2018-03-23 0:39 GMT+03:00 Christopher Schultz <ch...@christopherschultz.net>:
> All,
>
> I'm working on getting my application working under a SecurityManager.
> It's actually been a little less painful than I thought it would be.
>
> I'm using Solr for some index searching. I'm using SolrJ for the
> library to communicate via HTTP to a localhost Solr server. When using
> this grant:
>
> grant {
>   permission "java.util.PropertyPermission"
> "solr.httpclient.builder.factory", "read";
>   permission "java.net.SocketPermission", "localhost:8983",
> "resolve,connect";
> }
>
> My application can contact Solr without any errors.
>
> If I change the "grant" to include a codeBase to restrict those
> connections to the Solr library, I get a AccessControlException:
> access denied to the system property. Here is the modified grant:
>
>
> grant codeBase
> "file:${catalina.base}${file.separator}webapps${file.separator}myapp${file.separator}WEB-INF${file.separator}lib${file.separator}solr-solrj-7.2.1.jar"
> {
>   permission "java.util.PropertyPermission" "solr.httpclient.builder.factory", "read";
>   permission "java.net.SocketPermission" "localhost:8983", "resolve,connect";
> };
>
> I have verified that the file exists under the path specified above. I
> tried both ${file.separator} and '/' as the file separator. I also
> tried "jar:/path/to/jar!/-" as the codeBase. No luck.

1) The "grant" clause uses a URL, with '/'.

${file.separator} is used in file paths for a file system: in
java.io.FilePermission


> These grants are added to the end of the stock catalina.policy file
> that ships with Tomcat.
>
> What am I missing, here?

2) Tomcat version=? ;)

See "Troubleshooting" recipe here:

http://tomcat.apache.org/tomcat-8.5-doc/security-manager-howto.html#Troubleshooting

You need to know the actual permission that failed.

You need to know java.security.CodeSource.getLocation() for all
classes in stacktrace up to the failing point (starting from the
nearest AccessController.doPrivileged()).

All those CodeSources should have that permission. If you missed one,
you will fail.


Best regards,
Konstantin Kolinko
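The stack walk Konstantin describes, as an added example that is not part of the thread and not Tomcat's own code: a SecurityManager subclass that, whenever a permission check fails, prints the failed permission and the CodeSource location of every class on the calling stack, stopping at the nearest AccessController.doPrivileged() frame. Each printed location is one that must be granted the permission in the policy. The policy in main() is constructed for the demo (it denies only the "solr.httpclient.builder.factory" read from Christopher's grant and allows everything else) so the file runs stand-alone with `java DiagnosingSecurityManager` on Java 8 through 17; on 18 and later add -Djava.security.manager=allow. The class and method names are my own.

```java
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.util.ArrayList;
import java.util.List;
import java.util.PropertyPermission;

/**
 * Diagnostic SecurityManager (added example, not from the thread or from Tomcat).
 * On a failed check it lists the CodeSource of each class on the stack; every one
 * of those CodeSources needs the failed permission in the policy file.
 */
public class DiagnosingSecurityManager extends SecurityManager {

    // Guard against recursion: building the report itself triggers checks
    // (Class.getProtectionDomain needs RuntimePermission "getProtectionDomain").
    private final ThreadLocal<Boolean> reporting = ThreadLocal.withInitial(() -> Boolean.FALSE);

    @Override
    public void checkPermission(Permission perm) {
        if (reporting.get()) {
            return; // checks made while reporting are allowed, diagnostics only
        }
        try {
            super.checkPermission(perm);
        } catch (SecurityException denied) {
            reporting.set(Boolean.TRUE);
            try {
                for (String line : codeSourcesOnStack(perm)) {
                    System.err.println(line);
                }
            } finally {
                reporting.set(Boolean.FALSE);
            }
            throw denied;
        }
    }

    /** One line per stack frame: CodeSource location, then the class name. */
    List<String> codeSourcesOnStack(Permission perm) {
        List<String> lines = new ArrayList<>();
        lines.add("access denied: " + perm);
        // getClassContext() is protected, hence the subclass. Index 0 is the
        // innermost frame; we walk outward towards main().
        for (Class<?> c : getClassContext()) {
            if (c == DiagnosingSecurityManager.class) {
                continue; // skip our own frames
            }
            if (c == AccessController.class) {
                // Frames outside doPrivileged() are not part of the checked context.
                lines.add("  -- AccessController.doPrivileged boundary, outer frames not checked --");
                break;
            }
            ProtectionDomain pd = c.getProtectionDomain();
            CodeSource cs = pd == null ? null : pd.getCodeSource();
            String where = (cs == null || cs.getLocation() == null)
                    ? "(bootstrap, no CodeSource)"
                    : cs.getLocation().toString();
            lines.add("  " + where + "  <- " + c.getName());
        }
        return lines;
    }

    /** Returns "allowed" or "denied" for a property read under the installed manager. */
    static String tryRead(String key) {
        try {
            System.getProperty(key);
            return "allowed: " + key;
        } catch (SecurityException e) {
            return "denied: " + key;
        }
    }

    public static void main(String[] args) {
        // Constructed policy for the demo: deny only the property from the thread.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain pd, Permission p) {
                return !(p instanceof PropertyPermission
                        && "solr.httpclient.builder.factory".equals(p.getName()));
            }
        });
        System.setSecurityManager(new DiagnosingSecurityManager());

        System.out.println(tryRead("solr.httpclient.builder.factory")); // denied, report on stderr
        System.out.println(tryRead("java.version"));                    // allowed
    }
}
```

The denied read prints the application's own classpath location (file:/.../) as the only CodeSource on the stack; in the SolrJ case the same listing would show the webapp classes directory as well as solr-solrj-7.2.1.jar and any HttpClient jars between them, which is why a grant limited to the SolrJ jar alone fails while the global grant works. The same information is also available from the JDK's standard -Djava.security.debug=access,failure output.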
