That's strange since your policy file seems OK. Does the /my_jspfolder path have the proper privileges on your disk? Seems you have created this folder as the root, and are then running Tomcat as a user....

-- Jeanfrancois

Harish Kumar K.K. wrote:

Hi Jean

Thanks for responding.

Below is my catalina.policy file contents. The lines granting
java.security.AllPermission to file:${catalina.home}/bin/bootstrap.jar are
there as you said. Also at the end of the policy file I have added the
permission to allow write operations in the folder to which I want to save
uploaded files.

// ============================================================================
// catalina.corepolicy - Security Policy Permissions for Tomcat 4.0
//
// This file contains a default set of security policies to be enforced (by the
// JVM) when Catalina is executed with the "-security" option. In addition
// to the permissions granted here, the following additional permissions are
// granted to the codebase specific to each web application:
//
// * Read access to the document root directory
//
// $Id: catalina.policy,v 1.14.2.1 2001/10/06 18:51:03 remm Exp $
// ============================================================================


// ========== SYSTEM CODE PERMISSIONS =========================================


// These permissions apply to javac
grant codeBase "file:${java.home}/lib/-" {
permission java.security.AllPermission;
};

// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/-" {
permission java.security.AllPermission;
};

// These permissions apply to javac when ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/../lib/-" {
permission java.security.AllPermission;
};

// These permissions apply to all shared system extensions when
// ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/lib/ext/-" {
permission java.security.AllPermission;
};


// ========== CATALINA CODE PERMISSIONS =======================================


// These permissions apply to the server startup code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
permission java.security.AllPermission;
};

// These permissions apply to the servlet API classes
// and those that are shared across all class loaders
// located in the "common" directory
grant codeBase "file:${catalina.home}/common/-" {
permission java.security.AllPermission;
};

// These permissions apply to the container's core code, plus any additional
// libraries installed in the "server" directory
grant codeBase "file:${catalina.home}/server/-" {
permission java.security.AllPermission;
};

// These permissions apply to shared web application libraries
// including the Jasper page compiler in the "lib" directory
grant codeBase "file:${catalina.home}/lib/-" {
permission java.security.AllPermission;
};

// These permissions apply to shared web application classes
// located in the "classes" directory
grant codeBase "file:${catalina.home}/classes/-" {
permission java.security.AllPermission;
};

// ========== WEB APPLICATION PERMISSIONS =====================================


// These permissions are granted by default to all web applications
// In addition, a web application will be given a read FilePermission
// and JndiPermission for all files and directories in its document root.
grant {
// Required for JNDI lookup of named JDBC DataSource's and
// javamail named MimePart DataSource used to send mail
permission java.util.PropertyPermission "java.home", "read";
permission java.util.PropertyPermission "java.naming.*", "read";
permission java.util.PropertyPermission "javax.sql.*", "read";

// OS Specific properties to allow read access
permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.version", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";

// JVM properties to allow read access
permission java.util.PropertyPermission "java.version", "read";
permission java.util.PropertyPermission "java.vendor", "read";
permission java.util.PropertyPermission "java.vendor.url", "read";
permission java.util.PropertyPermission "java.class.version", "read";
permission java.util.PropertyPermission "java.specification.version", "read";
permission java.util.PropertyPermission "java.specification.vendor", "read";
permission java.util.PropertyPermission "java.specification.name", "read";

permission java.util.PropertyPermission "java.vm.specification.version", "read";
permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
permission java.util.PropertyPermission "java.vm.specification.name", "read";
permission java.util.PropertyPermission "java.vm.version", "read";
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";

// Required for getting BeanInfo
permission java.lang.RuntimePermission "accessClassInPackage.sun.beans.*";

// Allow read of JAXP compliant XML parser debug
permission java.util.PropertyPermission "jaxp.debug", "read";
};


// You can assign additional permissions to particular web applications by
// adding additional "grant" entries here, based on the code base for that
// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
//
// Different permissions can be granted to JSP pages, classes loaded from
// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
//
// For instance, assume that the standard "examples" application
// included a JDBC driver that needed to establish a network connection to the
// corresponding database and used the scrape taglib to get the weather from
// the NOAA web server. You might create a "grant" entries like this:
//
// The permissions granted to the context root directory apply to JSP pages.
// grant codeBase "file:${catalina.home}/webapps/examples/-" {
// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
//
// The permissions granted to the context WEB-INF/classes directory
// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/classes/-" {
// };
//
// The permission granted to your JDBC driver
// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// };
// The permission granted to the scrape taglib
// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };

grant codeBase "file:/my_jspfolderpath/-" {
permission java.io.FilePermission
"my_jspfolderpath/images/site","read,write";
};

************************** End of catalina.policy ******************************


----- Original Message -----
From: "Jeanfrancois Arcand" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Thursday, February 06, 2003 7:34 AM
Subject: Re: Tomcat with Security manager



Can you post your catalina.policy file? Your file should contain that
permission:

// These permissions apply to the server startup code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
permission java.security.AllPermission;
};

-- Jeanfrancois

Harish Kumar K.K. wrote:


Hello All

Hope somebody can help me!

I am using Tomcat 4.0.3 on a Red Hat Linux 7.1 system with Apache 1.3.27,
and it works fine if started without the security manager. Recently I had to
put up a file upload form on one of my web sites, and when I deployed the
jsp to accept the form data and save the uploaded file to disk...it came up
with the error "File cannot be saved". I am using jspSmartUpload class to
handle the multipart form data and to save the file to disk, which can be
downloaded from www.jspsmart.com

So I read the documentation and figured, the security manager might have
to be enabled with appropriate File IO permissions set for the directory to
which I was trying to save the file.

I proceeded to add the required "grant" directive in the catalina.policy
file, and when I started Tomcat with the security manager enabled....it
wouldn't start! I checked catalina.out and saw that Tomcat is not able to
read server.xml. Here is the stacktrace I found in catalina.out

Catalina.start: java.security.AccessControlException: access denied (java.io.FilePermission /var/tomcat4/conf/server.xml read)
java.security.AccessControlException: access denied (java.io.FilePermission /var/tomcat4/conf/server.xml read)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
at java.security.AccessController.checkPermission(AccessController.java:401)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
at java.lang.SecurityManager.checkRead(SecurityManager.java:887)
at java.io.File.isDirectory(File.java:698)
at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:65)
at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:148)
at java.net.URL.openStream(URL.java:955)
at org.apache.xerces.readers.DefaultReaderFactory.createReader(DefaultReaderFactory.java)
at org.apache.xerces.readers.DefaultEntityHandler.startReadingFromDocument(DefaultEntityHandler.java)
at org.apache.xerces.framework.XMLParser.parseSomeSetup(XMLParser.java)
at org.apache.xerces.framework.XMLParser.parse(XMLParser.java)
at org.xml.sax.helpers.XMLReaderAdapter.parse(XMLReaderAdapter.java:223)
at javax.xml.parsers.SAXParser.parse(SAXParser.java:314)
at javax.xml.parsers.SAXParser.parse(SAXParser.java:253)
at org.apache.catalina.util.xml.XmlMapper.readXml(XmlMapper.java:228)
at org.apache.catalina.startup.Catalina.start(Catalina.java:725)
at org.apache.catalina.startup.Catalina.execute(Catalina.java:681)
at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:243)

Then, I found from the security manager howto on the web site, that if no
security manager is enabled, it's just like giving all permissions...I am
guessing this means that in that case the operating system file permission
system only will be in effect. So I made the directory I wanted to save the
file into, world writable, just to make sure the OS is not preventing the
save operation. Then started Tomcat without the security manager...still the
same result!

Now I am totally confused! What am I doing wrong?
Can anybody help me? Please?

Thanks and Regards
Harish



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
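
The grant at the end of the posted catalina.policy names a directory in its FilePermission. As an added example (not part of the original thread), this Java class uses FilePermission.implies to compare what a bare directory path, a "/*" path and a "/-" path cover for a write request. The path /srv/webapp/images/site and the class name UploadGrantCheck are constructed placeholders, not values from the thread.

```java
import java.io.FilePermission;

// Added example: compares the coverage of three FilePermission path forms.
// DIR is a constructed placeholder standing in for the upload directory.
public class UploadGrantCheck {
    static final String DIR = "/srv/webapp/images/site";

    // True if a policy entry with grantedPath/grantedActions would permit
    // the requested action on target (same check the security manager makes).
    static boolean allows(String grantedPath, String grantedActions,
                          String target, String action) {
        FilePermission granted = new FilePermission(grantedPath, grantedActions);
        return granted.implies(new FilePermission(target, action));
    }

    public static void main(String[] args) {
        String[] grants = {
            DIR,          // the directory entry only
            DIR + "/*",   // files and directories directly inside it
            DIR + "/-"    // everything beneath it, recursively
        };
        String[] targets = {
            DIR,                           // the directory itself
            DIR + "/photo.jpg",            // an upload saved directly in it
            DIR + "/2003/02/photo.jpg",    // an upload in a nested subdirectory
            "/srv/webapp/WEB-INF/web.xml"  // a file outside the upload area
        };

        for (String grant : grants) {
            System.out.println("permission java.io.FilePermission \""
                    + grant + "\", \"read,write\";");
            for (String target : targets) {
                boolean ok = allows(grant, "read,write", target, "write");
                System.out.printf("  write %-30s %s%n",
                        target, ok ? "allowed" : "denied");
            }
        }

        // A read-only grant on the same tree never covers a write request.
        System.out.println("read-only grant, write to upload: "
                + (allows(DIR + "/-", "read", DIR + "/photo.jpg", "write")
                        ? "allowed" : "denied"));
    }
}
```

Running it with an absolute path for the real upload directory shows whether the policy entry covers the files the upload code writes while leaving the rest of the web application tree outside the grant.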



