Andreas Veithen wrote:
Greg,
My guess is that Axis2 doesn't have the right permissions to list the
content of the WEB-INF/modules directory. I had a quick look at the
Axis2 code and it seems to handle an I/O error in the same way as an
empty directory. On the other hand, the documentation of
FilePermission says that "A pathname that ends in "/*" [...] indicates
all the files and directories contained in that directory." This would
suggest that you only granted permissions to the files in the
WEB-INF/modules directory, but not the permission to read (list) the
directory itself. Probably you need to add the following permission as
well:
    permission java.io.FilePermission "${catalina.base}/webapps/player/WEB-INF/modules", "read";
No change, sorry :(
After playing with the permissions some more I get a new, different
error message regardless of that line being present or not.
My permissions now look like:
// ================= Axis2 Permissions ========================
//
grant {
    // For some mysterious reason these 2 are required outside the Axis-specific permissions
    // No idea what the codebase should be
    permission java.io.FilePermission "/var/lib/tomcat6/webapps/player/WEB-INF/*", "read";
    permission java.lang.RuntimePermission "getClassLoader";
};
grant codeBase "file:/var/lib/tomcat6/webapps/player/-" {
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.lang.RuntimePermission "checkPropertiesAccess";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.lang.RuntimePermission "defineClassInPackage.org.apache.jasper.runtime";
    permission java.lang.RuntimePermission "shutdownHooks";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.util.PropertyPermission "*", "read,write";
    permission java.net.SocketPermission "example.usask.ca", "resolve, connect";
    permission java.io.FilePermission "${catalina.base}/webapps/player/WEB-INF/modules/*", "read,write";
    permission java.io.FilePermission "${catalina.base}/webapps/player/WEB-INF/services/*", "read,write";
    permission java.io.FilePermission "${catalina.base}/webapps/player/WEB-INF/scriptServices/*", "read";
    permission java.io.FilePermission "${catalina.base}/webapps/player/WEB-INF/lib", "read";
    permission java.io.FilePermission "${catalina.base}/webapps/player/WEB-INF/lib/*", "read";
    //TODO: Figure out what parts of /tmp Axis uses and lock this down
    permission java.io.FilePermission "/tmp/*", "read,write";
    permission java.io.FilePermission "/usr/share/tomcat6/lib", "read";
    permission java.io.FilePermission "${catalina.home}/bin/bootstrap.jar", "read";
    permission java.io.FilePermission "${java.home}/lib/ext/*", "read";
    // Other directories that are in the classpath
    permission java.io.FilePermission "/usr/share/java/*", "read";
};
The log now complains:
SEVERE: Servlet /player threw load() exception
java.lang.ClassNotFoundException: org.apache.axis2.deployment.scheduler.Scheduler
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1387)
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1233)
    at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:336)
Again, code works fine without the security manager. I've specifically
allowed read permission to the appropriate directory, but it still
throws that error.
If that is confirmed, could you please open a JIRA report about the
fact that Axis2 doesn't warn the user about an unreadable modules (and
services) directory?
Do I still file the report? I can't reproduce the error anymore :/
G
Andreas
On Tue, Aug 11, 2009 at 21:19, Greg Logan<[email protected]> wrote:
Hi List,
I'm trying to get my Axis2 application to run on a Tomcat 6.0.18 install
running on an Ubuntu server. This server runs with the Java 2 Security
framework in Tomcat turned ON, so solutions involving turning it off won't
work for this case :P
Unfortunately I keep running into permissions issues, and there does not
appear to be any definitive (or working!) documentation as to precisely what
permissions Axis2 needs. I've tried a number of different permissions
approaches, but I just can't seem to get the application going.
For example, adding the following to the permissions:
// ================= Axis2 Permissions ========================
//
grant {
    // For some mysterious reason these 2 are required outside the Axis-specific permissions
    // No idea what the codebase should be
    permission java.io.FilePermission "${catalina.base}/webapps/player/WEB-INF/-", "read";
    permission java.lang.RuntimePermission "getClassLoader";
};
grant codeBase "file:/var/lib/tomcat6/webapps/player/-" {
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.lang.RuntimePermission "checkPropertiesAccess";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.lang.RuntimePermission "defineClassInPackage.org.apache.jasper.runtime";
    permission java.lang.RuntimePermission "shutdownHooks";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.util.PropertyPermission "*", "read,write";
    permission java.net.SocketPermission "ex.com", "resolve, connect";
    permission java.io.FilePermission "${catalina.base}/webapps/player/WEB-INF/modules/*", "read,write";
    permission java.io.FilePermission "${catalina.base}/webapps/player/WEB-INF/services/*", "read,write";
    permission java.io.FilePermission "${catalina.home}/common/classes", "read";
    permission java.io.FilePermission "${catalina.home}/shared/classes", "read";
    permission java.io.FilePermission "${catalina.base}/common/classes", "read";
    permission java.io.FilePermission "${catalina.base}/shared/classes", "read";
    permission java.io.FilePermission "${catalina.home}/common/i18n/*", "read";
    permission java.io.FilePermission "${catalina.home}/common/lib/*", "read";
    permission java.io.FilePermission "${catalina.home}/bin/bootstrap.jar", "read";
    permission java.io.FilePermission "${catalina.base}/webapps/player/WEB-INF/scriptServices/*", "read";
    permission java.io.FilePermission "${java.home}/lib/ext/*", "read";
    // Other directories that are in the classpath
    permission java.io.FilePermission "/usr/share/java/*", "read";
};
gets me this result (note that this *exact* deployed war works fine when
security is off, so the module *is* there):
org.apache.axis2.AxisFault: The system is attempting to engage a module that is not available: addressing
    at org.apache.axis2.engine.AxisConfiguration.engageModule(AxisConfiguration.java:506)
    at org.apache.axis2.engine.AxisConfiguration.engageGlobalModules(AxisConfiguration.java:633)
The app does work when security is turned off, and also works when granted
java.security.AllPermissions, but that's really not ideal. Does anyone have
a working set of permissions for Axis2?
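
Added example, not part of the original thread and not Axis2 or Tomcat code: the three FilePermission path forms used in the policies above ("dir", "dir/*", "dir/-") compared with the real java.io.FilePermission.implies() call, so the scope of each grant can be checked before editing catalina.policy. The WEB-INF path mirrors the thread; the file names addressing.mar and axis2-kernel.jar are hypothetical, and nothing is read from disk.

```java
import java.io.FilePermission;

public class FilePermissionScope {
    // Path layout taken from the thread; used only as a string, never opened.
    static final String WEB_INF = "/var/lib/tomcat6/webapps/player/WEB-INF";

    // True when a "read" grant on `granted` covers a "read" request on `requested`.
    static boolean covers(String granted, String requested) {
        return new FilePermission(granted, "read")
                .implies(new FilePermission(requested, "read"));
    }

    public static void main(String[] args) {
        String[] grants = {
            WEB_INF + "/modules/*",   // direct children of modules/ only
            WEB_INF + "/modules",     // the directory entry itself
            WEB_INF + "/*",           // direct children of WEB-INF/ only
            WEB_INF + "/-",           // everything below WEB-INF/, recursively
        };
        String[] requests = {
            WEB_INF,                              // the WEB-INF directory entry
            WEB_INF + "/modules",                 // what a directory listing checks
            WEB_INF + "/modules/addressing.mar",  // hypothetical module archive
            WEB_INF + "/lib/axis2-kernel.jar",    // hypothetical library jar
        };

        // Print a coverage matrix: one block per grant, one row per request.
        for (String grant : grants) {
            System.out.println("grant read on " + grant);
            for (String request : requests) {
                String verdict = covers(grant, request) ? "ALLOW" : "DENY";
                System.out.printf("    %-5s  %s%n", verdict, request);
            }
        }
    }
}
```

File.list() asks the security manager for read access on the directory path itself, which is a separate target from the "/*" and "/-" forms that name only what the directory contains.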