I'm really not sure if it's a bug or not. Here's exactly what's
happening. I have an error handler
com.mhsoftware.cdaily.servlet.ErrorServlet.based on a class
com.MHSoftware.servlet.BaseServlet.
The base class has a method called dumpRequest which dumps an
HTTPServletRequestObject to a string for troubleshooting purposes.
When an error is triggered, the Error Servlet gets invoked and this
error happens:
java.security.AccessControlException: access denied
(java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
at
java.security.AccessController.checkPermission(AccessController.java:427)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at
java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:265)
at java.lang.ClassLoader.loadClass(ClassLoader.java:299)
at java.lang.ClassLoader.loadClass(ClassLoader.java:299)
at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
at
org.apache.catalina.core.ApplicationHttpRequest.getAttributeNames(ApplicationHttpRequest.java:243)
at com.MHSoftware.servlet.BaseServlet.dumpRequest(BaseServlet.java:805)
at
com.mhsoftware.cdaily.servlet.ErrorServlet.doGet(ErrorServlet.java:36)
at
com.mhsoftware.cdaily.servlet.ErrorServlet.doPost(ErrorServlet.java:105)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
MHS.jar which contains BaseServlet is located in
$CATALINA_BASE/shared/lib, while cdaily.jar, which contains ErrorServlet
is located in Application/WEB-INF/classes
I have a policy entry:
// Add files in the shared classloader hierarchy
// as well.
grant codeBase "file:${catalina.base}/shared/-" {
permission java.security.AllPermission;
};
If I create a simple JSP, and call request.setAttribute() followed by
request.getAttributeNames(), things work OK.
So, I'm really uncertain what's exactly going on. I'm kind of thinking
now that it's class loader related.
I have another class that I noticed was doing something similar. I have
a base object in MHS.jar, and in cdaily.jar, I have child classes. For
reflection to work in those child classes, I had to add a policy entry:
grant {
permission java.lang.RuntimePermission
"accessClassInPackage.com.MHSoftware.db.*";
};
Bill Barker wrote:
It pretty obviously a bug. It looks like we need another PA :(.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Yoav Shapira
Sent: Thursday, May 24, 2007 8:34 AM
To: Tomcat Developers List
Subject: Re: Security Policy Error
George,
Did anyone get back to you about this?
I myself don't have much of a clue, as I haven't run Tomcat 5.5.x
Tomcat under a security manager.
Yoav
On 5/21/07, George Sexton <[EMAIL PROTECTED]> wrote:
I'm running Tomcat 5.5.23 under a security manager, and I'm
hitting this
error on a call to HttpServletRequest.getAttributeNames()
I'm only starting to understand security policies, so I
would appreciate
some insights on what the best way to approach this issue is.
If it's a genuine bug, let me know and I'll open a ticket
on bugzilla.
Servlet.service() for servlet ErrorServlet threw exception
java.security.AccessControlException: access denied
(java.lang.RuntimePermission
accessClassInPackage.org.apache.catalina.core)
at
java.security.AccessControlContext.checkPermission(AccessContr
olContext.java:264)
at
java.security.AccessController.checkPermission(AccessControlle
r.java:427)
at
java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at
java.lang.SecurityManager.checkPackageAccess(SecurityManager.j
ava:1512)
at
sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:265)
at java.lang.ClassLoader.loadClass(ClassLoader.java:299)
at java.lang.ClassLoader.loadClass(ClassLoader.java:299)
at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
at
java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
at
org.apache.catalina.core.ApplicationHttpRequest.getAttributeNa
mes(ApplicationHttpRequest.java:243)
--
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL: http://www.mhsoftware.com/
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
This message is intended only for the use of the person(s) listed above as the
intended recipient(s), and may contain information that is PRIVILEGED and
CONFIDENTIAL. If you are not an intended recipient, you may not read, copy, or
distribute this message or any attachment. If you received this communication
in error, please notify us immediately by e-mail and then delete all copies of
this message and any attachments.
In addition you should be aware that ordinary (unencrypted) e-mail sent through
the Internet is not secure. Do not send confidential or sensitive information,
such as social security numbers, account numbers, personal identification
numbers and passwords, to us via ordinary (unencrypted) e-mail.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL: http://www.mhsoftware.com/
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]