeleton policy file and the Tomcat startup script merges my policy file into Tomcat's policy file. I just found there's another way of doing that, but it doesn't look any better since it requires modifying a file in $JDK/JRE_HOME.


On 3/22/2018 3:39 PM, Christopher Schultz wrote:

All,

I'm working on getting my application working under a SecurityManager.
It's actually been a little less painful than I thought it would be.

I'm using Solr for some index searching. I'm using SolrJ for the
library to communicate via HTTP to a localhost Solr server. When using
this grant:

grant {
   permission "java.util.PropertyPermission" "solr.httpclient.builder.factory", "read";
   permission "java.net.SocketPermission" "localhost:8983", "resolve,connect";
};

My application can contact Solr without any errors.

If I change the "grant" to include a codeBase to restrict those
connections to the Solr library, I get an AccessControlException:
access denied to the system property. Here is the modified grant:


grant codeBase "file:${catalina.base}${file.separator}webapps${file.separator}myapp${file.separator}WEB-INF${file.separator}lib${file.separator}solr-solrj-7.2.1.jar"
{
   permission "java.util.PropertyPermission" "solr.httpclient.builder.factory", "read";
   permission "java.net.SocketPermission" "localhost:8983", "resolve,connect";
};

I have verified that the file exists under the path specified above. I
tried both ${file.separator} and '/' as the file separator. I also
tried "jar:/path/to/jar!/-" as the codeBase. No luck.

These grants are added to the end of the stock catalina.policy file
that ships with Tomcat.

What am I missing, here?

-chris


--
George S.
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com
