Re: JavaMail Under Security Manager
One other fine point. The call hierarchy is:

application/app.jar
lib/wrapper.jar

App.jar is signed and has java.security.AllPermission based on signedBy.

lib/wrapper.jar is in ${catalina.base}/lib which has java.security.AllPermission because it's in ${catalina.base}/lib and there's an explicit grant.

On 7/24/2022 10:08 PM, George Sexton wrote:
> Everyone,
>
> I'm running Tomcat 9 under the security manager and when I try to use JavaMail to send a message, I'm getting:
>
> javax.mail.MessagingException: IOException while sending message;
>   nested exception is:
>     javax.activation.UnsupportedDataTypeException: no object DCH for MIME type multipart/mixed;
>     boundary="=_Part_0_1399981359.1658719078369"
>
> I've confirmed the code works as expected without the security manager.
>
> From searching around, it seems like the issue is that the Activation jar can't read configuration settings in javax-mail-1.6.2.jar/META-INF
>
> javax-mail-1.6.2.jar is in $CATALINA_BASE/lib
>
> I've tried various workarounds (setting mailcap values, and setting class loader) that are suggested on Stack Exchange but they don't help.
>
> Does anyone have any ideas of what I should put in the catalina.policy to allow this? Should I move the javax-mail.jar?
>
> System Information:
>
> Tomcat: 9.0.65
> OS: OpenSuse
> Java Mail Version: 1.6.2
> JDK: OpenJDK 11.0.15 22-04-19
>
> Any help would be appreciated.
>
> --
> George Sexton
> (303) 438 9585 x102
> MH Software, Inc.

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
JavaMail Under Security Manager
Everyone,

I'm running Tomcat 9 under the security manager and when I try to use JavaMail to send a message, I'm getting:

javax.mail.MessagingException: IOException while sending message;
  nested exception is:
    javax.activation.UnsupportedDataTypeException: no object DCH for MIME type multipart/mixed;
    boundary="=_Part_0_1399981359.1658719078369"

I've confirmed the code works as expected without the security manager.

From searching around, it seems like the issue is that the Activation jar can't read configuration settings in javax-mail-1.6.2.jar/META-INF

javax-mail-1.6.2.jar is in $CATALINA_BASE/lib

I've tried various workarounds (setting mailcap values, and setting class loader) that are suggested on Stack Exchange but they don't help.

Does anyone have any ideas of what I should put in the catalina.policy to allow this? Should I move the javax-mail.jar?

System Information:

Tomcat: 9.0.65
OS: OpenSuse
Java Mail Version: 1.6.2
JDK: OpenJDK 11.0.15 22-04-19

Any help would be appreciated.

--
George Sexton
(303) 438 9585 x102
MH Software, Inc.
Tomcat 9 Error under Security Manager
I'm setting up a new server with Tomcat9 and I'm running it under a security manager. I'm getting this error:

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.apache.tomcat.util.security.PrivilegedSetAccessControlContext (file:/usr/local/apache-tomcat-9.0.64/lib/tomcat-util.jar) to field java.lang.Thread.inheritedAccessControlContext
WARNING: Please consider reporting this to the maintainers of org.apache.tomcat.util.security.PrivilegedSetAccessControlContext
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

Host Information:

Apache Tomcat Version: 9.0.64

host:/srv/tomcat # java -version
openjdk version "11.0.15" 2022-04-19
OpenJDK Runtime Environment (build 11.0.15+10-suse-15.3.80.1-x8664)
OpenJDK 64-Bit Server VM (build 11.0.15+10-suse-15.3.80.1-x8664, mixed mode)

Thanks

--
George Sexton
(303) 438 9585 x102
MH Software, Inc.
Re: Tomcat with Security Manager for SAP Business Objects issues
On 09/05/2022 16:23, Chavez Ortiz, Oscar (Externo) wrote:
> Hello Mark, thank you for your answer.
>
> - With Security reasons I mean from headquarters the server must be certified by accomplishing a set of security hardening rules. One of those is Security Manager.

It would be worth making sure they are aware that the security manager is going away eventually.

> - In this case our system uses Tomcat 9.0.58, at this moment newer versions of Tomcat are not recommended by SAP.

There haven't been any recent changes I can think of related to the security manager so I don't think that running a slightly older version than the latest is going to be a factor in this instance.

> - Actually the Windows Server 2016 (which hosts the SAP BO System) is a VM but as I've said it must be certified on Hardening Security.

The security manager probably isn't gaining you that much then. Run Tomcat under an appropriately locked down OS user and you'll get most of the benefits.

> - I just have launched Tomcat with -Djava.security.debug=access,failure option and after checked log file there aren't any AccessControlException error in it.

That wasn't what I was expecting.

A few things to try.

The 500 error should trigger an entry in a log somewhere. What does that log entry say?

You could try "-Djava.security.debug=all" but that is likely to be very verbose.

Mark
RE: Tomcat with Security Manager for SAP Business Objects issues
Hello Mark, thank you for your answer.

- With Security reasons I mean from headquarters the server must be certified by accomplishing a set of security hardening rules. One of those is Security Manager.

- In this case our system uses Tomcat 9.0.58, at this moment newer versions of Tomcat are not recommended by SAP.

- Actually the Windows Server 2016 (which hosts the SAP BO System) is a VM but as I've said it must be certified on Hardening Security.

- I just have launched Tomcat with -Djava.security.debug=access,failure option and after checked log file there aren't any AccessControlException error in it.

Thank you.
Best regards.
Oscar.

-----Original Message-----
From: Mark Thomas
Sent: Monday, 9 May 2022 14:57
To: users@tomcat.apache.org
Subject: Re: Tomcat with Security Manager for SAP Business Objects issues

On 09/05/2022 13:20, Chavez Ortiz, Oscar (Externo) wrote:
> Hello group.
>
> I have a SAP Business Object 4.2 server which uses Tomcat 9.0.58 as web container.
>
> For Security reasons this server needs to implement Security Manager for Tomcat on it, thus, I've configured starting configuration in java options with "– Security Manager" option.

Could you expand on what you mean by "security reasons"?

Newer versions of Java have deprecated the security manager and it is likely that Jakarta EE 11 onwards (and hence Tomcat 11 onwards) will not support the use of a security manager.

Generally, you should be able to achieve similar results by running Tomcat on a dedicated server / VM / container / etc.

> Also I've configured catalina.policy file by adding needed permissions every time log file gets the *AccessControlException* message, today, there aren't any AccessControlException errors in log file.
>
> Now, the problem is when opening SAP BO Launch Pad tool in web browser I'm getting the HTTP 500 error:
>
> I've asked to SAP BO Support for help and they answered me that Tomcat configuration is not covered by SAP Support, they recommend me to ask for help in Tomcat support.
>
> Please, I would like to know why I can't get Tomcat with Security Manager and how to solve to get it working.

I suspect that an exception or two is being swallowed rather than reported. Adding "-Djava.security.debug=access,failure" to CATALINA_OPTS should highlight any additional permissions that are required.

Mark
Re: Tomcat with Security Manager for SAP Business Objects issues
On 09/05/2022 13:20, Chavez Ortiz, Oscar (Externo) wrote:
> Hello group.
>
> I have a SAP Business Object 4.2 server which uses Tomcat 9.0.58 as web container.
>
> For Security reasons this server needs to implement Security Manager for Tomcat on it, thus, I've configured starting configuration in java options with "– Security Manager" option.

Could you expand on what you mean by "security reasons"?

Newer versions of Java have deprecated the security manager and it is likely that Jakarta EE 11 onwards (and hence Tomcat 11 onwards) will not support the use of a security manager.

Generally, you should be able to achieve similar results by running Tomcat on a dedicated server / VM / container / etc.

> Also I've configured catalina.policy file by adding needed permissions every time log file gets the *AccessControlException* message, today, there aren't any AccessControlException errors in log file.
>
> Now, the problem is when opening SAP BO Launch Pad tool in web browser I'm getting the HTTP 500 error:
>
> I've asked to SAP BO Support for help and they answered me that Tomcat configuration is not covered by SAP Support, they recommend me to ask for help in Tomcat support.
>
> Please, I would like to know why I can't get Tomcat with Security Manager and how to solve to get it working.

I suspect that an exception or two is being swallowed rather than reported. Adding "-Djava.security.debug=access,failure" to CATALINA_OPTS should highlight any additional permissions that are required.

Mark
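One way to turn the output of the "-Djava.security.debug=access,failure" option suggested above into candidate catalina.policy entries for review, grouped by the code source that was denied. This is an added example, not code from the thread or from Tomcat; the log lines are constructed in the shape OpenJDK prints them, and the paths, JAR names and function names are hypothetical.

```python
import re

# Line shapes assumed from OpenJDK's -Djava.security.debug=access,failure
# output; check them against your own log before relying on this.
DENIED = re.compile(
    r'^access: access denied \("(?P<cls>[^"]+)"'
    r'(?: "(?P<name>[^"]*)")?(?: "(?P<actions>[^"]*)")?\)')
DOMAIN = re.compile(
    r'^access: domain that failed ProtectionDomain\s+\((?P<loc>\S+)')
UNKNOWN = "<code source not reported>"

# Constructed sample: every path, host and JAR name here is made up.
SAMPLE = r'''
access: access allowed ("java.util.PropertyPermission" "java.home" "read")
access: access denied ("java.io.FilePermission" "/opt/tomcat/lib/example-mail.jar" "read")
java.lang.Exception: Stack trace
    at java.base/java.lang.Thread.dumpStack(Thread.java:1383)
access: domain that failed ProtectionDomain  (file:/opt/tomcat/webapps/demo/WEB-INF/lib/example-app.jar <no signer certificates>)
access: access denied ("java.lang.RuntimePermission" "getClassLoader")
access: domain that failed ProtectionDomain  (file:/opt/tomcat/webapps/demo/WEB-INF/lib/example-app.jar <no signer certificates>)
access: access denied ("java.io.FilePermission" "/opt/tomcat/lib/example-mail.jar" "read")
access: domain that failed ProtectionDomain  (file:/opt/tomcat/webapps/demo/WEB-INF/lib/example-app.jar <no signer certificates>)
access: access denied ("java.io.FilePermission" "C:\Temp\upload\-" "read")
access: domain that failed ProtectionDomain  (file:/C:/tomcat/webapps/demo/WEB-INF/classes/ <no signer certificates>)
access: access denied ("java.net.SocketPermission" "smtp.example.test:25" "connect,resolve")
'''


def _add(grants, loc, perm):
    """Record perm under loc once, keeping first-seen order."""
    perms = grants.setdefault(loc, [])
    if perm not in perms:
        perms.append(perm)


def parse_denials(lines):
    """Map each failing code source URL to the permissions it was denied.

    A denial is paired with the next "domain that failed" line. Denials
    with no such line (for example when only "access" is enabled) are
    collected under UNKNOWN instead of being guessed at.
    """
    grants = {}
    pending = None
    for line in lines:
        denied = DENIED.match(line)
        if denied:
            if pending is not None:
                _add(grants, UNKNOWN, pending)
            pending = (denied.group("cls"), denied.group("name"),
                       denied.group("actions"))
            continue
        domain = DOMAIN.match(line)
        if domain and pending is not None:
            _add(grants, domain.group("loc"), pending)
            pending = None
    if pending is not None:
        _add(grants, UNKNOWN, pending)
    return grants


def _quote(value):
    # Policy files treat backslash as an escape, so Windows paths need \\.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def permission_entry(perm):
    """Format one (class, name, actions) tuple as a policy permission entry."""
    cls, name, actions = perm
    entry = "permission " + cls
    if name is not None:
        entry += " " + _quote(name)
    if actions:
        entry += ", " + _quote(actions)
    return entry + ";"


def render_policy(grants):
    """Render candidate grant blocks; unattributed denials stay commented out."""
    out = []
    for loc, perms in grants.items():
        if loc == UNKNOWN:
            # Never emit a bare "grant" block: that would apply to all code.
            out.append("// No failing domain was logged for these; identify")
            out.append("// the code source before granting anything.")
            out.extend("// " + permission_entry(p) for p in perms)
        else:
            out.append('grant codeBase "%s" {' % loc)
            out.extend("    " + permission_entry(p) for p in perms)
            out.append("};")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_policy(parse_denials(SAMPLE.splitlines())))
```

Each generated entry widens the sandbox, so review every one and narrow it to the specific file or host the application needs before copying it into catalina.policy.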
Tomcat with Security Manager for SAP Business Objects issues
Hello group.

I have a SAP Business Object 4.2 server which uses Tomcat 9.0.58 as web container.

For Security reasons this server needs to implement Security Manager for Tomcat on it, thus, I've configured starting configuration in java options with "- Security Manager" option.

Also I've configured catalina.policy file by adding needed permissions every time log file gets the AccessControlException message, today, there aren't any AccessControlException errors in log file.

Now, the problem is when opening SAP BO Launch Pad tool in web browser I'm getting the HTTP 500 error:

I've asked to SAP BO Support for help and they answered me that Tomcat configuration is not covered by SAP Support, they recommend me to ask for help in Tomcat support.

Please, I would like to know why I can't get Tomcat with Security Manager and how to solve to get it working.

Any help will be appreciated.

Thank you in advance.
Best regards.
Oscar.
Re: JEP 411: Deprecate the Security Manager for Removal
On 19/05/2021 17:37, Robert Hicks wrote:
> Is that the "same" security manager we flip on for Tomcat or just an unfortunate naming coincidence?

It is the same one.

If you need the security manager I'd expect, based on typical lifetimes of Tomcat major versions, that you'd have a supported version of Tomcat where you could use a security manager in its current form for at least the next decade.

Longer term solutions are still very much TBD.

Mark
JEP 411: Deprecate the Security Manager for Removal
Is that the "same" security manager we flip on for Tomcat or just an unfortunate naming coincidence?

--
Bob
Re: JEP 411 Deprecate the Security Manager for removal
On 15/04/2021 21:03, Me Self wrote:
> Hi All
>
> It appears the security manager is going to be removed from a future release of java according to https://openjdk.java.net/jeps/411.

That will be quite a chunk of code we could remove / would have to remove from Tomcat.

> When running Tomcat on Linux there are many excellent alternatives to locking down the JVM process with sandboxing/mandatory access control for instance Systemd and AppArmor and various LSM modules or even SELinux for the masochists. But what about Windows - I'm kind of blank here?
>
> The primary use case is to prevent Remote Code Execution attacks from spilling out into the OS. These attacks have been plentiful in some web frameworks (for instance struts2) and libraries that are often used with Tomcat. Most of the severe ones we have had in the past fail in the presence of a sandbox because the remote code relies on privileged operations that are typically not permitted by the sandbox.
>
> The requirements for a sandbox I believe would be
>
> 1. Mandatory Access Control: Central configuration of security properties. Cannot be modified by the JVM process or user.
> 2. Principle of Least Privilege: Everything is forbidden except for explicit permissions that are granted for operations that are actually needed.
> 3. Preferably also with some level of app firewall built in.
>
> So does this exist for Windows?

Run a VM?

You can run a service as a custom user but I haven't looked at just how minimal the privileges for that user can be.

Mark
JEP 411 Deprecate the Security Manager for removal
Hi All

It appears the security manager is going to be removed from a future release of java according to https://openjdk.java.net/jeps/411.

When running Tomcat on Linux there are many excellent alternatives to locking down the JVM process with sandboxing/mandatory access control for instance Systemd and AppArmor and various LSM modules or even SELinux for the masochists. But what about Windows - I'm kind of blank here?

The primary use case is to prevent Remote Code Execution attacks from spilling out into the OS. These attacks have been plentiful in some web frameworks (for instance struts2) and libraries that are often used with Tomcat. Most of the severe ones we have had in the past fail in the presence of a sandbox because the remote code relies on privileged operations that are typically not permitted by the sandbox.

The requirements for a sandbox I believe would be

1. Mandatory Access Control: Central configuration of security properties. Cannot be modified by the JVM process or user.
2. Principle of Least Privilege: Everything is forbidden except for explicit permissions that are granted for operations that are actually needed.
3. Preferably also with some level of app firewall built in.

So does this exist for Windows?
Re: Unable to start tomcat with Security Manager
Here's the error I see only when starting/using SecurityManager. If I start Tomcat without -security, it loads fine. Greatly appreciated if someone can explain what this means and how I can fix it. TIA.

01-Jul-2019 05:59:21.623 SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.listenerStart Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
 javax.xml.parsers.FactoryConfigurationError: Provider org.apache.xerces.jaxp.DocumentBuilderFactoryImpl not found
        at javax.xml.parsers.DocumentBuilderFactory.newInstance(Unknown Source)
        at org.apache.log4j.xml.DOMConfigurator.doConfigure(DOMConfigurator.java:694)
        at org.apache.log4j.xml.DOMConfigurator.doConfigure(DOMConfigurator.java:618)
        at org.apache.log4j.helpers.OptionConverter.selectAndConfigure(OptionConverter.java:470)
        at org.apache.log4j.LogManager.(LogManager.java:122)
        at org.slf4j.impl.Log4jLoggerFactory.getLogger(Log4jLoggerFactory.java:73)
        at org.slf4j.LoggerFactory.getLogger(LoggerFactory.java:243)
        at org.apache.commons.logging.impl.SLF4JLogFactory.getInstance(SLF4JLogFactory.java:155)
        at org.apache.commons.logging.impl.SLF4JLogFactory.getInstance(SLF4JLogFactory.java:131)
        at org.apache.commons.logging.LogFactory.getLog(LogFactory.java:655)
        at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:282)
        at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:106)
        at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4710)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5135)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:699)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:714)
        at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:917)
        at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1701)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)

On Thu, Jun 27, 2019 at 10:12 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
> Jeff,
>
> Aha. There is a "SEVERE .. [/supportcentral] startup failed due to previous errors". If no errors are showing in catalina.out, check the other log files like perhaps localhost-*.log in your logs directory.
>
> At some point, the web application is failing to start (probably because of a SecurityManager thing!) and this ungraceful shutdown is just a symptom. You should definitely fix the symptom, too, but the real cause of the failed startup should be in one of those log files.
>
> -chris
>
> > Jeff,
> >
> > On 6/27/19 09:24, Jeff wrote:
> >>>> Hello all,
> >>>>
> >>>> Hit a roadblock trying to start tomcat with Security Manager and don't even know where to start looking. Any help would be appreciated.
> >>>>
> >>>> catalina.out:
> >>>> 27-Jun-2019 06:01:57.627 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.0.17
> >>>> 27-Jun-2019 06:01:57.646 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDescriptor Deploying configuration descriptor /apps/supp/server/tomcat/apache-tomcat-8.0.17-SupportCentral/conf/Catalina/localhost/host-manager.xml
> >>>> 27-Jun-2019 06:01:58.060 INFO [localhost-startStop-1] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug lo
Re: Unable to start tomcat with Security Manager
Jeff,

Aha. There is a "SEVERE .. [/supportcentral] startup failed due to previous errors". If no errors are showing in catalina.out, check the other log files like perhaps localhost-*.log in your logs directory.

At some point, the web application is failing to start (probably because of a SecurityManager thing!) and this ungraceful shutdown is just a symptom. You should definitely fix the symptom, too, but the real cause of the failed startup should be in one of those log files.

-chris

> Jeff,
>
> On 6/27/19 09:24, Jeff wrote:
>>>> Hello all,
>>>>
>>>> Hit a roadblock trying to start tomcat with Security Manager and don't even know where to start looking. Any help would be appreciated.
>>>>
>>>> catalina.out:
>>>> 27-Jun-2019 06:01:57.627 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.0.17
>>>> 27-Jun-2019 06:01:57.646 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDescriptor Deploying configuration descriptor /apps/supp/server/tomcat/apache-tomcat-8.0.17-SupportCentral/conf/Catalina/localhost/host-manager.xml
>>>> 27-Jun-2019 06:01:58.060 INFO [localhost-startStop-1] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
>>>> 27-Jun-2019 06:01:58.167 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDescriptor Deployment of configuration descriptor /apps/supp/server/tomcat/apache-tomcat-8.0.17-SupportCentral/conf/Catalina/localhost/host-manager.xml has finished in 521 ms
>>>> 27-Jun-2019 06:01:58.167 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDescriptor Deploying configuration descriptor /apps/supp/server/tomcat/apache-tomcat-8.0.17-SupportCentral/conf/Catalina/localhost/manager.xml
>>>> 27-Jun-2019 06:01:58.233 INFO [localhost-startStop-1] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
>>>> 27-Jun-2019 06:01:58.238 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDescriptor Deployment of configuration descriptor /apps/supp/server/tomcat/apache-tomcat-8.0.17-SupportCentral/conf/Catalina/localhost/manager.xml has finished in 71 ms
>>>> 27-Jun-2019 06:01:58.243 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive /apps/supp/server/tomcat/apache-tomcat-8.0.17-SupportCentral/webapps/supportcentral.war
>>>> 27-Jun-2019 06:02:07.797 SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.startInternal Error listenerStart
>>>> 27-Jun-2019 06:02:07.833 SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.startInternal Context [/supportcentral] startup failed due to previous errors
>>>> 27-Jun-2019 06:02:07.854 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive /apps/supp/server/tomcat/apache-tomcat-8.0.17-SupportCentral/webapps/supportcentral.war has finished in 9,611 ms
>>>>
>>>> Further down in the logs I see:
>>>>
>>>> 27-Jun-2019 06:07:00.125 INFO [AD Thread Pool-Global0] org.apache.catalina.loader.WebappClassLoaderBase.checkStateForResourceLoading Illegal access: this web application instance has be
Re: Unable to start tomcat with Security Manager
Thanks Chris. How can I determine what is causing it to stop? Within seconds of starting it fails "due to previous errors" but the only thing mentioned before is regarding "Deploying configuration descriptor" which I didn't think it would cause tomcat not to start. Both manager.xml and host-manager.xml exist but only contain the following:

On Thu, Jun 27, 2019 at 9:55 AM Christopher Schultz <ch...@christopherschultz.net> wrote:
> Jeff,
>
> On 6/27/19 09:24, Jeff wrote:
> > Hello all,
> >
> > Hit a roadblock trying to start tomcat with Security Manager and don't even know where to start looking. Any help would be appreciated.
> >
> > catalina.out:
> > 27-Jun-2019 06:01:57.627 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.0.17
> > 27-Jun-2019 06:01:57.646 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDescriptor Deploying configuration descriptor /apps/supp/server/tomcat/apache-tomcat-8.0.17-SupportCentral/conf/Catalina/localhost/host-manager.xml
> > 27-Jun-2019 06:01:58.060 INFO [localhost-startStop-1] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
> > 27-Jun-2019 06:01:58.167 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDescriptor Deployment of configuration descriptor /apps/supp/server/tomcat/apache-tomcat-8.0.17-SupportCentral/conf/Catalina/localhost/host-manager.xml has finished in 521 ms
> > 27-Jun-2019 06:01:58.167 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDescriptor Deploying configuration descriptor /apps/supp/server/tomcat/apache-tomcat-8.0.17-SupportCentral/conf/Catalina/localhost/manager.xml
> > 27-Jun-2019 06:01:58.233 INFO [localhost-startStop-1] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
> > 27-Jun-2019 06:01:58.238 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDescriptor Deployment of configuration descriptor /apps/supp/server/tomcat/apache-tomcat-8.0.17-SupportCentral/conf/Catalina/localhost/manager.xml has finished in 71 ms
> > 27-Jun-2019 06:01:58.243 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive /apps/supp/server/tomcat/apache-tomcat-8.0.17-SupportCentral/webapps/supportcentral.war
> > 27-Jun-2019 06:02:07.797 SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.startInternal Error listenerStart
> > 27-Jun-2019 06:02:07.833 SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.startInternal Context [/supportcentral] startup failed due to previous errors
> > 27-Jun-2019 06:02:07.854 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive /apps/supp/server/tomcat/apache-tomcat-8.0.17-SupportCentral/webapps/supportcentral.war has finished in 9,611 ms
> >
> > Further down in the logs I see:
> >
> > 27-Jun-2019 06:07:00.125 INFO [AD Thread Pool-Global0] org.apache.catalina.loader.WebappClassLoaderBase.checkStateForResourceLoading Illegal access: this web application instance has been stopped already. Could not load [org.slf4j.Marker]. The following stack trace is thrown for debugging purposes as well as to attempt to terminate the thread which caused the illegal access.
> > java.lang.IllegalStateException: Illegal access: this web application instance has been stopped already. Could not load [org.slf4j.Marker]. The following stack trace is thrown for debugging purposes as well as to attempt to terminate the thread which caused the illegal access.
> >         at org.apache.catalina.loader.WebappClassLoaderBase.checkStateForResourceLoading(WebappClassLoaderBase.java:1
Re: Unable to start tomcat with Security Manager
Jeff,

On 6/27/19 09:24, Jeff wrote:
> Hello all,
>
> Hit a roadblock trying to start tomcat with Security Manager and don't even know where to start looking. Any help would be appreciated.
>
> catalina.out:
> 27-Jun-2019 06:01:57.627 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.0.17
> 27-Jun-2019 06:01:57.646 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDescriptor Deploying configuration descriptor /apps/supp/server/tomcat/apache-tomcat-8.0.17-SupportCentral/conf/Catalina/localhost/host-manager.xml
> 27-Jun-2019 06:01:58.060 INFO [localhost-startStop-1] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
> 27-Jun-2019 06:01:58.167 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDescriptor Deployment of configuration descriptor /apps/supp/server/tomcat/apache-tomcat-8.0.17-SupportCentral/conf/Catalina/localhost/host-manager.xml has finished in 521 ms
> 27-Jun-2019 06:01:58.167 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDescriptor Deploying configuration descriptor /apps/supp/server/tomcat/apache-tomcat-8.0.17-SupportCentral/conf/Catalina/localhost/manager.xml
> 27-Jun-2019 06:01:58.233 INFO [localhost-startStop-1] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
> 27-Jun-2019 06:01:58.238 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDescriptor Deployment of configuration descriptor /apps/supp/server/tomcat/apache-tomcat-8.0.17-SupportCentral/conf/Catalina/localhost/manager.xml has finished in 71 ms
> 27-Jun-2019 06:01:58.243 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive /apps/supp/server/tomcat/apache-tomcat-8.0.17-SupportCentral/webapps/supportcentral.war
> 27-Jun-2019 06:02:07.797 SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.startInternal Error listenerStart
> 27-Jun-2019 06:02:07.833 SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.startInternal Context [/supportcentral] startup failed due to previous errors
> 27-Jun-2019 06:02:07.854 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive /apps/supp/server/tomcat/apache-tomcat-8.0.17-SupportCentral/webapps/supportcentral.war has finished in 9,611 ms
>
> Further down in the logs I see:
>
> 27-Jun-2019 06:07:00.125 INFO [AD Thread Pool-Global0] org.apache.catalina.loader.WebappClassLoaderBase.checkStateForResourceLoading Illegal access: this web application instance has been stopped already. Could not load [org.slf4j.Marker]. The following stack trace is thrown for debugging purposes as well as to attempt to terminate the thread which caused the illegal access.
> java.lang.IllegalStateException: Illegal access: this web application instance has been stopped already. Could not load [org.slf4j.Marker]. The following stack trace is thrown for debugging purposes as well as to attempt to terminate the thread which caused the illegal access.
>         at org.apache.catalina.loader.WebappClassLoaderBase.checkStateForResourceLoading(WebappClassLoaderBase.java:1327)
>         at org.apache.catalina.loader.WebappClassLoaderBase.checkStateForClassLoading(WebappClassLoaderBase.java:1313)
>         at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1196)
>         at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1157)
>         at java.lang.Class.getDeclaredMethods0(Native Method)
>         at java.lang.Class.privateGetDeclaredMethods(Class.java:2701)
>         at java.lang.Class.getDeclaredMethods(Class.java:1975)
>         at com.singularity.ee.agent.appagent.services.o.a(o.java:445)
>         at com.singularity.ee.agent.appagent.services.o.a(o.java:94)
>         at com.singularity.ee.agent.appagent.services.F.a(F.java:847)
>         at com.singularity.ee.agent.appagent.services.F.run(F.java:736)
>         at com.singularity.ee.
Unable to start tomcat with Security Manager
Hello all, Hit a roadblock trying to start tomcat with Security Manager and don't even know where to start looking. Any help would be appreciated. catalina.out: 27-Jun-2019 06:01:57.627 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.0.17 27-Jun-2019 06:01:57.646 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDescriptor Deploying configuration descriptor /apps/supp/server/tomcat/apache-tomca t-8.0.17-SupportCentral/conf/Catalina/localhost/host-manager.xml 27-Jun-2019 06:01:58.060 INFO [localhost-startStop-1] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time. 27-Jun-2019 06:01:58.167 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDescriptor Deployment of configuration descriptor /apps/supp/server/tomcat/apache-t omcat-8.0.17-SupportCentral/conf/Catalina/localhost/host-manager.xml has finished in 521 ms 27-Jun-2019 06:01:58.167 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDescriptor Deploying configuration descriptor /apps/supp/server/tomcat/apache-tomca t-8.0.17-SupportCentral/conf/Catalina/localhost/manager.xml 27-Jun-2019 06:01:58.233 INFO [localhost-startStop-1] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time. 
27-Jun-2019 06:01:58.238 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDescriptor Deployment of configuration descriptor /apps/supp/server/tomcat/apache-t omcat-8.0.17-SupportCentral/conf/Catalina/localhost/manager.xml has finished in 71 ms 27-Jun-2019 06:01:58.243 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive /apps/supp/server/tomcat/apache-tomcat-8.0.17 -SupportCentral/webapps/supportcentral.war 27-Jun-2019 06:02:07.797 SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.startInternal Error listenerStart 27-Jun-2019 06:02:07.833 SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.startInternal Context [/supportcentral] startup failed due to previous errors 27-Jun-2019 06:02:07.854 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive /apps/supp/server/tomcat/apache-tomcat-8. 0.17-SupportCentral/webapps/supportcentral.war has finished in 9,611 ms Further down in the logs I see: 27-Jun-2019 06:07:00.125 INFO [AD Thread Pool-Global0] org.apache.catalina.loader.WebappClassLoaderBase.checkStateForResourceLoading Illegal access: this web application instance has be en stopped already. Could not load [org.slf4j.Marker]. The following stack trace is thrown for debugging purposes as well as to attempt to terminate the thread which caused the illegal access. java.lang.IllegalStateException: Illegal access: this web application instance has been stopped already. Could not load [org.slf4j.Marker]. The following stack trace is thrown for debu gging purposes as well as to attempt to terminate the thread which caused the illegal access. 
at org.apache.catalina.loader.WebappClassLoaderBase.checkStateForResourceLoading(WebappClassLoaderBase.java:1327) at org.apache.catalina.loader.WebappClassLoaderBase.checkStateForClassLoading(WebappClassLoaderBase.java:1313) at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1196) at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1157) at java.lang.Class.getDeclaredMethods0(Native Method) at java.lang.Class.privateGetDeclaredMethods(Class.java:2701) at java.lang.Class.getDeclaredMethods(Class.java:1975) at com.singularity.ee.agent.appagent.services.o.a(o.java:445) at com.singularity.ee.agent.appagent.services.o.a(o.java:94) at com.singularity.ee.agent.appagent.services.F.a(F.java:847) at com.singularity.ee.agent.appagent.services.F.run(F.java:736) at com.singularity.ee.util.javaspecific.scheduler.n.run(n.java:122) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at com.singularity.ee.util.javaspecific.scheduler.z.e(z.java:335) at com.singularity.ee.util.javaspecific.scheduler.a.b(a.java:152) at com.singularity.ee.util.javaspecific.scheduler.b.a(b.java:119) at com.singularity.ee.util.javaspecific.scheduler.b.b(b.java:206) at com.singularity.ee.util.javaspecific.scheduler.
Re: Tomcat 9.0 with security manager reports access denied
On 25.01.2019 at 21:58, Mark Thomas wrote:
> On 25/01/2019 20:34, Mark Thomas wrote:
>> On 25/01/2019 11:12, Mark Thomas wrote:
>>> On 24/01/2019 12:19, Kai Hofmann wrote:
>>>> Hello,
>>>>
>>>> I try to activate the security manager for my own Application within
>>>> Tomcat 9.0.x. The problem is that I got 2 different access denied's
>>>> that should (from my point of view) not happen. So this might be a bug -
>>>> but I am not 100% sure.
>>>>
>>>> To make a long story short I have put all information into a
>>>> stackoverflow question:
>>>>
>>>> https://stackoverflow.com/questions/54254003/tomcat-9-0-with-security-manager-reports-access-denied
>>>>
>>>> Maybe someone could help me with this problem?
>>>
>>> Strange.
>>>
>>> The failures might be related to running as a Windows service but I
>>> don't immediately see how. I wonder if there is a configuration issue.
>>>
>>> I ran a similar test locally on Linux and I don't see those failures. I
>>> did see a couple of other minor issues that I am in the process of fixing.
>>>
>>> Once I've finished fixing the issues I can see on Linux, I'll install
>>> the latest 9.0.x code as a Windows service and see if I can reproduce
>>> any of those failures.
>>
>> I see some additional instances of "denied" but not the ones you saw,
>>
>> I did notice that the security policy file was not configured correctly.
>> "==" is required when setting catalina.policy
>>
>> I'll look into getting the additional failures I've observed fixed but
>> it would help if you could provide the steps to reproduce the failures
>> you see from a clean Tomcat install.
>
> The additional failures are expected. java.beans.Introspector is trying
> to load classes that don't exist and they fail.
>
> Mark

Dear Mark,

thanks for the hint with the '==' for the catalina.policy definition. This fixed one of my exceptions.

The second exception could then be fixed by adding

permission java.util.PropertyPermission "org.apache.juli.logging.UserDataHelper.CONFIG", "read";

to the policies.

So everything works here on Windows as a service ;-)

Greetings
PowerStat

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 9.0 with security manager reports access denied
On 25/01/2019 20:34, Mark Thomas wrote:
> On 25/01/2019 11:12, Mark Thomas wrote:
>> On 24/01/2019 12:19, Kai Hofmann wrote:
>>> Hello,
>>>
>>> I try to activate the security manager for my own Application within
>>> Tomcat 9.0.x. The problem is that I got 2 different access denied's
>>> that should (from my point of view) not happen. So this might be a bug -
>>> but I am not 100% sure.
>>>
>>> To make a long story short I have put all information into a
>>> stackoverflow question:
>>>
>>> https://stackoverflow.com/questions/54254003/tomcat-9-0-with-security-manager-reports-access-denied
>>>
>>> Maybe someone could help me with this problem?
>>
>> Strange.
>>
>> The failures might be related to running as a Windows service but I
>> don't immediately see how. I wonder if there is a configuration issue.
>>
>> I ran a similar test locally on Linux and I don't see those failures. I
>> did see a couple of other minor issues that I am in the process of fixing.
>>
>> Once I've finished fixing the issues I can see on Linux, I'll install
>> the latest 9.0.x code as a Windows service and see if I can reproduce
>> any of those failures.
>
> I see some additional instances of "denied" but not the ones you saw,
>
> I did notice that the security policy file was not configured correctly.
> "==" is required when setting catalina.policy
>
> I'll look into getting the additional failures I've observed fixed but
> it would help if you could provide the steps to reproduce the failures
> you see from a clean Tomcat install.

The additional failures are expected. java.beans.Introspector is trying to load classes that don't exist and they fail.

Mark
Re: Tomcat 9.0 with security manager reports access denied
On 25/01/2019 11:12, Mark Thomas wrote:
> On 24/01/2019 12:19, Kai Hofmann wrote:
>> Hello,
>>
>> I try to activate the security manager for my own Application within
>> Tomcat 9.0.x. The problem is that I got 2 different access denied's
>> that should (from my point of view) not happen. So this might be a bug -
>> but I am not 100% sure.
>>
>> To make a long story short I have put all information into a
>> stackoverflow question:
>>
>> https://stackoverflow.com/questions/54254003/tomcat-9-0-with-security-manager-reports-access-denied
>>
>> Maybe someone could help me with this problem?
>
> Strange.
>
> The failures might be related to running as a Windows service but I
> don't immediately see how. I wonder if there is a configuration issue.
>
> I ran a similar test locally on Linux and I don't see those failures. I
> did see a couple of other minor issues that I am in the process of fixing.
>
> Once I've finished fixing the issues I can see on Linux, I'll install
> the latest 9.0.x code as a Windows service and see if I can reproduce
> any of those failures.

I see some additional instances of "denied" but not the ones you saw,

I did notice that the security policy file was not configured correctly. "==" is required when setting catalina.policy

I'll look into getting the additional failures I've observed fixed but it would help if you could provide the steps to reproduce the failures you see from a clean Tomcat install.

Mark
Re: Tomcat 9.0 with security manager reports access denied
On 24/01/2019 12:19, Kai Hofmann wrote:
> Hello,
>
> I try to activate the security manager for my own Application within
> Tomcat 9.0.x. The problem is that I got 2 different access denied's
> that should (from my point of view) not happen. So this might be a bug -
> but I am not 100% sure.
>
> To make a long story short I have put all information into a
> stackoverflow question:
>
> https://stackoverflow.com/questions/54254003/tomcat-9-0-with-security-manager-reports-access-denied
>
> Maybe someone could help me with this problem?

Strange.

The failures might be related to running as a Windows service but I don't immediately see how. I wonder if there is a configuration issue.

I ran a similar test locally on Linux and I don't see those failures. I did see a couple of other minor issues that I am in the process of fixing.

Once I've finished fixing the issues I can see on Linux, I'll install the latest 9.0.x code as a Windows service and see if I can reproduce any of those failures.

Mark
Tomcat 9.0 with security manager reports access denied
Hello,

I try to activate the security manager for my own Application within Tomcat 9.0.x. The problem is that I got 2 different access denied's that should (from my point of view) not happen. So this might be a bug - but I am not 100% sure.

To make a long story short I have put all information into a stackoverflow question:

https://stackoverflow.com/questions/54254003/tomcat-9-0-with-security-manager-reports-access-denied

Maybe someone could help me with this problem?

Thanks in advance
Kai
[SECURITY] CVE-2016-6796 Apache Tomcat Security Manager Bypass
CVE-2016-6796 Apache Tomcat Security Manager Bypass

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M9
Apache Tomcat 8.5.0 to 8.5.4
Apache Tomcat 8.0.0.RC1 to 8.0.36
Apache Tomcat 7.0.0 to 7.0.70
Apache Tomcat 6.0.0 to 6.0.45
Earlier, unsupported versions may also be affected.

Description
A malicious web application was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.

Mitigation
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 9.0.0.M10 or later
- Upgrade to Apache Tomcat 8.5.5 or later
- Upgrade to Apache Tomcat 8.0.37 or later
- Upgrade to Apache Tomcat 7.0.72 or later (Apache Tomcat 7.0.71 has the fix but was not released)
- Upgrade to Apache Tomcat 6.0.47 or later (Apache Tomcat 6.0.46 has the fix but was not released)

Credit:
This issue was discovered by the Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html
[SECURITY] CVE-2016-5018 Apache Tomcat Security Manager Bypass
CVE-2016-5018 Apache Tomcat Security Manager Bypass

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M9
Apache Tomcat 8.5.0 to 8.5.4
Apache Tomcat 8.0.0.RC1 to 8.0.36
Apache Tomcat 7.0.0 to 7.0.70
Apache Tomcat 6.0.0 to 6.0.45
Earlier, unsupported versions may also be affected.

Description
A malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.

Mitigation
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 9.0.0.M10 or later
- Upgrade to Apache Tomcat 8.5.5 or later
- Upgrade to Apache Tomcat 8.0.37 or later
- Upgrade to Apache Tomcat 7.0.72 or later (Apache Tomcat 7.0.71 has the fix but was not released)
- Upgrade to Apache Tomcat 6.0.47 or later (Apache Tomcat 6.0.46 has the fix but was not released)

Credit:
This issue was discovered by Alvaro Munoz of the HP Enterprise Security Team and reported responsibly to the Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html
Re: [SECURITY] CVE-2016-0763 Apache Tomcat Security Manager Bypass
On 22/02/2016 at 06:23 a.m., Mark Thomas wrote:

CVE-2016-0763 Apache Tomcat Security Manager Bypass

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 7.0.0 to 7.0.67
- Apache Tomcat 8.0.0.RC1 to 8.0.30
- Apache Tomcat 9.0.0.M1 to 9.0.0.M2

Description:
ResourceLinkFactory.setGlobalContext() is a public method and was accessible by web applications running under a security manager without any checks. This allowed a malicious web application to inject a malicious global context that could in turn be used to disrupt other web applications and/or read and write data owned by other web applications.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 9.0.0.M3 or later
- Upgrade to Apache Tomcat 8.0.32 or later (8.0.31 has the fix but was not released)
- Upgrade to Apache Tomcat 7.0.68 or later
- Upgrade to Apache Tomcat 6.0.45 or later

Credit:
This issue was discovered by The Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[SECURITY] CVE-2016-0706 Apache Tomcat Security Manager bypass
CVE-2016-0706 Apache Tomcat Security Manager bypass

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 6.0.0 to 6.0.44
- Apache Tomcat 7.0.0 to 7.0.67
- Apache Tomcat 8.0.0.RC1 to 8.0.30
- Apache Tomcat 9.0.0.M1
- Earlier, unsupported Tomcat versions may be affected

Description:
The StatusManagerServlet could be loaded by a web application when a security manager was configured. This servlet would then provide the web application with a list of all deployed applications and a list of the HTTP request lines for all requests currently being processed. This could have exposed sensitive information from other web applications such as session IDs to the web application.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 9.0.0.M3 or later (9.0.0.M2 has the fix but was not released)
- Upgrade to Apache Tomcat 8.0.32 or later (8.0.31 has the fix but was not released)
- Upgrade to Apache Tomcat 7.0.68 or later
- Upgrade to Apache Tomcat 6.0.45 or later

Credit:
This issue was discovered by The Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html
[SECURITY] CVE-2016-0714 Apache Tomcat Security Manager Bypass
CVE-2016-0714 Apache Tomcat Security Manager Bypass

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 6.0.0 to 6.0.44
- Apache Tomcat 7.0.0 to 7.0.67
- Apache Tomcat 8.0.0.RC1 to 8.0.30
- Apache Tomcat 9.0.0.M1
- Earlier, unsupported Tomcat versions may be affected

Description:
Tomcat provides several session persistence mechanisms. The StandardManager persists session over a restart. The PersistentManager is able to persist sessions to files, a database or a custom Store. The Cluster implementation persists sessions to one or more additional nodes in the cluster. All of these mechanisms could be exploited to bypass a security manager. Session persistence is performed by Tomcat code with the permissions assigned to Tomcat internal code. By placing a carefully crafted object into a session, a malicious web application could trigger the execution of arbitrary code.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 9.0.0.M3 or later (9.0.0.M2 has the fix but was not released)
- Upgrade to Apache Tomcat 8.0.32 or later (8.0.31 has the fix but was not released)
- Upgrade to Apache Tomcat 7.0.68 or later
- Upgrade to Apache Tomcat 6.0.45 or later

Credit:
This issue was discovered by The Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html
[SECURITY] CVE-2016-0763 Apache Tomcat Security Manager Bypass
CVE-2016-0763 Apache Tomcat Security Manager Bypass

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 7.0.0 to 7.0.67
- Apache Tomcat 8.0.0.RC1 to 8.0.30
- Apache Tomcat 9.0.0.M1 to 9.0.0.M2

Description:
ResourceLinkFactory.setGlobalContext() is a public method and was accessible by web applications running under a security manager without any checks. This allowed a malicious web application to inject a malicious global context that could in turn be used to disrupt other web applications and/or read and write data owned by other web applications.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 9.0.0.M3 or later
- Upgrade to Apache Tomcat 8.0.32 or later (8.0.31 has the fix but was not released)
- Upgrade to Apache Tomcat 7.0.68 or later
- Upgrade to Apache Tomcat 6.0.45 or later

Credit:
This issue was discovered by The Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
Re: Startup issue with security manager enabled on Tomcat 7.0.65 or later
2015-12-23 23:55 GMT+03:00 David Gietka - NOAA Federal:
> Hello Chris,
> Thanks for your response. There was nothing else in the log (see below),
> but with the latest version of tomcat 7 (7.0.67), I was able to start the
> downloaded version of tomcat with -security enabled. I will review my
> deployment procedures to try and narrow down the problem further. It may
> be one of my war files that is causing the issue. I greatly appreciate
> your help.

It looks like your bin/bootstrap.jar file has not been updated and still runs 7.0.64 code.
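A check for the partial-upgrade condition diagnosed above, as an added example that is not part of the original messages or Tomcat's own tooling: it compares the `Implementation-Version` manifest attribute of `bin/bootstrap.jar` and `lib/catalina.jar` and looks for the two class names quoted in this thread. It assumes both jars carry `Implementation-Version` in their manifests and that the loader classes live in `lib/catalina.jar`; the sample jars are constructed in memory.

```python
import io
import zipfile

# Class names quoted in the thread: the one the failing preload asks for,
# and the name it was renamed to.
OLD_CLASS = "org/apache/catalina/loader/WebappClassLoader$PrivilegedFindResourceByName.class"
NEW_CLASS = "org/apache/catalina/loader/WebappClassLoaderBase$PrivilegedFindResourceByName.class"


def manifest_attrs(zf):
    """Return the main-section attributes of META-INF/MANIFEST.MF."""
    try:
        raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return {}
    attrs, key = {}, None
    for line in raw.splitlines():
        if not line.strip():
            break  # a blank line ends the main section
        if line.startswith(" ") and key is not None:
            attrs[key] += line[1:]  # continuation of a folded 72-byte line
        elif ":" in line:
            key, _, value = line.partition(":")
            attrs[key] = value.strip()
    return attrs


def check_install(bootstrap_jar, catalina_jar):
    """Compare the two jars (paths or file objects) and report mismatches."""
    with zipfile.ZipFile(bootstrap_jar) as b, zipfile.ZipFile(catalina_jar) as c:
        boot_ver = manifest_attrs(b).get("Implementation-Version")
        cat_ver = manifest_attrs(c).get("Implementation-Version")
        names = set(c.namelist())

    findings = []
    if boot_ver is None or cat_ver is None:
        findings.append("Implementation-Version missing; cannot compare jars")
    elif boot_ver != cat_ver:
        findings.append(
            f"bootstrap.jar is {boot_ver} but catalina.jar is {cat_ver}: "
            "partial upgrade")
        if OLD_CLASS not in names and NEW_CLASS in names:
            findings.append(
                "catalina.jar only contains the renamed class; bootstrap code "
                "that preloads the old name fails with ClassNotFoundException "
                "when started with -security")
    if OLD_CLASS not in names and NEW_CLASS not in names:
        findings.append("neither class name found in catalina.jar")
    return {"bootstrap": boot_ver, "catalina": cat_ver,
            "consistent": not findings, "findings": findings}


def make_jar(version, classes=()):
    """Build a constructed sample jar in memory (not a real Tomcat jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\n"
                    f"Implementation-Version: {version}\r\n\r\n")
        for name in classes:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed case: bootstrap.jar left at 7.0.64, lib/ upgraded to 7.0.67.
    report = check_install(make_jar("7.0.64"), make_jar("7.0.67", [NEW_CLASS]))
    for finding in report["findings"]:
        print("WARN:", finding)
```

On a real installation, pass the paths of `bin/bootstrap.jar` and `lib/catalina.jar` to `check_install` instead of the in-memory samples.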
Re: Startup issue with security manager enabled on Tomcat 7.0.65 or later
On 23/12/2015 20:55, David Gietka - NOAA Federal wrote:
> Hello Chris,
> Thanks for your response. There was nothing else in the log (see below),
> but with the latest version of tomcat 7 (7.0.67), I was able to start the
> downloaded version of tomcat with -security enabled. I will review my
> deployment procedures to try and narrow down the problem further. It may
> be one of my war files that is causing the issue. I greatly appreciate
> your help.

Hint:

org.apache.catalina.loader.WebappClassLoader$PrivilegedFindResourceByName

has been renamed to:

org.apache.catalina.loader.WebappClassLoaderBase$PrivilegedFindResourceByName

I've checked the Tomcat code that preloads this class and it looks to be using the correct (new) name.

Mark

>
> Best Regards,
> David
>
> On Wed, Dec 23, 2015 at 3:31 PM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> David,
>>
>> On 12/23/15 2:33 PM, David Gietka - NOAA Federal wrote:
>>> Hello Tomcat list users,
>>> I am hoping someone on this list may have insight into a problem we are
>>> having running the latest version of tomcat 7.
>>>
>>> Our site currently runs Tomcat 7.0.64. We start Tomcat with the security
>>> manager enabled ($CATALINA_HOME/bin/startup.sh -security ). We are running
>>> Java version 1.8.0_66. When we have tried to upgrade Tomcat (to
>>> 7.0.65-7.0.67) we get the error below. Removing the -security allows
>>> Tomcat to start correctly. Due to our IT security constraints, we need to
>>> enable security manager. Has anyone come across this issue before? Any
>>> help would be greatly appreciated. Please let me know if I should provide
>>> further details.
>>>
>>>
>>> java.lang.ClassNotFoundException:
>>> org.apache.catalina.loader.WebappClassLoader$PrivilegedFindResourceByName
>>> at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
>>> at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
>>> at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
>>> at org.apache.catalina.security.SecurityClassLoad.loadLoaderPackage(SecurityClassLoad.java:106)
>>> at org.apache.catalina.security.SecurityClassLoad.securityClassLoad(SecurityClassLoad.java:40)
>>> at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:230)
>>> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:425)
>>
>> It looks like you may have broken your Tomcat installation -- this isn't
>> a SecurityManager-related error: it's a missing class error. Was there
>> anything else in the log file?
>>
>> -chris
Re: Startup issue with security manager enabled on Tomcat 7.0.65 or later
Hello Chris,
Thanks for your response. There was nothing else in the log (see below), but with the latest version of tomcat 7 (7.0.67), I was able to start the downloaded version of tomcat with -security enabled. I will review my deployment procedures to try and narrow down the problem further. It may be one of my war files that is causing the issue. I greatly appreciate your help.

Best Regards,
David

On Wed, Dec 23, 2015 at 3:31 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> David,
>
> On 12/23/15 2:33 PM, David Gietka - NOAA Federal wrote:
> > Hello Tomcat list users,
> > I am hoping someone on this list may have insight into a problem we are
> > having running the latest version of tomcat 7.
> >
> > Our site currently runs Tomcat 7.0.64. We start Tomcat with the security
> > manager enabled ($CATALINA_HOME/bin/startup.sh -security ). We are running
> > Java version 1.8.0_66. When we have tried to upgrade Tomcat (to
> > 7.0.65-7.0.67) we get the error below. Removing the -security allows
> > Tomcat to start correctly. Due to our IT security constraints, we need to
> > enable security manager. Has anyone come across this issue before? Any
> > help would be greatly appreciated. Please let me know if I should provide
> > further details.
> >
> >
> > java.lang.ClassNotFoundException:
> > org.apache.catalina.loader.WebappClassLoader$PrivilegedFindResourceByName
> > at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
> > at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
> > at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
> > at org.apache.catalina.security.SecurityClassLoad.loadLoaderPackage(SecurityClassLoad.java:106)
> > at org.apache.catalina.security.SecurityClassLoad.securityClassLoad(SecurityClassLoad.java:40)
> > at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:230)
> > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:425)
>
> It looks like you may have broken your Tomcat installation -- this isn't
> a SecurityManager-related error: it's a missing class error. Was there
> anything else in the log file?
>
> -chris
Re: Startup issue with security manager enabled on Tomcat 7.0.65 or later
David,

On 12/23/15 2:33 PM, David Gietka - NOAA Federal wrote:
> Hello Tomcat list users,
> I am hoping someone on this list may have insight into a problem we are having running the latest version of tomcat 7.
>
> Our site currently runs Tomcat 7.0.64. We start Tomcat with the security manager enabled ($CATALINA_HOME/bin/startup.sh -security ). We are running Java version 1.8.0_66. When we have tried to upgrade Tomcat (to 7.0.65-7.0.67) we get the error below. Removing the -security allows Tomcat to start correctly. Due to our IT security constraints, we need to enable security manager. Has anyone come across this issue before? Any help would be greatly appreciated. Please let me know if I should provide further details.
>
> java.lang.ClassNotFoundException:
> org.apache.catalina.loader.WebappClassLoader$PrivilegedFindResourceByName
>     at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
>     at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
>     at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
>     at org.apache.catalina.security.SecurityClassLoad.loadLoaderPackage(SecurityClassLoad.java:106)
>     at org.apache.catalina.security.SecurityClassLoad.securityClassLoad(SecurityClassLoad.java:40)
>     at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:230)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:425)

It looks like you may have broken your Tomcat installation -- this isn't a SecurityManager-related error: it's a missing class error. Was there anything else in the log file?

-chris
Startup issue with security manager enabled on Tomcat 7.0.65 or later
Hello Tomcat list users,

I am hoping someone on this list may have insight into a problem we are having running the latest version of tomcat 7.

Our site currently runs Tomcat 7.0.64. We start Tomcat with the security manager enabled ($CATALINA_HOME/bin/startup.sh -security ). We are running Java version 1.8.0_66. When we have tried to upgrade Tomcat (to 7.0.65-7.0.67) we get the error below. Removing the -security allows Tomcat to start correctly. Due to our IT security constraints, we need to enable security manager. Has anyone come across this issue before? Any help would be greatly appreciated. Please let me know if I should provide further details.

java.lang.ClassNotFoundException: org.apache.catalina.loader.WebappClassLoader$PrivilegedFindResourceByName
    at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    at org.apache.catalina.security.SecurityClassLoad.loadLoaderPackage(SecurityClassLoad.java:106)
    at org.apache.catalina.security.SecurityClassLoad.securityClassLoad(SecurityClassLoad.java:40)
    at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:230)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:425)

Best Regards,
David
[SECURITY] CVE-2014-7810: Apache Tomcat Security Manager Bypass
CVE-2014-7810 Security Manager Bypass

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.15
- Apache Tomcat 7.0.0 to 7.0.57
- Apache Tomcat 6.0.0 to 6.0.43

Description:
Malicious web applications could use expression language to bypass the protections of a Security Manager as expressions were evaluated within a privileged code section.
This issue only affects installations that run web applications from untrusted sources.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.17 or later (8.0.16 has the fix but was not released)
- Upgrade to Apache Tomcat 7.0.59 or later (7.0.58 has the fix but was not released)
- Upgrade to Apache Tomcat 6.0.44 or later

Credit:
This issue was discovered by the Apache Tomcat security team.

References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html
Re: Running Manager App with Security Manager turned on - Tomcat 8.0.15
On 20/11/2014 12:00, Luka Pavlič wrote:
> Hi,
>
> I am running tomcat 8.0.15, win64 ZIP, on Windows 2008R2, Oracle JRE 8.0.20.
>
> Running with "catalina start", /manager app works perfectly.
>
> Running "catalina start -security" will result in not deployed manager app.
>
> I would *definitely need* both: running Tomcat with Security Manager turned on, and manager application. (I would like to enable "non-trusted" people to deploy their applications to my server via manager app)
>
> Any idea what to do?

Read the error message in the logs.

> An appropriate descriptor should be created
> at
> [C:\Deployments\SOA\apache-tomcat-8.0.15\conf\Catalina\localhost\manager.xml]
> to deploy this application.

Mark
Re: Running Manager App with Security Manager turned on - Tomcat 8.0.15
Luka Pavlič wrote:
> Hi,
>
> I am running tomcat 8.0.15, win64 ZIP, on Windows 2008R2, Oracle JRE 8.0.20.
>
> Running with "catalina start", /manager app works perfectly.
>
> Running "catalina start -security" will result in not deployed manager app.
>
> I would *definitely need* both: running Tomcat with Security Manager turned on, and manager application. (I would like to enable "non-trusted" people to deploy their applications to my server via manager app)
>
> Any idea what to do?
>
> Thank you in advance!
>
> Error log:
>
> 20-Nov-2014 11:28:46.242 SEVERE [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory The web application with context path [/manager] was not deployed because it contained a deployment descriptor [C:\Deployments\SOA\apache-tomcat-8.0.15\webapps\manager\META-INF\context.xml] which may include configuration necessary for the secure deployment of the application but processing of deployment descriptors is prevented by the deployXML setting of this host. An appropriate descriptor should be created at [C:\Deployments\SOA\apache-tomcat-8.0.15\conf\Catalina\localhost\manager.xml] to deploy this application.

Good idea to copy the error log. It seems that it does provide some clues as to what is happening, which can be examined in the online documentation, here:
http://tomcat.apache.org/tomcat-8.0-doc/config/host.html#Standard_Implementation

See "deployXML".

I'm not sure that I fully understand myself what it says there, but maybe you do. I think that the appropriate way to understand that very dense (but probably very precise and accurate) paragraph may be to draw a little logical flowchart of it.

In any case, the last phrase seems to say that:
- if you start without "-security", then the default is "true"
- and if you start with "-security", then the default is "false"

Which then matches the thing that the last line of the log above is telling you.

It's really nice, when the documentation and the logs match perfectly. And even more when the logs tell you exactly what to do to correct the problem.
Re: Running Manager App with Security Manager turned on - Tomcat 8.0.15
2014-11-20 14:00 GMT+03:00 Luka Pavlič:
> Hi,
>
> I am running tomcat 8.0.15, win64 ZIP, on Windows 2008R2, Oracle JRE 8.0.20.
>
> Running with "catalina start", /manager app works perfectly.
>
> Running "catalina start -security" will result in not deployed manager app.
>
> I would *definitely need* both: running Tomcat with Security Manager turned on, and manager application. (I would like to enable "non-trusted" people to deploy their applications to my server via manager app)
>
> Any idea what to do?
>
> Thank you in advance!
>
> Error log:
>

What words in the below message do you not understand?

Have you searched the mailing list archive for previous answers?

> 20-Nov-2014 11:28:46.242 SEVERE [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory The web application with context path [/manager] was not deployed because it contained a deployment descriptor [C:\Deployments\SOA\apache-tomcat-8.0.15\webapps\manager\META-INF\context.xml] which may include configuration necessary for the secure deployment of the application but processing of deployment descriptors is prevented by the deployXML setting of this host. An appropriate descriptor should be created at [C:\Deployments\SOA\apache-tomcat-8.0.15\conf\Catalina\localhost\manager.xml] to deploy this application.
Running Manager App with Security Manager turned on - Tomcat 8.0.15
Hi,

I am running tomcat 8.0.15, win64 ZIP, on Windows 2008R2, Oracle JRE 8.0.20.

Running with "catalina start", /manager app works perfectly.

Running "catalina start -security" will result in not deployed manager app.

I would *definitely need* both: running Tomcat with Security Manager turned on, and manager application. (I would like to enable "non-trusted" people to deploy their applications to my server via manager app)

Any idea what to do?

Thank you in advance!

Error log:

20-Nov-2014 11:28:46.242 SEVERE [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory The web application with context path [/manager] was not deployed because it contained a deployment descriptor [C:\Deployments\SOA\apache-tomcat-8.0.15\webapps\manager\META-INF\context.xml] which may include configuration necessary for the secure deployment of the application but processing of deployment descriptors is prevented by the deployXML setting of this host. An appropriate descriptor should be created at [C:\Deployments\SOA\apache-tomcat-8.0.15\conf\Catalina\localhost\manager.xml] to deploy this application.

20-Nov-2014 11:28:46.258 SEVERE [localhost-startStop-1] org.apache.catalina.core.ContainerBase.addChildInternal ContainerBase.addChild: start:
 org.apache.catalina.LifecycleException: Failed to start component [/manager]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)
    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:699)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:714)
    at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1069)
    at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1719)
    at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: org.apache.catalina.LifecycleException: Failed to process either the global, per-host or context-specific context.xml file therefore the [/manager] Context cannot be started.
    at org.apache.catalina.startup.FailedContext.startInternal(FailedContext.java:199)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    ... 14 more

Bests,
Luka.
Re: record security manager
Wim,

On 9/10/14 9:36 AM, Wim Bertels wrote:
> as i tested setup debian + tomcat7 following the documentation, i
> was referred to
> http://tomcat.apache.org/tomcat-7.0-doc/security-manager-howto.html
>
> for enabling the security manager,
> as it seems in debian stable (with tomcat + examples + admin
> debian packages installed): - enabling the security manager: tomcat
> does not start

What do the logs say? You probably have SecurityExceptions logged somewhere.

> -- the logs are not clear to me

Can you paste a segment, or better yet, the whole thing after a clean start?

> This is not a tomcat problem, but debian it seems to me.

Tomcat itself should start properly under a security manager. Your web application might not have the proper configuration to run under a security manager, but your web application failing to start should not cause Tomcat to fail to start.

It's important to get the logs. Can you find them?

-chris
Re: record security manager
Wim Bertels wrote:
> Hello,
>
> as i tested setup debian + tomcat7

There are many versions of Tomcat 7.x. Which version precisely? (There is a "version.sh" script somewhere, which will tell you)

> following the documentation, i was referred to
> http://tomcat.apache.org/tomcat-7.0-doc/security-manager-howto.html
> for enabling the security manager,

As I recall, under Debian, there is a setting in /etc/default/tomcatx, like SECURITY=YES/NO which takes care of that for you.

> as it seems in debian stable (with tomcat + examples + admin debian packages installed):
> - enabling the security manager: tomcat does not start
> -- the logs are not clear to me

But maybe they would be clear to someone here. What do they say?

> This is not a tomcat problem, but debian it seems to me.

Also note, if it is not clear: the "security manager" is not a specific Tomcat thing, it is a Java JVM thing. It is the JVM which runs Tomcat which enforces some security restrictions upon Java programs which run under it. That includes Tomcat java code, and the java code of the applications which run under Tomcat.

> So i looked further, and came across
> http://www.jchains.org/
> but it is quite old (2009);
> if correct:
> - it basically runs the application without security manager and records the permissions needed.
> - then u use that recording as a policy for your security manager
> - now run the application with security manager.
>
> So my question is: are there recent alternatives to this, or other good practices?
>
> Kind regards,
> Wim
record security manager
Hello,

as i tested setup debian + tomcat7 following the documentation, i was referred to
http://tomcat.apache.org/tomcat-7.0-doc/security-manager-howto.html
for enabling the security manager,

as it seems in debian stable (with tomcat + examples + admin debian packages installed):
- enabling the security manager: tomcat does not start
-- the logs are not clear to me

This is not a tomcat problem, but debian it seems to me.

So i looked further, and came across
http://www.jchains.org/
but it is quite old (2009);
if correct:
- it basically runs the application without security manager and records the permissions needed.
- then u use that recording as a policy for your security manager
- now run the application with security manager.

So my question is: are there recent alternatives to this, or other good practices?

Kind regards,
Wim
Re: How can we configure deployXML=true in security manager ?
On Thu, Aug 14, 2014 at 6:39 AM, Utkarsh Dave wrote:

> We upgraded from Tomcat 7.0.41 to tomcat 7.0.53.
> We are starting the Tomcat as "-security" so as to enable security manager.
> I also see the changelog of 7.0.48 mentioning about this change
> "When running under a security manager, change the default value of the Host's deployXML attribute to false.
> add If a Host is configured with a value of false for deployXML, a web application has an embedded descriptor at META-INF/context.xml and no explicit descriptor has been defined for this application, do not allow the application to start. The reason for this is that the embedded descriptor may contain configuration necessary for secure operation such as a RemoteAddrValve.
> "
>
> As a result many of the applications are not starting in my project.
> How can we fix this?
>

Don't rely on the contents of your application's META-INF/context.xml files. As the note you quoted mentions, when you set "-security" it is going to set "deployXML" to "false". This is explained a bit more in the docs for "deployXML".

"Set to false if you want to disable parsing the context XML descriptor embedded inside the application (located at /META-INF/context.xml). Security conscious environments should set this to false to prevent applications from interacting with the container's configuration. The administrator will then be responsible for providing an external context configuration file, and putting it in the location defined by the xmlBase attribute. If this flag is false, a descriptor is located at /META-INF/context.xml and no descriptor is present in xmlBase then the context will fail to start in case the descriptor contains necessary configuration for secure deployment (such as a RemoteAddrValve) which should not be ignored. The flag's value defaults to true unless a security manager is enabled when the default is false."

To work around this just move all the necessary configuration that was in /META-INF/context.xml into "conf/Catalina/localhost/.xml" (i.e. conf///.xml).

Dan

>
> -Thanks
> Utkarsh
>
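The deployXML rule quoted in the reply above can be checked before an upgrade or before turning on `-security`. The following is an added example, not part of the original thread and not Tomcat code: a Python audit that walks a Tomcat base directory and reports which applications carry an embedded META-INF/context.xml without a matching external descriptor. The function names, status strings and sample tree are constructed for illustration, and the default `conf/Catalina/localhost` location and `webapps` appBase are assumptions matching the paths shown in this thread.

```python
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

EMBEDDED = "META-INF/context.xml"


def read_embedded(entry: Path):
    """Return the bytes of META-INF/context.xml from an exploded dir or a WAR, else None."""
    if entry.is_dir():
        candidate = entry / EMBEDDED
        return candidate.read_bytes() if candidate.is_file() else None
    with zipfile.ZipFile(entry) as war:
        try:
            return war.read(EMBEDDED)
        except KeyError:
            return None


def valve_classes(xml_bytes: bytes):
    """List Valve classNames in a descriptor; None if it cannot be inspected safely.

    Descriptors may come from untrusted deployers, so anything carrying a DTD
    or entity declaration is flagged for manual review instead of being parsed.
    """
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        return None
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return None
    return [valve.get("className", "?") for valve in root.iter("Valve")]


def audit(catalina_base, engine="Catalina", host="localhost", app_base="webapps"):
    """Map each application name to (status, valves) under the deployXML=false rule."""
    base = Path(catalina_base)
    xml_base = base / "conf" / engine / host
    report = {}
    for entry in sorted((base / app_base).iterdir()):
        if not (entry.is_dir() or entry.suffix.lower() == ".war"):
            continue
        # The external descriptor shares the base name of the directory or WAR.
        name = entry.name if entry.is_dir() else entry.stem
        embedded = read_embedded(entry)
        if embedded is None:
            report[name] = ("no-embedded-descriptor", [])
        elif (xml_base / f"{name}.xml").is_file():
            report[name] = ("external-descriptor-present", valve_classes(embedded))
        else:
            # Embedded descriptor, nothing in xmlBase: the context will not start.
            report[name] = ("blocked", valve_classes(embedded))
    return report


def build_sample(root: Path):
    """Constructed sample tree: one blocked app, one migrated WAR, one plain app."""
    (root / "conf/Catalina/localhost").mkdir(parents=True)
    (root / "webapps/manager/META-INF").mkdir(parents=True)
    (root / "webapps/manager/META-INF/context.xml").write_bytes(
        b'<Context><Valve className="org.apache.catalina.valves.RemoteAddrValve" '
        b'allow="127\\.0\\.0\\.1"/></Context>'
    )
    with zipfile.ZipFile(root / "webapps/shop.war", "w") as war:
        war.writestr(EMBEDDED, "<Context/>")
    (root / "conf/Catalina/localhost/shop.xml").write_text("<Context/>")
    (root / "webapps/docs").mkdir()


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample(root)
        return audit(root)


if __name__ == "__main__":
    for app, (status, valves) in demo().items():
        print(f"{app:10} {status:30} valves={valves}")
```

The valve list for a blocked application shows which security-relevant settings have to be carried over into the external descriptor rather than silently dropped.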
How can we configure deployXML=true in security manager ?
We upgraded from Tomcat 7.0.41 to tomcat 7.0.53.
We are starting the Tomcat as "-security" so as to enable security manager.
I also see the changelog of 7.0.48 mentioning about this change
"When running under a security manager, change the default value of the Host's deployXML attribute to false.
add If a Host is configured with a value of false for deployXML, a web application has an embedded descriptor at META-INF/context.xml and no explicit descriptor has been defined for this application, do not allow the application to start. The reason for this is that the embedded descriptor may contain configuration necessary for secure operation such as a RemoteAddrValve.
"

As a result many of the applications are not starting in my project.
How can we fix this?

-Thanks
Utkarsh
Re: Security Manager Exception
2014-07-22 20:04 GMT+04:00 George Sexton:
> I'm using Tomcat 7.0.54 with the security manager. I'm getting an exception I don't understand:
>
> 2014-07-22 09:27:03,934 [http-bio-80-exec-64] ERROR org.apache.catalina.core.ContainerBase.[Catalina].[somehostname.mhsoftware.com].[/].[jsp]- Servlet.service() for servlet [jsp] in context with path [] threw exception [java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")] with root cause
> java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")
>     at java.security.AccessControlContext.checkPermission(Unknown Source)
>     at java.security.AccessController.checkPermission(Unknown Source)
>     at java.lang.SecurityManager.checkPermission(Unknown Source)
>     at java.lang.ClassLoader.checkClassLoaderPermission(Unknown Source)
>     at java.lang.ClassLoader.getParent(Unknown Source)
>     at org.apache.juli.ClassLoaderLogManager.findProperty(ClassLoaderLogManager.java:295)
>     at org.apache.juli.ClassLoaderLogManager.getProperty(ClassLoaderLogManager.java:266)
>     at org.apache.juli.ClassLoaderLogManager.addLogger(ClassLoaderLogManager.java:144)
>     at java.util.logging.LogManager.demandLogger(Unknown Source)
>     at java.util.logging.Logger.demandLogger(Unknown Source)
>     at java.util.logging.Logger.getLogger(Unknown Source)
>     at com.sun.mail.util.MailLogger.<init>(MailLogger.java:115)
>     at javax.mail.Session.initLogger(Session.java:226)
>     at javax.mail.Session.<init>(Session.java:210)
>     at javax.mail.Session.getInstance(Session.java:247)
>     at com.MHSoftware.net.mail.MHMail.sendSMTP(MHMail.java:470)
>
> Line 144 of ClassLoaderLogManager is the addLogger method trying to read the .level property for the logger being created.
>
> The catalina.policy is pretty much the stock one. I'm confused because the catalina.policy has:
>
> grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
>     permission java.lang.RuntimePermission "getClassLoader";
>
> The page in question that's erroring out is a JSP that's calling a per-context jar. The hierarchy looks something like:
>
> JSP ->
> context/WEB-INF/lib/jar Class File ->
> $CATALINA_BASE/lib/ MH Software.jar ->
> $CATALINA_BASE javax.mail.jar ->
> $CATALINA_HOME/bin/tomcat-juli.jar
>
> $CATALINA_BASE/lib, has the grant for java.security.AllPermission;
>
> I don't know if this makes a difference, but I'm using log4j, and following the instructions here:
>
> http://tomcat.apache.org/tomcat-7.0-doc/logging.html#Using_Log4j
>
> I've made $CATALINA_BASE/conf/logging.properties an empty file.
>
> Finally, it SEEMS to only be happening in JSP files. calls directly from classes in the context jar file don't seem to be failing.
>
> If anyone could point me in the right direction, I would really appreciate it.

I filed an issue for this into bugzilla:
https://issues.apache.org/bugzilla/show_bug.cgi?id=56776

> per-context jar. The hierarchy looks something like:
>
> JSP ->
> context/WEB-INF/lib/jar Class File ->
> $CATALINA_BASE/lib/ MH Software.jar ->
> $CATALINA_BASE javax.mail.jar ->
> $CATALINA_HOME/bin/tomcat-juli.jar
>
> $CATALINA_BASE/lib, has the grant for java.security.AllPermission;
>

Unless all classes in the call chain have the necessary permission ("java.lang.RuntimePermission" "getClassLoader") the call won't be allowed.

A workaround is to grant that permission to web applications, but I would not really recommend that as a long-term solution, as it makes the system less secure.

It should be possible to fix this at Tomcat side, thus I filed the issue.

Best regards,
Konstantin Kolinko
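The call-chain rule in the reply above can be made concrete with a small model of the JVM's stack-based permission check, run over the call hierarchy from the original post. This is an added example, not part of the thread and not JDK or Tomcat code: the code-source labels and permission sets are constructed, the grant to the WEB-INF/lib jar is an assumption chosen so the model reproduces the report that only JSP callers fail, and the privileged frame illustrates the general doPrivileged mechanism rather than how bug 56776 was resolved.

```python
from dataclasses import dataclass, replace

ALL = "java.security.AllPermission"
GET_CL = 'java.lang.RuntimePermission "getClassLoader"'


@dataclass(frozen=True)
class Frame:
    code_source: str
    privileged: bool = False  # True if this frame called AccessController.doPrivileged


def implies(granted, perm):
    """A protection domain allows perm if it holds it directly or holds AllPermission."""
    return ALL in granted or perm in granted


def check_permission(stack, policy, perm):
    """Model of the access check. `stack` lists frames outermost caller first.

    Every frame from the innermost one outward must be granted `perm`; the walk
    stops after the first privileged frame. Returns the code source that causes
    the denial, or None when access is allowed.
    """
    for frame in reversed(stack):
        if not implies(policy.get(frame.code_source, set()), perm):
            return frame.code_source
        if frame.privileged:
            break
    return None


# Constructed policy mirroring the grants described in the post.
POLICY = {
    "JSP": set(),                                  # compiled JSP: stock webapp grants only
    "WEB-INF/lib jar": {GET_CL},                   # assumption, see lead-in
    "$CATALINA_BASE/lib": {ALL},                   # stated in the post
    "javax.mail.jar": {ALL},                       # assumed to share the lib grant
    "tomcat-juli.jar": {GET_CL},                   # grant quoted from catalina.policy
}

CHAIN = [Frame(name) for name in POLICY]           # JSP -> ... -> tomcat-juli.jar


def scenarios():
    # 1. Full chain from the JSP: the least-privileged caller decides the outcome.
    from_jsp = check_permission(CHAIN, POLICY, GET_CL)
    # 2. Same call entered from the context jar, with no JSP frame on the stack.
    from_jar = check_permission(CHAIN[1:], POLICY, GET_CL)
    # 3. Trusted library frame asserts its own privileges: callers are not consulted.
    privileged_chain = CHAIN[:-1] + [replace(CHAIN[-1], privileged=True)]
    with_privileged = check_permission(privileged_chain, POLICY, GET_CL)
    # 4. The workaround: grant the permission to the web application code itself,
    #    which also hands getClassLoader to every other call that code makes.
    widened = dict(POLICY, JSP={GET_CL})
    with_workaround = check_permission(CHAIN, widened, GET_CL)
    return {
        "from_jsp": from_jsp,
        "from_jar": from_jar,
        "with_privileged": with_privileged,
        "with_workaround": with_workaround,
    }


if __name__ == "__main__":
    for name, denied_by in scenarios().items():
        print(f"{name:16} -> {'allowed' if denied_by is None else 'denied by ' + denied_by}")
```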
Security Manager Exception
On 7/22/2014 11:04 AM, George Sexton wrote:
> I'm using Tomcat 7.0.54 with the security manager. I'm getting an exception I don't understand:
>
> 2014-07-22 09:27:03,934 [http-bio-80-exec-64] ERROR org.apache.catalina.core.ContainerBase.[Catalina].[somehostname.mhsoftware.com].[/].[jsp]- Servlet.service() for servlet [jsp] in context with path [] threw exception [java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")] with root cause
> java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")
>     at java.security.AccessControlContext.checkPermission(Unknown Source)
>     at java.security.AccessController.checkPermission(Unknown Source)
>     at java.lang.SecurityManager.checkPermission(Unknown Source)
>     at java.lang.ClassLoader.checkClassLoaderPermission(Unknown Source)
>     at java.lang.ClassLoader.getParent(Unknown Source)
>     at org.apache.juli.ClassLoaderLogManager.findProperty(ClassLoaderLogManager.java:295)
>     at org.apache.juli.ClassLoaderLogManager.getProperty(ClassLoaderLogManager.java:266)
>     at org.apache.juli.ClassLoaderLogManager.addLogger(ClassLoaderLogManager.java:144)
>     at java.util.logging.LogManager.demandLogger(Unknown Source)
>     at java.util.logging.Logger.demandLogger(Unknown Source)
>     at java.util.logging.Logger.getLogger(Unknown Source)
>     at com.sun.mail.util.MailLogger.<init>(MailLogger.java:115)
>     at javax.mail.Session.initLogger(Session.java:226)
>     at javax.mail.Session.<init>(Session.java:210)
>     at javax.mail.Session.getInstance(Session.java:247)
>     at com.MHSoftware.net.mail.MHMail.sendSMTP(MHMail.java:470)
>
> Line 144 of ClassLoaderLogManager is the addLogger method trying to read the .level property for the logger being created.
>
> The catalina.policy is pretty much the stock one. I'm confused because the catalina.policy has:
>
> grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
>     permission java.lang.RuntimePermission "getClassLoader";
>
> The page in question that's erroring out is a JSP that's calling a per-context jar. The hierarchy looks something like:
>
> JSP ->
> context/WEB-INF/lib/jar Class File ->
> $CATALINA_BASE/lib/ MH Software.jar ->
> $CATALINA_BASE javax.mail.jar ->
> $CATALINA_HOME/bin/tomcat-juli.jar
>
> $CATALINA_BASE/lib, has the grant for java.security.AllPermission;
>
> I don't know if this makes a difference, but I'm using log4j, and following the instructions here:
>
> http://tomcat.apache.org/tomcat-7.0-doc/logging.html#Using_Log4j
>
> I've made $CATALINA_BASE/conf/logging.properties an empty file.
>
> Finally, it SEEMS to only be happening in JSP files. calls directly from classes in the context jar file don't seem to be failing.
>
> If anyone could point me in the right direction, I would really appreciate it.

Have you granted permissions to the classes in WEB-INF?

-Terence Bandoian
Re: Security Manager Exception
On 7/22/2014 9:04 AM, George Sexton wrote:
> I'm using Tomcat 7.0.54 with the security manager. I'm getting an exception I don't understand:
>
> 2014-07-22 09:27:03,934 [http-bio-80-exec-64] ERROR org.apache.catalina.core.ContainerBase.[Catalina].[somehostname.mhsoftware.com].[/].[jsp]- Servlet.service() for servlet [jsp] in context with path [] threw exception [java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")] with root cause
> java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")
>     at java.security.AccessControlContext.checkPermission(Unknown Source)
>     at java.security.AccessController.checkPermission(Unknown Source)
>     at java.lang.SecurityManager.checkPermission(Unknown Source)
>     at java.lang.ClassLoader.checkClassLoaderPermission(Unknown Source)
>     at java.lang.ClassLoader.getParent(Unknown Source)
>     at org.apache.juli.ClassLoaderLogManager.findProperty(ClassLoaderLogManager.java:295)
>     at org.apache.juli.ClassLoaderLogManager.getProperty(ClassLoaderLogManager.java:266)
>     at org.apache.juli.ClassLoaderLogManager.addLogger(ClassLoaderLogManager.java:144)
>     at java.util.logging.LogManager.demandLogger(Unknown Source)
>     at java.util.logging.Logger.demandLogger(Unknown Source)
>     at java.util.logging.Logger.getLogger(Unknown Source)
>     at com.sun.mail.util.MailLogger.<init>(MailLogger.java:115)
>     at javax.mail.Session.initLogger(Session.java:226)
>     at javax.mail.Session.<init>(Session.java:210)
>     at javax.mail.Session.getInstance(Session.java:247)
>     at com.MHSoftware.net.mail.MHMail.sendSMTP(MHMail.java:470)
>
> Line 144 of ClassLoaderLogManager is the addLogger method trying to read the .level property for the logger being created.
>
> The catalina.policy is pretty much the stock one. I'm confused because the catalina.policy has:
>
> grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
>     permission java.lang.RuntimePermission "getClassLoader";
>
> The page in question that's erroring out is a JSP that's calling a per-context jar. The hierarchy looks something like:
>
> JSP ->
> context/WEB-INF/lib/jar Class File ->
> $CATALINA_BASE/lib/ MH Software.jar ->
> $CATALINA_BASE javax.mail.jar ->
> $CATALINA_HOME/bin/tomcat-juli.jar
>
> $CATALINA_BASE/lib, has the grant for java.security.AllPermission;
>
> I don't know if this makes a difference, but I'm using log4j, and following the instructions here:
>
> http://tomcat.apache.org/tomcat-7.0-doc/logging.html#Using_Log4j
>
> I've made $CATALINA_BASE/conf/logging.properties an empty file.
>
> Finally, it SEEMS to only be happening in JSP files. calls directly from classes in the context jar file don't seem to be failing.
>
> If anyone could point me in the right direction, I would really appreciate it.
>

See if this helps:
http://www.oracle.com/technetwork/java/faq-135477.html#securityManager

. . . just my two cents

/mde/
Security Manager Exception
I'm using Tomcat 7.0.54 with the security manager. I'm getting an exception I don't understand:

2014-07-22 09:27:03,934 [http-bio-80-exec-64] ERROR org.apache.catalina.core.ContainerBase.[Catalina].[somehostname.mhsoftware.com].[/].[jsp]- Servlet.service() for servlet [jsp] in context with path [] threw exception [java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")] with root cause
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at java.lang.ClassLoader.checkClassLoaderPermission(Unknown Source)
    at java.lang.ClassLoader.getParent(Unknown Source)
    at org.apache.juli.ClassLoaderLogManager.findProperty(ClassLoaderLogManager.java:295)
    at org.apache.juli.ClassLoaderLogManager.getProperty(ClassLoaderLogManager.java:266)
    at org.apache.juli.ClassLoaderLogManager.addLogger(ClassLoaderLogManager.java:144)
    at java.util.logging.LogManager.demandLogger(Unknown Source)
    at java.util.logging.Logger.demandLogger(Unknown Source)
    at java.util.logging.Logger.getLogger(Unknown Source)
    at com.sun.mail.util.MailLogger.(MailLogger.java:115)
    at javax.mail.Session.initLogger(Session.java:226)
    at javax.mail.Session.(Session.java:210)
    at javax.mail.Session.getInstance(Session.java:247)
    at com.MHSoftware.net.mail.MHMail.sendSMTP(MHMail.java:470)

Line 144 of ClassLoaderLogManager is the addLogger method trying to read the .level property for the logger being created.

The catalina.policy is pretty much the stock one. I'm confused because the catalina.policy has:

grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
    permission java.lang.RuntimePermission "getClassLoader";

The page in question that's erroring out is a JSP that's calling a per-context jar. The hierarchy looks something like:

JSP -> context/WEB-INF/lib/jar Class File -> $CATALINA_BASE/lib/ MH Software.jar -> $CATALINA_BASE javax.mail.jar -> $CATALINA_HOME/bin/tomcat-juli.jar

$CATALINA_BASE/lib, has the grant for java.security.AllPermission;

I don't know if this makes a difference, but I'm using log4j, and following the instructions here:

http://tomcat.apache.org/tomcat-7.0-doc/logging.html#Using_Log4j

I've made $CATALINA_BASE/conf/logging.properties an empty file.

Finally, it SEEMS to only be happening in JSP files. Calls directly from classes in the context jar file don't seem to be failing.

If anyone could point me in the right direction, I would really appreciate it.

--
George Sexton
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com
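The post above reports a `getClassLoader` denial even though tomcat-juli.jar and `$CATALINA_BASE/lib` both hold the permission. The following added example (not part of the original post, and not Tomcat or JDK code) models the rule the Security Manager applies: every protection domain on the call stack, up to the nearest `doPrivileged()` frame, must imply the permission. The frame names follow the hierarchy in the post; the web application's grant and the `Frame` and `firstDenier` helpers are assumptions made for illustration.

```java
import java.security.AllPermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.ArrayList;
import java.util.List;
import java.util.PropertyPermission;

/**
 * Models the Security Manager's stack walk. Frame names and grants are
 * constructed for illustration; they are not read from a real catalina.policy.
 */
public class StackCheckDemo {

    /** One call-stack frame: its code source and what the policy grants that source. */
    static final class Frame {
        final String codeSource;
        final PermissionCollection granted = new Permissions();
        final boolean privileged;   // true if this frame called doPrivileged()

        Frame(String codeSource, boolean privileged, Permission... perms) {
            this.codeSource = codeSource;
            this.privileged = privileged;
            for (Permission p : perms) {
                granted.add(p);
            }
        }
    }

    /**
     * Walks from the innermost frame (index 0) outwards. Returns the code source
     * that causes the denial, or null if every consulted frame implies the permission.
     */
    static String firstDenier(List<Frame> stack, Permission wanted) {
        for (Frame f : stack) {
            if (!f.granted.implies(wanted)) {
                return f.codeSource;
            }
            if (f.privileged) {
                break;  // callers beyond a doPrivileged() frame are not consulted
            }
        }
        return null;
    }

    static List<Frame> buildStack(boolean libUsesDoPrivileged) {
        List<Frame> stack = new ArrayList<>();
        // Innermost: the logging jar, granted exactly the permission being checked.
        stack.add(new Frame("bin/tomcat-juli.jar", false,
                new RuntimePermission("getClassLoader")));
        // Shared library directory, granted AllPermission.
        stack.add(new Frame("lib/ (shared jars)", libUsesDoPrivileged,
                new AllPermission()));
        // Outermost: web application code. Its grant is an assumption: one
        // property read and no getClassLoader.
        stack.add(new Frame("webapp (JSP)", false,
                new PropertyPermission("file.encoding", "read")));
        return stack;
    }

    static String describe(String denier) {
        return denier == null ? "granted" : "denied by " + denier;
    }

    public static void main(String[] args) {
        Permission wanted = new RuntimePermission("getClassLoader");
        System.out.println("plain call chain         -> "
                + describe(firstDenier(buildStack(false), wanted)));
        System.out.println("lib calls doPrivileged() -> "
                + describe(firstDenier(buildStack(true), wanted)));
    }
}
```

With the plain call chain the check is denied by the web application frame, although both inner frames hold the permission. Once the shared-library frame is marked as calling `doPrivileged()`, the walk stops there and the permission is granted.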
Re: Some help with Security Manager
Alejandro,

On 5/4/13 8:23 PM, Alejandro Garcia wrote:
> I’m using Tomcat with JSF, ICEFaces, Spring and JPA. The configuration and the app work very well when I deploy it with the security manager disabled.

On the face of it, this appears to be a problem with JavaFaces:

> The problem is when I enable the security manager, I can’t deploy the app. In the I can see the next trace:
>
> INFO: Desplieque del descriptor de configuración C:\Users\Alejandro\AppData\Roaming\NetBeans\7.2.1\apache-tomcat-7.0.27.0_base\conf\Catalina\localhost\web-root.xml
> may 04, 2013 1:57:06 PM org.apache.catalina.core.ContainerBase addChildInternal
> SEVERE: ContainerBase.addChild: start:
> org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/web-root]]
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
> at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:895)
> at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:130)
> at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)
> at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:142)
> at java.security.AccessController.doPrivileged(Native Method)
> at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:869)
> at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:615)
> at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:649)
> at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1585)
> at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
> at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
> at java.util.concurrent.FutureTask.run(FutureTask.java:166)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> at java.lang.Thread.run(Thread.java:722)
> Caused by: java.lang.NullPointerException
> at com.sun.faces.config.InitFacesContext.cleanupInitMaps(InitFacesContext.java:278)
> at com.sun.faces.config.InitFacesContext.(InitFacesContext.java:102)
> at com.sun.faces.config.FacesInitializer.onStartup(FacesInitializer.java:114)
> at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5262)
> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> ... 15 more

Is that everything you can find in catalina.out? If so, there's not a lot we can comment on without replicating your environment, etc.

You might want to check on a JavaFaces-specific list for what might be causing this error.

-chris
Some help with Security Manager
Hi,

I’m using Tomcat with JSF, ICEFaces, Spring and JPA. The configuration and the app work very well when I deploy it with the security manager disabled.

The problem is when I enable the security manager, I can’t deploy the app. In the I can see the next trace:

INFO: Desplieque del descriptor de configuración C:\Users\Alejandro\AppData\Roaming\NetBeans\7.2.1\apache-tomcat-7.0.27.0_base\conf\Catalina\localhost\web-root.xml
may 04, 2013 1:57:06 PM org.apache.catalina.core.ContainerBase addChildInternal
SEVERE: ContainerBase.addChild: start:
org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/web-root]]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:895)
    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:130)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:142)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:869)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:615)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:649)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1585)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
    at java.util.concurrent.FutureTask.run(FutureTask.java:166)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:722)
Caused by: java.lang.NullPointerException
    at com.sun.faces.config.InitFacesContext.cleanupInitMaps(InitFacesContext.java:278)
    at com.sun.faces.config.InitFacesContext.(InitFacesContext.java:102)
    at com.sun.faces.config.FacesInitializer.onStartup(FacesInitializer.java:114)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5262)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    ... 15 more
may 04, 2013 1:57:06 PM org.apache.catalina.startup.HostConfig deployDescriptor
SEVERE: Error durante el despliegue del descriptor de configuración C:\Users\Alejandro\AppData\Roaming\NetBeans\7.2.1\apache-tomcat-7.0.27.0_base\conf\Catalina\localhost\web-root.xml
java.lang.IllegalStateException: ContainerBase.addChild: start: org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/web-root]]
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:898)
    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:130)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:142)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:869)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:615)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:649)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1585)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
    at java.util.concurrent.FutureTask.run(FutureTask.java:166)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:722)
may 04, 2013 1:57:06 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8084"]

I try to find a reason in Internet but I can’t find the correct answer for this problem. Some help, I appreciate it.

Regards
Re: Problem running my webapp with Tomcat 7.0.22.0 Security Manager enabled (Windows Vista)
On Tue, 2012-01-10 at 22:06 +, ja...@mobilewebexpert.co.uk wrote:
> Basically, I've created a webapp which runs fine on my development machine, but our actual hosting is shared (and uses a Security Manager) and some new libraries we're using throw up loads of exceptions which we need to replicate locally, hence the need for me to activate the Security Manager.
>
> If it makes things any simpler, the webapp runs as the root context. Any chance you could help me out with the code I need for catalina.policy?

Sounds like your host provider is prescribing the security constraints and you want to replicate that to see what adjustments need to be made to the app and/or the policy file. Why not grab the policy file on your target host and start with that?

> - Original Message -
> From: "Pid"
> To: "Tomcat Users List"
> Sent: Tuesday, January 10, 2012 7:47 PM
> Subject: Re: Problem running my webapp with Tomcat 7.0.22.0 Security Manager enabled (Windows Vista)
Re: Problem running my webapp with Tomcat 7.0.22.0 Security Manager enabled (Windows Vista)
ja...@mobilewebexpert.co.uk wrote:
> Basically, I've created a webapp which runs fine on my development machine, but our actual hosting is shared (and uses a Security Manager) and some new libraries we're using throw up loads of exceptions which we need to replicate locally, hence the need for me to activate the Security Manager.
>
> If it makes things any simpler, the webapp runs as the root context. Any chance you could help me out with the code I need for catalina.policy?

This is a long and tedious process, if you want to do it right. And it would require an in-depth knowledge of the application, which nobody else but you has.

Basically, the Security Manager provides a kind of "sandbox" around the applications, German-like: everything which is not specifically allowed, is forbidden. So you have to know what all the various permissions are, and then know what your application requires specifically.

There are examples at the end of the standard catalina.policy file, and I'm sure that by googling a bit on the names which you see there, you'll find what you need.

Of course, a shortcut would be:

grant codeBase "file:${catalina.home}/webapps//-" {    (*)
    permission java.security.AllPermission;
};

but then one could wonder why bothering to use a Security Manager at all..

(*) here being ROOT
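The `AllPermission` shortcut from the reply above, set beside a narrow grant, as an added example that is not part of the original message. It uses the JDK's own `implies` logic to show which operations each grant would allow; the class name, address, port and directory are constructed values.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.AllPermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.ArrayList;
import java.util.List;

/*
 * Policy-file form of the narrow grant modelled below. All values are
 * constructed for illustration (documentation address 192.0.2.10, port 5432,
 * log directory /srv/app/logs):
 *
 *   grant codeBase "file:${catalina.home}/webapps/ROOT/-" {
 *       permission java.net.SocketPermission "192.0.2.10:5432", "connect";
 *       permission java.io.FilePermission "/srv/app/logs/-", "read,write";
 *   };
 */
public class GrantComparison {

    /** The shortcut: a single AllPermission entry. */
    static PermissionCollection broadGrant() {
        Permissions p = new Permissions();
        p.add(new AllPermission());
        return p;
    }

    /** One database endpoint and one log directory, nothing else. */
    static PermissionCollection narrowGrant() {
        Permissions p = new Permissions();
        p.add(new SocketPermission("192.0.2.10:5432", "connect"));
        p.add(new FilePermission("/srv/app/logs/-", "read,write"));
        return p;
    }

    /** Operations a web application might attempt, expressed as the permissions checked. */
    static List<Permission> probes() {
        List<Permission> l = new ArrayList<>();
        l.add(new SocketPermission("192.0.2.10:5432", "connect"));   // the database
        l.add(new SocketPermission("192.0.2.10:22", "connect"));     // same host, other port
        l.add(new SocketPermission("198.51.100.7:443", "connect"));  // arbitrary outbound host
        l.add(new FilePermission("/srv/app/logs/app.log", "write"));
        l.add(new FilePermission("/srv/app/logs/2012/01/app.log", "write")); // "-" is recursive
        l.add(new FilePermission("/srv/app/logs/app.log", "delete")); // action not granted
        l.add(new FilePermission("/srv/app/conf/server.xml", "read"));
        // What SecurityManager.checkExec asks for when the command is not an absolute path.
        l.add(new FilePermission("<<ALL FILES>>", "execute"));
        l.add(new RuntimePermission("setSecurityManager"));
        return l;
    }

    public static void main(String[] args) {
        PermissionCollection broad = broadGrant();
        PermissionCollection narrow = narrowGrant();
        System.out.printf("%-8s %-8s %s%n", "broad", "narrow", "permission");
        for (Permission p : probes()) {
            System.out.printf("%-8s %-8s %s %s \"%s\"%n",
                    broad.implies(p) ? "allow" : "deny",
                    narrow.implies(p) ? "allow" : "deny",
                    p.getClass().getSimpleName(), p.getName(), p.getActions());
        }
    }
}
```

Under the narrow grant only the database connection and the two log writes are allowed; the broad grant allows all nine probes.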
Re: Problem running my webapp with Tomcat 7.0.22.0 Security Manager enabled (Windows Vista)
Basically, I've created a webapp which runs fine on my development machine, but our actual hosting is shared (and uses a Security Manager) and some new libraries we're using throw up loads of exceptions which we need to replicate locally, hence the need for me to activate the Security Manager.

If it makes things any simpler, the webapp runs as the root context. Any chance you could help me out with the code I need for catalina.policy?

- Original Message -
From: "Pid"
To: "Tomcat Users List"
Sent: Tuesday, January 10, 2012 7:47 PM
Subject: Re: Problem running my webapp with Tomcat 7.0.22.0 Security Manager enabled (Windows Vista)
Re: Problem running my webapp with Tomcat 7.0.22.0 Security Manager enabled (Windows Vista)
On 10/01/2012 15:51, ja...@mobilewebexpert.co.uk wrote:
> Thanks for the reply.
>
> Afraid I'm very new to Tomcat - please could you explain to me what changes I need to make to catalina.policy?

It can be tricky and it's application specific. You'll need to add specific policy rules that permit the application to do whatever it needs to do. E.g. access to network, file system, jars etc.

Is there a particular reason you want to enable the Security Manager? Are you hosting untrusted 3rd party applications for example?

p

> Thanks,
> James
>
> - Original Message -
> From: "Pid"
> To: "Tomcat Users List"
> Sent: Tuesday, January 10, 2012 9:19 AM
> Subject: Re: Problem running my webapp with Tomcat 7.0.22.0 Security Manager enabled (Windows Vista)
Re: Problem running my webapp with Tomcat 7.0.22.0 Security Manager enabled (Windows Vista)
Thanks for the reply.

Afraid I'm very new to Tomcat - please could you explain to me what changes I need to make to catalina.policy?

Thanks,
James

- Original Message -
From: "Pid"
To: "Tomcat Users List"
Sent: Tuesday, January 10, 2012 9:19 AM
Subject: Re: Problem running my webapp with Tomcat 7.0.22.0 Security Manager enabled (Windows Vista)
Re: Problem running my webapp with Tomcat 7.0.22.0 Security Manager enabled (Windows Vista)
On 09/01/2012 19:22, ja...@mobilewebexpert.co.uk wrote:
> Hiya,
>
> I've just turned on Tomcat's Security Manager and (not surprisingly) I'm now having a problem running my webapp. I know I probably need to specify some security privileges somewhere, but not sure where - possibly catalina.policy? Can anyone help??

Yes, in catalina.policy. Have fun.

p

> Here's the error from the log file:
>
> 09-Jan-2012 17:33:34 org.apache.catalina.core.StandardWrapperValve invoke
> SEVERE: Servlet.service() for servlet [Manager] in context with path [/manager] threw exception [Could not initialize class org.netbeans.modules.schema2beans.DDLogFlags] with root cause
> java.lang.NoClassDefFoundError: Could not initialize class org.netbeans.modules.schema2beans.DDLogFlags
> at org.netbeans.modules.schema2beans.DOMBinding.register(DOMBinding.java:166)
> at org.netbeans.modules.schema2beans.BeanProp.registerDomNode(BeanProp.java:1809)
> at org.netbeans.modules.schema2beans.GraphManager.createRootBinding(GraphManager.java:232)
> at org.netbeans.modules.schema2beans.BaseBean.createRoot(BaseBean.java:288)
> at org.netbeans.modules.web.monitor.data.MonitorData.(MonitorData.java:98)
> at org.netbeans.modules.web.monitor.data.MonitorData.(MonitorData.java:75)
> at org.netbeans.modules.web.monitor.data.MonitorData.(MonitorData.java:71)
> at org.netbeans.modules.web.monitor.server.MonitorFilter.setupDataRecord(MonitorFilter.java:484)
> at org.netbeans.modules.web.monitor.server.MonitorFilter.doFilter(MonitorFilter.java:331)
> at sun.reflect.GeneratedMethodAccessor31.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:273)
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:270)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
> at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:305)
> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:245)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
> at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:57)
> at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:193)
> at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189)
> at java.security.AccessController.doPrivileged(Native Method)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> at org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:108)
> at sun.reflect.GeneratedMethodAccessor32.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:597)
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:273)
> at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:270)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
> at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:305)
> at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:245)
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
> at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:57)
> at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:193)
> at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189)
> at java.security.AccessController.doPrivileged(Native Method)
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:581)
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
> at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
> at org.apache.catalina.core.StandardEngineValve.invoke
Re: Problem running my webapp with Tomcat 7.0.22.0 Security Manager enabled (Windows Vista)
2012/1/9 :
> Hiya,
>
> I've just turned on Tomcat's Security Manager and (not surprisingly) I'm now having a problem running my webapp. I know I probably need to specify some security privileges somewhere,

Have you read the docs?

> but not sure where - possibly catalina.policy?

That file is not used by Tomcat but by Java runtime. So whether it is used depends on what command was used to launch the JVM.

The catalina.bat/catalina.sh files use conf/catalina.policy by default. If you use something else then you are on your own to configure it properly.

> Can anyone help??
>
> Here's the error from the log file:
>
> 09-Jan-2012 17:33:34 org.apache.catalina.core.StandardWrapperValve invoke
> SEVERE: Servlet.service() for servlet [Manager] in context with path [/manager] threw exception [Could not initialize class org.netbeans.modules.schema2beans.DDLogFlags] with root cause
> java.lang.NoClassDefFoundError: Could not initialize class org.netbeans.modules.schema2beans.DDLogFlags

(...)
Problem running my webapp with Tomcat 7.0.22.0 Security Manager enabled (Windows Vista)
Hiya,

I've just turned on Tomcat's Security Manager and (not surprisingly) I'm now having a problem running my webapp. I know I probably need to specify some security privileges somewhere, but not sure where - possibly catalina.policy? Can anyone help??

Here's the error from the log file:

09-Jan-2012 17:33:34 org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [Manager] in context with path [/manager] threw exception [Could not initialize class org.netbeans.modules.schema2beans.DDLogFlags] with root cause
java.lang.NoClassDefFoundError: Could not initialize class org.netbeans.modules.schema2beans.DDLogFlags
    at org.netbeans.modules.schema2beans.DOMBinding.register(DOMBinding.java:166)
    at org.netbeans.modules.schema2beans.BeanProp.registerDomNode(BeanProp.java:1809)
    at org.netbeans.modules.schema2beans.GraphManager.createRootBinding(GraphManager.java:232)
    at org.netbeans.modules.schema2beans.BaseBean.createRoot(BaseBean.java:288)
    at org.netbeans.modules.web.monitor.data.MonitorData.(MonitorData.java:98)
    at org.netbeans.modules.web.monitor.data.MonitorData.(MonitorData.java:75)
    at org.netbeans.modules.web.monitor.data.MonitorData.(MonitorData.java:71)
    at org.netbeans.modules.web.monitor.server.MonitorFilter.setupDataRecord(MonitorFilter.java:484)
    at org.netbeans.modules.web.monitor.server.MonitorFilter.doFilter(MonitorFilter.java:331)
    at sun.reflect.GeneratedMethodAccessor31.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:273)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:270)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:305)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:245)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:57)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:108)
    at sun.reflect.GeneratedMethodAccessor32.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:273)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:270)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:305)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:245)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:57)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:581)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:405)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:964)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:515)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolE
Re: Tomcat 6: what are the risks of not using Security Manager
Jan-Willem,

On 12/14/11 4:05 AM, jwklomp wrote:
> I'm migrating existing applications to Tomcat and setting Tomcat up as described in the 'Security Configuration Benchmark for Apache Tomcat 5.5/6.0' of the Center of Internet Security.
>
> The benchmark recommends enabling the Security Manager. However, I'm experiencing that none of the apps run 'out of the box' with the Security Manager enabled. I'm contemplating not activating it, but find it hard to estimate the risk.

I'll weigh-in, too, without having read Mark's and Chuck's replies, yet.

First, running Tomcat itself under a SecurityManager should work without any problems at all, provided you launch it with the "-security" argument when calling catalina.sh (or whatever method is appropriate for your environment) because the catalina.policy file that ships with Tomcat will allow Tomcat to perform all necessary operations.

On the other hand, most non-trivial web app applications need to be able to do a handful of things such as

* Connect to a JDBC database
* Write log files
* Request files from a remote site (think XML DTDs or XSDs)

You will be responsible for modifying the catalina.policy file to allow your web application to perform such operations. You may find that configuration is such a headache (there are many permissions, and they tend to pile-up on each other) that the result is a SecurityManager policy that essentially allows all permissions to all code. Such a configuration is no better than having no SecurityManager running at all. In fact, it's worse for two reasons:

1. Performance takes a hit for all the permissions checking that must occur and
2. You are "running a SecurityManager and therefore secure" but you really aren't secure

> Our Security department is worried that without the Security Manager enabled, hackers can gain access to restricted packages, take control over Tomcat and 'hop' to other applications and machines (so basically this would imply activating the Security Manager for all applications).

So, it's true that if you restrict your web application to only being able to perform certain operations (such as connecting to a *specific* port on a *specific* server for JDBC connections, and maybe writing to a *specific* directory on your server for logging purposes) you will, in fact, reduce the area of your vulnerable surface that attackers can use to gain access.

On the other hand, pretty much everything you can do with a SecurityManager (except maybe resource limits, like preventing new Threads) can be done with other configuration as well (at least, on any relatively decent OS). For example, if you don't want to allow arbitrary outgoing TCP connections, simply configure your firewall that way. If you don't want your webapp to be able to write to anywhere on the filesystem, change your filesystem permissions or run in a chroot jail (or both!).

Sure, security should always be considered in layers and it never hurts to have redundant checks just in case you have one layer misconfigured or there is some kind of bug or security vulnerability in a particular layer. But, don't think that you "aren't secure" if you aren't running under a SecurityManager and, likewise, don't think that you "are secure" just because you are running one.

Frankly, the most vulnerable part of your web application is likely to be the application itself. SANS' top 25 software errors (should really be "vulnerabilities" IMO) lists mostly things that a SecurityManager won't protect you against (http://www.sans.org/top25-software-errors/). For instance, SQL injection repeatedly tops this list because programmers are sloppy with their parametric SQL statements. SecurityManager can't stop that. OS command injection? If you even allow your webapp to call the OS (Runtime.exec), then SecurityManager can't sanitize the parameters for you. XSS? File Upload? Open Redirect? CSRF? Those are all the fault of the webapp's programmers and cannot be protected against by running a SecurityManager.

> My question is: how secure is Tomcat without the Security Manager enabled (assuming other points from the CIS benchmark have been implemented). Is the Security Manager the guard against 'hopping' to other applications, or does Tomcat without the Security Manager already prevent this?

IMO, running a SecurityManager is a nice layer to have, but not strictly necessary. If you are running code that you have written in-house, and you trust your developers not to intentionally introduce nasty code, then you should be relatively safe. If, on the other hand, you are running code that you don't necessarily trust, or are allowing untrusted people to
Re: Tomcat 6: what are the risks of not using Security Manager
jwklomp wrote:
> Hello,
>
> I'm migrating existing applications to Tomcat and setting Tomcat up as described in the 'Security Configuration Benchmark for Apache Tomcat 5.5/6.0' of the Center of Internet Security.
>
> The benchmark recommends enabling the Security Manager. However, I'm experiencing that none of the apps run 'out of the box' with the Security Manager enabled. I'm contemplating not activating it, but find it hard to estimate the risk.
>
> Our Security department is worried that without the Security Manager enabled, hackers can gain access to restricted packages, take control over Tomcat and 'hop' to other applications and machines (so basically this would imply activating the Security Manager for all applications).
>
> My question is: how secure is Tomcat without the Security Manager enabled (assuming other points from the CIS benchmark have been implemented). Is the Security Manager the guard against 'hopping' to other applications, or does Tomcat without the Security Manager already prevent this?
>
> Regards, Jan-Willem
> --
> View this message in context: http://old.nabble.com/Tomcat-6%3A-what-are-the-risks-of-not-using-Security-Manager-tp32973301p32973301.html
> Sent from the Tomcat - User mailing list archive at Nabble.com.

It may have improved but the last time I looked at the CIS recommendations my immediate impression was that it was written by folks with zero to little understanding of Tomcat.

Without the security manager, if an application has a serious security vulnerability then an attacker can potentially do anything the user running the Tomcat process can do. This is why you should never run Tomcat as root.

With the security manager, the web application runs in a sandbox that further limits what it can do. The problem with the security manager is that if an app is not written to run under a security manager - so it uses doPrivileged() - then you often end up having to grant so many permissions that there is no point using the security manager. The other risk is that you miss a necessary permission and break the app.

My own view is that unless the app has been written to use a security manager from the beginning the availability risk using one creates is greater than any confidentiality risk that using one mitigates. However, each situation is different. YMMV.

Mark
RE: Tomcat 6: what are the risks of not using Security Manager
> From: jwklomp [mailto:janwillem.kl...@gmail.com]
> Subject: Tomcat 6: what are the risks of not using Security Manager

> My question is: how secure is Tomcat without the Security Manager enabled

Tomcat itself is secure; it's your webapps you have to think about. Can they be tricked into doing things like writing to arbitrary locations in the server file system? Only you can determine that.

 - Chuck
Tomcat 6: what are the risks of not using Security Manager
Hello,

I'm migrating existing applications to Tomcat and setting Tomcat up as described in the 'Security Configuration Benchmark for Apache Tomcat 5.5/6.0' of the Center of Internet Security.

The benchmark recommends enabling the Security Manager. However, I'm experiencing that none of the apps run 'out of the box' with the Security Manager enabled. I'm contemplating not activating it, but find it hard to estimate the risk.

Our Security department is worried that without the Security Manager enabled, hackers can gain access to restricted packages, take control over Tomcat and 'hop' to other applications and machines (so basically this would imply activating the Security Manager for all applications).

My question is: how secure is Tomcat without the Security Manager enabled (assuming other points from the CIS benchmark have been implemented). Is the Security Manager the guard against 'hopping' to other applications, or does Tomcat without the Security Manager already prevent this?

Regards, Jan-Willem
Re: Enable Security Manager in Tomcat 5
After a day's googling, trial and error, I finally realised that the person who migrated the website from Linux to Windows did not change the paths in catalina.policy. I got a fresh copy of catalina.policy from the Tomcat 5 installation and re-added my bits of security settings, and it is working now.

Conway

From: Conway Liu
To: users@tomcat.apache.org
Sent: Thu, 12 May, 2011 11:37:17 AM
Subject: Enable Security Manager in Tomcat 5

Good day!

For testing purposes I have set up a website to run in Tomcat 5, Tomcat 6, and Tomcat 7. The site runs on Windows Server 2008 R2, and I used the service.bat to install the Windows service so that I can start and stop the site.

When it came to enabling the security manager, I read somewhere on the web a suggestion to add the following code into service.bat:

    "%EXECUTABLE%" //US//%SERVICE_NAME% ++JvmOptions "-Djava.security.manager"
    "%EXECUTABLE%" //US//%SERVICE_NAME% ++JvmOptions "-Djava.security.policy==c:\mywebapp\conf\catalina.policy"

I did accordingly for all three versions of Tomcat. This worked for my website in Tomcat 6 and 7. However, when starting the Tomcat 5 service, the service could not start. Reviewing the stderr log file I see this information:

    java.security.AccessControlException: access denied (java.util.PropertyPermission catalina.home read)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
        at java.security.AccessController.checkPermission(AccessController.java:546)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
        at java.lang.System.getProperty(System.java:650)
        at org.apache.catalina.startup.Bootstrap.setCatalinaHome(Bootstrap.java:478)
        at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:210)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:410)

I then tried to put the following into catalina.policy but it didn't help.

    grant {
        permission java.util.PropertyPermission "catalina.home", "read";
    };

I have tried to google further, but so far haven't found the solution. If anyone knows what I should do, I would very much appreciate being pointed in the right direction.

Thanks in advance
Conway
Enable Security Manager in Tomcat 5
Good day!

For testing purposes I have set up a website to run in Tomcat 5, Tomcat 6, and Tomcat 7. The site runs on Windows Server 2008 R2, and I used the service.bat to install the Windows service so that I can start and stop the site.

When it came to enabling the security manager, I read somewhere on the web a suggestion to add the following code into service.bat:

    "%EXECUTABLE%" //US//%SERVICE_NAME% ++JvmOptions "-Djava.security.manager"
    "%EXECUTABLE%" //US//%SERVICE_NAME% ++JvmOptions "-Djava.security.policy==c:\mywebapp\conf\catalina.policy"

I did accordingly for all three versions of Tomcat. This worked for my website in Tomcat 6 and 7. However, when starting the Tomcat 5 service, the service could not start. Reviewing the stderr log file I see this information:

    java.security.AccessControlException: access denied (java.util.PropertyPermission catalina.home read)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
        at java.security.AccessController.checkPermission(AccessController.java:546)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
        at java.lang.System.getProperty(System.java:650)
        at org.apache.catalina.startup.Bootstrap.setCatalinaHome(Bootstrap.java:478)
        at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:210)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:410)

I then tried to put the following into catalina.policy but it didn't help.

    grant {
        permission java.util.PropertyPermission "catalina.home", "read";
    };

I have tried to google further, but so far haven't found the solution. If anyone knows what I should do, I would very much appreciate being pointed in the right direction.

Thanks in advance
Conway
Re: JDBC Leak Prevention and Security Manager
On 08/10/2010 21:20, George Sexton wrote:
> Could anyone give me a hint as to what I need to add to the catalina.policy file to make this work?
>
> Should I file this as a bug?

https://issues.apache.org/bugzilla/show_bug.cgi?id=49209

Mark
JDBC Leak Prevention and Security Manager
I'm running Tomcat 6.0.29 with the security manager enabled. I'm getting these entries in my log:

    2010-10-07 12:09:01,710 WARN http-80-76 org.apache.catalina.loader.WebappClassLoader - JDBC driver de-registration failed for web application []
    java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.catalina.loader.WebappClassLoader.clearReferencesJdbc(WebappClassLoader.java:1960)
        at org.apache.catalina.loader.WebappClassLoader.clearReferences(WebappClassLoader.java:1880)
        .
    Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
        at java.security.AccessController.checkPermission(AccessController.java:546)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        at java.lang.Class.getClassLoader(Class.java:594)
        at org.apache.catalina.loader.JdbcLeakPrevention.clearJdbcDriverRegistrations(JdbcLeakPrevention.java:49)
        ... 44 more

Could anyone give me a hint as to what I need to add to the catalina.policy file to make this work?

Should I file this as a bug?

George Sexton
MH Software, Inc.
303 438-9585
www.mhsoftware.com
Re: Running tomcat/6.0.26 with security manager generates ORACLE jdbc error
hi Christopher

The problem was that there was an attempt to access \c:\{$catalina.base}\lib\ojdbc6.jar rather than c:\{$catalina.base}\lib\ojdbc6.jar. When I added a new rule the error went away.

-suresh

Christopher Schultz-2 wrote:
> Suresh,
>
> On 4/22/2010 8:33 PM, suresht wrote:
>> I see a char array being set to a number.
>> charstring1[charstring1-1] = 0;
>
> That's obviously not actual code. Can you decompile or otherwise browse the source of the method where the exception occurs?
>
> -chris
Re: Running tomcat/6.0.26 with security manager generates ORACLE jdbc error
The problem was that the Oracle jar in the {catalina.base}\lib dir was getting called with \ at the start. When I added the AllProperty policy rule for that \file:{catalina.base}\lib\- this error went away.

suresht wrote:
> hi Christopher,
> I see a char array being set to a number.
> charstring1[charstring1-1] = 0;
>
> Christopher Schultz-2 wrote:
>> Suresh,
>>
>> On 4/22/2010 4:51 PM, suresht wrote:
>>> i have attached a copy of the policy file.
>>
>> It was stripped by the list.
>>
>>> yes that is true but the command line application includes the security manager with equivalent policy
>>
>> Ok.
>>
>>> The web application works fine without the security manager.
>>
>> Since the error occurs in the JDBC driver, I would imagine that the problem is there: the driver is not properly checking array bounds when accessing a String.
>>
>> Now, more than likely it's some String that is no longer available due to the presence of the SecurityManager, but we'll never know what the "real" problem is until we can get a report of what String the driver can't read properly.
>>
>> Do you have the source code of the JDBC driver? Can you decompile it to find out what is blowing up?
>>
>> -chris
Re: Running tomcat/6.0.26 with security manager generates ORACLE jdbc error
Suresh,

On 4/22/2010 8:33 PM, suresht wrote:
> I see a char array being set to a number.
> charstring1[charstring1-1] = 0;

That's obviously not actual code. Can you decompile or otherwise browse the source of the method where the exception occurs?

-chris
Re: Running tomcat/6.0.26 with security manager generates ORACLE jdbc error
hi Christopher,

I see a char array being set to a number.

charstring1[charstring1-1] = 0;

Christopher Schultz-2 wrote:
> Suresh,
>
> On 4/22/2010 4:51 PM, suresht wrote:
>> i have attached a copy of the policy file.
>
> It was stripped by the list.
>
>> yes that is true but the command line application includes the security manager with equivalent policy
>
> Ok.
>
>> The web application works fine without the security manager.
>
> Since the error occurs in the JDBC driver, I would imagine that the problem is there: the driver is not properly checking array bounds when accessing a String.
>
> Now, more than likely it's some String that is no longer available due to the presence of the SecurityManager, but we'll never know what the "real" problem is until we can get a report of what String the driver can't read properly.
>
> Do you have the source code of the JDBC driver? Can you decompile it to find out what is blowing up?
>
> -chris
Re: Running tomcat/6.0.26 with security manager generates ORACLE jdbc error
Suresh,

On 4/22/2010 4:51 PM, suresht wrote:
> i have attached a copy of the policy file.

It was stripped by the list.

> yes that is true but the command line application includes the security manager with equivalent policy

Ok.

> The web application works fine without the security manager.

Since the error occurs in the JDBC driver, I would imagine that the problem is there: the driver is not properly checking array bounds when accessing a String.

Now, more than likely it's some String that is no longer available due to the presence of the SecurityManager, but we'll never know what the "real" problem is until we can get a report of what String the driver can't read properly.

Do you have the source code of the JDBC driver? Can you decompile it to find out what is blowing up?

-chris
Re: Running tomcat/6.0.26 with security manager generates ORACLE jdbc error
hi Christopher

I have attached a copy of the policy file.

yes that is true but the command line application includes the security manager with equivalent policy,

Tomcat + your webapp + Oracle JDBC Driver + SecurityManager = Exception
Some other app + Oracle JDBC Driver = no exception

I am running oracle jdbc thin driver ConnectionPool

http://old.nabble.com/file/p28334465/catalina.policy.2 catalina.policy.2

"11.1.0.7.0-Produ"

The web application works fine without the security manager.

Christopher Schultz-2 wrote:
> Suresh,
>
> On 4/22/2010 3:19 PM, suresht wrote:
>> when I run TOMCAT using -security option on Java 1.6 jdk, I get following error. I added policy definitions for all properties, oraclejars and JNDIpermission for the context.
>
> Care to share those policy definitions?
>
>> java.lang.ArrayIndexOutOfBoundsException: -1
>>
>> oracle.jdbc.driver.T4CTTIoauthenticate.setSessionFields(T4CTTIoauthenticate.java:942)
>
> Are you running the latest version of Oracle's JDBC driver?
>
>> when I run the similar program outside tomcat with -security it runs fine. any thoughts
>
> Tomcat + your webapp + Oracle JDBC Driver + SecurityManager = Exception
> Some other app + Oracle JDBC Driver = no exception
>
> There are very few common terms in those two equations. Are you sure they have any relation to one another?
>
> For instance, are you running your "similar program" with the same policy file? Are you running through the same code that your webapp does?
>
> You never said whether your webapp works properly without the SecurityManager installed.
>
> -chris
Re: Running tomcat/6.0.26 with security manager generates ORACLE jdbc error
Suresh,

On 4/22/2010 3:19 PM, suresht wrote:
> when I run TOMCAT using -security option on Java 1.6 jdk, I get following error. I added policy definitions for all properties, oraclejars and JNDIpermission for the context.

Care to share those policy definitions?

> java.lang.ArrayIndexOutOfBoundsException: -1
>
> oracle.jdbc.driver.T4CTTIoauthenticate.setSessionFields(T4CTTIoauthenticate.java:942)

Are you running the latest version of Oracle's JDBC driver?

> when I run the similar program outside tomcat with -security it runs fine. any thoughts

Tomcat + your webapp + Oracle JDBC Driver + SecurityManager = Exception
Some other app + Oracle JDBC Driver = no exception

There are very few common terms in those two equations. Are you sure they have any relation to one another?

For instance, are you running your "similar program" with the same policy file? Are you running through the same code that your webapp does?

You never said whether your webapp works properly without the SecurityManager installed.

-chris
Running tomcat/6.0.26 with security manager generates ORACLE jdbc error
hi Users,

when I run TOMCAT using -security option on Java 1.6 jdk, I get following error. I added policy definitions for all properties, oraclejars and JNDIpermission for the context.

    org.apache.jasper.JasperException: java.lang.ArrayIndexOutOfBoundsException: -1
        org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:491)
        org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:419)
        org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:313)
        org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        java.lang.reflect.Method.invoke(Method.java:597)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:269)
        java.security.AccessController.doPrivileged(Native Method)
        javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
        org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:301)
        org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:162)

    root cause

    java.lang.ArrayIndexOutOfBoundsException: -1
        oracle.jdbc.driver.T4CTTIoauthenticate.setSessionFields(T4CTTIoauthenticate.java:942)
        oracle.jdbc.driver.T4CTTIoauthenticate.<init>(T4CTTIoauthenticate.java:221)
        oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:358)
        oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:508)
        oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:203)
        oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:33)
        oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:510)
        oracle.jdbc.pool.OracleDataSource.getPhysicalConnection(OracleDataSource.java:275)
        oracle.jdbc.pool.OracleDataSource.getConnection(OracleDataSource.java:206)
        xxx.yyy.CPC.data.DAOUtil.getConnection(Unknown Source)
        xxx.yyy.CPC.logging.LogDAO.createLog(Unknown Source)
        xxx.yyy.CPC.logging.DBLogger.db(Unknown Source)
        org.apache.jsp.CPC.Default_jsp._jspService(Default_jsp.java:90)
        org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:377)
        org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:313)
        org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260)
        javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        java.lang.reflect.Method.invoke(Method.java:597)
        org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:269)
        java.security.AccessController.doPrivileged(Native Method)
        javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
        org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:301)
        org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:162)

when I run the similar program outside tomcat with -security it runs fine. any thoughts

-suresh
Re: ubuntu 9.10 tomcat6 security manager blocks access to system.properties
2009/12/23 Mike Power :
> This is not useful information; I have read this.
>
> It does not answer my specific question.
> Is it or is it not wrong for a read request via java.lang.System.getProperties to trigger an access request for both read and write permissions?
>
> Konstantin Kolinko wrote:
>> 2009/12/23 Mike Power :
>>> I am not sure if I am reading the stack trace right. I have a war that is trying to read its configuration from the system.properties.
>>>
>>> It seems that tomcat6 is applying read write checks on calls to java.lang.System.getProperties. Am I observing the details correctly? That seems to be the wrong permission check to make; as a result the application cannot be initialized.
>>>
>>> Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission * read,write)
>>>     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:342)
>>>     at java.security.AccessController.checkPermission(AccessController.java:553)
>>>     at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
>>>     at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1269)
>>>     at java.lang.System.getProperties(System.java:599)
>>>     at org.sonatype.nexus.web.PlexusContainerConfigurationUtils.buildContext(PlexusContainerConfigurationUtils.java:93)
>>
>> Start reading here:
>> http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html
>>
>> Also
>> http://java.sun.com/javase/technologies/security/index.jsp
>> http://java.sun.com/javase/6/docs/technotes/guides/security/PolicyFiles.html
>>
>> Best regards,
>> Konstantin Kolinko

1. Do not top-post

2. You are asking whether "java.lang.System.getProperties" should check for write + read? That is not our code, so it is off-topic here.

3. My personal opinion, though, is that code that is supposed to run under SecurityManager should use System.getProperty(), not System.getProperties(). Asking for read access to all properties is certainly too much for common usage. Also I suppose that the map returned by getProperties() allows both reading and writing, though I never tried the latter.
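The difference between the two calls discussed in this thread can be observed directly. The following is an added example, not code from the thread, from Tomcat or from Nexus; the class names `PropertyCheckDemo` and `RecordingManager` are hypothetical, and it assumes a JDK on which a SecurityManager can still be installed at run time (JDK 8 to 17 as is, JDK 18 to 23 with `-Djava.security.manager=allow`).

```java
import java.security.Permission;
import java.security.Permissions;
import java.util.ArrayList;
import java.util.List;
import java.util.PropertyPermission;

/** Hypothetical demo class: shows which PropertyPermission each System call asks for. */
public class PropertyCheckDemo {

    /** Permits everything; records the PropertyPermission checks made by the installing thread. */
    static final class RecordingManager extends SecurityManager {
        private final Thread owner = Thread.currentThread();
        final List<Permission> seen = new ArrayList<>();

        @Override
        public void checkPermission(Permission perm) {
            // checkPropertiesAccess() and checkPropertyAccess(key) both route here.
            if (perm instanceof PropertyPermission && Thread.currentThread() == owner) {
                seen.add(perm);
            }
            // Never throws, so nothing is actually denied in this demo.
        }
    }

    /** Runs the action and returns the property checks it triggered. */
    static List<Permission> checksFor(RecordingManager sm, Runnable action) {
        sm.seen.clear();
        action.run();
        return new ArrayList<>(sm.seen);
    }

    /** True if a policy containing only {@code grant} would satisfy {@code required}. */
    static boolean covers(Permission grant, Permission required) {
        Permissions granted = new Permissions();
        granted.add(grant);
        return granted.implies(required);
    }

    public static void main(String[] args) {
        RecordingManager sm = new RecordingManager();
        System.setSecurityManager(sm);

        // Bulk access: one check for every property, with both actions.
        List<Permission> bulk = checksFor(sm, () -> System.getProperties());
        // Single-key access: one check for that key, read only.
        List<Permission> single = checksFor(sm, () -> System.getProperty("catalina.home"));

        System.setSecurityManager(null);

        // Policy-file equivalents of the two grants compared below:
        //   permission java.util.PropertyPermission "catalina.*", "read";
        //   permission java.util.PropertyPermission "*", "read,write";
        Permission narrow = new PropertyPermission("catalina.*", "read");
        Permission broad = new PropertyPermission("*", "read,write");

        System.out.println("System.getProperties() checked:    " + bulk);
        System.out.println("System.getProperty(key) checked:   " + single);
        for (Permission p : bulk) {
            System.out.println("narrow grant covers " + p + ": " + covers(narrow, p));
            System.out.println("broad grant covers  " + p + ": " + covers(broad, p));
        }
        for (Permission p : single) {
            System.out.println("narrow grant covers " + p + ": " + covers(narrow, p));
        }
    }
}
```

Run with `java PropertyCheckDemo.java` on JDK 11 to 17, or compile with `javac` first on JDK 8. The recorded permissions match the ones named in the two stack traces quoted on this page: `* read,write` from `checkPropertiesAccess` and `catalina.home read` from `checkPropertyAccess`.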
Re: ubuntu 9.10 tomcat6 security manager blocks access to system.properties
This is not useful information; I have read this.

It does not answer my specific question.
Is it or is it not wrong for a read request via java.lang.System.getProperties to trigger an access request for both read and write permissions?

Konstantin Kolinko wrote:
> 2009/12/23 Mike Power :
>> I am not sure if I am reading the stack trace right. I have a war that is trying to read its configuration from the system.properties.
>>
>> It seems that tomcat6 is applying read write checks on calls to java.lang.System.getProperties. Am I observing the details correctly? That seems to be the wrong permission check to make; as a result the application cannot be initialized.
>>
>> Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission * read,write)
>>     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:342)
>>     at java.security.AccessController.checkPermission(AccessController.java:553)
>>     at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
>>     at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1269)
>>     at java.lang.System.getProperties(System.java:599)
>>     at org.sonatype.nexus.web.PlexusContainerConfigurationUtils.buildContext(PlexusContainerConfigurationUtils.java:93)
>
> Start reading here:
> http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html
>
> Also
> http://java.sun.com/javase/technologies/security/index.jsp
> http://java.sun.com/javase/6/docs/technotes/guides/security/PolicyFiles.html
>
> Best regards,
> Konstantin Kolinko
Re: ubuntu 9.10 tomcat6 security manager blocks access to system.properties
2009/12/23 Mike Power :
> I am not sure if I am reading the stack trace right. I have a war that is trying to read its configuration from the system.properties.
>
> It seems that tomcat6 is applying read write checks on calls to java.lang.System.getProperties. Am I observing the details correctly? That seems to be the wrong permission check to make; as a result the application cannot be initialized.
>
> Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission * read,write)
>     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:342)
>     at java.security.AccessController.checkPermission(AccessController.java:553)
>     at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
>     at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1269)
>     at java.lang.System.getProperties(System.java:599)
>     at org.sonatype.nexus.web.PlexusContainerConfigurationUtils.buildContext(PlexusContainerConfigurationUtils.java:93)

Start reading here:
http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html

Also
http://java.sun.com/javase/technologies/security/index.jsp
http://java.sun.com/javase/6/docs/technotes/guides/security/PolicyFiles.html

Best regards,
Konstantin Kolinko
ubuntu 9.10 tomcat6 security manager blocks access to system.properties
I am not sure if I am reading the stack trace right. I have a war that is trying to read its configuration from the system.properties.

It seems that tomcat6 is applying read write checks on calls to java.lang.System.getProperties. Am I observing the details correctly? That seems to be the wrong permission check to make; as a result the application cannot be initialized.

    Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission * read,write)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:342)
        at java.security.AccessController.checkPermission(AccessController.java:553)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1269)
        at java.lang.System.getProperties(System.java:599)
        at org.sonatype.nexus.web.PlexusContainerConfigurationUtils.buildContext(PlexusContainerConfigurationUtils.java:93)

Mike Power
my webapps and security manager
Hi there,

I installed tomcat5 via Fink on Snow Leopard 10.6.1 kernel 64 bits:

amadeus[2249]:/sw/var/log/tomcat5% $CATALINA_HOME/bin/catalina.sh version
Using CATALINA_BASE:   /sw/var/tomcat5
Using CATALINA_HOME:   /sw/var/tomcat5
Using CATALINA_TMPDIR: /sw/var/tomcat5/temp
Using JRE_HOME:        /Library/Java/Home
Server version: Apache Tomcat/5.5.26
Server built:   Jan 28 2008 01:35:23
Server number:  5.5.26.0
OS Name:        Mac OS X
OS Version:     10.6.1
Architecture:   x86_64
JVM Version:    1.6.0_15-b03-219
JVM Vendor:     Apple Inc.

Tomcat's webapps examples work fine now with security manager after some tweaks in catalina.policy (added lines shown below):

grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
    permission java.lang.RuntimePermission "setContextClassLoader";
[snip]
    permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}jsp-examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
    permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}servlets-examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
};

And tomcat webapps examples now work fine with tomcat 5.5.26 and Sun Java 1.6.0_15-b03-219.

However, what I want is MY application working with security manager. After some reading and lots (and lots) of trial and error (catalina.out log helps, but it could help more...) I came to this set of policies for my application:

grant {
    //PiMS
    permission java.util.PropertyPermission "*", "read,write";
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper";
    permission javax.management.MBeanPermission "*", "*";
    permission javax.management.MBeanTrustPermission "register";
    //permission java.util.PropertyPermission "cglib.debugLocation", "read";
    permission java.net.SocketPermission "127.0.0.1:5432", "connect,resolve";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks","";
    permission javax.management.MBeanServerPermission "createMBeanServer";
    //permission java.util.PropertyPermission "net.sf.ehcache.*", "read";
    //permission java.util.PropertyPermission "java.io.tmpdir", "read";
    permission java.io.FilePermission "./conf/pims_log4j.properties", "read";
    permission java.io.FilePermission "./conf/Hibernate.log.txt", "read, write";
    permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}pims${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
};

It works now, but the problem is the line:

    permission java.util.PropertyPermission "*", "read,write";

If I comment this line and uncomment the others, I got that in catalina.out:

[snip]
INFO: XML validation disabled
Read of system Properties blocked -- ignoring any configuration via System properties, and using Empty Properties! (But any configuration via a resource properties files is still okay!)
java.security.AccessControlException: access denied (java.util.PropertyPermission * read,write)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
[snip]
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)
Read of system Properties blocked -- ignoring any configuration via System properties, and using Empty Properties! (But any configuration via a resource properties files is still okay!)
java.security.AccessControlException: access denied (java.util.PropertyPermission * read,write)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
[snip]
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)
16:00:40,027 INFO:MLog -MLog clients using log4j logging.
16:00:40,200 INFO:C3P0Registry -jdk1.5 management interfaces unavailable... JMX support disabled.
java.security.AccessControlException: access denied (javax.management.MBeanServerPermission createMBeanServer)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
[snip]
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)
16:00:40,223 WARN:PoolConfig -Read of system Properties blocked -- ignoring any c3p0 configuration via System properties! (But any configuration via a c3p0.properties file is still okay!)
java.security.AccessControlException: access denied (java.util.PropertyPermission
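The stack trace in Mike Power's post ends in System.getProperties(), which checks PropertyPermission "*" "read,write" on the whole table, whereas System.getProperty(key) checks only a read on that one key; the permission denied in Alan's log is the same whole-table one. The Java sketch below is an added example, not code from either post or from Tomcat: it evaluates the three commented-out narrow grants from the policy against both checks using implies() only, without installing a SecurityManager. The class and method names and the key net.sf.ehcache.example are constructed for illustration.

```java
import java.security.Permission;
import java.security.Permissions;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.PropertyPermission;

public class PropertyPermissionCheck {

    // What System.getProperties() asks for: the whole table, read and write.
    static final Permission WHOLE_TABLE = new PropertyPermission("*", "read,write");

    // What System.getProperty(key) asks for: a read on that one key.
    static Permission readOf(String key) {
        return new PropertyPermission(key, "read");
    }

    // The three narrow grants from the commented-out policy lines in the post.
    static Permissions narrowGrants() {
        Permissions granted = new Permissions();
        granted.add(new PropertyPermission("cglib.debugLocation", "read"));
        granted.add(new PropertyPermission("net.sf.ehcache.*", "read"));
        granted.add(new PropertyPermission("java.io.tmpdir", "read"));
        return granted;
    }

    // Least-privilege alternative to getProperties(): read only the named keys
    // that the grants cover, and mark the rest as denied instead of throwing.
    static Map<String, String> snapshot(Permissions granted, String... keys) {
        Map<String, String> out = new LinkedHashMap<>();
        for (String key : keys) {
            if (granted.implies(readOf(key))) {
                out.put(key, String.valueOf(System.getProperty(key)));
            } else {
                out.put(key, "<denied by policy>");
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Narrow per-key grants never add up to the whole-table permission,
        // so any library that calls getProperties() is still denied.
        Permissions narrow = narrowGrants();
        System.out.println("narrow grants allow getProperties(): "
                + narrow.implies(WHOLE_TABLE));

        // A read-only wildcard is not enough either: the check includes "write".
        Permissions readAll = new Permissions();
        readAll.add(new PropertyPermission("*", "read"));
        System.out.println("\"*\" read allows getProperties(): "
                + readAll.implies(WHOLE_TABLE));

        // Per-key reads: covered by an exact grant, by the ".*" wildcard grant,
        // and not covered at all (user.home).
        snapshot(narrow, "java.io.tmpdir", "net.sf.ehcache.example", "user.home")
                .forEach((k, v) -> System.out.println(k + " = " + v));
    }
}
```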
Re: webapps examples and security manager
On 24/09/2009 15:19, Alan wrote: Well, I'll try to make it clearer: Situation: Ubuntu 9.04 with SUN Java 1.6 and tomcat 5.5.26 with security mode (default in Debian/Ubuntu). Testing tomcat-webapps examples. A clean install and everything seems to work, except that nothing is written in /var/log/tomcat5.5 To solve this issue, I had to add: permission java.lang.RuntimePermission "setContextClassLoader"; in /etc/tomcat5.5/policy.d/03catalina.policy. If using openJDK instead of Sun Java, this is not necessary. The patch I sent before is for those using tomcat5.5.26 in Mac OSX and Fink use this distribution. Did it help? You seemed to be suggesting that there were multiple problems, or was that a figure of speech? Faint alarm bells were ringing... p Alan On Thu, Sep 24, 2009 at 14:57, Pid wrote: On 24/09/2009 14:11, Alan wrote: Hallelujah! I finally figured out what's going on with tomcat 5.5.26 when running webapps in security mode. In Ubuntu 9.04, with just the addition of 'permission java.lang.RuntimePermission "setContextClassLoader";' in catalina.policy solved the problem. This is happen because ubuntu has its own way of starting the deamon and apparently they fixed some problems that in tomcat 5.5.26 official distribution is not. Really? Could you let us know what? p Since Fink also use the official distribution, I found out that I need to tweak catalina.policy a bit further there. See the patch: --- catalina.policy 2009-09-24 13:51:41.0 +0100 +++ /Users/alan/SCRIPTS/catalina.policy 2009-09-24 13:50:24.0 +0100 @@ -66,7 +66,7 @@ }; // These permissions apply to the commons-logging API -grant codeBase "file:${catalina.home}/bin/commons-logging-api.jar" { +grant codeBase "file:${catalina.home}/bin/commons-logging-api-1.1.1.jar" { permission java.security.AllPermission; }; 
@@ -82,6 +82,7 @@ // These permissions apply to JULI grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { +permission java.lang.RuntimePermission "setContextClassLoader"; permission java.util.PropertyPermission "java.util.logging.config.class", "read"; permission java.util.PropertyPermission "java.util.logging.config.file", "read"; permission java.lang.RuntimePermission "shutdownHooks"; 
@@ -95,6 +96,8 @@ // Be sure that the logging configuration is secure before enabling such access // eg for the examples web application: // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read"; +permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}jsp-examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read"; +permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}servlets-examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read"; }; // These permissions apply to the servlet API classes This basic solved my problems. Alan On Wed, Sep 23, 2009 at 22:58, Alanwrote: Many thanks dear Mark. It's late here too but I finally, with your diligent and precious help, I could figure out what's going on here and even manage to have tomcat with security working for tomcat6.0.20 and tomcat5.5.28 (but not for tomcat5.5.26, last version available for Mac via Fink). Thank you very much. Alan On Wed, Sep 23, 2009 at 21:42, Mark Thomaswrote: Mark Thomas wrote: Mark Thomas wrote: Alan wrote: Thanks Mark, let's deal by parts: OK. I've reproduced it. It is happening with 1.6.0_14 and 1.6.0_16 JVMs but not a 1.6.0_00 JVM. The latest 1.5 JVM seems OK too. Time to check the release notes. I'll hopefully have a workaround (other than using Java 1.5) shortly. Still not clear why it is required for later JVM versions It is late and I have been in front my PC for too long today. This has already been fixed (by me!) in trunk and proposed for 6.0.x and 5.5.x. It looks the implementation of LogManager (ClassLoaderLogManager extends LogManager) has changed - hence the need for the new permission. 
Mark
Re: webapps examples and security manager
Well, I'll try to make it clearer: Situation: Ubuntu 9.04 with SUN Java 1.6 and tomcat 5.5.26 with security mode (default in Debian/Ubuntu). Testing tomcat-webapps examples. A clean install and everything seems to work, except that nothing is written in /var/log/tomcat5.5 To solve this issue, I had to add: permission java.lang.RuntimePermission "setContextClassLoader"; in /etc/tomcat5.5/policy.d/03catalina.policy. If using openJDK instead of Sun Java, this is not necessary. The patch I sent before is for those using tomcat5.5.26 in Mac OSX and Fink use this distribution. Did it help? Alan On Thu, Sep 24, 2009 at 14:57, Pid wrote: > On 24/09/2009 14:11, Alan wrote: >> >> Hallelujah! >> >> I finally figured out what's going on with tomcat 5.5.26 when running >> webapps in security mode. >> >> In Ubuntu 9.04, with just the addition of 'permission >> java.lang.RuntimePermission "setContextClassLoader";' in >> catalina.policy solved the problem. This is happen because ubuntu has >> its own way of starting the deamon and apparently they fixed some >> problems that in tomcat 5.5.26 official distribution is not. > > Really? Could you let us know what? > > p > > >> Since Fink also use the official distribution, I found out that I need >> to tweak catalina.policy a bit further there. See the patch: >> >> --- catalina.policy 2009-09-24 13:51:41.0 +0100 >> +++ /Users/alan/SCRIPTS/catalina.policy 2009-09-24 13:50:24.0 >> +0100 >> @@ -66,7 +66,7 @@ >> }; >> >> // These permissions apply to the commons-logging API >> -grant codeBase "file:${catalina.home}/bin/commons-logging-api.jar" { >> +grant codeBase "file:${catalina.home}/bin/commons-logging-api-1.1.1.jar" >> { >> permission java.security.AllPermission; >> }; 
>> >> @@ -82,6 +82,7 @@ >> >> // These permissions apply to JULI >> grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { >> + permission java.lang.RuntimePermission "setContextClassLoader"; >> permission java.util.PropertyPermission >> "java.util.logging.config.class", "read"; >> permission java.util.PropertyPermission >> "java.util.logging.config.file", "read"; >> permission java.lang.RuntimePermission "shutdownHooks"; 
>> @@ -95,6 +96,8 @@ >> // Be sure that the logging configuration is secure before >> enabling such access >> // eg for the examples web application: >> // permission java.io.FilePermission >> >> "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", >> "read"; >> + permission java.io.FilePermission >> >> "${catalina.base}${file.separator}webapps${file.separator}jsp-examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", >> "read"; >> + permission java.io.FilePermission >> >> "${catalina.base}${file.separator}webapps${file.separator}servlets-examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", >> "read"; >> }; >> >> // These permissions apply to the servlet API classes >> >> >> This basic solved my problems. >> >> Alan >> >> On Wed, Sep 23, 2009 at 22:58, Alan wrote: >>> >>> Many thanks dear Mark. >>> >>> It's late here too but I finally, with your diligent and precious >>> help, I could figure out what's going on here and even manage to have >>> tomcat with security working for tomcat6.0.20 and tomcat5.5.28 (but >>> not for tomcat5.5.26, last version available for Mac via Fink). >>> >>> Thank you very much. >>> >>> Alan >>> >>> On Wed, Sep 23, 2009 at 21:42, Mark Thomas wrote: Mark Thomas wrote: > > Mark Thomas wrote: >> >> Alan wrote: >>> >>> Thanks Mark, let's deal by parts: >> >> OK. I've reproduced it. It is happening with 1.6.0_14 and 1.6.0_16 >> JVMs >> but not a 1.6.0_00 JVM. >> >> The latest 1.5 JVM seems OK too. >> >> Time to check the release notes. I'll hopefully have a workaround >> (other >> than using Java 1.5) shortly. > > Still not clear why it is required for later JVM versions It is late and I have been in front my PC for too long today. This has already been fixed (by me!) in trunk and proposed for 6.0.x and 5.5.x. 
It looks the implementation of LogManager (ClassLoaderLogManager extends LogManager) has changed - hence the need for the new permission. Mark
Re: webapps examples and security manager
On 24/09/2009 14:11, Alan wrote: Hallelujah! I finally figured out what's going on with tomcat 5.5.26 when running webapps in security mode. In Ubuntu 9.04, with just the addition of 'permission java.lang.RuntimePermission "setContextClassLoader";' in catalina.policy solved the problem. This is happen because ubuntu has its own way of starting the deamon and apparently they fixed some problems that in tomcat 5.5.26 official distribution is not. Really? Could you let us know what? p Since Fink also use the official distribution, I found out that I need to tweak catalina.policy a bit further there. See the patch: --- catalina.policy 2009-09-24 13:51:41.0 +0100 +++ /Users/alan/SCRIPTS/catalina.policy 2009-09-24 13:50:24.0 +0100 @@ -66,7 +66,7 @@ }; // These permissions apply to the commons-logging API -grant codeBase "file:${catalina.home}/bin/commons-logging-api.jar" { +grant codeBase "file:${catalina.home}/bin/commons-logging-api-1.1.1.jar" { permission java.security.AllPermission; }; @@ -82,6 +82,7 @@ // These permissions apply to JULI grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { +permission java.lang.RuntimePermission "setContextClassLoader"; permission java.util.PropertyPermission "java.util.logging.config.class", "read"; permission java.util.PropertyPermission "java.util.logging.config.file", "read"; permission java.lang.RuntimePermission "shutdownHooks"; 
@@ -95,6 +96,8 @@ // Be sure that the logging configuration is secure before enabling such access // eg for the examples web application: // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read"; +permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}jsp-examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read"; +permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}servlets-examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read"; }; // These permissions apply to the servlet API classes This basic solved my problems. Alan On Wed, Sep 23, 2009 at 22:58, Alan wrote: Many thanks dear Mark. It's late here too but I finally, with your diligent and precious help, I could figure out what's going on here and even manage to have tomcat with security working for tomcat6.0.20 and tomcat5.5.28 (but not for tomcat5.5.26, last version available for Mac via Fink). Thank you very much. Alan On Wed, Sep 23, 2009 at 21:42, Mark Thomas wrote: Mark Thomas wrote: Mark Thomas wrote: Alan wrote: Thanks Mark, let's deal by parts: OK. I've reproduced it. It is happening with 1.6.0_14 and 1.6.0_16 JVMs but not a 1.6.0_00 JVM. The latest 1.5 JVM seems OK too. Time to check the release notes. I'll hopefully have a workaround (other than using Java 1.5) shortly. Still not clear why it is required for later JVM versions It is late and I have been in front my PC for too long today. This has already been fixed (by me!) in trunk and proposed for 6.0.x and 5.5.x. It looks the implementation of LogManager (ClassLoaderLogManager extends LogManager) has changed - hence the need for the new permission. 
Mark
Re: webapps examples and security manager
Hallelujah! I finally figured out what's going on with tomcat 5.5.26 when running webapps in security mode. In Ubuntu 9.04, with just the addition of 'permission java.lang.RuntimePermission "setContextClassLoader";' in catalina.policy solved the problem. This is happen because ubuntu has its own way of starting the deamon and apparently they fixed some problems that in tomcat 5.5.26 official distribution is not. Since Fink also use the official distribution, I found out that I need to tweak catalina.policy a bit further there. See the patch: --- catalina.policy 2009-09-24 13:51:41.0 +0100 +++ /Users/alan/SCRIPTS/catalina.policy 2009-09-24 13:50:24.0 +0100 @@ -66,7 +66,7 @@ }; // These permissions apply to the commons-logging API -grant codeBase "file:${catalina.home}/bin/commons-logging-api.jar" { +grant codeBase "file:${catalina.home}/bin/commons-logging-api-1.1.1.jar" { permission java.security.AllPermission; }; @@ -82,6 +82,7 @@ // These permissions apply to JULI grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { +permission java.lang.RuntimePermission "setContextClassLoader"; permission java.util.PropertyPermission "java.util.logging.config.class", "read"; permission java.util.PropertyPermission "java.util.logging.config.file", "read"; permission java.lang.RuntimePermission "shutdownHooks"; 
@@ -95,6 +96,8 @@ // Be sure that the logging configuration is secure before enabling such access // eg for the examples web application: // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read"; +permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}jsp-examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read"; +permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}servlets-examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read"; }; // These permissions apply to the servlet API classes This basic solved my problems. Alan On Wed, Sep 23, 2009 at 22:58, Alan wrote: > Many thanks dear Mark. > > It's late here too but I finally, with your diligent and precious > help, I could figure out what's going on here and even manage to have > tomcat with security working for tomcat6.0.20 and tomcat5.5.28 (but > not for tomcat5.5.26, last version available for Mac via Fink). > > Thank you very much. > > Alan > > On Wed, Sep 23, 2009 at 21:42, Mark Thomas wrote: >> Mark Thomas wrote: >>> Mark Thomas wrote: Alan wrote: > Thanks Mark, let's deal by parts: OK. I've reproduced it. It is happening with 1.6.0_14 and 1.6.0_16 JVMs but not a 1.6.0_00 JVM. The latest 1.5 JVM seems OK too. Time to check the release notes. I'll hopefully have a workaround (other than using Java 1.5) shortly. >>> >>> Still not clear why it is required for later JVM versions >> >> >> >> It is late and I have been in front my PC for too long today. This has >> already been fixed (by me!) in trunk and proposed for 6.0.x and 5.5.x. >> It looks the implementation of LogManager (ClassLoaderLogManager extends >> LogManager) has changed - hence the need for the new permission. 
>>
>> Mark
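Review bot: In the first hunk (@@ -66,7 +66,7 @@) the codeBase now names the version-suffixed file commons-logging-api-1.1.1.jar, so the grant stops matching as soon as that jar is upgraded or renamed, and the block it guards is java.security.AllPermission. A codeBase that no longer matches grants nothing, which is the safe direction but surfaces only as new AccessControlExceptions at startup. Add a comment beside the grant saying the file name must track the jar actually present in ${catalina.home}/bin, and state in the patch description which distribution ships it under this name.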
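Review bot: The line added in the second hunk (@@ -82,6 +82,7 @@), permission java.lang.RuntimePermission "setContextClassLoader";, carries no comment saying why tomcat-juli.jar needs it. The thread ties it to 'Could not load Logmanager "org.apache.juli.ClassLoaderLogManager"' on the 1.6.0_14 to 1.6.0_16 JVMs; a one-line comment to that effect would keep a later policy cleanup from dropping it. Keeping the permission inside the tomcat-juli.jar codeBase grant, rather than in a grant block without a codeBase, is the right scope and should stay that way.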
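Review bot: The two FilePermission lines added in the third hunk (@@ -95,6 +96,8 @@) sit directly under the existing comment "Be sure that the logging configuration is secure before enabling such access", and nothing marks them as specific to the jsp-examples and servlets-examples webapps. Add a comment naming those two webapps and noting that the lines should be removed when the examples are not deployed. Each path is a single logging.properties file with "read" only, which is the narrow form to keep; do not widen it to a directory or "-" pattern.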
Re: webapps examples and security manager
Many thanks dear Mark.

It's late here too but I finally, with your diligent and precious help, I could figure out what's going on here and even manage to have tomcat with security working for tomcat6.0.20 and tomcat5.5.28 (but not for tomcat5.5.26, last version available for Mac via Fink).

Thank you very much.

Alan

On Wed, Sep 23, 2009 at 21:42, Mark Thomas wrote:
> Mark Thomas wrote:
>> Mark Thomas wrote:
>>> Alan wrote:
>>>> Thanks Mark, let's deal by parts:
>>> OK. I've reproduced it. It is happening with 1.6.0_14 and 1.6.0_16 JVMs
>>> but not a 1.6.0_00 JVM.
>>>
>>> The latest 1.5 JVM seems OK too.
>>>
>>> Time to check the release notes. I'll hopefully have a workaround (other
>>> than using Java 1.5) shortly.
>>
>> Still not clear why it is required for later JVM versions
>
> It is late and I have been in front my PC for too long today. This has
> already been fixed (by me!) in trunk and proposed for 6.0.x and 5.5.x.
> It looks the implementation of LogManager (ClassLoaderLogManager extends
> LogManager) has changed - hence the need for the new permission.
>
> Mark
Re: webapps examples and security manager
Mark Thomas wrote:
> Mark Thomas wrote:
>> Alan wrote:
>>> Thanks Mark, let's deal by parts:
>> OK. I've reproduced it. It is happening with 1.6.0_14 and 1.6.0_16 JVMs
>> but not a 1.6.0_00 JVM.
>>
>> The latest 1.5 JVM seems OK too.
>>
>> Time to check the release notes. I'll hopefully have a workaround (other
>> than using Java 1.5) shortly.
>
> Still not clear why it is required for later JVM versions

It is late and I have been in front of my PC for too long today. This has already been fixed (by me!) in trunk and proposed for 6.0.x and 5.5.x. It looks like the implementation of LogManager (ClassLoaderLogManager extends LogManager) has changed - hence the need for the new permission.

Mark
Re: webapps examples and security manager
Mark Thomas wrote:
> Alan wrote:
>> Thanks Mark, let's deal by parts:
>
> OK. I've reproduced it. It is happening with 1.6.0_14 and 1.6.0_16 JVMs
> but not a 1.6.0_00 JVM.
>
> The latest 1.5 JVM seems OK too.
>
> Time to check the release notes. I'll hopefully have a workaround (other
> than using Java 1.5) shortly.

Still not clear why it is required for later JVM versions but adding the following permission to tomcat-juli.jar fixes it for me.

permission java.lang.RuntimePermission "setContextClassLoader";

I'll get this into trunk and proposed for 6.0.x and 5.5.x

Mark
Re: webapps examples and security manager
Alan wrote:
> Thanks Mark, let's deal by parts:

OK. I've reproduced it. It is happening with 1.6.0_14 and 1.6.0_16 JVMs but not a 1.6.0_00 JVM.

The latest 1.5 JVM seems OK too.

Time to check the release notes. I'll hopefully have a workaround (other than using Java 1.5) shortly.

Mark
Re: webapps examples and security manager
Thanks Mark, let's deal by parts:

On Wed, Sep 23, 2009 at 16:33, Mark Thomas wrote:
> Alan wrote:
>> Ok, I downloaded the latest and did:
>>
>> wget -c http://mirror.ox.ac.uk/sites/rsync.apache.org/tomcat/tomcat-6/v6.0.20/bin/apache-tomcat-6.0.20.tar.gz
>> tar xvfz apache-tomcat-5.5.28.tar.gz # gnu tar
>
> What is going on here? Which version of Tomcat are you using?

amadeus[2195]:~/Programmes% $CATALINA_HOME/bin/catalina.sh version
Using CATALINA_BASE:   /Users/alan/Programmes/apache-tomcat-6.0.20
Using CATALINA_HOME:   /Users/alan/Programmes/apache-tomcat-6.0.20
Using CATALINA_TMPDIR: /Users/alan/Programmes/apache-tomcat-6.0.20/temp
Using JRE_HOME:        /System/Library/Frameworks/JavaVM.framework/Versions/CurrentJDK/Home
Server version: Apache Tomcat/6.0.20
Server built:   May 14 2009 01:13:50
Server number:  6.0.20.0
OS Name:        Mac OS X
OS Version:     10.6.1
Architecture:   x86_64
JVM Version:    1.6.0_15-b03-219
JVM Vendor:     Apple Inc.

>> cd ~/Programmes/apache-tomcat-6.0.20
>> export CATALINA_HOME=$PWD
>> amadeus[2161]:~/Programmes/apache-tomcat-6.0.20% $CATALINA_HOME/bin/catalina.sh run -security
>> Using CATALINA_BASE:   /Users/alan/Programmes/apache-tomcat-6.0.20
>> Using CATALINA_HOME:   /Users/alan/Programmes/apache-tomcat-6.0.20
>> Using CATALINA_TMPDIR: /Users/alan/Programmes/apache-tomcat-6.0.20/temp
>> Using JRE_HOME:        /System/Library/Frameworks/JavaVM.framework/Versions/CurrentJDK/Home
>
> Which JVM is this? What does:
> java -version
> return?

amadeus[2197]:~/Programmes% java -version
java version "1.6.0_15"
Java(TM) SE Runtime Environment (build 1.6.0_15-b03-219)
Java HotSpot(TM) 64-Bit Server VM (build 14.1-b02-90, mixed mode)

>> Using Security Manager
>> Please use CMSClassUnloadingEnabled in place of
>> CMSPermGenSweepingEnabled in the future
>
> Hmm. You shouldn't see that with a default Tomcat install so it looks
> like you aren't running what you think you are running.

Indeed, testing on Ubuntu, I don't get this message. More below.

>> Could not load Logmanager "org.apache.juli.ClassLoaderLogManager"
>> java.security.AccessControlException: access denied
>> (java.lang.RuntimePermission setContextClassLoader)
>>     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
>> [snip]
>
> This works out of the for me on Leopard. I don't have access to a
> machine with Snow Leopard although it is unlikely that is the issue.
>
>> So, how do I do to make at least the webapps examples that come with
>> tomcat to run smoothly with security manager? How to tweak
>> catalina.policy in order to not see all this issues in log?
>
> Indications are you aren't running a vanilla Tomcat 6.0.20 install. A
> clean install works for me in Windows, OSX and linux.
>
> Mark

I frankly don't understand what's going on, so I will put in a sort of script-like what I did.

First I got tomcat from http://tomcat.apache.org/download-60.cgi (Binary distr. -> Core). Should I get the source code and compile myself?

#--
# commands
cd
# get binary core package from a mirror
wget -c http://mirror.lividpenguin.com/pub/apache/tomcat/tomcat-6/v6.0.20/bin/apache-tomcat-6.0.20.tar.gz
# uncompress with gnu tar
tar xvfz apache-tomcat-6.0.20.tar.gz
cd apache-tomcat-6.0.20
export CATALINA_HOME=$PWD
$CATALINA_HOME/bin/catalina.sh version
$CATALINA_HOME/bin/catalina.sh run -security
#--

I did the same commands in a clean install of Ubuntu Linux 9.04 64 bits and got the same problem.

I would love to see what you get doing the commands above, or please tell me what should I change if they are not OK.

From Ubuntu:

a...@ubuntu:~/apache-tomcat-6.0.20/logs$ $CATALINA_HOME/bin/catalina.sh version
Using CATALINA_BASE:   /home/alan/apache-tomcat-6.0.20
Using CATALINA_HOME:   /home/alan/apache-tomcat-6.0.20
Using CATALINA_TMPDIR: /home/alan/apache-tomcat-6.0.20/temp
Using JRE_HOME:        /usr
Server version: Apache Tomcat/6.0.20
Server built:   May 14 2009 01:13:50
Server number:  6.0.20.0
OS Name:        Linux
OS Version:     2.6.28-15-generic
Architecture:   amd64
JVM Version:    1.6.0_16-b01
JVM Vendor:     Sun Microsystems Inc.

a...@ubuntu:~/apache-tomcat-6.0.20/logs$ $CATALINA_HOME/bin/catalina.sh run -security
Using CATALINA_BASE:   /home/alan/apache-tomcat-6.0.20
Using CATALINA_HOME:   /home/alan/apache-tomcat-6.0.20
Using CATALINA_TMPDIR: /home/alan/apache-tomcat-6.0.20/temp
Using JRE_HOME:        /usr
Using Security Manager
Could not load Logmanager "org.apache.juli.ClassLoaderLogManager"
java.security.AccessControlException: access denied (java.lang.RuntimePermission setContextCla
Re: webapps examples and security manager
Alan wrote:
> Ok, I downloaded the latest and did:
>
> wget -c http://mirror.ox.ac.uk/sites/rsync.apache.org/tomcat/tomcat-6/v6.0.20/bin/apache-tomcat-6.0.20.tar.gz
> tar xvfz apache-tomcat-5.5.28.tar.gz # gnu tar

What is going on here? Which version of Tomcat are you using?

> cd ~/Programmes/apache-tomcat-6.0.20
> export CATALINA_HOME=$PWD
> amadeus[2161]:~/Programmes/apache-tomcat-6.0.20% $CATALINA_HOME/bin/catalina.sh run -security
> Using CATALINA_BASE:   /Users/alan/Programmes/apache-tomcat-6.0.20
> Using CATALINA_HOME:   /Users/alan/Programmes/apache-tomcat-6.0.20
> Using CATALINA_TMPDIR: /Users/alan/Programmes/apache-tomcat-6.0.20/temp
> Using JRE_HOME:        /System/Library/Frameworks/JavaVM.framework/Versions/CurrentJDK/Home

Which JVM is this? What does:
java -version
return?

> Using Security Manager
> Please use CMSClassUnloadingEnabled in place of
> CMSPermGenSweepingEnabled in the future

Hmm. You shouldn't see that with a default Tomcat install so it looks like you aren't running what you think you are running.

> Could not load Logmanager "org.apache.juli.ClassLoaderLogManager"
> java.security.AccessControlException: access denied
> (java.lang.RuntimePermission setContextClassLoader)
>     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
> [snip]

This works out of the for me on Leopard. I don't have access to a machine with Snow Leopard although it is unlikely that is the issue.

> So, how do I do to make at least the webapps examples that come with
> tomcat to run smoothly with security manager? How to tweak
> catalina.policy in order to not see all this issues in log?

Indications are you aren't running a vanilla Tomcat 6.0.20 install. A clean install works for me in Windows, OSX and linux.

Mark
Re: webapps examples and security manager
Ok, I downloaded the latest and did:

wget -c http://mirror.ox.ac.uk/sites/rsync.apache.org/tomcat/tomcat-6/v6.0.20/bin/apache-tomcat-6.0.20.tar.gz
tar xvfz apache-tomcat-5.5.28.tar.gz # gnu tar
cd ~/Programmes/apache-tomcat-6.0.20
export CATALINA_HOME=$PWD

amadeus[2161]:~/Programmes/apache-tomcat-6.0.20% $CATALINA_HOME/bin/catalina.sh run -security
Using CATALINA_BASE:   /Users/alan/Programmes/apache-tomcat-6.0.20
Using CATALINA_HOME:   /Users/alan/Programmes/apache-tomcat-6.0.20
Using CATALINA_TMPDIR: /Users/alan/Programmes/apache-tomcat-6.0.20/temp
Using JRE_HOME:        /System/Library/Frameworks/JavaVM.framework/Versions/CurrentJDK/Home
Using Security Manager
Please use CMSClassUnloadingEnabled in place of CMSPermGenSweepingEnabled in the future
Could not load Logmanager "org.apache.juli.ClassLoaderLogManager"
java.security.AccessControlException: access denied (java.lang.RuntimePermission setContextClassLoader)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
[snip]

I got basically the same thing as in tomcat 5.5.

So, how do I do to make at least the webapps examples that come with tomcat to run smoothly with security manager? How to tweak catalina.policy in order to not see all this issues in log?

Many thanks in advance,

Alan

On Tue, Sep 22, 2009 at 18:49, Caldarale, Charles R wrote:
>> From: Alan [mailto:alanwil...@gmail.com]
>> Subject: Re: webapps examples and security manager
>>
>> Not yet, which one would suggest me please?
>
> The latest, always (6.0.20).
>
> - Chuck
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you received
> this in error, please contact the sender and delete the e-mail and its
> attachments from all computers.
RE: webapps examples and security manager
> From: Alan [mailto:alanwil...@gmail.com]
> Subject: Re: webapps examples and security manager
>
> Not yet, which one would suggest me please?

The latest, always (6.0.20).

- Chuck
Re: webapps examples and security manager
Thanks for your reply.

Not yet, which one would suggest me please?

Alan

On Tue, Sep 22, 2009 at 17:27, Mark Thomas wrote:
> Alan wrote:
>
>> Any help would be more than appreciated.
>
> And when you try with a more recent version?
>
> Mark
Re: webapps examples and security manager
Alan wrote:
> Any help would be more than appreciated.

And when you try with a more recent version?

Mark
webapps examples and security manager
Hi there,

I installed tomcat5 via Fink on Snow Leopard 10.6.1 kernel 64 bits:

amadeus[2249]:/sw/var/log/tomcat5% $CATALINA_HOME/bin/catalina.sh version
Using CATALINA_BASE: /sw/var/tomcat5
Using CATALINA_HOME: /sw/var/tomcat5
Using CATALINA_TMPDIR: /sw/var/tomcat5/temp
Using JRE_HOME: /Library/Java/Home
Server version: Apache Tomcat/5.5.26
Server built: Jan 28 2008 01:35:23
Server number: 5.5.26.0
OS Name:Mac OS X
OS Version: 10.6.1
Architecture: x86_64
JVM Version:1.6.0_15-b03-219
JVM Vendor: Apple Inc.

Tomcat's webapps examples works fine, but then I wanted to use security manager. I put that:

export CATALINA_OPTS="-DTOMCAT5LAUNCH=true -Djava.security.manager -Djava.security.policy=$CATALINA_HOME/conf/catalina.policy"

then it still works but I don't like what I see in log catalina.out:

2009-09-22 16:34:41.010 java[24510:1603] CFPreferences: user home directory at file://localhost/sw/var/empty/ is unavailable. User domains will be volatile.
Could not load Logmanager "org.apache.juli.ClassLoaderLogManager"
java.security.AccessControlException: access denied (java.lang.RuntimePermission setContextClassLoader)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
    at java.security.AccessController.checkPermission(AccessController.java:546)
[snip]
    at org.apache.catalina.startup.Bootstrap.(Bootstrap.java:54)
Can't load log handler "1catalina.org.apache.juli.FileHandler"
java.lang.ClassNotFoundException: 1catalina.org.apache.juli.FileHandler
java.lang.ClassNotFoundException: 1catalina.org.apache.juli.FileHandler
    at java.net.URLClassLoader$1.run(URLClassLoader.java:200)
[snip]

My catalina.policy is this (didn't touch it yet):

// These permissions apply to javac
grant codeBase "file:${java.home}/lib/-" {
    permission java.security.AllPermission;
};

// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/-" {
    permission java.security.AllPermission;
};

// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/../lib/-" {
    permission java.security.AllPermission;
};

// These permissions apply to all shared system extensions when
// ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/lib/ext/-" {
    permission java.security.AllPermission;
};

// == CATALINA CODE PERMISSIONS ===

// These permissions apply to the launcher code
grant codeBase "file:${catalina.home}/bin/commons-launcher.jar" {
    permission java.security.AllPermission;
};

// These permissions apply to the daemon code
grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
    permission java.security.AllPermission;
};

// These permissions apply to the commons-logging API
grant codeBase "file:${catalina.home}/bin/commons-logging-api.jar" {
    permission java.security.AllPermission;
};

// These permissions apply to the server startup code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
    permission java.security.AllPermission;
};

// These permissions apply to the JMX server
grant codeBase "file:${catalina.home}/bin/jmx.jar" {
    permission java.security.AllPermission;
};

// These permissions apply to JULI
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
    permission java.util.PropertyPermission "java.util.logging.config.class", "read";
    permission java.util.PropertyPermission "java.util.logging.config.file", "read";
    permission java.lang.RuntimePermission "shutdownHooks";
    permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
    permission java.util.PropertyPermission "catalina.base", "read";
    permission java.util.logging.LoggingPermission "control";
    permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
    permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
    permission java.lang.RuntimePermission "getClassLoader";
    // To enable per context logging configuration, permit read access to the appropriate file.
    // Be sure that the logging configuration is secure before enabling such access
    // eg for the examples web application:
    // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
};

// These permiss
stripes framework and Tomcat with security manager
Hi,

I'm trying to write a web page with the Stripes framework. Everything works fine when the Tomcat is running without the security manager. But when I turn on the security manager, my application throws an error:

HTTP Status 404 -
type Status report
message
description The requested resource () is not available.
Apache Tomcat/6.0.18

I know I need to grant some permissions but I don't know which one. Please help me. I'm novice as the Tomcat user. Thanks a lot.

My catalina.policy file and Tomcat log:

grant codeBase "file:${java.home}/lib/-" {
    permission java.security.AllPermission;
};

// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/-" {
    permission java.security.AllPermission;
};

// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/../lib/-" {
    permission java.security.AllPermission;
};

grant codeBase "file:${java.home}/lib/ext/-" {
    permission java.security.AllPermission;
};

// These permissions apply to the daemon code
grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
    permission java.security.AllPermission;
};

// These permissions apply to the logging API
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
    permission java.util.PropertyPermission "java.util.logging.config.class", "read";
    permission java.util.PropertyPermission "java.util.logging.config.file", "read";
    permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
    permission java.lang.RuntimePermission "shutdownHooks";
    permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
    permission java.util.PropertyPermission "catalina.base", "read";
    permission java.util.logging.LoggingPermission "control";
    permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
    permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
    permission java.lang.RuntimePermission "getClassLoader";${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
};

// These permissions apply to the server startup code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
    permission java.security.AllPermission;
};

grant codeBase "file:${catalina.home}/lib/-" {
    permission java.security.AllPermission;
};

grant {
    // Required for JNDI lookup of named JDBC DataSource's and
    // javamail named MimePart DataSource used to send mail
    permission java.util.PropertyPermission "java.home", "read";
    permission java.util.PropertyPermission "java.naming.*", "read";
    permission java.util.PropertyPermission "javax.sql.*", "read";

    // OS Specific properties to allow read access
    permission java.util.PropertyPermission "os.name", "read";
    permission java.util.PropertyPermission "os.version", "read";
    permission java.util.PropertyPermission "os.arch", "read";
    permission java.util.PropertyPermission "file.separator", "read";
    permission java.util.PropertyPermission "path.separator", "read";
    permission java.util.PropertyPermission "line.separator", "read";

    // JVM properties to allow read access
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "java.vendor", "read";
    permission java.util.PropertyPermission "java.vendor.url", "read";
    permission java.util.PropertyPermission "java.class.version", "read";
    permission java.util.PropertyPermission "java.specification.version", "read";
    permission java.util.PropertyPermission "java.specification.vendor", "read";
    permission java.util.PropertyPermission "java.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.specification.version", "read";
    permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
    permission java.util.PropertyPermission "java.vm.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.version", "read";
    permissi
security manager
Hello all,

First of all, my setup:
* Tomcat 5.5.26 on a Debian GNU/Linux 5.0 system.
* java version "1.6.0_12"

I have deployed a webapp under /usr/share/tomcat5.5/webapps/servlet.war
I have configured my Tomcat not to unpack .war files.

Within my servlet.war file, I have a WEB-INF/lib/mysql-connector-java-5.1.7-bin.jar file that I use to connect to a remote MySQL database.

If I'm turning off the security manager by setting TOMCAT5_SECURITY=no in /etc/init.d/tomcat5.5 then I can make the connection to the database. If I turn it on however, I can't connect.

I know I can set permissions in the /etc/tomcat5.5/policy.d/50user.policy file, but I'm not sure about the syntax if I'm working with a .war file. Suppose I write the following:

grant codeBase "file:/usr/share/tomcat5.5/webapps/servlet.war" {
    permission java.net.SocketPermission "*.databasehost.be:3306", "connect";
}

Then my two questions are:
* Is the grant codeBase line the correct way to specify permissions for my servlet.war web application (deployed as a .war file, not unpacked)
* Will the above be enough to allow connections to the database server, or do I have to specify extra lines for the WEB-INF/lib/mysql-connector-java-5.1.7-bin.jar file that is within the servlet.war file? Does every .jar file that is within servlet.war inherit the permissions that I give to servlet.war?

Thanks,
Bart
RE: Tomcat 6.0.20, JDK1.6.0_14 and security manager
> From: andreas [mailto:anpa0...@telia.com]
> Subject: Re: Tomcat 6.0.20, JDK1.6.0_14 and security manager
>
> But I wonder what this means in terms of security?

Konstantin's suggestion should not be a problem. Note that code in Tomcat's lib directory is given all permissions (by default), but only bootstrap.jar and commons-daemon.jar from Tomcat's bin directory also enjoy the same privilege.

Here's the new code in 6u14:

private Cleaner() {
    /* Set context class loader to null in order to avoid
     * keeping a strong reference to an application classloader.
     */
    this.setContextClassLoader(null);
}

The reason the AccessControlException is thrown is because of the following in
http://java.sun.com/javase/6/docs/technotes/guides/security/permissions.html

"whenever a resource access is attempted, all code traversed by the execution thread up to that point must have permission for that resource access"

Despite the fact that code from rt.jar is given all permissions, code that calls methods in rt.jar is not unless explicitly granted by the security policy.

The setContextClassLoader(null) call has to be in the constructor rather than the Cleaner's run() method since this subclass of Thread doesn't actually execute until the JVM is shut down; wiping out the reference to any existing classloader copied from the caller's current Thread must occur early to allow GC to clean out webapps that have been undeployed.

Looks like Sun simply forgot to document this security incompatibility introduced in 6u14.

- Chuck
RE: Tomcat 6.0.20, JDK1.6.0_14 and security manager
> From: Martin Gainty [mailto:mgai...@hotmail.com]
> Subject: RE: Tomcat 6.0.20, JDK1.6.0_14 and security manager
>
> if you can show what's the problem with your policy
> check $TOMCAT_HOME/logs/%HOSTNAME%.-MM-DD.log
> for details

Since the logging mechanism can't be initialized, there are no log files generated. (They're created, but not written to.) The OP already posted all the information available, and Konstantin posted the fix.

- Chuck
RE: Tomcat 6.0.20, JDK1.6.0_14 and security manager
if you can show what's the problem with your policy
check $TOMCAT_HOME/logs/%HOSTNAME%.-MM-DD.log
for details

Martin Gainty

> Date: Sat, 6 Jun 2009 21:07:38 +0200
> From: anpa0...@telia.com
> To: users@tomcat.apache.org
> Subject: Re: Tomcat 6.0.20, JDK1.6.0_14 and security manager
>
> Indeed it does.
>
> But I wonder what this means in terms of security?
> I admit that my knowledge of the policy files and security-permissions is
> very weak, and granting permissions to something that I do not understand
> scares me a bit.
>
> Maybe I should file a bug about this and let it get investigated by someone
> who knows.
>
> Caldarale, Charles R wrote:
> >
> > I just verified that does correct the problem.
Re: Tomcat 6.0.20, JDK1.6.0_14 and security manager
Indeed it does.

But I wonder what this means in terms of security?
I admit that my knowledge of the policy files and security-permissions is very weak, and granting permissions to something that I do not understand scares me a bit.

Maybe I should file a bug about this and let it get investigated by someone who knows.

Caldarale, Charles R wrote:
>
> I just verified that does correct the problem.
RE: Tomcat 6.0.20, JDK1.6.0_14 and security manager
> From: Konstantin Kolinko [mailto:knst.koli...@gmail.com]
> Subject: Re: Tomcat 6.0.20, JDK1.6.0_14 and security manager
>
> You may try adding
> permission java.lang.RuntimePermission "setContextClassLoader";
> for the "file:${catalina.home}/bin/tomcat-juli.jar"

I just verified that does correct the problem.

- Chuck
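The stack-walk rule Chuck quotes earlier in this thread and the tomcat-juli.jar grant Konstantin suggests above, modelled in Python as an added example (not code from the thread, Tomcat or the JDK): a small parser for grant blocks plus a check that every code source on a call stack holds the permission. The policy excerpt, paths and call stack are constructed for illustration; permission actions, signedBy and doPrivileged are not modelled.

```python
import re

# Constructed, simplified excerpt of a Tomcat 6 catalina.policy; ${...}
# properties are shown already expanded and the paths are made up.
POLICY = '''
// JRE code: the "/-" suffix matches everything below the directory
grant codeBase "file:/jre/lib/-" {
    permission java.security.AllPermission;
};
grant codeBase "file:/tomcat/bin/bootstrap.jar" {
    permission java.security.AllPermission;
};
grant codeBase "file:/tomcat/bin/tomcat-juli.jar" {
    permission java.lang.RuntimePermission "shutdownHooks";
    permission java.lang.RuntimePermission "getClassLoader";
};
'''
# The same policy with the permission suggested in the thread added for JULI.
FIXED = POLICY.replace(
    '"getClassLoader";',
    '"getClassLoader";\n    permission java.lang.RuntimePermission "setContextClassLoader";')

GRANT_RE = re.compile(r'grant\s+codeBase\s+"([^"]+)"\s*\{(.*?)\};', re.S)
PERM_RE = re.compile(r'permission\s+([\w.]+)(?:\s+"([^"]*)")?')

def parse_policy(text):
    """Return [(codeBase, {(class, target), ...})]; actions are ignored."""
    text = re.sub(r'^\s*//.*$', '', text, flags=re.M)  # drop comment lines
    return [(cb, {(c, t or None) for c, t in PERM_RE.findall(body)})
            for cb, body in GRANT_RE.findall(text)]

def code_base_matches(pattern, location):
    if pattern.endswith("/-"):   # the directory and everything below it
        return location.startswith(pattern[:-1])
    if pattern.endswith("/*"):   # only files directly in the directory
        head = pattern[:-1]
        return location.startswith(head) and "/" not in location[len(head):]
    return pattern == location

def domain_implies(grants, location, perm):
    """True if any grant matching this code source covers the permission."""
    return any(code_base_matches(cb, location) and
               (("java.security.AllPermission", None) in perms or perm in perms)
               for cb, perms in grants)

def first_denying_frame(grants, call_stack, perm):
    """Stack-walk rule: every code source on the stack must hold perm.
    Returns the first code source lacking it, or None if access is allowed.
    (doPrivileged, which cuts the walk short, is not modelled.)"""
    for location in call_stack:
        if not domain_implies(grants, location, perm):
            return location
    return None

# Constructed stack, innermost frame first: JRE code sets the context class
# loader while being called from JULI, which was started by bootstrap.jar.
STACK = ["file:/jre/lib/rt.jar",
         "file:/tomcat/bin/tomcat-juli.jar",
         "file:/tomcat/bin/bootstrap.jar"]
SET_CCL = ("java.lang.RuntimePermission", "setContextClassLoader")

if __name__ == "__main__":
    for name, text in (("original", POLICY), ("fixed", FIXED)):
        denied = first_denying_frame(parse_policy(text), STACK, SET_CCL)
        print(name, "->", "allowed" if denied is None else "denied by " + denied)
```

The denying frame is the JULI jar even though the JRE code that makes the call holds AllPermission, which is why the added grant is scoped to that one jar and that one permission target.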