Greg,

I don't know if you got it working in the meantime, but here are some
things that might help:

1) There is a system property "java.security.debug" that allows you to
turn on debugging (logging) for Java 2 security.

2) I succeeded in starting the standalone server with security
enabled. Here is the policy:

grant codeBase "file:${axis2.home}/lib/-" {
    permission java.io.FilePermission "${axis2.home}", "read,write";
    permission java.io.FilePermission "${axis2.home}/-", "read,write";
    permission java.io.FilePermission "${java.io.tmpdir}", "read";
    permission java.io.FilePermission "${java.io.tmpdir}/-", "read,write,delete";
    permission java.io.FilePermission "${java.home}/lib/wsdl.properties", "read";
    permission java.net.SocketPermission "*", "resolve,connect,listen,accept";
    permission java.lang.RuntimePermission "*";
    permission java.util.PropertyPermission "*", "read";
};

It is less restrictive on RuntimePermission (which is OK for the
standalone server). Note the very particular permissions on the temp
directory. Axis2 does some very nasty things there, but this seems to
be a recent change.

3) To get this working, I also had to fix an issue in the code. See [1].

Andreas

[1] http://svn.apache.org/viewvc?view=rev&revision=804411

On Wed, Aug 12, 2009 at 01:02, Greg Logan<[email protected]> wrote:
> Andreas Veithen wrote:
>>
>> Greg,
>>
>> My guess is that Axis2 doesn't have the right permissions to list the
>> content of the WEB-INF/modules directory. I had a quick look at the
>> Axis2 code and it seems to handle an I/O error in the same way as an
>> empty directory. On the other hand, the documentation of
>> FilePermission says that "A pathname that ends in "/*" [...] indicates
>> all the files and directories contained in that directory." That would
>> suggest that you only granted permissions to the files in the
>> WEB-INF/modules directory, but not the permission to read (list) the
>> directory itself. Probably you need to add the following permission as
>> well:
>>
>> permission java.io.FilePermission
>> "${catalina.base}/webapps/player/WEB-INF/modules", "read";
>
> No change, sorry :(
> After playing with the permissions some more I get a new, different
> error message regardless of that line being present or not.
>
> My permissions now look like:
>
> // ================= Axis2 Permissions ========================
> //
> grant {
>  // For some mysterious reason these 2 are required outside the
> Axis-specific permissions
>  // No idea what the codebase should be
>  permission java.io.FilePermission "/var/lib/tomcat6/webapps/player/WEB-INF/*", "read";
>  permission java.lang.RuntimePermission "getClassLoader";
> };
>
> grant codeBase "file:/var/lib/tomcat6/webapps/player/-" {
>  permission java.lang.RuntimePermission "createClassLoader";
>  permission java.lang.RuntimePermission "setContextClassLoader";
>  permission java.lang.RuntimePermission "checkPropertiesAccess";
>  permission java.lang.RuntimePermission "getClassLoader";
>  permission java.lang.RuntimePermission "getProtectionDomain";
>  permission java.lang.RuntimePermission "defineClassInPackage.org.apache.jasper.runtime";
>  permission java.lang.RuntimePermission "shutdownHooks";
>  permission java.lang.RuntimePermission "accessDeclaredMembers";
>  permission java.util.PropertyPermission "*", "read,write";
>  permission java.net.SocketPermission "example.usask.ca", "resolve, connect";
>  permission java.io.FilePermission "${catalina.base}/webapps/player/WEB-INF/modules/*", "read,write";
>  permission java.io.FilePermission "${catalina.base}/webapps/player/WEB-INF/services/*", "read,write";
>  permission java.io.FilePermission "${catalina.base}/webapps/player/WEB-INF/scriptServices/*", "read";
>  permission java.io.FilePermission "${catalina.base}/webapps/player/WEB-INF/lib", "read";
>  permission java.io.FilePermission "${catalina.base}/webapps/player/WEB-INF/lib/*", "read";
>  //TODO:  Figure out what parts of /tmp Axis uses and lock this down
>  permission java.io.FilePermission "/tmp/*", "read,write";
>  permission java.io.FilePermission "/usr/share/tomcat6/lib", "read";
>  permission java.io.FilePermission "${catalina.home}/bin/bootstrap.jar", "read";
>  permission java.io.FilePermission "${java.home}/lib/ext/*", "read";
>  // Other directories that are in the classpath
>  permission java.io.FilePermission "/usr/share/java/*", "read";
> };
>
> The log now complains:
>
> SEVERE: Servlet /player threw load() exception
> java.lang.ClassNotFoundException: org.apache.axis2.deployment.scheduler.Scheduler
>        at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1387)
>        at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1233)
>        at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:336)
>
> Again, code works fine without the security manager.  I've specifically
> allowed read permission to the appropriate directory, but it still
> throws that error.
>
>> If that is confirmed, could you please open a JIRA report about the
>> fact that Axis2 doesn't warn the user about an unreadable modules (and
>> services) directory?
>
> Do I still file the report?  I can't reproduce the error anymore :/
>
> G
>
>> Andreas
>>
>> On Tue, Aug 11, 2009 at 21:19, Greg Logan<[email protected]> wrote:
>>>
>>> Hi List,
>>>
>>> I'm trying to get my Axis2 application to run on a Tomcat 6.0.18 install
>>> running on an Ubuntu server.  This server runs with the Java 2 Security
>>> framework in Tomcat turned ON, so solutions involving turning it off
>>> won't
>>> work for this case :P
>>>
>>> Unfortunately I keep running into permissions issues, and there does not
>>> appear to be any definitive (or working!) documentation as to precisely
>>> what
>>> permissions Axis2 needs.  I've tried a number of different permissions
>>> approaches, but I just can't seem to get the application going.
>>>
>>> For example, adding the following to the permissions:
>>>
>>> // ================= Axis2 Permissions ========================
>>> //
>>> grant {
>>>  // For some mysterious reason these 2 are required outside the
>>> Axis-specific permissions
>>>  // No idea what the codebase should be
>>>  permission java.io.FilePermission "${catalina.base}/webapps/player/WEB-INF/-", "read";
>>>  permission java.lang.RuntimePermission "getClassLoader";
>>> };
>>>
>>> grant codeBase "file:/var/lib/tomcat6/webapps/player/-" {
>>>  permission java.lang.RuntimePermission "createClassLoader";
>>>  permission java.lang.RuntimePermission "setContextClassLoader";
>>>  permission java.lang.RuntimePermission "checkPropertiesAccess";
>>>  permission java.lang.RuntimePermission "getClassLoader";
>>>  permission java.lang.RuntimePermission "getProtectionDomain";
>>>  permission java.lang.RuntimePermission "defineClassInPackage.org.apache.jasper.runtime";
>>>  permission java.lang.RuntimePermission "shutdownHooks";
>>>  permission java.lang.RuntimePermission "accessDeclaredMembers";
>>>  permission java.util.PropertyPermission "*", "read,write";
>>>  permission java.net.SocketPermission "ex.com", "resolve, connect";
>>>  permission java.io.FilePermission "${catalina.base}/webapps/player/WEB-INF/modules/*", "read,write";
>>>  permission java.io.FilePermission "${catalina.base}/webapps/player/WEB-INF/services/*", "read,write";
>>>  permission java.io.FilePermission "${catalina.home}/common/classes", "read";
>>>  permission java.io.FilePermission "${catalina.home}/shared/classes", "read";
>>>  permission java.io.FilePermission "${catalina.base}/common/classes", "read";
>>>  permission java.io.FilePermission "${catalina.base}/shared/classes", "read";
>>>  permission java.io.FilePermission "${catalina.home}/common/i18n/*", "read";
>>>  permission java.io.FilePermission "${catalina.home}/common/lib/*", "read";
>>>  permission java.io.FilePermission "${catalina.home}/bin/bootstrap.jar", "read";
>>>  permission java.io.FilePermission "${catalina.base}/webapps/player/WEB-INF/scriptServices/*", "read";
>>>  permission java.io.FilePermission "${java.home}/lib/ext/*", "read";
>>>  // Other directories that are in the classpath
>>>  permission java.io.FilePermission "/usr/share/java/*", "read";
>>> };
>>>
>>> gets me this result (note that this *exact* deployed war works fine when
>>> security is off, so the module *is* there):
>>>
>>> org.apache.axis2.AxisFault: The system is attempting to engage a module that is not available: addressing
>>>       at org.apache.axis2.engine.AxisConfiguration.engageModule(AxisConfiguration.java:506)
>>>       at org.apache.axis2.engine.AxisConfiguration.engageGlobalModules(AxisConfiguration.java:633)
>>>
>>>
>>> The app does work when security is turned off, and also works when
>>> granted
>>> java.security.AllPermissions, but that's really not ideal.  Does anyone
>>> have
>>> a working set of permissions for Axis2?
>>>
>
>
>
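A worked check of the "/*" versus "/-" versus bare-directory distinction Andreas explains above, which is also why his standalone policy grants both "${axis2.home}" and "${axis2.home}/-". This is an added example, not code from the thread or from Axis2: it calls FilePermission.implies() directly, which is the same comparison the policy-driven access check performs, so it runs without a SecurityManager. The WEB-INF path is the one from Greg's quoted policy, used here only as a constructed sample; the class name, the covers() helper and the requested file names are my own.

```java
import java.io.FilePermission;
import java.security.Permission;

/**
 * Added illustration (not from the thread or from Axis2): evaluates
 * FilePermission.implies() directly. The policy-driven access check ends
 * up asking exactly this question, so the program needs no SecurityManager
 * and shows which grants cover which requests.
 */
public class FilePermissionScope {

    // Constructed sample path, taken from the policy quoted in the thread.
    static final String WEB_INF = "/var/lib/tomcat6/webapps/player/WEB-INF";

    /** True if a grant of grantedActions on grantedPath covers the request. */
    static boolean covers(String grantedPath, String grantedActions,
                          String requestedPath, String requestedActions) {
        Permission granted = new FilePermission(grantedPath, grantedActions);
        Permission requested = new FilePermission(requestedPath, requestedActions);
        return granted.implies(requested);
    }

    public static void main(String[] args) {
        String modules = WEB_INF + "/modules";

        // Each row: granted target, requested target. The comments restate
        // what the FilePermission javadoc says "/*" and "/-" mean.
        String[][] cases = {
            // "/*": files and directories directly inside the directory.
            { modules + "/*", modules + "/addressing.mar" },
            // "/*" does not name the directory itself, so listing it needs its own grant.
            { modules + "/*", modules },
            // "/*" is not recursive; entries in subdirectories lie outside it.
            { modules + "/*", modules + "/sub/x.mar" },
            // "/-": everything below the directory, recursively.
            { modules + "/-", modules + "/sub/x.mar" },
            // "/-" still excludes the directory itself (hence the separate "${axis2.home}" grant).
            { modules + "/-", modules },
            // A bare path covers exactly that path, which is what a directory listing needs.
            { modules, modules },
            // A grant never spills into a sibling directory.
            { modules + "/-", WEB_INF + "/services/x.aar" },
        };
        for (String[] c : cases) {
            System.out.printf("grant %-58s covers %-58s : %b%n",
                    c[0], c[1], covers(c[0], "read", c[1], "read"));
        }

        // The action list is checked as well: a read-only grant does not cover a write.
        System.out.printf("read-only grant covers write request : %b%n",
                covers(modules + "/-", "read", modules + "/new.mar", "write"));
    }
}
```

Compile with javac and run the class; each line reports whether the granted entry covers the requested path. To see the same decisions made by the real access controller while Axis2 deploys, Andreas' first point applies: start Tomcat or the standalone server with -Djava.security.debug=access,failure, which logs only the denied checks together with the permission that was requested and the protection domain that lacked it, so the missing grant can be read straight from the log instead of guessed at.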
