[
http://issues.apache.org/jira/browse/JS2-205?page=comments#action_12330254 ]
David Le Strat commented on JS2-205:
------------------------------------
All,
I have been working on this issue and have a fix to solve both problems. I
will commit Saturday morning. As part of the changes I have been implementing,
the Authorization provider is now configurable to specify whether J2 should
enforce additional J2SE policies configured on top of the RdbmsPolicy. If this
setting is set to true, the AuthorizationProvider will load a SecurityPolicies
singleton that will provide a list of all Policies configured. I am still
debating whether this is really needed and comments on this are welcome.
See authorization provider configuration below:
<!-- Security: Authorization Provider -->
<bean id="org.apache.jetspeed.security.AuthorizationProvider"
class="org.apache.jetspeed.security.impl.AuthorizationProviderImpl"
>
<constructor-arg index="0"><ref
bean="org.apache.jetspeed.security.impl.RdbmsPolicy"/></constructor-arg>
<!-- Does not use the default policy as a default behavior -->
<constructor-arg index="1"><value>false</value></constructor-arg>
</bean>
The RdbmsPolicy code has been changed quite a bit. Checking whether a resource
is authorized is now done in the implies method. The getPermissions method
should not return permissions from the database configuration as those map to
principals, not codesources.
getPermissions will return the permission configured for the J2SE policies if
configured to do so through the AuthorizationProvider.
This code fixes the StackOverFlow issue with Tomcat -security enabled. It also
remove the hard code dependency from Sun PolicyFile.
On another note, there are some differencies in folder constraints checking
when running with -security or not. For instance admin can see the
Administrative pages when running Tomcat in normal mode but cannot with the
security mode. This may need to be reported as a separate issue.
Regards,
David Le Strat.
> Using Tomcat Security Policy breaks RdbmsPolicy
> -----------------------------------------------
>
> Key: JS2-205
> URL: http://issues.apache.org/jira/browse/JS2-205
> Project: Jetspeed 2
> Type: Bug
> Components: Security
> Versions: 2.0-M2
> Reporter: David Sean Taylor
> Assignee: David Le Strat
> Fix For: 2.0-M2
> Attachments: Rdbms.patch
>
> I set my Tomcat Security policy to:
> grant {
> permission java.security.AllPermission;
> };
> Start Tomcat 5.0.31 as:
> catalina run -security
> And it gets a stack overflow from recursive loop in policy setup:
> at
> java.security.AccessController.checkPermission(AccessController.java:
> 401)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
> at javax.security.auth.Subject.getSubject(Subject.java:251)
> at
> org.apache.jetspeed.security.impl.RdbmsPolicy.getPermissions(RdbmsPol
> icy.java:90)
> at java.security.Policy.getPermissions(Policy.java:343)
> at java.security.Policy.implies(Policy.java:397)
> at java.security.ProtectionDomain.implies(ProtectionDomain.java:189)
> at
> java.security.AccessControlContext.checkPermission(AccessControlConte
> As an interim fix, if you don't need the Rdbms Policy,
> In the jetspeed-spring.xml, comment out:
> <!-- Security: RDBMS Policy implementation for JAAS -->
> <!--
> <bean id="org.apache.jetspeed.security.impl.RdbmsPolicy"
> class="org.apache.jetspeed.security.impl.RdbmsPolicy"
> >
> <constructor-arg ><ref
> bean="org.apache.jetspeed.security.PermissionManager"/></constructor-arg>
>
> </bean>
> -->
> <!-- Security: Authorization Provider -->
> <!--
> <bean id="org.apache.jetspeed.security.AuthorizationProvider"
> class="org.apache.jetspeed.security.impl.AuthorizationProviderImpl"
> >
> <constructor-arg ><ref
> bean="org.apache.jetspeed.security.impl.RdbmsPolicy"/></constructor-arg>
> </bean>
> -->
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
