Re: Security Policy Error
George, Did anyone get back to you about this? I myself don't have much of a clue, as I haven't run Tomcat 5.5.x Tomcat under a security manager. Yoav On 5/21/07, George Sexton [EMAIL PROTECTED] wrote: I'm running Tomcat 5.5.23 under a security manager, and I'm hitting this error on a call to HttpServletRequest.getAttributeNames() I'm only starting to understand security policies, so I would appreciate some insights on what the best way to approach this issue is. If it's a genuine bug, let me know and I'll open a ticket on bugzilla. Servlet.service() for servlet ErrorServlet threw exception java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264) at java.security.AccessController.checkPermission(AccessController.java:427) at java.lang.SecurityManager.checkPermission(SecurityManager.java:532) at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512) at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:265) at java.lang.ClassLoader.loadClass(ClassLoader.java:299) at java.lang.ClassLoader.loadClass(ClassLoader.java:299) at java.lang.ClassLoader.loadClass(ClassLoader.java:251) at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319) at org.apache.catalina.core.ApplicationHttpRequest.getAttributeNames(ApplicationHttpRequest.java:243) -- George Sexton MH Software, Inc. Voice: +1 303 438 9585 URL: http://www.mhsoftware.com/ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Security Policy Error
It pretty obviously a bug. It looks like we need another PA :(. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yoav Shapira Sent: Thursday, May 24, 2007 8:34 AM To: Tomcat Developers List Subject: Re: Security Policy Error George, Did anyone get back to you about this? I myself don't have much of a clue, as I haven't run Tomcat 5.5.x Tomcat under a security manager. Yoav On 5/21/07, George Sexton [EMAIL PROTECTED] wrote: I'm running Tomcat 5.5.23 under a security manager, and I'm hitting this error on a call to HttpServletRequest.getAttributeNames() I'm only starting to understand security policies, so I would appreciate some insights on what the best way to approach this issue is. If it's a genuine bug, let me know and I'll open a ticket on bugzilla. Servlet.service() for servlet ErrorServlet threw exception java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core) at java.security.AccessControlContext.checkPermission(AccessContr olContext.java:264) at java.security.AccessController.checkPermission(AccessControlle r.java:427) at java.lang.SecurityManager.checkPermission(SecurityManager.java:532) at java.lang.SecurityManager.checkPackageAccess(SecurityManager.j ava:1512) at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:265) at java.lang.ClassLoader.loadClass(ClassLoader.java:299) at java.lang.ClassLoader.loadClass(ClassLoader.java:299) at java.lang.ClassLoader.loadClass(ClassLoader.java:251) at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319) at org.apache.catalina.core.ApplicationHttpRequest.getAttributeNa mes(ApplicationHttpRequest.java:243) -- George Sexton MH Software, Inc. Voice: +1 303 438 9585 URL: http://www.mhsoftware.com/ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] This message is intended only for the use of the person(s) listed above as the intended recipient(s), and may contain information that is PRIVILEGED and CONFIDENTIAL. If you are not an intended recipient, you may not read, copy, or distribute this message or any attachment. If you received this communication in error, please notify us immediately by e-mail and then delete all copies of this message and any attachments. In addition you should be aware that ordinary (unencrypted) e-mail sent through the Internet is not secure. Do not send confidential or sensitive information, such as social security numbers, account numbers, personal identification numbers and passwords, to us via ordinary (unencrypted) e-mail. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Security Policy Error
I'm really not sure if it's a bug or not. Here's exactly what's happening. I have an error handler com.mhsoftware.cdaily.servlet.ErrorServlet.based on a class com.MHSoftware.servlet.BaseServlet. The base class has a method called dumpRequest which dumps an HTTPServletRequestObject to a string for troubleshooting purposes. When an error is triggered, the Error Servlet gets invoked and this error happens: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264) at java.security.AccessController.checkPermission(AccessController.java:427) at java.lang.SecurityManager.checkPermission(SecurityManager.java:532) at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512) at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:265) at java.lang.ClassLoader.loadClass(ClassLoader.java:299) at java.lang.ClassLoader.loadClass(ClassLoader.java:299) at java.lang.ClassLoader.loadClass(ClassLoader.java:251) at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319) at org.apache.catalina.core.ApplicationHttpRequest.getAttributeNames(ApplicationHttpRequest.java:243) at com.MHSoftware.servlet.BaseServlet.dumpRequest(BaseServlet.java:805) at com.mhsoftware.cdaily.servlet.ErrorServlet.doGet(ErrorServlet.java:36) at com.mhsoftware.cdaily.servlet.ErrorServlet.doPost(ErrorServlet.java:105) at javax.servlet.http.HttpServlet.service(HttpServlet.java:710) MHS.jar which contains BaseServlet is located in $CATALINA_BASE/shared/lib, while cdaily.jar, which contains ErrorServlet is located in Application/WEB-INF/classes I have a policy entry: // Add files in the shared classloader hierarchy // as well. grant codeBase file:${catalina.base}/shared/- { permission java.security.AllPermission; }; If I create a simple JSP, and call request.setAttribute() followed by request.getAttributeNames(), things work OK. So, I'm really uncertain what's exactly going on. I'm kind of thinking now that it's class loader related. I have another class that I noticed was doing something similar. I have a base object in MHS.jar, and in cdaily.jar, I have child classes. For reflection to work in those child classes, I had to add a policy entry: grant { permission java.lang.RuntimePermission accessClassInPackage.com.MHSoftware.db.*; }; Bill Barker wrote: It pretty obviously a bug. It looks like we need another PA :(. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yoav Shapira Sent: Thursday, May 24, 2007 8:34 AM To: Tomcat Developers List Subject: Re: Security Policy Error George, Did anyone get back to you about this? I myself don't have much of a clue, as I haven't run Tomcat 5.5.x Tomcat under a security manager. Yoav On 5/21/07, George Sexton [EMAIL PROTECTED] wrote: I'm running Tomcat 5.5.23 under a security manager, and I'm hitting this error on a call to HttpServletRequest.getAttributeNames() I'm only starting to understand security policies, so I would appreciate some insights on what the best way to approach this issue is. If it's a genuine bug, let me know and I'll open a ticket on bugzilla. Servlet.service() for servlet ErrorServlet threw exception java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core) at java.security.AccessControlContext.checkPermission(AccessContr olContext.java:264) at java.security.AccessController.checkPermission(AccessControlle r.java:427) at java.lang.SecurityManager.checkPermission(SecurityManager.java:532) at java.lang.SecurityManager.checkPackageAccess(SecurityManager.j ava:1512) at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:265) at java.lang.ClassLoader.loadClass(ClassLoader.java:299) at java.lang.ClassLoader.loadClass(ClassLoader.java:299) at java.lang.ClassLoader.loadClass(ClassLoader.java:251) at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319) at org.apache.catalina.core.ApplicationHttpRequest.getAttributeNa mes(ApplicationHttpRequest.java:243) -- George Sexton MH Software, Inc. Voice: +1 303 438 9585 URL: http://www.mhsoftware.com/ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail