Hi Andreas,
Sorry I took so long getting back to you, I got reassigned to a
different project temporarily...
1) There is a system property "java.security.debug" that allows you to
turn on debugging (logging) for Java 2 security.
Oh wow, did not know that was there. Log file in a bit.
2) I succeeded in starting the standalone server with security
enabled. Here is the policy:
I'm not running in a standalone server, but it should be more or less
the same, no?
I tried your policy (after modifying it to work with my paths), and
while it seems to somewhat work I'm still getting the following error in
the log:
java.security.AccessControlException: access denied (java.lang.RuntimePermission setContextClassLoader)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:342)
    at java.security.AccessController.checkPermission(AccessController.java:553)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.Thread.setContextClassLoader(Thread.java:1368)
    at org.apache.axis2.jaxws.framework.JAXWSDeployer.deployServicesInWARClassPath(JAXWSDeployer.java:113)
    at org.apache.axis2.jaxws.framework.JAXWSDeployer.init(JAXWSDeployer.java:80)
    at org.apache.axis2.deployment.DeploymentEngine.initializeDeployers(DeploymentEngine.java:1130)
    at org.apache.axis2.deployment.DeploymentEngine.setConfigContext(DeploymentEngine.java:1122)
    at org.apache.axis2.deployment.WarBasedAxisConfigurator.setConfigContext(WarBasedAxisConfigurator.java:350)
    at org.apache.axis2.context.ConfigurationContextFactory.createConfigurationContext(ConfigurationContextFactory.java:89)
    at org.apache.axis2.transport.http.AxisServlet.initConfigContext(AxisServlet.java:568)
    at org.apache.axis2.transport.http.AxisServlet.init(AxisServlet.java:455)
    at org.apache.axis2.webapp.AxisAdminServlet.init(AxisAdminServlet.java:56)
3) To get this working, I also had to fix an issue in the code. See [1].
Compiled the SVN version yesterday and still the same problem.
Interestingly, I'm also getting other errors in the machine's syslog
(which is catching some of the output from Tomcat, thanks Ubuntu!).
Most of these are access denied trying to read timezone and logging
information. I don't know if this is causing the other error, but I
wouldn't be surprised if it's related.
The log file is still pretty large even after I removed all the
successful permission messages so I've put it up at
http://pastebin.com/m45de00c8
Andreas
[1] http://svn.apache.org/viewvc?view=rev&revision=804411
On Wed, Aug 12, 2009 at 01:02, Greg Logan <[email protected]> wrote:
Andreas Veithen wrote:
Greg,
My guess is that Axis2 doesn't have the right permissions to list the
content of the WEB-INF/modules directory. I had a quick look at the
Axis2 code and it seems to handle an I/O error in the same way as an
empty directory. On the other hand, the documentation of
FilePermission says that "A pathname that ends in "/*" [...] indicates
all the files and directories contained in that directory." That would
suggest that you only granted permissions to the files in the
WEB-INF/modules directory, but not the permission to read (list) the
directory itself. Probably you need to add the following permission as
well:
permission java.io.FilePermission "${catalina.base}/webapps/player/WEB-INF/modules", "read";
No change, sorry :(
After playing with the permissions some more I get a new, different
error message regardless of that line being present or not.
My permissions now look like:
// ================= Axis2 Permissions ========================
//
grant {
    // For some mysterious reason these 2 are required outside the Axis-specific permissions
    // No idea what the codebase should be
    permission java.io.FilePermission "/var/lib/tomcat6/webapps/player/WEB-INF/*", "read";
    permission java.lang.RuntimePermission "getClassLoader";
};

grant codeBase "file:/var/lib/tomcat6/webapps/player/-" {
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.lang.RuntimePermission "checkPropertiesAccess";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.lang.RuntimePermission "defineClassInPackage.org.apache.jasper.runtime";
    permission java.lang.RuntimePermission "shutdownHooks";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.util.PropertyPermission "*", "read,write";
    permission java.net.SocketPermission "example.usask.ca", "resolve, connect";
    permission java.io.FilePermission "${catalina.base}/webapps/player/WEB-INF/modules/*", "read,write";
    permission java.io.FilePermission "${catalina.base}/webapps/player/WEB-INF/services/*", "read,write";
    permission java.io.FilePermission "${catalina.base}/webapps/player/WEB-INF/scriptServices/*", "read";
    permission java.io.FilePermission "${catalina.base}/webapps/player/WEB-INF/lib", "read";
    permission java.io.FilePermission "${catalina.base}/webapps/player/WEB-INF/lib/*", "read";
    // TODO: Figure out what parts of /tmp Axis uses and lock this down
    permission java.io.FilePermission "/tmp/*", "read,write";
    permission java.io.FilePermission "/usr/share/tomcat6/lib", "read";
    permission java.io.FilePermission "${catalina.home}/bin/bootstrap.jar", "read";
    permission java.io.FilePermission "${java.home}/lib/ext/*", "read";
    // Other directories that are in the classpath
    permission java.io.FilePermission "/usr/share/java/*", "read";
};
The log now complains:
SEVERE: Servlet /player threw load() exception
java.lang.ClassNotFoundException: org.apache.axis2.deployment.scheduler.Scheduler
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1387)
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1233)
    at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:336)
Again, code works fine without the security manager. I've specifically
allowed read permission to the appropriate directory, but it still
throws that error.
If that is confirmed, could you please open a JIRA report about the
fact that Axis2 doesn't warn the user about an unreadable modules (and
services) directory?
Do I still file the report? I can't reproduce the error anymore :/
G
Andreas
On Tue, Aug 11, 2009 at 21:19, Greg Logan <[email protected]> wrote:
Hi List,
I'm trying to get my Axis2 application to run on a Tomcat 6.0.18 install
running on an Ubuntu server. This server runs with the Java 2 Security
framework in Tomcat turned ON, so solutions involving turning it off won't
work for this case :P
Unfortunately I keep running into permissions issues, and there does not
appear to be any definitive (or working!) documentation as to precisely what
permissions Axis2 needs. I've tried a number of different permissions
approaches, but I just can't seem to get the application going.
For example, adding the following to the permissions:
// ================= Axis2 Permissions ========================
//
grant {
    // For some mysterious reason these 2 are required outside the Axis-specific permissions
    // No idea what the codebase should be
    permission java.io.FilePermission "${catalina.base}/webapps/player/WEB-INF/-", "read";
    permission java.lang.RuntimePermission "getClassLoader";
};

grant codeBase "file:/var/lib/tomcat6/webapps/player/-" {
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.lang.RuntimePermission "checkPropertiesAccess";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.lang.RuntimePermission "defineClassInPackage.org.apache.jasper.runtime";
    permission java.lang.RuntimePermission "shutdownHooks";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.util.PropertyPermission "*", "read,write";
    permission java.net.SocketPermission "ex.com", "resolve, connect";
    permission java.io.FilePermission "${catalina.base}/webapps/player/WEB-INF/modules/*", "read,write";
    permission java.io.FilePermission "${catalina.base}/webapps/player/WEB-INF/services/*", "read,write";
    permission java.io.FilePermission "${catalina.home}/common/classes", "read";
    permission java.io.FilePermission "${catalina.home}/shared/classes", "read";
    permission java.io.FilePermission "${catalina.base}/common/classes", "read";
    permission java.io.FilePermission "${catalina.base}/shared/classes", "read";
    permission java.io.FilePermission "${catalina.home}/common/i18n/*", "read";
    permission java.io.FilePermission "${catalina.home}/common/lib/*", "read";
    permission java.io.FilePermission "${catalina.home}/bin/bootstrap.jar", "read";
    permission java.io.FilePermission "${catalina.base}/webapps/player/WEB-INF/scriptServices/*", "read";
    permission java.io.FilePermission "${java.home}/lib/ext/*", "read";
    // Other directories that are in the classpath
    permission java.io.FilePermission "/usr/share/java/*", "read";
};
gets me this result (note that this *exact* deployed war works fine when
security is off, so the module *is* there):
org.apache.axis2.AxisFault: The system is attempting to engage a module that is not available: addressing
    at org.apache.axis2.engine.AxisConfiguration.engageModule(AxisConfiguration.java:506)
    at org.apache.axis2.engine.AxisConfiguration.engageGlobalModules(AxisConfiguration.java:633)
The app does work when security is turned off, and also works when granted
java.security.AllPermission, but that's really not ideal. Does anyone have
a working set of permissions for Axis2?
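Added example, not part of the thread or of Axis2: a stand-alone Java program that uses java.io.FilePermission.implies to check Andreas's point about "/*" against the WEB-INF/modules directory. It assumes the Linux-style webapp path /var/lib/tomcat6/webapps/player from the thread and constructed file names; it shows that neither "modules/*" nor the recursive "modules/-" implies a read of the modules directory itself, which is the check File.list() makes through the SecurityManager, so the directory needs its own entry.

```java
import java.io.FilePermission;
import java.security.Permissions;

/**
 * Constructed example modelling the WEB-INF/modules question from the thread.
 * File.list() calls SecurityManager.checkRead(dirPath), i.e. it needs
 * FilePermission(dirPath, "read") on the directory path itself, not on the
 * entries inside it. Run with: java FilePermissionCheck.java (JDK 11+).
 */
public class FilePermissionCheck {
    // Hypothetical webapp path, standing in for ${catalina.base}/webapps/player
    static final String MODULES = "/var/lib/tomcat6/webapps/player/WEB-INF/modules";

    /** Builds a read-only grant set from policy-style path specs. */
    static Permissions grantRead(String... specs) {
        Permissions granted = new Permissions();
        for (String spec : specs) {
            granted.add(new FilePermission(spec, "read"));
        }
        return granted;
    }

    /** True if the grant set lets code read (or, for a directory, list) the path. */
    static boolean canRead(Permissions granted, String path) {
        return granted.implies(new FilePermission(path, "read"));
    }

    static void report(String label, Permissions granted) {
        String[] paths = {
            MODULES,                          // the directory: what File.list() checks
            MODULES + "/addressing-1.5.mar",  // a file directly inside it (constructed name)
            MODULES + "/sub/module.xml"       // a file one level deeper (constructed name)
        };
        StringBuilder line = new StringBuilder(label);
        for (String p : paths) {
            line.append(canRead(granted, p) ? "  allow" : "  DENY ");
        }
        System.out.println(line + "   [dir, file, nested]");
    }

    public static void main(String[] args) {
        // The original entry: only the entries inside the directory
        report("modules/*          ", grantRead(MODULES + "/*"));
        // Andreas's suggestion: the directory itself as a separate entry
        report("modules/* + modules", grantRead(MODULES + "/*", MODULES));
        // Recursive wildcard: everything below, but still not the directory itself
        report("modules/-          ", grantRead(MODULES + "/-"));
    }
}
```

At runtime the standard JDK option -Djava.security.debug=access,failure logs each denied check together with the ProtectionDomain (and so the codeBase) that failed it, which answers the "no idea what the codebase should be" question without trial and error.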