Re: Security Policy Error

2007-05-24 Thread Yoav Shapira

George,
Did anyone get back to you about this?

I myself don't have much of a clue, as I haven't run Tomcat 5.5.x
under a security manager.

Yoav

On 5/21/07, George Sexton [EMAIL PROTECTED] wrote:

I'm running Tomcat 5.5.23 under a security manager, and I'm hitting this
error on a call to HttpServletRequest.getAttributeNames()

I'm only starting to understand security policies, so I would appreciate
some insights on what the best way to approach this issue is.

If it's a genuine bug, let me know and I'll open a ticket on bugzilla.

Servlet.service() for servlet ErrorServlet threw exception
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
    at java.security.AccessController.checkPermission(AccessController.java:427)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:265)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:299)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:299)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
    at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
    at org.apache.catalina.core.ApplicationHttpRequest.getAttributeNames(ApplicationHttpRequest.java:243)


--
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL:   http://www.mhsoftware.com/


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]







RE: Security Policy Error

2007-05-24 Thread Bill Barker
It's pretty obviously a bug.  It looks like we need another PA :(.



Re: Security Policy Error

2007-05-24 Thread George Sexton
I'm really not sure if it's a bug or not. Here's exactly what's
happening. I have an error handler,
com.mhsoftware.cdaily.servlet.ErrorServlet, based on a class
com.MHSoftware.servlet.BaseServlet.


The base class has a method called dumpRequest which dumps an 
HTTPServletRequestObject to a string for troubleshooting purposes.


When an error is triggered, the Error Servlet gets invoked and this 
error happens:


java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
    at java.security.AccessController.checkPermission(AccessController.java:427)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:265)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:299)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:299)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
    at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
    at org.apache.catalina.core.ApplicationHttpRequest.getAttributeNames(ApplicationHttpRequest.java:243)
    at com.MHSoftware.servlet.BaseServlet.dumpRequest(BaseServlet.java:805)
    at com.mhsoftware.cdaily.servlet.ErrorServlet.doGet(ErrorServlet.java:36)
    at com.mhsoftware.cdaily.servlet.ErrorServlet.doPost(ErrorServlet.java:105)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)


MHS.jar which contains BaseServlet is located in 
$CATALINA_BASE/shared/lib, while cdaily.jar, which contains ErrorServlet 
is located in Application/WEB-INF/classes


I have a policy entry:

//  Add files in the shared classloader hierarchy
//  as well.
grant codeBase "file:${catalina.base}/shared/-" {
   permission java.security.AllPermission;
};


If I create a simple JSP, and call request.setAttribute() followed by 
request.getAttributeNames(), things work OK.


So, I'm really uncertain what's exactly going on. I'm kind of thinking 
now that it's class loader related.


I have another class that I noticed was doing something similar. I have 
a base object in MHS.jar, and in cdaily.jar, I have child classes. For 
reflection to work in those child classes, I had to add a policy entry:

grant {
   permission java.lang.RuntimePermission "accessClassInPackage.com.MHSoftware.db.*";
};

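An added example, not part of the thread or of Tomcat's code: a small Python model of the rule that a security-manager check passes only if every protection domain on the call stack implies the requested permission, run over an abridged copy of the trace above. The prefix-to-domain table, the "trusted" fallback for JDK/Tomcat frames and the webapp's grants are assumptions based on the jar locations and policy entries quoted in the message.

```python
import re

# Constructed sample: the exception and selected frames from the thread (abridged).
TRACE = """\
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.core)
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1512)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:265)
    at org.apache.catalina.core.ApplicationHttpRequest.getAttributeNames(ApplicationHttpRequest.java:243)
    at com.MHSoftware.servlet.BaseServlet.dumpRequest(BaseServlet.java:805)
    at com.mhsoftware.cdaily.servlet.ErrorServlet.doGet(ErrorServlet.java:36)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
"""

# Assumed mapping: class-name prefix -> (protection domain, granted permissions).
# "ALL" stands for java.security.AllPermission; first matching prefix wins.
DOMAINS = [
    ("com.MHSoftware.", "shared/lib/MHS.jar", {"ALL"}),
    ("com.mhsoftware.cdaily.", "webapp (cdaily)",
     {"accessClassInPackage.com.MHSoftware.db.*"}),
    ("", "JDK/Tomcat (trusted)", {"ALL"}),  # fallback for every other frame
]

def parse(trace):
    """Return (requested permission target, [class name of each frame])."""
    denied = re.search(r"access denied \((\S+) ([^)]+)\)", trace)
    frames = re.findall(r"^\s*at ([\w.$]+)\.[\w<>$]+\(", trace, re.M)
    return denied.group(2), frames

def implies(granted, wanted):
    """BasicPermission-style: ALL, exact name, or a trailing '.*' wildcard."""
    return any(g == "ALL" or g == wanted or
               (g.endswith(".*") and wanted.startswith(g[:-1])) for g in granted)

def domain_of(cls):
    return next((name, perms) for prefix, name, perms in DOMAINS
                if cls.startswith(prefix))

def denying_domains(trace):
    """Domains on the stack that do not imply the permission (no doPrivileged
    frame is modelled, so the whole stack is walked)."""
    wanted, frames = parse(trace)
    denied = []
    for cls in frames:
        name, perms = domain_of(cls)
        if not implies(perms, wanted) and name not in denied:
            denied.append(name)
    return wanted, denied

if __name__ == "__main__":
    print(denying_domains(TRACE))
```

Under these assumptions the AllPermission grant on the shared jar does not help, because the webapp's own frames are still on the stack when the package-access check runs.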