Re: grant codeBase not working for my jar
On 18 Sep 2007, at 03:08, Mark Thomas wrote:
> I am not sure if my mail client is mangling the urls you are using but it looks like you are using '/' characters after 'file:'

Must be your e-mail client... I've tried jar and file (no slash after file:)

jar:file:${catalina.home}/webapps/scanner/WEB-INF/lib/scanner.jar!/-

file only (no slash after file:)

file:${catalina.home}/webapps/scanner/WEB-INF/lib/scanner.jar

and explicit path (slash after file)

file:/var/lib/tomcat5.5/webapps/scanner/WEB-INF/lib/scanner.jar

and confirmed that this is where the jar file is... but tomcat is still refusing to give the permissions on a per-jar basis! Maybe this is a bug with the Ubuntu release?

--
Sam
http://javablog.co.uk

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: grant codeBase not working for my jar
Sam Halliday wrote:
> and confirmed that this is where the jar file is... but tomcat is still refusing to give the permissions on a per-jar basis. Maybe this is a bug with the Ubuntu release?

This is all standard JVM stuff. The only bit Tomcat adds is the odd PrivilegedAction but that won't stop things working. I would suggest a simple test case that you run with -Djava.security.debug=all. Try and get that working. You don't want to use that option with Tomcat, you'll have far too much information to look at.

Mark

Re: grant codeBase not working for my jar
Sam Halliday wrote:
> Does anyone have any ideas?

Start Tomcat with -Djava.security.debug=access,failure

That should tell you what permissions you are missing.

Mark

Re: grant codeBase not working for my jar
Hello Mark,

That doesn't give me any additional input... I already know which permissions I need, I just want to restrict them to the one Servlet. If you really want to know the exception, I'll print it here but I don't think it's relevant...

Caused by: java.security.AccessControlException: access denied (java.io.FilePermission /bin/sh execute)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
    at java.security.AccessController.checkPermission(AccessController.java:546)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
    at java.lang.SecurityManager.checkExec(SecurityManager.java:779)
    at java.lang.ProcessBuilder.start(ProcessBuilder.java:447)
    at thinktank.scanner.server.ScanImage.scan(ScanImage.java:116)

On 17 Sep 2007, at 16:26, Mark Thomas wrote:
> Sam Halliday wrote:
>> Does anyone have any ideas?
>
> Start Tomcat with -Djava.security.debug=access,failure
>
> That should tell you what permissions you are missing.

--
Sam

Re: grant codeBase not working for my jar
Sam Halliday wrote:
> Hello Mark,
>
> That doesn't give me any additional input... I already know which permissions I need, I just want to restrict them to the one Servlet.

The debug output should tell you what codebase is requesting what permission. I can't tell where, but you are missing at least one permission somewhere.

Mark

Re: grant codeBase not working for my jar
Hmm, where should I expect to see the extra debugging output? It isn't in any of the log files.

The permissions are perfectly fine... it is in the assignation of the permissions to the correct jar file/servlet that things are getting messed up. Will the debugging output really point to that?

On 17 Sep 2007, at 17:14, Mark Thomas wrote:
> Sam Halliday wrote:
>> That doesn't give me any additional input... I already know which permissions I need, I just want to restrict them to the one Servlet.
>
> The debug output should tell you what codebase is requesting what permission. I can't tell where, but you are missing at least one permission somewhere.

--
Sam

Re: grant codeBase not working for my jar
Sam Halliday wrote:
> Hmm, where should I expect to see the extra debugging output? It isn't in any of the log files.

Should be on standard out.

> The permissions are perfectly fine... it is in the assignation of the permissions to the correct jar file/servlet that things are getting messed up. Will the debugging output really point to that?

Yes. This is how I debug this sort of issue all the time.

Mark

Re: grant codeBase not working for my jar
On 17 Sep 2007, at 18:16, Mark Thomas wrote:
> Sam Halliday wrote:
>> Hmm, where should I expect to see the extra debugging output? It isn't in any of the log files.
>
> Should be on standard out.

Aah! That's why I wasn't seeing it. There is a pretty bad bug in Ubuntu which puts the output into a pipe which is never read. The standard workaround to allow tomcat to start up is to pipe it into /dev/null (unbelievable! and it's been like this since the year began)... report is here

https://bugs.launchpad.net/ubuntu/+source/tomcat5.5/+bug/97096

Anyway that's not all that important. I was able to redirect it to a file and have obtained the output. Again, it's quite clear that the permissions are not being set for my jar file

access: domain that failed ProtectionDomain (file:/var/lib/tomcat5.5/webapps/scanner/WEB-INF/lib/scanner.jar no signer certificates)

despite the fact that the security policy is

grant codeBase "jar:file:${catalina.home}/webapps/scanner/WEB-INF/lib/scanner.jar!/-" {
    permission java.io.FilePermission "/bin/sh", "execute";
    permission java.io.FilePermission "/tmp/thinktank-scanner.bmp", "read,delete";
};

I've even tried it with file:${catalina.home}/webapps/scanner/WEB-INF/lib/scanner.jar and with the explicit path file:/var/lib/tomcat5.5/webapps/scanner/WEB-INF/lib/scanner.jar, but no success.. (remember, these permissions are correct... it works when I remove the explicit codeBase piece).

I'd be greatly obliged if somebody could please see if my syntax for specifying a jar file is correct.

log output follows:

access: access denied (java.io.FilePermission /bin/sh execute)
java.lang.Exception: Stack trace
    at java.lang.Thread.dumpStack(Thread.java:1206)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:313)
    at java.security.AccessController.checkPermission(AccessController.java:546)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
    at java.lang.SecurityManager.checkExec(SecurityManager.java:779)
    at java.lang.ProcessBuilder.start(ProcessBuilder.java:447)
    at thinktank.scanner.server.ScanImage.scan(ScanImage.java:116)
    at thinktank.scanner.server.ScannerSetupImpl.setScannerSettings(ScannerSetupImpl.java:67)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:528)
    at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:265)
    at com.google.gwt.user.server.rpc.RemoteServiceServlet.doPost(RemoteServiceServlet.java:187)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:243)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:275)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:161)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:245)
    at org.apache.catalina.core.ApplicationFilterChain.access$0(ApplicationFilterChain.java:177)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:156)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:152)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at

Re: grant codeBase not working for my jar
Hmm. The output shows that your jar isn't getting the permissions. You are right that the codebase is the problem.

I am not sure if my mail client is mangling the urls you are using but it looks like you are using '/' characters after 'file:' Try without these as per the entries in the TC6 policy file. Eg:

grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
    permission java.security.AllPermission;
};

I had similar problems on windows recently and ended up playing with a simple test case until I figured out what was going wrong.

Mark
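
The "simple test case" suggested in the thread, written out as an added example (not code from the thread or from Tomcat): it loads each codeBase spelling tried above into a one-entry policy file through the JDK's own policy parser, then asks whether a ProtectionDomain at the location from the debug output is granted the /bin/sh execute permission. The class name and the catalina.home value (taken from the explicit path in the thread) are assumptions, and it needs a JDK where java.security.Policy is still functional (the API is deprecated for removal from Java 17).

```java
import java.io.FilePermission;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.URIParameter;
import java.security.cert.Certificate;

public class CodeBaseCheck {  // hypothetical class name
    // Location reported in the "domain that failed" debug line in the thread.
    static final String DOMAIN =
        "file:/var/lib/tomcat5.5/webapps/scanner/WEB-INF/lib/scanner.jar";

    // The three codeBase spellings tried in the thread.
    static final String[] CODEBASES = {
        "jar:file:${catalina.home}/webapps/scanner/WEB-INF/lib/scanner.jar!/-",
        "file:${catalina.home}/webapps/scanner/WEB-INF/lib/scanner.jar",
        "file:/var/lib/tomcat5.5/webapps/scanner/WEB-INF/lib/scanner.jar",
    };

    // Write a policy with a single grant entry, load it, and query it.
    static boolean granted(String codeBase, ProtectionDomain pd, Permission p)
            throws Exception {
        String text = "grant codeBase \"" + codeBase + "\" {\n"
            + "  permission java.io.FilePermission \"/bin/sh\", \"execute\";\n"
            + "};\n";
        Path file = Files.createTempFile("codebase-check", ".policy");
        try {
            Files.write(file, text.getBytes(StandardCharsets.UTF_8));
            Policy policy = Policy.getInstance("JavaPolicy",
                                               new URIParameter(file.toUri()));
            return policy.implies(pd, p);
        } finally {
            Files.delete(file);
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed value, so that ${catalina.home} expands as it would in Tomcat.
        System.setProperty("catalina.home", "/var/lib/tomcat5.5");
        CodeSource cs = new CodeSource(new URL(DOMAIN), (Certificate[]) null);
        ProtectionDomain pd = new ProtectionDomain(cs, null);
        Permission exec = new FilePermission("/bin/sh", "execute");
        for (String cb : CODEBASES) {
            System.out.println(granted(cb, pd, exec) + "  " + cb);
        }
    }
}
```

Running it with -Djava.security.debug=policy also prints how each grant entry was parsed, which is far less output than the same flag produces under Tomcat.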