Re: AW: Tomcat 4.1.24 + Security Manager + weird Exceptions

2004-07-21 Thread Joshua Szmajda
I'm experiencing this same issue. I've got Tomcat 5.0.27, Apache 2.0.46,
and jk2 version 2.0.4. Has there been any solution? It occurs primarily
under heavy load.
-Joshua Szmajda
We've got a similar issue, though this is on Linux and using channelUnix/JNI instead
of normal tcp channelSocket.
We're using Apache2/mod_jk2 (built from tomcat-connectors-1.1M1).

On heavy load, there are over 3000 sockets open by one Tomcat/JVM, they don't seem to 
go down again too while Tomcat is running.
(since File Descriptor limit on Solaris is lower normally (1024 or summat i think) 
this would cause us heavy problems there too)

The Tomcats and Apache are restarted during the night to free up Memory, so socket 
count goes down then.

However the application doesn't seem to be affected by this.
In catalina.out there are many errors like this:
org.apache.jk.common.ChannelUn receive
SEVERE: receive error:   12
java.lang.Throwable
   at org.apache.jk.common.ChannelUn.receive(ChannelUn.java:230)
   at org.apache.jk.common.ChannelUn.processConnection(ChannelUn.java:282)
   at org.apache.jk.common.AprConnection.runIt(ChannelUn.java:350)
   at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:631)
   at java.lang.Thread.run(Thread.java:536)

org.apache.jk.common.JniHandler nativeDispatch
SEVERE: nativeDispatch: error -3
java.lang.Throwable
   at org.apache.jk.common.JniHandler.nativeDispatch(JniHandler.java:312)
   at org.apache.jk.common.ChannelUn.send(ChannelUn.java:221)
   at org.apache.jk.common.ChannelUn.invoke(ChannelUn.java:306)
   at org.apache.jk.server.JkCoyoteHandler.doWrite(JkCoyoteHandler.java:249)
   at org.apache.coyote.Response.doWrite(Response.java:530)
   at org.apache.coyote.tomcat4.OutputBuffer.realWriteBytes(OutputBuffer.java:384)
   at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:439)
   at org.apache.tomcat.util.buf.ByteChunk.append(ByteChunk.java:359)
   at org.apache.coyote.tomcat4.OutputBuffer.writeBytes(OutputBuffer.java:411)
   at org.apache.coyote.tomcat4.OutputBuffer.write(OutputBuffer.java:398)
   at org.apache.coyote.tomcat4.CoyoteOutputStream.write(CoyoteOutputStream.java:110)
   at org.apache.catalina.servlets.DefaultServlet.copyRange(DefaultServlet.java:1996)
   at org.apache.catalina.servlets.DefaultServlet.copy(DefaultServlet.java:1745)
   at org.apache.catalina.servlets.DefaultServlet.serveResource(DefaultServlet.java:1073)
   at org.apache.catalina.servlets.DefaultServlet.doGet(DefaultServlet.java:506)
.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: AW: Tomcat 4.1.24 + Security Manager + weird Exceptions

2004-07-20 Thread Joshua Szmajda
I'm experiencing this same issue. I've got Tomcat 5.0.27, Apache 2.0.46, 
and jk2 version 2.0.4. Has there been any solution? It occurs primarily 
under heavy load.

-Joshua Szmajda
We've got a similar issue, though this is on Linux and using channelUnix/JNI instead
of normal tcp channelSocket.
We're using Apache2/mod_jk2 (built from tomcat-connectors-1.1M1).

On heavy load, there are over 3000 sockets open by one Tomcat/JVM, they don't seem to 
go down again too while Tomcat is running.
(since File Descriptor limit on Solaris is lower normally (1024 or summat i think) 
this would cause us heavy problems there too)

The Tomcats and Apache are restarted during the night to free up Memory, so socket 
count goes down then.

However the application doesn't seem to be affected by this.
In catalina.out there are many errors like this:
org.apache.jk.common.ChannelUn receive
SEVERE: receive error:   12
java.lang.Throwable
   at org.apache.jk.common.ChannelUn.receive(ChannelUn.java:230)
   at org.apache.jk.common.ChannelUn.processConnection(ChannelUn.java:282)
   at org.apache.jk.common.AprConnection.runIt(ChannelUn.java:350)
   at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:631)
   at java.lang.Thread.run(Thread.java:536)

org.apache.jk.common.JniHandler nativeDispatch
SEVERE: nativeDispatch: error -3
java.lang.Throwable
   at org.apache.jk.common.JniHandler.nativeDispatch(JniHandler.java:312)
   at org.apache.jk.common.ChannelUn.send(ChannelUn.java:221)
   at org.apache.jk.common.ChannelUn.invoke(ChannelUn.java:306)
   at org.apache.jk.server.JkCoyoteHandler.doWrite(JkCoyoteHandler.java:249)
   at org.apache.coyote.Response.doWrite(Response.java:530)
   at org.apache.coyote.tomcat4.OutputBuffer.realWriteBytes(OutputBuffer.java:384)
   at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:439)
   at org.apache.tomcat.util.buf.ByteChunk.append(ByteChunk.java:359)
   at org.apache.coyote.tomcat4.OutputBuffer.writeBytes(OutputBuffer.java:411)
   at org.apache.coyote.tomcat4.OutputBuffer.write(OutputBuffer.java:398)
   at org.apache.coyote.tomcat4.CoyoteOutputStream.write(CoyoteOutputStream.java:110)
   at org.apache.catalina.servlets.DefaultServlet.copyRange(DefaultServlet.java:1996)
   at org.apache.catalina.servlets.DefaultServlet.copy(DefaultServlet.java:1745)
   at org.apache.catalina.servlets.DefaultServlet.serveResource(DefaultServlet.java:1073)
   at org.apache.catalina.servlets.DefaultServlet.doGet(DefaultServlet.java:506)
.



Re: Tomcat + Hibernate2 + Security Manager

2004-01-28 Thread Webmaster
Hi !


On Tue, 27 Jan 2004 12:14:16 -0500, Jeanfrancois Arcand [EMAIL PROTECTED] wrote:

 From: Jeanfrancois Arcand [EMAIL PROTECTED]
 Date: Tue, 27 Jan 2004 12:14:16 -0500
 To: Tomcat Users List [EMAIL PROTECTED]
 Subject: Re: Tomcat + Hibernate2 + Security Manager
 
 
 
 Webmaster wrote:
 
 Hi all,
 
 I know this is a little bit out of topic, but the general concept is useful for 
 everybody.
 
 I run tomcat with security manager for a dozen users. Recently, people started to 
 use the hibernate 2 which requires some funky permissions.
 
 I had to put these lines in the 'global' permission to make it work:
 
 grant {
 
 ...
 
   permission java.lang.RuntimePermission accessDeclaredMembers;
   permission java.lang.reflect.ReflectPermission suppressAccessChecks;
   permission java.lang.RuntimePermission defineCGLIBClassInJavaPackage;
 
 ...
 }
 
 Note: I DID test using a codebase like:
 
 grant codeBase file:/home//client/public_html/WEB-INF/lib/hibernate2.jar!/- { 
 
 
 but the classes hibernate creates after reflection stop obeying the security 
 manager.
   
 
 Do you have the exception? Which Tomcat version are you using?

I'm using 4.1.29. The classes that hibernate creates dynamically are the ones that
don't follow the codebase anymore, it's like they have a 'null' codebase after they 
are created.

 Are there any security risks on a security setup with those 3 lines for all classes 
 in the JVM ?
   
 
 
 Yes. It will now allow a Servlet to load tomcat internal classes and 
 maybe do malicious things. 

Right now, my clients don't have permissions to read the classes in /server/lib 
directory ( I don't give file io permission to this directory, only to /common/lib ). 
Would that be enough to stop these malicious things ?

 -- Jeanfrancois
 
 
 Thanks
 Renato.
 



Re: Tomcat + Hibernate2 + Security Manager

2004-01-28 Thread Jeanfrancois Arcand


Webmaster wrote:

Hi !

On Tue, 27 Jan 2004 12:14:16 -0500, Jeanfrancois Arcand [EMAIL PROTECTED] wrote:

From: Jeanfrancois Arcand [EMAIL PROTECTED]
Date: Tue, 27 Jan 2004 12:14:16 -0500
To: Tomcat Users List [EMAIL PROTECTED]
Subject: Re: Tomcat + Hibernate2 + Security Manager


Webmaster wrote:

   

Hi all,

I know this is a little bit out of topic, but the general concept is useful for everybody.

I run tomcat with security manager for a dozen users. Recently, people started to use the hibernate 2 which requires some funky permissions.

I had to put these lines in the 'global' permission to make it work:

grant {

...

permission java.lang.RuntimePermission accessDeclaredMembers;
permission java.lang.reflect.ReflectPermission suppressAccessChecks;
permission java.lang.RuntimePermission defineCGLIBClassInJavaPackage;
...
}
Note: I DID test using a codebase like:

grant codeBase file:/home//client/public_html/WEB-INF/lib/hibernate2.jar!/- { 


but the classes hibernate creates after reflection stop obeying the security manager.

 

Do you have the exception? Which Tomcat version are you using?
   

I'm using 4.1.29. The classes that hibernate creates dynamically are the ones that don't follow the codebase anymore, it's like they have a 'null' codebase after they are created.

 

Are there any security risks on a security setup with those 3 lines for all classes in the JVM ?

 

Yes. It will now allow a Servlet to load tomcat internal classes and 
maybe do malicious things. 
   

Right now, my clients don't have permissions to read the classes in /server/lib directory ( I don't give file io permission to this directory, only to /common/lib ). Would that be enough to stop these malicious things ?
 

Yes. But you should only grant those permissions to the Hibernate jar 
files, not the entire folder.

-- Jeanfrancois

 

-- Jeanfrancois

   

Thanks
Renato.


Tomcat + Hibernate2 + Security Manager

2004-01-27 Thread Webmaster
Hi all,

I know this is a little bit out of topic, but the general concept is useful for 
everybody.

I run tomcat with security manager for a dozen users. Recently, people started to use 
the hibernate 2 which requires some funky permissions.

I had to put these lines in the 'global' permission to make it work:

grant {

...

  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission java.lang.RuntimePermission "defineCGLIBClassInJavaPackage";

...
};

Note: I DID test using a codebase like:

grant codeBase "file:/home//client/public_html/WEB-INF/lib/hibernate2.jar!/-" {


but the classes hibernate creates after reflection stop obeying the security manager.

Are there any security risks on a security setup with those 3 lines for all classes in 
the JVM ?

Thanks
Renato.




RE: Tomcat + Hibernate2 + Security Manager

2004-01-27 Thread Shapira, Yoav

Howdy,

I know this is a little bit out of topic, but the general concept is useful
for everybody.

I agree this is useful for everyone.  Posting off-topic is fine as long
as you mark it by placing [OFF-TOPIC] at the beginning of the subject
line.

Note: I DID test using a codebase like:

grant codeBase file:/home//client/public_html/WEB-INF/lib/hibernate2.jar!/- {


but the classes hibernate creates after reflection stop obeying the
security manager.

Yeah, that's too bad.  The SuppressAccessChecks permission is dangerous,
if malicious code is running inside your VM.

Yoav Shapira



This e-mail, including any attachments, is a confidential business communication, and 
may contain information that is confidential, proprietary and/or privileged.  This 
e-mail is intended only for the individual(s) to whom it is addressed, and may not be 
saved, copied, printed, disclosed or used by anyone else.  If you are not the(an) 
intended recipient, please immediately delete this e-mail from your computer system 
and notify the sender.  Thank you.





[OT] RE: Tomcat + Hibernate2 + Security Manager

2004-01-27 Thread Webmaster
Could you give an example of how a malicious code could affect the security of the JVM 
? 

Usually I have a codebase policy like this for each user:

permission java.io.FilePermission "/home/client/public_html/-", "read,write,delete";

I guess that if someone writes a piece of code that tries to access private functions,
static variables, etc from other libraries in different directories, this policy will 
intercept the request and the malicious code will not work. Am I right ? Is there a 
way that somebody could write code that uses the catalina classes in order to do 
something bad ?


On Tue, 27 Jan 2004 12:04:21 -0500, Shapira, Yoav [EMAIL PROTECTED] wrote:

 From: Shapira, Yoav [EMAIL PROTECTED]
 Date: Tue, 27 Jan 2004 12:04:21 -0500
 To: Tomcat Users List [EMAIL PROTECTED]
 Subject: RE: Tomcat + Hibernate2 + Security Manager
 
 
 Howdy,
 
 I know this is a little bit out of topic, but the general concept is useful
 for everybody.
 
 I agree this is useful for everyone.  Posting off-topic is fine as long
 as you mark it by placing [OFF-TOPIC] at the beginning of the subject
 line.
 
 Note: I DID test using a codebase like:
 
 grant codeBase file:/home//client/public_html/WEB-INF/lib/hibernate2.jar!/- {
 
 
 but the classes hibernate creates after reflection stop obeying the
 security manager.
 
 Yeah, that's too bad.  The SuppressAccessChecks permission is dangerous,
 if malicious code is running inside your VM.
 
 Yoav Shapira
 
 
 



RE: [OT] RE: Tomcat + Hibernate2 + Security Manager

2004-01-27 Thread Shapira, Yoav

Howdy,

Could you give an example of how a malicious code could affect the security
of the JVM ?

You mean in general?  How about System.exit()?

Usually I have a codebase policy like this for each user:

permission java.io.FilePermission /home/client/public_html/-, read,write,delete;

I guess that if someone writes a piece of code that tries to access private
functions, static variables, etc from other libraries in different
directories, this policy will intercept the request and the malicious code
will not work. Am I right ? Is there a way that somebody could write code
that uses the catalina classes in order to do something bad ?

Your IO permissions are not related to the reflection private access
permission.

Yoav Shapira
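
Added example, not part of the original thread or of Tomcat: a Python sketch that audits a Java policy file for the situation discussed in this reply and in Jeanfrancois Arcand's, where the three reflection permissions sit in a `grant { }` block with no codeBase and so reach every code location, independently of any FilePermission scoping. The policy text, the paths and all function names are constructed for illustration; only `grant`/`codeBase`/`permission` clauses are parsed (no signedBy or principal), and treating the thread's three permissions as the sensitive set is an assumption.

```python
import re

# The three permissions named in the thread. Treating exactly these as the
# "sensitive" set is an assumption of this example, not a complete list.
SENSITIVE = {
    ("java.lang.RuntimePermission", "accessDeclaredMembers"),
    ("java.lang.reflect.ReflectPermission", "suppressAccessChecks"),
    ("java.lang.RuntimePermission", "defineCGLIBClassInJavaPackage"),
}

# Quoted strings are matched first so "file://..." is never taken for a comment.
_SKIP = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*', re.S)
_GRANT = re.compile(r'\bgrant\s*(?:codeBase\s+"([^"]*)"\s*)?\{(.*?)\}\s*;', re.S)
_PERM = re.compile(r'\bpermission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;')


def strip_comments(text):
    """Blank out // and /* */ comments while leaving quoted strings intact."""
    return _SKIP.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)


def parse_policy(text):
    """Return [(codebase or None, [(class, target, actions), ...]), ...]."""
    return [(codebase or None, _PERM.findall(body))
            for codebase, body in _GRANT.findall(strip_comments(text))]


def codebase_covers(codebase, location):
    """Policy codeBase matching: None means all code, a trailing "/-" is
    recursive, "/*" is one directory level, anything else must match exactly."""
    if codebase is None:
        return True
    if codebase.endswith("/-"):
        return location.startswith(codebase[:-1])
    if codebase.endswith("/*"):
        base = codebase[:-1]
        return location.startswith(base) and "/" not in location[len(base):]
    return location == codebase


def effective_permissions(grants, location):
    """Union of every grant block whose codeBase covers this code location."""
    return {perm for codebase, perms in grants
            if codebase_covers(codebase, location) for perm in perms}


def sensitive_reach(grants, locations):
    """Map each code location to the sensitive permissions it ends up holding."""
    return {loc: sorted((c, t) for c, t, _ in effective_permissions(grants, loc)
                        if (c, t) in SENSITIVE)
            for loc in locations}


# Constructed code locations; the paths are placeholders modelled on the thread.
SERVLET = "file:/home/client/public_html/WEB-INF/classes/"
HIBERNATE_JAR = "file:/home/client/public_html/WEB-INF/lib/hibernate2.jar"
OTHER_TENANT = "file:/home/other/public_html/WEB-INF/classes/"

_FILE_GRANT = '''
grant codeBase "file:/home/client/public_html/-" {
  permission java.io.FilePermission "/home/client/public_html/-", "read,write,delete";
};
'''

# Constructed policy: the three permissions in the "global" block.
GLOBAL_GRANT = '''
// applies to every class in the JVM
grant {
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission java.lang.RuntimePermission "defineCGLIBClassInJavaPackage";
};
''' + _FILE_GRANT

# Constructed policy: the same permissions limited to the Hibernate jar.
SCOPED_GRANT = '''
grant codeBase "file:/home/client/public_html/WEB-INF/lib/hibernate2.jar" {
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission java.lang.RuntimePermission "defineCGLIBClassInJavaPackage";
};
''' + _FILE_GRANT

if __name__ == "__main__":
    for name, text in (("global", GLOBAL_GRANT), ("scoped", SCOPED_GRANT)):
        reach = sensitive_reach(parse_policy(text), [SERVLET, HIBERNATE_JAR, OTHER_TENANT])
        for location, perms in reach.items():
            print(f"{name:6} {location}: {[t for _, t in perms] or 'none'}")
```

The audit covers only what the policy text grants; classes generated at run time, which Renato reports as not matching the jar's codeBase, are outside what it can check.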






Re: Tomcat + Hibernate2 + Security Manager

2004-01-27 Thread Jeanfrancois Arcand


Webmaster wrote:

Hi all,

I know this is a little bit out of topic, but the general concept is useful for everybody.

I run tomcat with security manager for a dozen users. Recently, people started to use the hibernate 2 which requires some funky permissions.

I had to put these lines in the 'global' permission to make it work:

grant {

...

 permission java.lang.RuntimePermission accessDeclaredMembers;
 permission java.lang.reflect.ReflectPermission suppressAccessChecks;
 permission java.lang.RuntimePermission defineCGLIBClassInJavaPackage;
...
}
Note: I DID test using a codebase like:

grant codeBase file:/home//client/public_html/WEB-INF/lib/hibernate2.jar!/- { 


but the classes hibernate creates after reflection stop obeying the security manager.
 

Do you have the exception? Which Tomcat version are you using?


Are there any security risks on a security setup with those 3 lines for all classes in the JVM ?
 

Yes. It will now allow a Servlet to load tomcat internal classes and 
maybe do malicious things. 

-- Jeanfrancois


Thanks
Renato.


RE: Tomcat + Hibernate2 + Security Manager

2004-01-27 Thread Mike Curwen
FYI: This has also been discussed here:
http://freeroller.net/page/jcarreira/20040126

 -Original Message-
 From: Shapira, Yoav [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, January 27, 2004 11:04 AM
 To: Tomcat Users List
 Subject: RE: Tomcat + Hibernate2 + Security Manager
 
 
 
 Howdy,
 
 I know this is a little bit out of topic, but the general concept is useful
 for everybody.
 
 I agree this is useful for everyone.  Posting off-topic is 
 fine as long as you mark it by placing [OFF-TOPIC] at the 
 beginning of the subject line.
 
 Note: I DID test using a codebase like:
 
 grant codeBase file:/home//client/public_html/WEB-INF/lib/hibernate2.jar!/- {
 
 
 but the classes hibernate creates after reflection stop obeying the 
 security manager.
 
 Yeah, that's too bad.  The SuppressAccessChecks permission is 
 dangerous, if malicious code is running inside your VM.
 
 Yoav Shapira
 
 
 



AW: Tomcat 4.1.24 + Security Manager + weird Exceptions

2003-07-16 Thread Haug Thomas
Hi Tim,

thanks for the advice.
The interesting part is that tomcat (process) doesn't seem to survive the
re-initialization of the ServerSocket. Is this a known bug?

Regards,
Thomas
 -Original Message-
 From: Tim Funk [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, 15 July 2003 13:02
 To: Tomcat Users List
 Subject: Re: Tomcat 4.1.24 + Security Manager + weird Exceptions
 
 - man ulimit
 - Google (java Too many open files solaris)
 
 -Tim
 
 Haug Thomas wrote:
  Hi everybody,
  
  I am experiencing some strange behaviour with Tomcat 4.1.24 running with a
  SecurityManager. The system is running on Solaris 8 using Jdk 1.4.1_02
  and/or 1.4.2
  Our software seems to use up all available file descriptors. If then tomcat
  tries to accept a new request the IO system throws an SocketException
  telling us that there are too many files open (see stacktrace below).
  Tomcat seems to reinitialize the ServerSocket but then the whole Tomcat (or
  the Coyote HTTP connector) 'breaks down': The securityManager starts to
  throw exceptions that class files are not allowed to be loaded, Sockets are
  not allowed to be opened (see below), and other strange things. At last we
  are not able anymore to request any http page from tomcat.
  
  Has anybody experienced a similar behaviour of tomcat. Or even better does
  anybody know how to fix this problem (beside not using all file descriptors
  ;-) )
  
  Thank you very much,
  Thomas
 
 
 



Re: AW: Tomcat 4.1.24 + Security Manager + weird Exceptions

2003-07-16 Thread Simon Pabst
We've got a similar issue, though this is on Linux and using channelUnix/JNI instead
of normal tcp channelSocket.
We're using Apache2/mod_jk2 (built from tomcat-connectors-1.1M1).

On heavy load, there are over 3000 sockets open by one Tomcat/JVM, they don't seem to 
go down again too while Tomcat is running.
(since File Descriptor limit on Solaris is lower normally (1024 or summat i think) 
this would cause us heavy problems there too)

The Tomcats and Apache are restarted during the night to free up Memory, so socket 
count goes down then.

However the application doesn't seem to be affected by this.


In catalina.out there are many errors like this:

org.apache.jk.common.ChannelUn receive
SEVERE: receive error:   12
java.lang.Throwable
at org.apache.jk.common.ChannelUn.receive(ChannelUn.java:230)
at org.apache.jk.common.ChannelUn.processConnection(ChannelUn.java:282)
at org.apache.jk.common.AprConnection.runIt(ChannelUn.java:350)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:631)
at java.lang.Thread.run(Thread.java:536)


org.apache.jk.common.JniHandler nativeDispatch
SEVERE: nativeDispatch: error -3
java.lang.Throwable
at org.apache.jk.common.JniHandler.nativeDispatch(JniHandler.java:312)
at org.apache.jk.common.ChannelUn.send(ChannelUn.java:221)
at org.apache.jk.common.ChannelUn.invoke(ChannelUn.java:306)
at org.apache.jk.server.JkCoyoteHandler.doWrite(JkCoyoteHandler.java:249)
at org.apache.coyote.Response.doWrite(Response.java:530)
at org.apache.coyote.tomcat4.OutputBuffer.realWriteBytes(OutputBuffer.java:384)
at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:439)
at org.apache.tomcat.util.buf.ByteChunk.append(ByteChunk.java:359)
at org.apache.coyote.tomcat4.OutputBuffer.writeBytes(OutputBuffer.java:411)
at org.apache.coyote.tomcat4.OutputBuffer.write(OutputBuffer.java:398)
at org.apache.coyote.tomcat4.CoyoteOutputStream.write(CoyoteOutputStream.java:110)
at org.apache.catalina.servlets.DefaultServlet.copyRange(DefaultServlet.java:1996)
at org.apache.catalina.servlets.DefaultServlet.copy(DefaultServlet.java:1745)
at org.apache.catalina.servlets.DefaultServlet.serveResource(DefaultServlet.java:1073)
at org.apache.catalina.servlets.DefaultServlet.doGet(DefaultServlet.java:506)
.





Re: AW: Tomcat 4.1.24 + Security Manager + weird Exceptions

2003-07-16 Thread Tim Funk
How do you mean survive? The JVM core dumps (which then is a JVM vendor 
issue) or the JVM stays up but sits there uselessly?

-Tim

Haug Thomas wrote:
Hi Tim,

thanks for the advice.
The interesting part is that tomcat (process) doesn't seem to survive the
re-initialization of the ServerSocket. Is this a known bug?

Regards,
Thomas
-Original Message-
From: Tim Funk [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 15 July 2003 13:02
To: Tomcat Users List
Subject: Re: Tomcat 4.1.24 + Security Manager + weird Exceptions
- man ulimit
- Google (java Too many open files solaris)
-Tim





Tomcat 4.1.24 + Security Manager + weird Exceptions

2003-07-15 Thread Haug Thomas
Hi everybody,

I am experiencing some strange behaviour with Tomcat 4.1.24 running with a
SecurityManager. The system is running on Solaris 8 using Jdk 1.4.1_02
and/or 1.4.2
Our software seems to use up all available file descriptors. If then tomcat
tries to accept a new request the IO system throws a SocketException
telling us that there are too many files open (see stacktrace below).
Tomcat seems to reinitialize the ServerSocket but then the whole Tomcat (or
the Coyote HTTP connector) 'breaks down': The securityManager starts to
throw exceptions that class files are not allowed to be loaded, Sockets are
not allowed to be opened (see below), and other strange things. At last we
are not able anymore to request any http page from tomcat.

Has anybody experienced a similar behaviour of tomcat. Or even better does
anybody know how to fix this problem (beside not using all file descriptors
;-) )

Thank you very much,
Thomas



*
StackTrace (in catalina.out)
*


Jul 14, 2003 5:06:32 PM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
SEVERE: Endpoint ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=8080] ignored exception: java.net.SocketException: Too many open files
java.net.SocketException: Too many open files
   at java.net.PlainSocketImpl.socketAccept(Native Method)
   at java.net.PlainSocketImpl.accept(PlainSocketImpl.java:353)
   at java.net.ServerSocket.implAccept(ServerSocket.java:448)
   at java.net.ServerSocket.accept(ServerSocket.java:419)
   at org.apache.tomcat.util.net.DefaultServerSocketFactory.acceptSocket(DefaultServerSocketFactory.java:107)
   at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:356)
   at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:529)
   at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
   at java.lang.Thread.run(Thread.java:534)
Jul 14, 2003 5:06:32 PM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
WARNING: Reinitializing ServerSocket
Jul 14, 2003 5:06:33 PM org.apache.tomcat.util.net.TcpWorkerThread runIt
SEVERE: Exception in acceptSocket
java.security.AccessControlException: access denied (java.net.SocketPermission 146.254.108.60:3156 accept,resolve)
   at java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
   at java.security.AccessController.checkPermission(AccessController.java:401)
   at java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
   at java.lang.SecurityManager.checkAccept(SecurityManager.java:1149)
   at java.net.ServerSocket.implAccept(ServerSocket.java:452)
   at java.net.ServerSocket.accept(ServerSocket.java:419)
   at org.apache.tomcat.util.net.DefaultServerSocketFactory.acceptSocket(DefaultServerSocketFactory.java:107)
   at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:356)
   at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:529)
   at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
   at java.lang.Thread.run(Thread.java:534)
Jul 14, 2003 5:06:33 PM org.apache.tomcat.util.threads.ThreadPool$ControlRunnable run
SEVERE: Caught exception executing [EMAIL PROTECTED], terminating thread
java.lang.IllegalStateException: Terminating thread
   at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:532)
   at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
   at java.lang.Thread.run(Thread.java:534)

... (a whole lot more)




Re: Tomcat 4.1.24 + Security Manager + weird Exceptions

2003-07-15 Thread Tim Funk
- man ulimit
- Google (java Too many open files solaris)
-Tim

Haug Thomas wrote:
Hi everybody,

I am experiencing some strange behaviour with Tomcat 4.1.24 running with a
SecurityManager. The system is running on Solaris 8 using Jdk 1.4.1_02
and/or 1.4.2
Our software seems to use up all available file descriptors. If then tomcat
tries to accept a new request the IO system throws an SocketException
telling us that there are too many files open (see stacktrace below). 
Tomcat seems to reinitialize the ServerSocket but then the whole Tomcat (or
the Coyote HTTP connector) 'breaks down': The securityManager starts to
throw exceptions that class files are not allowed to be loaded, Sockets are
not allowed to be opened (see below), and other strange things. At last we
are not able anymore to request any http page from tomcat.

Has anybody experienced a similar behaviour of tomcat. Or even better does
anybody know how to fix this problem (beside not using all file descriptors
;-) )
Thank you very much,
Thomas




[REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Phillip Qin
Don't know if this mailing list filters my post, try it again.

I am frustrated. I have a webapp developed by struts. If I start Tomcat
without security manager, everything works fine. I can access
https://myhost.mydomain.com/myapp/mylink.do?myparam=myvalue.

After I start Tomcat -security and access the above link, I got the
following error. There is an index.jsp. When someone types
https://myhost.mydomain.com/myapp, this index.jsp will redirect him to the
home page. It is simply a META refresh. The frustration is, if I access
https://myhost.mydomain.com/myapp once, then I can always access
https://myhost.mydomain.com/myapp/mylink.do?myparam=myvalue. I suspect there
are permissions that I need to grant in Catalina.policy.

Any input?

java.lang.NoClassDefFoundError: org/apache/coyote/tomcat4/CoyoteRequest$PrivilegedGetSession
   at org.apache.coyote.tomcat4.CoyoteRequest.getSession(CoyoteRequest.java:1728)
   at org.apache.coyote.tomcat4.CoyoteRequestFacade.getSession(CoyoteRequestFacade.java:365)
   at org.apache.coyote.tomcat4.CoyoteRequestFacade.getSession(CoyoteRequestFacade.java:375)
   at org.apache.struts.action.RequestProcessor.processLocale(RequestProcessor.java:631)
   at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:230)
   at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1480)
   at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:506)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
   at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:98)
   at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
   at java.security.AccessController.doPrivileged(Native Method)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:256)
   at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
   at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
   at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
   at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
   at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
   at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
   at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
   at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
   at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2415)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
   at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
   at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171)
   at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
   at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
   at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:509)
   at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
   at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
   at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
   at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
   at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
   at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
   at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
   at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:261)
   at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:360)
   at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:604)
   at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:562

Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread John Turner
Is there a part in your error message that says Root Cause?  If so, what 
is it?

John

On Mon, 23 Jun 2003 14:24:36 -0400, Phillip Qin 
[EMAIL PROTECTED] wrote:

Don't know if this mailing list filters my post, try it again.

I am frustrated. I have a webapp developed by struts. If I start Tomcat
without security manager, everything works fine. I can access
https://myhost.mydomain.com/myapp/mylink.do?myparam=myvalue.
After I start Tomcat -security and access the above link, I got the
following error. There is an index.jsp. When someone types
https://myhost.mydomain.com/myapp, this index.jsp will redirect him to the
home page. It is simply a META refresh. The frustration is, if I access
https://myhost.mydomain.com/myapp once, then I can always access
https://myhost.mydomain.com/myapp/mylink.do?myparam=myvalue. I suspect there
are permissions that I need to grant in Catalina.policy.

Any input?

java.lang.NoClassDefFoundError: org/apache/coyote/tomcat4/CoyoteRequest$PrivilegedGetSession
	at org.apache.coyote.tomcat4.CoyoteRequest.getSession(CoyoteRequest.java:1728)
	at org.apache.coyote.tomcat4.CoyoteRequestFacade.getSession(CoyoteRequestFacade.java:365)
	at org.apache.coyote.tomcat4.CoyoteRequestFacade.getSession(CoyoteRequestFacade.java:375)
	at org.apache.struts.action.RequestProcessor.processLocale(RequestProcessor.java:631)
	at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:230)
	at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1480)
	at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:506)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
	at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:98)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:256)
	at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
	at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
	at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
	at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2415)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
	at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
	at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171)
	at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
	at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:509)
	at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
	at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
	at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223)
	at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:261)
	at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:360)
	at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:604)
	at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:562)
	at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:679

RE: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Phillip Qin
The exception that I posted is root cause. The exception is 

javax.servlet.ServletException: Servlet execution threw an exception
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Application
FilterChain.java:269)
at
org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilter
Chain.java:98)
at
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain
.java:176)
..

I solved this problem by including a grant entry

grant codeBase "file:${catalina.home}/webapps/myapp/WEB-INF/struts.jar" {
  permission java.security.AllPermission;
};

But I am wondering if this AllPermission is secure enough or I am opening
more holes.

-Original Message-
From: John Turner [mailto:[EMAIL PROTECTED] 
Sent: June 23, 2003 2:34 PM
To: Tomcat Users List
Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError


Is there a part in your error message that says Root Cause?  If so, what 
is it?

John

On Mon, 23 Jun 2003 14:24:36 -0400, Phillip Qin 
[EMAIL PROTECTED] wrote:

 Don't know if this mailing list filters my post, try it again.

 I am frustrated. I have a webapp developed by struts. If I start Tomcat
 without security manager, everything works fine. I can access
 https://myhost.mydomain.com/myapp/mylink.do?myparam=myvalue.

 After I start Tomcat -security and access the above link, I got the
 following error. There is an index.jsp. When someone types
 https://myhost.mydomain.com/myapp, this index.jsp will redirect him to the
 home page. It is simply a META refresh. The frustration is, if I access
 https://myhost.mydomain.com/myapp once, then I can always access
 https://myhost.mydomain.com/myapp/mylink.do?myparam=myvalue. I suspect there
 are permissions that I need to grant in Catalina.policy.

 Any input?

 java.lang.NoClassDefFoundError: org/apache/coyote/tomcat4/CoyoteRequest$PrivilegedGetSession
   at org.apache.coyote.tomcat4.CoyoteRequest.getSession(CoyoteRequest.java:1728)
   at org.apache.coyote.tomcat4.CoyoteRequestFacade.getSession(CoyoteRequestFacade.java:365)
   at org.apache.coyote.tomcat4.CoyoteRequestFacade.getSession(CoyoteRequestFacade.java:375)
   at org.apache.struts.action.RequestProcessor.processLocale(RequestProcessor.java:631)
   at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:230)
   at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1480)
   at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:506)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
   at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:98)
   at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
   at java.security.AccessController.doPrivileged(Native Method)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:256)
   at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
   at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
   at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
   at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
   at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:246)
   at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
   at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
   at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
   at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2415)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
   at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643)
   at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:171)
   at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:172)
   at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641
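
As an added example (not part of any post in this thread): a small Python audit that parses Java policy grant entries and flags an AllPermission grant to web application code, the kind of entry asked about above. The sample policy is constructed; the myapp.log path and the HIGH_RISK list are assumptions of this example.

```python
"""Audit a Java policy file for over-broad grants to web application code."""
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample modelled on the thread: the struts.jar grant uses the
# WEB-INF/lib path from the follow-up; the log file path is an assumption.
SAMPLE_POLICY = r'''
// Tomcat's own startup code (container code, not a web application).
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
    permission java.security.AllPermission;
};

// Workaround described in the thread.
grant codeBase "file:${catalina.home}/webapps/myapp/WEB-INF/lib/struts.jar" {
    permission java.security.AllPermission;
};

/* Narrower grant built from the permissions named in the thread. */
grant codeBase "file:${catalina.home}/webapps/myapp/-" {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission java.io.FilePermission "${catalina.home}/logs/myapp.log", "read,write";
};
'''

# Permissions that weaken the sandbox considerably (this example's own short list).
HIGH_RISK = {
    ("java.lang.reflect.ReflectPermission", "suppressAccessChecks"),
    ("java.lang.RuntimePermission", "createClassLoader"),
    ("java.lang.RuntimePermission", "setSecurityManager"),
    ("java.security.SecurityPermission", "setPolicy"),
}

_QUOTED = r'"[^"]*"'
_COMMENT_OR_STRING = re.compile(_QUOTED + r'|//[^\n]*|/\*.*?\*/', re.S)
# Quoted strings are matched as units so that "${catalina.home}" braces
# inside a codeBase or target do not end the grant head or body early.
_GRANT = re.compile(
    r'\bgrant\b(?P<head>(?:' + _QUOTED + r'|[^{"])*)\{'
    r'(?P<body>(?:' + _QUOTED + r'|[^}"])*)\}\s*;', re.S)
_CODEBASE = re.compile(r'\bcodeBase\s+"([^"]*)"', re.I)
_PERMISSION = re.compile(
    r'\bpermission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;')


class Grant(NamedTuple):
    codebase: Optional[str]  # None: the grant applies to all code
    permissions: List[Tuple[str, Optional[str], Optional[str]]]


def strip_comments(text: str) -> str:
    """Remove // and /* */ comments, leaving quoted strings (file:// URLs) intact."""
    return _COMMENT_OR_STRING.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else " ", text)


def parse_policy(text: str) -> List[Grant]:
    """Return every grant entry with its (class, target, actions) permissions."""
    grants = []
    for m in _GRANT.finditer(strip_comments(text)):
        cb = _CODEBASE.search(m.group("head"))
        perms = [p.groups() for p in _PERMISSION.finditer(m.group("body"))]
        grants.append(Grant(cb.group(1) if cb else None, perms))
    return grants


def is_webapp_code(codebase: Optional[str]) -> bool:
    """A grant with no codeBase covers web applications too."""
    return codebase is None or "/webapps/" in codebase


def audit(grants: List[Grant]) -> List[Tuple[str, str, str]]:
    """Return (severity, code base, reason) for risky grants to webapp code."""
    findings = []
    for g in grants:
        if not is_webapp_code(g.codebase):
            continue  # container code is out of scope for this check
        where = g.codebase or "<all code>"
        for cls, target, _actions in g.permissions:
            if cls == "java.security.AllPermission":
                findings.append(("CRITICAL", where,
                                 "AllPermission grants every permission to this code base"))
            elif (cls, target) in HIGH_RISK:
                findings.append(("HIGH", where, f'{cls} "{target}"'))
    return findings


if __name__ == "__main__":
    for severity, where, reason in audit(parse_policy(SAMPLE_POLICY)):
        print(f"{severity:8} {where}: {reason}")
```

Run against the sample, the audit reports the struts.jar AllPermission grant as CRITICAL and the suppressAccessChecks permission in the narrower grant as HIGH, while leaving the container's own bootstrap.jar grant alone.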

Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Jason Bainbridge
On Tue, 24 Jun 2003 02:41, Phillip Qin wrote:
 I solved this problem by including a grant entry

 grant codeBase "file:${catalina.home}/webapps/myapp/WEB-INF/struts.jar" {
   permission java.security.AllPermission;
 };

Why isn't it in WEB-INF/lib ? That is probably why you had to add that grant 
entry as it isn't the usual place to store jar files.

Regards,
-- 
Jason Bainbridge
http://jblinux.org

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Phillip Qin
Typo, it is WEB-INF/lib.

When there is no grant entry for this jar, tomcat throws
NoClassDefFoundError.

-Original Message-
From: Jason Bainbridge [mailto:[EMAIL PROTECTED] 
Sent: June 23, 2003 2:44 PM
To: Tomcat Users List
Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

On Tue, 24 Jun 2003 02:41, Phillip Qin wrote:
 I solved this problem by including a grant entry

 grant codeBase "file:${catalina.home}/webapps/myapp/WEB-INF/struts.jar" {
   permission java.security.AllPermission;
 };

Why isn't it in WEB-INF/lib ? That is probably why you had to add that grant
entry as it isn't the usual place to store jar files.

Regards,
-- 
Jason Bainbridge
http://jblinux.org



Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread John Turner
Good eye, Jason.

John

On Tue, 24 Jun 2003 02:43:59 +0800, Jason Bainbridge [EMAIL PROTECTED] 
wrote:

On Tue, 24 Jun 2003 02:41, Phillip Qin wrote:
I solved this problem by including a grant entry

grant codeBase "file:${catalina.home}/webapps/myapp/WEB-INF/struts.jar" {
  permission java.security.AllPermission;
};
Why isn't it in WEB-INF/lib ? That is probably why you had to add that
grant entry as it isn't the usual place to store jar files.

Regards,


--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/


Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Jason Bainbridge
What other struts.jar files have you got laying around? Have you maybe got one 
in common/lib? I'm not sure why setting a grant like that would make a 
NoClassDefFoundError go away, maybe it tricks the classloader into looking at 
a specific class somehow.

Either way I don't think you have fixed the problem it just appears you 
have...

Regards,
-- 
Jason Bainbridge
http://jblinux.org

On Tue, 24 Jun 2003 02:46, Phillip Qin wrote:
 Typo, it is WEB-INF/lib.

 When there is no grant entry for this jar, tomcat throws
 NoClassDefFoundError.

 -Original Message-
 From: Jason Bainbridge [mailto:[EMAIL PROTECTED]
 Sent: June 23, 2003 2:44 PM
 To: Tomcat Users List
 Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

 On Tue, 24 Jun 2003 02:41, Phillip Qin wrote:
  I solved this problem by including a grant entry
 
  grant codeBase "file:${catalina.home}/webapps/myapp/WEB-INF/struts.jar" {
    permission java.security.AllPermission;
  };

 Why isn't it in WEB-INF/lib ? That is probably why you had to add that grant
 entry as it isn't the usual place to store jar files.

 Regards,





RE: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Shapira, Yoav

Howdy,
The curious part about the stack trace is the doPrivileged throwing the exception.  
Are you using JAAS or a custom realm to do your authentication?  If so, are you sure 
this realm is properly configured?

Yoav Shapira
Millennium ChemInformatics


-Original Message-
From: Jason Bainbridge [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2003 2:53 PM
To: Tomcat Users List
Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

What other struts.jar files have you got laying around? Have you maybe got one
in common/lib? I'm not sure why setting a grant like that would make a
NoClassDefFoundError go away, maybe it tricks the classloader into looking at
a specific class somehow.

Either way I don't think you have fixed the problem it just appears you
have...

Regards,
--
Jason Bainbridge
http://jblinux.org

On Tue, 24 Jun 2003 02:46, Phillip Qin wrote:
 Typo, it is WEB-INF/lib.

 When there is no grant entry for this jar, tomcat throws
 NoClassDefFoundError.

 -Original Message-
 From: Jason Bainbridge [mailto:[EMAIL PROTECTED]
 Sent: June 23, 2003 2:44 PM
 To: Tomcat Users List
 Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

 On Tue, 24 Jun 2003 02:41, Phillip Qin wrote:
  I solved this problem by including a grant entry
 
  grant codeBase "file:${catalina.home}/webapps/myapp/WEB-INF/struts.jar" {
    permission java.security.AllPermission;
  };

 Why isn't it in WEB-INF/lib ? That is probably why you had to add that grant
 entry as it isn't the usual place to store jar files.

 Regards,






This e-mail, including any attachments, is a confidential business communication, and 
may contain information that is confidential, proprietary and/or privileged.  This 
e-mail is intended only for the individual(s) to whom it is addressed, and may not be 
saved, copied, printed, disclosed or used by anyone else.  If you are not the(an) 
intended recipient, please immediately delete this e-mail from your computer system 
and notify the sender.  Thank you.





Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread John Turner
NoClassDefFound is not the same as ClassNotFound...NoClassDefFound 
typically means Tomcat is confused about which class you want it to use.  I 
agree with Jason, I think you have a couple struts.jar files around, and 
Tomcat isn't sure which one to use.

John

On Mon, 23 Jun 2003 14:46:44 -0400, Phillip Qin 
[EMAIL PROTECTED] wrote:

Typo, it is WEB-INF/lib.

When there is no grant entry for this jar, tomcat throws
NoClassDefFoundError.
-Original Message-
From: Jason Bainbridge [mailto:[EMAIL PROTECTED]
Sent: June 23, 2003 2:44 PM
To: Tomcat Users List
Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

On Tue, 24 Jun 2003 02:41, Phillip Qin wrote:
I solved this problem by including a grant entry

grant codeBase "file:${catalina.home}/webapps/myapp/WEB-INF/struts.jar" {
  permission java.security.AllPermission;
};
Why isn't it in WEB-INF/lib ? That is probably why you had to add that grant
entry as it isn't the usual place to store jar files.

Regards,




RE: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Phillip Qin
1. There is no struts installation at all outside Catalina directories on
this production box.
2. There are two webapps using struts, but struts.jars are located in
webapps/myapp1/WEB-INF/lib and webapps/myapp2/WEB-INF/lib respectively.
3. No environment variables set for struts.jars so I assume tomcat
classloader should take care of them.

To Yoav:

I start Tomcat with -security option. Tomcat will use Catalina.policy to
manage the permissions. I don't use JAAS or realm at all (realms were
cleaned up in server.xml).

-Original Message-
From: John Turner [mailto:[EMAIL PROTECTED] 
Sent: June 23, 2003 3:01 PM
To: Tomcat Users List
Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError


NoClassDefFound is not the same as ClassNotFound...NoClassDefFound 
typically means Tomcat is confused about which class you want it to use.  I 
agree with Jason, I think you have a couple struts.jar files around, and 
Tomcat isn't sure which one to use.

John

On Mon, 23 Jun 2003 14:46:44 -0400, Phillip Qin 
[EMAIL PROTECTED] wrote:

 Typo, it is WEB-INF/lib.

 When there is no grant entry for this jar, tomcat throws
 NoClassDefFoundError.

 -Original Message-
 From: Jason Bainbridge [mailto:[EMAIL PROTECTED]
 Sent: June 23, 2003 2:44 PM
 To: Tomcat Users List
 Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

 On Tue, 24 Jun 2003 02:41, Phillip Qin wrote:
 I solved this problem by including a grant entry

 grant codeBase "file:${catalina.home}/webapps/myapp/WEB-INF/struts.jar" {
   permission java.security.AllPermission;
 };

 Why isn't it in WEB-INF/lib ? That is probably why you had to add that grant
 entry as it isn't the usual place to store jar files.

 Regards,





RE: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Shapira, Yoav

Howdy,
Is your catalina.policy the default or modified?

Yoav Shapira
Millennium ChemInformatics


-Original Message-
From: Phillip Qin [mailto:[EMAIL PROTECTED]
Sent: Monday, June 23, 2003 3:10 PM
To: 'Tomcat Users List'
Subject: RE: [REPOST]Tomcat with security manager + NoClassDefFoundError

1. There is no struts installation at all outside Catalina directories on
this production box.
2. There are two webapps using struts, but struts.jars are located in
webapps/myapp1/WEB-INF/lib and webapps/myapp2/WEB-INF/lib respectively.
3. No environment variables set for struts.jars so I assume tomcat
classloader should take care of them.

To Yoav:

I start Tomcat with -security option. Tomcat will use Catalina.policy to
manage the permissions. I don't use JAAS or realm at all (realms were
cleaned up in server.xml).

-Original Message-
From: John Turner [mailto:[EMAIL PROTECTED]
Sent: June 23, 2003 3:01 PM
To: Tomcat Users List
Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError


NoClassDefFound is not the same as ClassNotFound...NoClassDefFound
typically means Tomcat is confused about which class you want it to use.  I
agree with Jason, I think you have a couple struts.jar files around, and
Tomcat isn't sure which one to use.

John

On Mon, 23 Jun 2003 14:46:44 -0400, Phillip Qin
[EMAIL PROTECTED] wrote:

 Typo, it is WEB-INF/lib.

 When there is no grant entry for this jar, tomcat throws
 NoClassDefFoundError.

 -Original Message-
 From: Jason Bainbridge [mailto:[EMAIL PROTECTED]
 Sent: June 23, 2003 2:44 PM
 To: Tomcat Users List
 Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

 On Tue, 24 Jun 2003 02:41, Phillip Qin wrote:
 I solved this problem by including a grant entry

 grant codeBase "file:${catalina.home}/webapps/myapp/WEB-INF/struts.jar" {
   permission java.security.AllPermission;
 };

 Why isn't it in WEB-INF/lib ? That is probably why you had to add that grant
 entry as it isn't the usual place to store jar files.

 Regards,






RE: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Phillip Qin
I even deleted server/webapps which contains struts.jar for admin
application.

To Yoav:

I modified Catalina default policy file to allow log4j writing to files and
myapps sending out emails and connecting to credit card processing company.

-Original Message-
From: Jason Bainbridge [mailto:[EMAIL PROTECTED] 
Sent: June 23, 2003 2:53 PM
To: Tomcat Users List
Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

What other struts.jar files have you got laying around? Have you maybe got one
in common/lib? I'm not sure why setting a grant like that would make a
NoClassDefFoundError go away, maybe it tricks the classloader into looking at
a specific class somehow.

Either way I don't think you have fixed the problem it just appears you 
have...

Regards,
-- 
Jason Bainbridge
http://jblinux.org

On Tue, 24 Jun 2003 02:46, Phillip Qin wrote:
 Typo, it is WEB-INF/lib.

 When there is no grant entry for this jar, tomcat throws
 NoClassDefFoundError.

 -Original Message-
 From: Jason Bainbridge [mailto:[EMAIL PROTECTED]
 Sent: June 23, 2003 2:44 PM
 To: Tomcat Users List
 Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

 On Tue, 24 Jun 2003 02:41, Phillip Qin wrote:
  I solved this problem by including a grant entry
 
  grant codeBase "file:${catalina.home}/webapps/myapp/WEB-INF/struts.jar" {
    permission java.security.AllPermission;
  };

 Why isn't it in WEB-INF/lib ? That is probably why you had to add that grant
 entry as it isn't the usual place to store jar files.

 Regards,




Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Jason Bainbridge
Was just doing a bit of reading:

http://jakarta.apache.org/struts/userGuide/installation.html

Running Struts Applications Under A Security Manager

Many application servers execute web applications under the control of a Java 
security manager, with restricted permissions on what classes in the web 
application can do. If you utilize form beans with mapped properties, you may 
encounter security exceptions unless you add the following permission to the 
set of permissions granted to your Struts application's codebase:

permission java.lang.RuntimePermission "accessDeclaredMembers";

It still seems strange though that it was throwing a NoClassDefFoundError, can 
you maybe try the above as an alternative fix and see if that resolves the 
problem?

Regards,
-- 
Jason Bainbridge
http://jblinux.org

On Tue, 24 Jun 2003 03:30, Phillip Qin wrote:
 I even deleted server/webapps which contains struts.jar for admin
 application.

 To Yoav:

 I modified Catalina default policy file to allow log4j writing to files and
 myapps sending out emails and connecting to credit card processing company.

 -Original Message-
 From: Jason Bainbridge [mailto:[EMAIL PROTECTED]
 Sent: June 23, 2003 2:53 PM
 To: Tomcat Users List
 Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

 What other struts.jar files have you got laying around? Have you maybe got one
 in common/lib? I'm not sure why setting a grant like that would make a
 NoClassDefFoundError go away, maybe it tricks the classloader into looking at
 a specific class somehow.

 Either way I don't think you have fixed the problem it just appears you
 have...

 Regards,




RE: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Phillip Qin
I have already added that one, plus

- ReflectPermission suppressAccessChecks for a commons-beanutils bug
- FilePermission for log4j

-Original Message-
From: Jason Bainbridge [mailto:[EMAIL PROTECTED] 
Sent: June 23, 2003 3:48 PM
To: Tomcat Users List
Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

Was just doing a bit of reading:

http://jakarta.apache.org/struts/userGuide/installation.html

Running Struts Applications Under A Security Manager

Many application servers execute web applications under the control of a Java
security manager, with restricted permissions on what classes in the web
application can do. If you utilize form beans with mapped properties, you may
encounter security exceptions unless you add the following permission to the
set of permissions granted to your Struts application's codebase:

permission java.lang.RuntimePermission "accessDeclaredMembers";

It still seems strange though that it was throwing a NoClassDefFoundError, can
you maybe try the above as an alternative fix and see if that resolves the
problem?

Regards,
-- 
Jason Bainbridge
http://jblinux.org

On Tue, 24 Jun 2003 03:30, Phillip Qin wrote:
 I even deleted server/webapps which contains struts.jar for admin
 application.

 To Yoav:

 I modified Catalina default policy file to allow log4j writing to files and
 myapps sending out emails and connecting to credit card processing company.

 -Original Message-
 From: Jason Bainbridge [mailto:[EMAIL PROTECTED]
 Sent: June 23, 2003 2:53 PM
 To: Tomcat Users List
 Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

 What other struts.jar files have you got laying around? Have you maybe got one
 in common/lib? I'm not sure why setting a grant like that would make a
 NoClassDefFoundError go away, maybe it tricks the classloader into looking at
 a specific class somehow.

 Either way I don't think you have fixed the problem it just appears you
 have...

 Regards,



Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Jean-Francois Arcand
Hi,

that's a bug in Tomcat. You should not receive that exception, which 
means that the classloader is unable to load some package protected 
classes. The 
org/apache/coyote/tomcat4/CoyoteRequest$PrivilegedGetSession needs to be 
loaded when Tomcat starts, not when you do your first invocation (Tomcat 
5 handles the current case).

Which Tomcat version are you using (4.1.?)?

-- Jeanfrancois

Phillip Qin wrote:

I have already added that one, plus

- ReflectPermission suppressAccessChecks for a commons-beanutils bug
- FilePermission for log4j
-Original Message-
From: Jason Bainbridge [mailto:[EMAIL PROTECTED] 
Sent: June 23, 2003 3:48 PM
To: Tomcat Users List
Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

Was just doing a bit of reading:

http://jakarta.apache.org/struts/userGuide/installation.html

Running Struts Applications Under A Security Manager

Many application servers execute web applications under the control of a Java
security manager, with restricted permissions on what classes in the web
application can do. If you utilize form beans with mapped properties, you may
encounter security exceptions unless you add the following permission to the
set of permissions granted to your Struts application's codebase:

permission java.lang.RuntimePermission "accessDeclaredMembers";

It still seems strange though that it was throwing a NoClassDefFoundError, can
you maybe try the above as an alternative fix and see if that resolves the
problem?

Regards,
 





RE: [REPOST]Tomcat with security manager + NoClassDefFoundError

2003-06-23 Thread Phillip Qin
Apache 2.0.46, tomcat 4.1.24 and jk2 connector, struts-1.1-rc2

In my original posting, I said I am frustrated because,

- if I start index.jsp first which is simply a meta refresh, I didn't
receive the exception, and then I can access .../mylink.do?... from browser.
- if I access .../mylink.do?... first, I got this error.

I looked into catalina.out, there was no permission exception.
 
-Original Message-
From: Jean-Francois Arcand [mailto:[EMAIL PROTECTED] 
Sent: June 23, 2003 4:42 PM
To: Tomcat Users List
Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

Hi,

that's a bug in Tomcat. You should not receive that exception, which 
means that the classloader is unable to load some package protected 
classes. The 
org/apache/coyote/tomcat4/CoyoteRequest$PrivilegedGetSession needs to be 
loaded when Tomcat starts, not when you do your first invocation (Tomcat 
5 handles the current case).

Which Tomcat version are you using (4.1.?)?

-- Jeanfrancois

Phillip Qin wrote:

I have already added that one, plus

- ReflectPermission suppressAccessChecks for a commons-beanutils bug
- FilePermission for log4j

-Original Message-
From: Jason Bainbridge [mailto:[EMAIL PROTECTED] 
Sent: June 23, 2003 3:48 PM
To: Tomcat Users List
Subject: Re: [REPOST]Tomcat with security manager + NoClassDefFoundError

Was just doing a bit of reading:

http://jakarta.apache.org/struts/userGuide/installation.html

Running Struts Applications Under A Security Manager

Many application servers execute web applications under the control of a
Java security manager, with restricted permissions on what classes in the
web application can do. If you utilize form beans with mapped properties,
you may encounter security exceptions unless you add the following
permission to the set of permissions granted to your Struts application's
codebase:

permission java.lang.RuntimePermission accessDeclaredMembers;

It still seems strange though that it was throwing a NoClassDefFoundError,
can you maybe try the above as an alternative fix and see if that resolves
the problem?

Regards,
  





Re: Tomcat with Security manager

2003-02-07 Thread Jeanfrancois Arcand
 java.util.PropertyPermission java.vm.version, read;
   permission java.util.PropertyPermission java.vm.vendor, read;
   permission java.util.PropertyPermission java.vm.name, read;

   // Required for getting BeanInfo
   permission java.lang.RuntimePermission accessClassInPackage.sun.beans.*;

   // Allow read of JAXP compliant XML parser debug
   permission java.util.PropertyPermission jaxp.debug, read;
};


// You can assign additional permissions to particular web applications by
// adding additional grant entries here, based on the code base for that
// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
//
// Different permissions can be granted to JSP pages, classes loaded from
// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
//
// For instance, assume that the standard examples application
// included a JDBC driver that needed to establish a network connection to the
// corresponding database and used the scrape taglib to get the weather from
// the NOAA web server.  You might create a grant entries like this:
//
// The permissions granted to the context root directory apply to JSP pages.
// grant codeBase file:${catalina.home}/webapps/examples/- {
//  permission java.net.SocketPermission dbhost.mycompany.com:5432, connect;
//  permission java.net.SocketPermission *.noaa.gov:80, connect;
// };
//
// The permissions granted to the context WEB-INF/classes directory
// grant codeBase file:${catalina.home}/webapps/examples/WEB-INF/classes/- {
// };
//
// The permission granted to your JDBC driver
// grant codeBase file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/- {
//  permission java.net.SocketPermission dbhost.mycompany.com:5432, connect;
// };
// The permission granted to the scrape taglib
// grant codeBase file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar!/- {
//  permission java.net.SocketPermission *.noaa.gov:80, connect;
// };

grant codeBase file:/my_jspfolderpath/- {
   permission java.io.FilePermission my_jspfolderpath/images/site,read,write;
};

**   End of catalina.policy
**


- Original Message -
From: Jeanfrancois Arcand [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Thursday, February 06, 2003 7:34 AM
Subject: Re: Tomcat with Security manager


 

Can you post your catalina.policy file? Your file should contain that
permission:

// These permissions apply to the server startup code
grant codeBase file:${catalina.home}/bin/bootstrap.jar {
 permission java.security.AllPermission;
}

-- Jeanfrancois

Harish Kumar K.K. wrote:

Hello All

Hope somebody can help me!

I am using Tomcat 4.0.3 on a Red Hat Linux 7.1 system with Apache 1.3.27,
and it works fine if started without the security manager. Recently I had to
put up a file upload form on one of my web sites, and when I deployed the
jsp to accept the form data and save the uploaded file to disk...it came up
with the error File cannot be saved. I am using jspSmartUpload class to
handle the multipart form data and to save the file to disk, which can be
downloaded from www.jspsmart.com

So I read the documentation and figured, the security manager might have
to be enabled with appropriate File IO permissions set for the directory to
which I was trying to save the file.

I proceeded to add the required grant directive in the catalina.policy
file, and when I started Tomcat with the security manager enabled...it
wouldn't start! I checked catalina.out and saw that Tomcat is not able to
read server.xml. Here is the stacktrace I found in catalina.out

Catalina.start: java.security.AccessControlException: access denied (java.io.FilePermission /var/tomcat4/conf/server.xml read)
java.security.AccessControlException: access denied (java.io.FilePermission /var/tomcat4/conf/server.xml read)
  at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
  at java.security.AccessController.checkPermission(AccessController.java:401)
  at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
  at java.lang.SecurityManager.checkRead(SecurityManager.java:887)
  at java.io.File.isDirectory(File.java:698)
  at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:65)
  at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:148)
  at java.net.URL.openStream(URL.java:955)
  at org.apache.xerces.readers.DefaultReaderFactory.createReader(DefaultReaderFactory.java)
  at org.apache.xerces.readers.DefaultEntityHandler.startReadingFromDocument(DefaultEntityHandler.java)
  at org.apache.xerces.framework.XMLParser.parseSomeSetup(XMLParser.java

Re: Tomcat with Security manager

2003-02-06 Thread Jeanfrancois Arcand
Can you post your catalina.policy file? Your file should contain that
permission:

// These permissions apply to the server startup code
grant codeBase file:${catalina.home}/bin/bootstrap.jar {
 permission java.security.AllPermission;
}

-- Jeanfrancois

Harish Kumar K.K. wrote:

Hello All

Hope somebody can help me!

I am using Tomcat 4.0.3 on a Red Hat Linux 7.1 system with Apache 1.3.27, and it works fine if started without the security manager. Recently I had to put up a file upload form on one of my web sites, and when I deployed the jsp to accept the form data and save the uploaded file to disk...it came up with the error File cannot be saved. I am using jspSmartUpload class to handle the multipart form data and to save the file to disk, which can be downloaded from www.jspsmart.com

So I read the documentation and figured, the security manager might have to be enabled with appropriate File IO permissions set for the directory to which I was trying to save the file. 

I proceeded to add the required grant directive in the catalina.policy file, and when I started Tomcat with the security manager enabled...it wouldn't start! I checked catalina.out and saw that Tomcat is not able to read server.xml. Here is the stacktrace I found in catalina.out

Catalina.start: java.security.AccessControlException: access denied (java.io.FilePermission /var/tomcat4/conf/server.xml read)
java.security.AccessControlException: access denied (java.io.FilePermission /var/tomcat4/conf/server.xml read)
   at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
   at java.security.AccessController.checkPermission(AccessController.java:401)
   at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
   at java.lang.SecurityManager.checkRead(SecurityManager.java:887)
   at java.io.File.isDirectory(File.java:698)
   at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:65)
   at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:148)
   at java.net.URL.openStream(URL.java:955)
   at org.apache.xerces.readers.DefaultReaderFactory.createReader(DefaultReaderFactory.java)
   at org.apache.xerces.readers.DefaultEntityHandler.startReadingFromDocument(DefaultEntityHandler.java)
   at org.apache.xerces.framework.XMLParser.parseSomeSetup(XMLParser.java)
   at org.apache.xerces.framework.XMLParser.parse(XMLParser.java)
   at org.xml.sax.helpers.XMLReaderAdapter.parse(XMLReaderAdapter.java:223)
   at javax.xml.parsers.SAXParser.parse(SAXParser.java:314)
   at javax.xml.parsers.SAXParser.parse(SAXParser.java:253)
   at org.apache.catalina.util.xml.XmlMapper.readXml(XmlMapper.java:228)
   at org.apache.catalina.startup.Catalina.start(Catalina.java:725)
   at org.apache.catalina.startup.Catalina.execute(Catalina.java:681)
   at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:324)
   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:243)

Then, I found from the security manager howto on the web site, that if no security manager is enabled, it's just like giving all permissions...I am guessing this means that in that case the operating system file permission system only will be in effect. So I made the directory I wanted to save the file into, world writable, just to make sure the OS is not preventing the save operation. Then started Tomcat without the security manager...still the same result!

Now I am totally confused! What am I doing wrong?
Can anybody help me? Please?

Thanks and Regards
Harish
 







Re: Tomcat with Security manager

2003-02-06 Thread Neville Gomes
Hi,

You could try a chmod on the directory you're uploading your files onto.

Regards,
Neville


On Thursday 06 February 2003 10:27, you wrote:
 Hello All

 Hope somebody can help me!

 I am using Tomcat 4.0.3 on a Red Hat Linux 7.1 system with Apache 1.3.27,
 and it works fine if started without the security manager. Recently I had
 to put up a file upload form on one of my web sites, and when I deployed
 the jsp to accept the form data and save the uploaded file to disk...it
 came up with the error File cannot be saved. I am using jspSmartUpload
 class to handle the multipart form data and to save the file to disk, which
 can be downloaded from www.jspsmart.com

 So I read the documentation and figured, the security manager might have to
 be enabled with appropriate File IO permissions set for the directory to
 which I was trying to save the file.

 I proceeded to add the required grant directive in the catalina.policy
 file, and when I started Tomcat with the security manager enabled...it
 wouldn't start! I checked catalina.out and saw that Tomcat is not able to
 read server.xml. Here is the stacktrace I found in catalina.out

 Catalina.start: java.security.AccessControlException: access denied (java.io.FilePermission /var/tomcat4/conf/server.xml read)
 java.security.AccessControlException: access denied (java.io.FilePermission /var/tomcat4/conf/server.xml read)
   at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
   at java.security.AccessController.checkPermission(AccessController.java:401)
   at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
   at java.lang.SecurityManager.checkRead(SecurityManager.java:887)
   at java.io.File.isDirectory(File.java:698)
   at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:65)
   at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:148)
   at java.net.URL.openStream(URL.java:955)
   at org.apache.xerces.readers.DefaultReaderFactory.createReader(DefaultReaderFactory.java)
   at org.apache.xerces.readers.DefaultEntityHandler.startReadingFromDocument(DefaultEntityHandler.java)
   at org.apache.xerces.framework.XMLParser.parseSomeSetup(XMLParser.java)
   at org.apache.xerces.framework.XMLParser.parse(XMLParser.java)
   at org.xml.sax.helpers.XMLReaderAdapter.parse(XMLReaderAdapter.java:223)
   at javax.xml.parsers.SAXParser.parse(SAXParser.java:314)
   at javax.xml.parsers.SAXParser.parse(SAXParser.java:253)
   at org.apache.catalina.util.xml.XmlMapper.readXml(XmlMapper.java:228)
   at org.apache.catalina.startup.Catalina.start(Catalina.java:725)
   at org.apache.catalina.startup.Catalina.execute(Catalina.java:681)
   at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:324)
   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:243)

 Then, I found from the security manager howto on the web site, that if no
 security manager is enabled, it's just like giving all permissions...I am
 guessing this means that in that case the operating system file permission
 system only will be in effect. So I made the directory I wanted to save the
 file into, world writable, just to make sure the OS is not preventing the
 save operation. Then started Tomcat without the security manager...still
 the same result!

 Now I am totally confused! What am I doing wrong?
 Can anybody help me? Please?

 Thanks and Regards
 Harish





Re: Tomcat with Security manager

2003-02-06 Thread Harish Kumar K.K.
;

// Required for getting BeanInfo
permission java.lang.RuntimePermission accessClassInPackage.sun.beans.*;

// Allow read of JAXP compliant XML parser debug
permission java.util.PropertyPermission jaxp.debug, read;
};


// You can assign additional permissions to particular web applications by
// adding additional grant entries here, based on the code base for that
// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
//
// Different permissions can be granted to JSP pages, classes loaded from
// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
//
// For instance, assume that the standard examples application
// included a JDBC driver that needed to establish a network connection to the
// corresponding database and used the scrape taglib to get the weather from
// the NOAA web server.  You might create a grant entries like this:
//
// The permissions granted to the context root directory apply to JSP pages.
// grant codeBase file:${catalina.home}/webapps/examples/- {
//  permission java.net.SocketPermission dbhost.mycompany.com:5432, connect;
//  permission java.net.SocketPermission *.noaa.gov:80, connect;
// };
//
// The permissions granted to the context WEB-INF/classes directory
// grant codeBase file:${catalina.home}/webapps/examples/WEB-INF/classes/- {
// };
//
// The permission granted to your JDBC driver
// grant codeBase file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/- {
//  permission java.net.SocketPermission dbhost.mycompany.com:5432, connect;
// };
// The permission granted to the scrape taglib
// grant codeBase file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar!/- {
//  permission java.net.SocketPermission *.noaa.gov:80, connect;
// };

grant codeBase file:/my_jspfolderpath/- {
permission java.io.FilePermission my_jspfolderpath/images/site,read,write;
};

**   End of catalina.policy
**


- Original Message -
From: Jeanfrancois Arcand [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Thursday, February 06, 2003 7:34 AM
Subject: Re: Tomcat with Security manager


 Can you post your catalina.policy file? Your file should contain that
 permission:

 // These permissions apply to the server startup code
 grant codeBase file:${catalina.home}/bin/bootstrap.jar {
   permission java.security.AllPermission;
 }

 -- Jeanfrancois

 Harish Kumar K.K. wrote:

 Hello All
 
 Hope somebody can help me!
 
 I am using Tomcat 4.0.3 on a Red Hat Linux 7.1 system with Apache 1.3.27,
and it works fine if started without the security manager. Recently I had to
put up a file upload form on one of my web sites, and when I deployed the
jsp to accept the form data and save the uploaded file to disk...it came up
with the error File cannot be saved. I am using jspSmartUpload class to
handle the multipart form data and to save the file to disk, which can be
downloaded from www.jspsmart.com
 
 So I read the documentation and figured, the security manager might have
to be enabled with appropriate File IO permissions set for the directory to
which I was trying to save the file.
 
 I proceeded to add the required grant directive in the catalina.policy
file, and when I started Tomcat with the security manager enabled...it
wouldn't start! I checked catalina.out and saw that Tomcat is not able to
read server.xml. Here is the stacktrace I found in catalina.out
 
 Catalina.start: java.security.AccessControlException: access denied (java.io.FilePermission /var/tomcat4/conf/server.xml read)
 java.security.AccessControlException: access denied (java.io.FilePermission /var/tomcat4/conf/server.xml read)
   at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
   at java.security.AccessController.checkPermission(AccessController.java:401)
   at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
   at java.lang.SecurityManager.checkRead(SecurityManager.java:887)
   at java.io.File.isDirectory(File.java:698)
   at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:65)
   at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:148)
   at java.net.URL.openStream(URL.java:955)
   at org.apache.xerces.readers.DefaultReaderFactory.createReader(DefaultReaderFactory.java)
   at org.apache.xerces.readers.DefaultEntityHandler.startReadingFromDocument(DefaultEntityHandler.java)
   at org.apache.xerces.framework.XMLParser.parseSomeSetup(XMLParser.java)
   at org.apache.xerces.framework.XMLParser.parse(XMLParser.java)
   at org.xml.sax.helpers.XMLReaderAdapter.parse(XMLReaderAdapter.java:223)
   at javax.xml.parsers.SAXParser.parse(SAXParser.java:314)
   at javax.xml.parsers.SAXParser.parse(SAXParser.java:253

Tomcat with Security manager

2003-02-05 Thread Harish Kumar K.K.
Hello All

Hope somebody can help me!

I am using Tomcat 4.0.3 on a Red Hat Linux 7.1 system with Apache 1.3.27, and it works 
fine if started without the security manager. Recently I had to put up a file upload 
form on one of my web sites, and when I deployed the jsp to accept the form data and 
save the uploaded file to disk...it came up with the error File cannot be saved. I 
am using jspSmartUpload class to handle the multipart form data and to save the file 
to disk, which can be downloaded from www.jspsmart.com

So I read the documentation and figured, the security manager might have to be enabled 
with appropriate File IO permissions set for the directory to which I was trying to 
save the file. 

I proceeded to add the required grant directive in the catalina.policy file, and 
when I started Tomcat with the security manager enabled...it wouldn't start! I 
checked catalina.out and saw that Tomcat is not able to read server.xml. Here is the 
stacktrace I found in catalina.out

Catalina.start: java.security.AccessControlException: access denied (java.io.FilePermission /var/tomcat4/conf/server.xml read)
java.security.AccessControlException: access denied (java.io.FilePermission /var/tomcat4/conf/server.xml read)
   at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
   at java.security.AccessController.checkPermission(AccessController.java:401)
   at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
   at java.lang.SecurityManager.checkRead(SecurityManager.java:887)
   at java.io.File.isDirectory(File.java:698)
   at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:65)
   at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:148)
   at java.net.URL.openStream(URL.java:955)
   at org.apache.xerces.readers.DefaultReaderFactory.createReader(DefaultReaderFactory.java)
   at org.apache.xerces.readers.DefaultEntityHandler.startReadingFromDocument(DefaultEntityHandler.java)
   at org.apache.xerces.framework.XMLParser.parseSomeSetup(XMLParser.java)
   at org.apache.xerces.framework.XMLParser.parse(XMLParser.java)
   at org.xml.sax.helpers.XMLReaderAdapter.parse(XMLReaderAdapter.java:223)
   at javax.xml.parsers.SAXParser.parse(SAXParser.java:314)
   at javax.xml.parsers.SAXParser.parse(SAXParser.java:253)
   at org.apache.catalina.util.xml.XmlMapper.readXml(XmlMapper.java:228)
   at org.apache.catalina.startup.Catalina.start(Catalina.java:725)
   at org.apache.catalina.startup.Catalina.execute(Catalina.java:681)
   at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:324)
   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:243)

Then, I found from the security manager howto on the web site, that if no security 
manager is enabled, it's just like giving all permissions...I am guessing this means 
that in that case the operating system file permission system only will be in effect. 
So I made the directory I wanted to save the file into, world writable, just to make 
sure the OS is not preventing the save operation. Then started Tomcat without the 
security manager...still the same result!

Now I am totally confused! What am I doing wrong?
Can anybody help me? Please?

Thanks and Regards
Harish


Tomcat and security manager: unexpected java.security.AccessControlException on sun linux cobalt

2002-12-03 Thread J.P.Jarolim
Hi!

I've been working on this since beginning last week together with a friend
and can't find a clue:

My friend owns a sun cobalt with linux, apache and tomcat.
The system seems to be ready to use for providers - there is a config
utility to add new user sites with a lot of options (like: user gets mysql,
pop3, tomcat, or whatever)

After creating a site with jsp, we deployed a jsp-testsuite which tests the
given infrastructure: reading files, instancing classes, trying a db-query
on mysql and so on (Which works fine on our local system). But every time
we try to execute the testsuite we get one of these SecurityExceptions:

java.security.AccessControlException: access denied (java.io.FilePermission /home/.sites/143/site40/web/test.txt read)
(Test.txt is the file we want to read in the first part of our testsuite:
File permissions 777)

We looked into the tomcat docs how to setup the security manager correctly
and looked into the tomcat.policy file in the {tomcat.home}/conf dir just
to see that everything was set correctly (for us) from the site management
utility:
...
grant codeBase file:/home/.sites/143/site40/web/- {
  permission SocketPermission localhost:1024-, listen,connect,resolve;
  permission java.util.PropertyPermission *, read,write;
  permission java.io.FilePermission /home/.sites/143/site40/-, read,write,delete;
  permission java.lang.RuntimePermission accessClassInPackage.sun.io;
};
...

Tomcat seems to run secure with the right file (as seen under ps -Af) but
seems to ignore all grants for the user sites:

...
java -Djava.security.manager -Djava.security.policy==/usr/java/jakarta-tomcat/conf/tomcat.policy -Dtomcat.home=/usr/java/jakarta-tomcat org.apache.tomcat.startup.Tomcat

Some users on groups.google mentioned, that the codeBase should be the same
as the docBase in the server.xml:
...
Host name=johannes.jarolim.com !-- Site site40 --
  Context path= docBase=/home/.sites/143/site40/web debug=0/
  !-- user web contexts --
/Host
...

but this looks correct to me too. We even tried to give my site all
permissions:

grant codeBase file:/home/.sites/143/site40/web/- {
permission java.security.AllPermission;
};

But that is ignored too. The testsuite is neither able to open a file nor
just to read the length.
We have the same problems when instancing a class which tries to dynamically
instance another class. Like:

myDriver = (Driver)Class.forName(DriverName).newInstance();  // This is a part of opening a connection to the mysql-db

To get that straight: Everything runs fine without security manager - But
who wants to run a root-tomcat without a security manager ;-)
Could anyone give me a clue where we could look at? After one week of
googling we're somehow out of ideas...

thanks in advance,

mfG,

J.P.Jarolim, ADWERBA
-
ADWERBA, Gesellschaft für Verkaufsförderung und Werbung
A-5020 Salzburg - Schallmooser Hauptstraße 85 A
Telefon: +43(0)662 643125, 643126 - Telefax: +43(0)662 643128
ISDN: +43(0)662 648058 - Email: [EMAIL PROTECTED] - ICQ 44284507
-







Re: Tomcat and security manager: unexpected java.security.AccessControlException on sun linux cobalt

2002-12-03 Thread Rasputin
* J.P.Jarolim [EMAIL PROTECTED] [1217 11:17]:

 java.security.AccessControlException: access denied (java.io.FilePermission /home/.sites/143/site40/web/test.txt read)
 
 We looked into the tomcat docs how to setup the security manager correctly
 and looked into the tomcat.policy file
 in the {tomcat.home}/conf dir just to see that everything was set correctly
 (for us) from the site management utility:
 
 ...
 grant codeBase file:/home/.sites/143/site40/web/- {
   permission SocketPermission localhost:1024-, listen,connect,resolve;
   permission java.util.PropertyPermission *, read,write;
   permission java.io.FilePermission /home/.sites/143/site40/-, read,write,delete;
   permission java.lang.RuntimePermission accessClassInPackage.sun.io;
 };

Does the class trying to read that directory live in :
'/home/.sites/143/site40/web/-' ?  I doubt it. 

I'm no expert, but that sounds wrong to me, unless the class files live
there. The codebase parameter lists where the Java classes were
loaded from. Writing to a directory you load code from is a bad idea
unless you really need to.


 Host name=johannes.jarolim.com !-- Site site40 --
   Context path= docBase=/home/.sites/143/site40/web debug=0/
   !-- user web contexts --
 /Host

 grant codeBase file:/home/.sites/143/site40/web/- {
 permission java.security.AllPermission;
 };

I think your codeBase is wrong - try allowing all code to read it, just to
check.

Also, if you want security, you might want to think twice about running
tomcat as root - it doesn't need to be IMO.

-- 
Rasputin :: Jack of All Trades - Master of Nuns





Re: Tomcat and security manager: unexpected java.security.AccessControlException on sun linux cobalt

2002-12-03 Thread Jeanfrancois Arcand


J.P.Jarolim wrote:


Hi!

I've been working on this since beginning last week together with a friend
and can't find a clue:

My friend owns a sun cobalt with linux, apache and tomcat.
The system seems to be ready to use for providers - there is a config
utility to add new user sites with a lot of options (like: user gets mysql,
pop3, tomcat, or whatever)

After creating a site with jsp, we deployed a jsp-testsuite which tests the
given infrastructure: reading files, instancing classes, trying a db-query
on mysql and so on (Which works fine on our local system). But every time
we try to execute the testsuite we get one of these SecurityExceptions:

java.security.AccessControlException: access denied (java.io.FilePermission /home/.sites/143/site40/web/test.txt read)
(Test.txt is the file we want to read in the first part of our testsuite:
File permissions 777)

We looked into the tomcat docs how to setup the security manager correctly
and looked into the tomcat.policy file in the {tomcat.home}/conf dir just
to see that everything was set correctly (for us) from the site management
utility:

...
grant codeBase file:/home/.sites/143/site40/web/- {
 permission SocketPermission localhost:1024-, listen,connect,resolve;
 permission java.util.PropertyPermission *, read,write;
 permission java.io.FilePermission /home/.sites/143/site40/-, read,write,delete;


This is the problem. You need to put the file name, not the path. You
need to put ALL FILES if you want to grant access to all files under
your context, or test.txt if you only want to be able to read that file.

-- Jeanfrancois



 permission java.lang.RuntimePermission accessClassInPackage.sun.io;
};
...

Tomcat seems to run secure with the right file (as seen under ps -Af) but
seems to ignore all grants for the user sites:

...
java -Djava.security.manager -Djava.security.policy==/usr/java/jakarta-tomcat/conf/tomcat.policy -Dtomcat.home=/usr/java/jakarta-tomcat org.apache.tomcat.startup.Tomcat

Some users on groups.google mentioned, that the codeBase should be the same
as the docBase in the server.xml:
...
Host name=johannes.jarolim.com !-- Site site40 --
 Context path= docBase=/home/.sites/143/site40/web debug=0/
 !-- user web contexts --
/Host
...

but this looks correct to me too. We even tried to give my site all
permissions:

grant codeBase file:/home/.sites/143/site40/web/- {
   permission java.security.AllPermission;
};

But that is ignored too. The testsuite is neither able to open a file nor
just to read the length.
We have the same problems when instancing a class which tries to dynamically
instance another class. Like:

myDriver = (Driver)Class.forName(DriverName).newInstance();  // This is a part of opening a connection to the mysql-db

To get that straight: Everything runs fine without security manager - But
who wants to run a root-tomcat without a security manager ;-)
Could anyone give me a clue where we could look at? After one week of
googling we're somehow out of ideas...

thanks in advance,

mfG,

J.P.Jarolim, ADWERBA
-
ADWERBA, Gesellschaft für Verkaufsförderung und Werbung
A-5020 Salzburg - Schallmooser Hauptstraße 85 A
Telefon: +43(0)662 643125, 643126 - Telefax: +43(0)662 643128
ISDN: +43(0)662 648058 - Email: [EMAIL PROTECTED] - ICQ 44284507
-





 







Re: Tomcat and security manager: unexpected java.security.AccessControlException on sun linux cobalt

2002-12-03 Thread J.P.Jarolim
Hi - thanks for the answer;

I found the following line in the description for java.io.FilePermission
indicating that I could have a serious problem in understanding English
(no sarcasm):

A pathname that ends with "/-" indicates (recursively) all files and
subdirectories contained in that directory. A pathname consisting of the
special token "<<ALL FILES>>" matches any file.

Is there a difference between all files and subdirectories and any file?
Nevertheless I'll try every posted solution until tomcat stops ignoring my
settings ;-)

thanks,

J.P.Jarolim

 ...
 grant codeBase file:/home/.sites/143/site40/web/- {
   permission SocketPermission localhost:1024-, listen,connect,resolve;
   permission java.util.PropertyPermission *, read,write;
   permission java.io.FilePermission /home/.sites/143/site40/-, read,write,delete;
 
 This is the problem. You need to put the file name, not the path. You
 need to put ALL FILES if you want to grant access to all files under
 your context, or test.txt if you only want to be able to read that file.

 -- Jeanfrancois
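
The difference asked about above, between a "/-" pattern and the all-files token, can be checked directly with java.io.FilePermission.implies. This is an added example, not code from the thread or from Tomcat: the first grant pattern and the action list come from the quoted policy, while the class name, the other patterns and the requested paths are constructed for illustration. It prints which requests each grant covers, including a neighbouring site's file, a file outside /home, and an execute request that the action list does not include.

```java
import java.io.FilePermission;

public class FilePermissionMatch {

    // Does a grant of `actions` on `pattern` cover `action` on `path`?
    static boolean covers(String pattern, String actions, String path, String action) {
        return new FilePermission(pattern, actions)
                .implies(new FilePermission(path, action));
    }

    public static void main(String[] args) {
        // Action list as granted in the policy quoted in the thread.
        String actions = "read,write,delete";

        String[] patterns = {
            "/home/.sites/143/site40/-",             // grant quoted in the thread (recursive)
            "/home/.sites/143/site40/*",             // constructed: direct children only
            "/home/.sites/143/site40/web/test.txt",  // constructed: one named file
            "<<ALL FILES>>",                         // special token: any file on the host
        };

        // Constructed requests as {path, action}; none of these files need to exist.
        String[][] requests = {
            {"/home/.sites/143/site40/web/test.txt", "read"},
            {"/home/.sites/143/site40/index.html", "write"},
            {"/home/.sites/143/site40", "read"},               // the directory itself
            {"/home/.sites/143/site41/web/test.txt", "read"},  // another user's site
            {"/etc/hosts", "read"},                            // outside /home entirely
            {"/home/.sites/143/site40/web/run.sh", "execute"}, // action not in the grant
        };

        for (String pattern : patterns) {
            System.out.println("grant \"" + pattern + "\", \"" + actions + "\"");
            for (String[] r : requests) {
                System.out.printf("  %-8s %-42s covered=%b%n",
                        r[1], r[0], covers(pattern, actions, r[0], r[1]));
            }
        }
    }
}
```

It needs no security manager and no real files, because implies only compares the two permission objects.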







Solved: Tomcat and security manager: unexpected java.security.AccessControlException on sun linux cobalt

2002-12-03 Thread your mom
Hi all.

We solved the problem with tomcat ignoring all grants for individual user
sites. It was a pure RTFM.
For every user site, a unique context is created on startup (as seen in
tomcat.log on debug level).

There is a commented-out line in the server.xml which has to be activated:

<!-- ContextInterceptor
className="org.apache.tomcat.context.PolicyInterceptor" -->

After activating the line it should look like this:

<ContextInterceptor className="org.apache.tomcat.context.PolicyInterceptor" />

After that, tomcat actually assigns the permissions granted in the
tomcat.policy to the individual user sites.

Thanks for all your help on this group,

J.P.Jarolim

P.S.: Keywords for other googlers like me:

tomcat ignoring ignore tomcat.policy grant java server.xml security manager
FilePermission java.security.AccessControlException secure security sun
cobalt







Re: tomcat/unix security manager questions

2002-08-19 Thread Glenn Nielsen

Richard Smith wrote:
 
 Hi All,
 
 Just wondering if you could help me clarify a few questions I have about
 tomcat and catalina.policy. I'm running tomcat 4.0.4 (w/ security manager)
 with mod_jk on solaris with about 300+ users, all of whom can deploy
 jsp/servlets from their public_html directory.
 

I have never set up Tomcat to do this, but from reading the docs it looks
like Tomcat instantiates a separate web application context for each user.

 A user requirement is that they must be able to read/write files in their
 home directory. This is what I'm a little confused about. I understand I
 can put an entry like:
 
 permission java.io.FilePermission "/home/-", "read,write,delete,execute";
 

I would never grant the execute permission, this allows Tomcat to use
Runtime.exec() to execute shell scripts, etc.!

The above permission w/o execute should be fine.

 in catalina.policy, but how does this enable tomcat to write to other
 user's home directories (when tomcat is running as a user with minimal
 privileges)? Or must I change permissions on the file to allow the user
 that is running tomcat to write to it (is this the normal practice?).
 

Yes, if you want to allow the user web applications to write and delete
files in their own home directory Tomcat would need r/w file permissions.

This can be done by adding the tomcat user tomcat to the group(s) which
your users are members of.  Then set up permissions on the public_html
directory of mode 2775.

 Also, this is probably more a java question, but do standard unix
 permissions always take precedence over what is set in catalina.policy?
 (In my understanding the unix permissions take precedence, but I just
 wanted to make sure (please excuse my java ignorance))
 

Yes, unix file/dir ownership and permissions take precedence.

 Any help appreciated,
 
 Cheers,
 






RE: tomcat/unix security manager questions

2002-08-19 Thread Rossen Raykov

Unix permissions do take precedence over java security policy.

Regards,
Rossen

 -----Original Message-----
 From: Richard Smith [mailto:[EMAIL PROTECTED]]
 Sent: Sunday, August 18, 2002 11:12 PM
 To: [EMAIL PROTECTED]
 Subject: tomcat/unix security manager questions
 
 Hi All,
 
 Just wondering if you could help me clarify a few questions I have about
 tomcat and catalina.policy. I'm running tomcat 4.0.4 (w/ security manager)
 with mod_jk on solaris with about 300+ users, all of whom can deploy
 jsp/servlets from their public_html directory.
 
 A user requirement is that they must be able to read/write files in their
 home directory. This is what I'm a little confused about. I understand I
 can put an entry like:
 
 permission java.io.FilePermission "/home/-", "read,write,delete,execute";
 
 in catalina.policy, but how does this enable tomcat to write to other
 user's home directories (when tomcat is running as a user with minimal
 privileges)? Or must I change permissions on the file to allow the user
 that is running tomcat to write to it (is this the normal practice?).
 
 Also, this is probably more a java question, but do standard unix
 permissions always take precedence over what is set in catalina.policy?
 (In my understanding the unix permissions take precedence, but I just
 wanted to make sure (please excuse my java ignorance))
 
 Any help appreciated,
 
 Cheers,
 
 




RE: tomcat/unix security manager questions

2002-08-19 Thread Tom Parker

On Tue, 2002-08-20 at 03:13, Rossen Raykov wrote:

 Unix permissions do take precedence over java security policy.

With a logical AND. If unix permissions say you do have write access,
but the java security policy says you do not, then you do not have write
access, and vice versa. This, of course, assumes that there are no bugs
in the unix or java security policy implementations.






tomcat/unix security manager questions

2002-08-18 Thread Richard Smith


Hi All,

Just wondering if you could help me clarify a few questions I have about
tomcat and catalina.policy. I'm running tomcat 4.0.4 (w/ security manager)
with mod_jk on solaris with about 300+ users, all of whom can deploy
jsp/servlets from their public_html directory.

A user requirement is that they must be able to read/write files in their
home directory. This is what I'm a little confused about. I understand I
can put an entry like:

permission java.io.FilePermission "/home/-", "read,write,delete,execute";

in catalina.policy, but how does this enable tomcat to write to other
user's home directories (when tomcat is running as a user with minimal
privileges)? Or must I change permissions on the file to allow the user
that is running tomcat to write to it (is this the normal practice?).

Also, this is probably more a java question, but do standard unix
permissions always take precedence over what is set in catalina.policy?
(In my understanding the unix permissions take precedence, but I just
wanted to make sure (please excuse my java ignorance))

Any help appreciated,

Cheers,






tomcat with security manager

2002-06-12 Thread Patrick Dowler


I'm developing a webapp with tomcat and struts and must use a
security manager in tomcat (the -security startup arg). I have the
following problem:

Tomcat has and uses commons-logging.jar
Struts has and uses commons-logging.jar

The two jar files are identical. Normally, one is supposed to include
struts jar files and a bunch of other stuff with the webapp (basically
static linking, which seems tragic with a platform like java :-( so all
the jars in $STRUTS_HOME/lib are copied to WEB-INF/lib.

If I run with -security, TOMCAT finds the commons-logging.jar in WEB-INF/lib
first, which has the webapp permissions (ie. NOT java.security.AllPermission :-)
and fails. It looks like a

java.lang.ExceptionInInitializerError:
org.apache.commons.logging.LogConfigurationException:
org.apache.commons.logging.LogConfigurationException:
java.lang.NullPointerException

but if I turn on java.security.debug I see it is really that it is a security access
problem - which is expected: code in the webapp should not be able to
open and write files in $CATALINA_HOME/logs.

If I remove the commons-logging.jar from the webapp, then tomcat is
happy (it uses $CATALINA_HOME/server/lib/commons-logging.jar, which
has the right permissions) BUT then  struts can't find the logging
classes, which looks like:

java.lang.NoClassDefFoundError: org/apache/commons/logging/LogFactory
at org.apache.struts.util.MessageResourcesFactory.(MessageResourcesFactory.java:135)
...

Granting java.security.AllPermission to webapps makes them work but is not
an acceptable alternative because the webapp loads dynamic code that can't
be trusted (either 'cause I wrote it and it's buggy or because someone else
wrote it and it is buggy and/or malicious :-).

Any ideas for a solution would be appreciated? 

cheers,


-- 
Patrick Dowler
Canadian Astronomy Data Centre
National Research Council
Victoria, BC





tomcat and security manager

2001-05-30 Thread niraj



I have an application in servlet and jsp in directory format in /myapp

I have put the /myapp in c:\sites\myapp

I have created a host in server.xml file like

<Host name="10.0.0.1">
  <Context path="" docBase="c:\sites\myapp" />
</Host>

Now I start the tomcat in secure mode by giving command

startup.bat -security

Now I request in browser like http://10.0.0.0/servlet/MyServlet

It gives error like
java.security.AccessControlException: access denied (java.io.FilePermission C:\sites\myapp\web-inf\classes read)

I add lines in tomcat.policy

grant codeBase "file:C:\sites\myapp\-" {
  permission java.io.FilePermission "*", "read";
};

Still getting same error

Any idea?

Please help me

Thanks in advance