Re: Security Policy Error

George Sexton Thu, 24 May 2007 11:51:35 -0700

I'm really not sure if it's a bug or not. Here's exactly what'shappening. I have an error handlercom.mhsoftware.cdaily.servlet.ErrorServlet.based on a classcom.MHSoftware.servlet.BaseServlet.

The base class has a method called dumpRequest which dumps anHTTPServletRequestObject to a string for troubleshooting purposes.

When an error is triggered, the Error Servlet gets invoked and thiserror happens:


java.security.AccessControlException: access denied 
(java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
        at 
java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
        at 
java.security.AccessController.checkPermission(AccessController.java:427)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        at 
java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:265)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:299)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:299)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
        at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
        at 
org.apache.catalina.core.ApplicationHttpRequest.getAttributeNames(ApplicationHttpRequest.java:243)
        at com.MHSoftware.servlet.BaseServlet.dumpRequest(BaseServlet.java:805)
        at 
com.mhsoftware.cdaily.servlet.ErrorServlet.doGet(ErrorServlet.java:36)
        at 
com.mhsoftware.cdaily.servlet.ErrorServlet.doPost(ErrorServlet.java:105)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)

MHS.jar which contains BaseServlet is located in$CATALINA_BASE/shared/lib, while cdaily.jar, which contains ErrorServletis located in Application/WEB-INF/classes


I have a policy entry:

//      Add files in the shared classloader hierarchy
//      as well.
grant codeBase "file:${catalina.base}/shared/-" {

permission java.security.AllPermission;};

If I create a simple JSP, and call request.setAttribute() followed byrequest.getAttributeNames(), things work OK.

So, I'm really uncertain what's exactly going on. I'm kind of thinkingnow that it's class loader related.

I have another class that I noticed was doing something similar. I havea base object in MHS.jar, and in cdaily.jar, I have child classes. Forreflection to work in those child classes, I had to add a policy entry:

grant {

permission java.lang.RuntimePermission"accessClassInPackage.com.MHSoftware.db.*";

};

Bill Barker wrote:

It pretty obviously a bug. It looks like we need another PA :(.

-----Original Message-----

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] OnBehalf Of Yoav Shapira

Sent: Thursday, May 24, 2007 8:34 AM
To: Tomcat Developers List
Subject: Re: Security Policy Error

George,
Did anyone get back to you about this?

I myself don't have much of a clue, as I haven't run Tomcat 5.5.x
Tomcat under a security manager.

Yoav

On 5/21/07, George Sexton <[EMAIL PROTECTED]> wrote:

hitting this

would appreciate

on bugzilla.

(java.lang.RuntimePermissionaccessClassInPackage.org.apache.catalina.core)

java.security.AccessControlContext.checkPermission(AccessContr
olContext.java:264)

java.security.AccessController.checkPermission(AccessControlle
r.java:427)

java.lang.SecurityManager.checkPermission(SecurityManager.java:532)

java.lang.SecurityManager.checkPackageAccess(SecurityManager.j
ava:1512)

sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:265)

        at java.lang.ClassLoader.loadClass(ClassLoader.java:299)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:299)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:251)

at

java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)

org.apache.catalina.core.ApplicationHttpRequest.getAttributeNa
mes(ApplicationHttpRequest.java:243)

--
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL:   http://www.mhsoftware.com/

---------------------------------------------------------------------

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




This message is intended only for the use of the person(s) listed above as the 
intended recipient(s), and may contain information that is PRIVILEGED and 
CONFIDENTIAL.  If you are not an intended recipient, you may not read, copy, or 
distribute this message or any attachment. If you received this communication 
in error, please notify us immediately by e-mail and then delete all copies of 
this message and any attachments.

In addition you should be aware that ordinary (unencrypted) e-mail sent through 
the Internet is not secure. Do not send confidential or sensitive information, 
such as social security numbers, account numbers, personal identification 
numbers and passwords, to us via ordinary (unencrypted) e-mail.


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


--
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL:   http://www.mhsoftware.com/


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: Security Policy Error

Reply via email to