Re: Granting security permissions not working

2002-11-27 Thread Glenn Nielsen
In Tomcat 4.0 the URL used for the codeBase for jar files located in
/WEB-INF/lib starts with jar:file:..., your grant below starts
with file:  Those are two different codeBases!  The SecurityManager
is very picky about where code comes from when granting permissions,
the URL must start with the exact same text.

Regards,

Glenn

[EMAIL PROTECTED] wrote:

I am not able to grant security permissions on individual jar files. Can
someone tell me what I'm doing wrong?

In my policy file (CATALINA_HOME/conf/catalina.policy) I have the
following setting:

grant codeBase "file:${catalina.home}/-" {
	permission java.security.AllPermission;
};

I would think this would grant all permissions to all jar files,
classes, etc under the catalina directory, including webapps'
classes/jars. However, I keep getting the following (I set security
debug output according to the following --
java.security.debug=access,failure):

access: access denied (java.util.PropertyPermission log4j.defaultInitOverride read)
java.lang.Exception: Stack trace
	at java.lang.Thread.dumpStack(Thread.java:1071)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:259)
	at java.security.AccessController.checkPermission(AccessController.java:401)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
	at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1291)
	at java.lang.System.getProperty(System.java:611)
	at org.apache.log4j.helpers.OptionConverter.getSystemProperty(OptionConverter.java:92)
	at org.apache.log4j.LogManager.<clinit>(LogManager.java:117)
	at org.apache.log4j.Logger.getLogger(Logger.java:85)
	at com.cssc.security.CognisecAuthFilter$1.run(CognisecAuthFilter.java:85)
	at java.security.AccessController.doPrivileged(Native Method)
	at com.cssc.security.CognisecAuthFilter.<clinit>(CognisecAuthFilter.java:83)
...

access: domain that failed ProtectionDomain (jar:file:C:/tomcat/webapps/cssc/WEB-INF/lib/log4j-1.2.6.jar!/org/apache/log4j/helpers/OptionConverter.class no certificates)
 WebappClassLoader
  available:
Extension[Struts Framework, implementationVendor=Apache Software
Foundation, implementationVendorId=org.apache,
implementationVersion=1.0.2, specificationVendor=Apache Software
Foundation, specificationVersion=1.0]
  delegate: false
  repositories:
/WEB-INF/classes/
  required:
-- Parent Classloader:

+ other stuff.

What gives? I don't understand why this is not working. Please help!

Running Tomcat 4.0.4, J2SDK 1.4.0, on a winxp box

Thanks,
John



--
To unsubscribe, e-mail:   mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]
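
The codeBase mismatch Glenn Nielsen describes can be reproduced outside Tomcat with java.security.CodeSource.implies(), which is the check a policy grant has to pass. The following is an added example, not code from the thread or from Tomcat; the class name CodeBaseMatch and the helper covers() are hypothetical, and ${catalina.home} is expanded by hand to C:/tomcat as shown in the poster's debug output. The two file: grants do not cover the class loaded from the jar, while the jar:file: grant ending in !/- does.

```java
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;

// Added illustration, not code from the thread or from Tomcat.
public class CodeBaseMatch {

    // Code source taken from the "domain that failed" line in the original post.
    static final String LOADED_FROM =
        "jar:file:C:/tomcat/webapps/cssc/WEB-INF/lib/log4j-1.2.6.jar"
        + "!/org/apache/log4j/helpers/OptionConverter.class";

    /**
     * True when a grant with this codeBase URL applies to code loaded from
     * loadedFrom. Certificates are left null on both sides, as in the post
     * (unsigned jar, no signedBy clause in the grant).
     */
    @SuppressWarnings("deprecation") // URL(String) is deprecated on recent JDKs but still works
    static boolean covers(String grantCodeBase, String loadedFrom) throws Exception {
        CodeSource grant = new CodeSource(new URL(grantCodeBase), (Certificate[]) null);
        CodeSource code = new CodeSource(new URL(loadedFrom), (Certificate[]) null);
        return grant.implies(code);
    }

    public static void main(String[] args) throws Exception {
        // Assumption: ${catalina.home} resolves to C:/tomcat on the poster's machine.
        String[] grants = {
            // The poster's catch-all grant: protocol is "file", the class came from "jar".
            "file:C:/tomcat/-",
            // The per-webapp grant suggested later in the thread: same protocol mismatch.
            "file:C:/tomcat/webapps/cssc/-",
            // Same protocol as the loaded class; "!/-" covers every entry inside the jar.
            "jar:file:C:/tomcat/webapps/cssc/WEB-INF/lib/log4j-1.2.6.jar!/-",
        };
        for (String g : grants) {
            String verdict = covers(g, LOADED_FROM) ? "grant applies" : "grant ignored";
            System.out.printf("%-66s -> %s%n", g, verdict);
        }
    }
}
```

In catalina.policy the matching entry would be written as grant codeBase "jar:file:${catalina.home}/webapps/cssc/WEB-INF/lib/log4j-1.2.6.jar!/-" { ... }; with only the permissions that jar needs inside the braces rather than AllPermission.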









RE: Granting security permissions not working

2002-11-20 Thread Greg Trasuk
Hi:

Is it possible that you're running into case-sensitivity or path-separator
problems?  The following is from a policy file included in a Sun product:

 * Note: ExecOptionPermission uses String.equals() for equality comparisons,
 * so the values of these permissions are case sensitive. For example, the
 * following two permissions are not equal:
 *com.sun.rmi.rmid.ExecOptionPermission
 *   C:\jini1_2\lib\sharedvm.jar
 *com.sun.rmi.rmid.ExecOptionPermission
 *   c:\jini1_2\lib\sharedvm.jar
 *[Note the case of the drive letters.]
 * This subtlety can occur, for example, when the com.sun.jini.jsk.home
 * property is set to c:\..., but the service starter
 * framework, which uses File.getCanonicalFile() to build its command
 * environment, ends up returning C:\... on certain platforms.
 *

If you're on Windows, you might also need to use the backslash as the path
separator.  I'm not sure if Tomcat's class loader uses the standard policy
file reader or not, but with the standard security manager, you need to
escape the backslashes (double-backslashes), as in:

permission java.io.FilePermission "d:\\windows\\temp\\-", "read,write,execute,delete";


Cheers,

Greg Trasuk, President
StratusCom Manufacturing Systems Inc. - We use information technology to
solve business problems on your plant floor.
http://stratuscom.ca

-Original Message-
From: John Pelly [mailto:[EMAIL PROTECTED]]
Sent: November 18, 2002 22:19
To: 'Tomcat Users List'; 'David Wall'
Subject: RE: Granting security permissions not working


Thank you for your suggestions. See my comments below:

 First, ensure you are running with the -security option that
 turns on Tomcat
 with the security manager installed.  Often you need to modify the

I am definitely running with the -security option. I have
double-checked
that it's in my start.bat script in the bin/ directory and I see the
statement Using Security Manager on the tomcat console. Plus, when
running with -Djava.security.debug=access,failure, I see permissions
checking etc. going on.

 Second, you are granting your permissions far too low on the
 file path.  At
 the very least, consider something like

 grant codeBase "file:${catalina.base}/webapps/yourappname/-" {

The grant that I described there was a last-ditch desperate attempt to
cover everything with AllPermission. I had previously tried granting on
the individual .jar files, on the webapps directory, on my specific
webapps directory, etc. I've tried every conceivable known permutation.
Regardless, I did as you suggested and put the grant back on the
specific webapp directory (using the - at the end)... No luck.


 Third, are you actually running multiple instances in which your
 catalina.base is different than your catalina.home?  If so,

I'm only running one instance of tomcat. I'm not sure where/how
catalina.base gets set, but I have a good feeling that the
actual policy
file is being read b/c if I remove that policy file then
everything goes
nuts.

One interesting thing is that I can grant access in the general grant {
... } clause (no specific codeBase specified... Just the
default for all
webapps), and things will work fine. However, I don't want to grant
access to all webapps, I only want to grant access to a particular
webapp/jar file.

Basically, it looks like grant entries on codebase's under the webapps
directory are *completely ignored*. No matter what I grant on a
particular webapp (using grant codeBase
file:${catalina.base}/webapps/appname/- { perms }), nothing takes
effect at all. I can verify this by looking at debug output (setting
java.debug.security=policy,access,failure) -- when it prints the
Protection Domain that failed the access call, I can clearly see that
*no permissions* are granted to the jar files under that
webapp/codebase
besides the default jndi and file read permissions. If I want any
permissions to apply, I have to grant them generally in the grant { ...
} clause (no codeBase).

Obviously, this is not desired behavior. It looks like there could be a
bug in the Tomcat policy management?

JP






Re: Granting security permissions not working

2002-11-20 Thread Pae Choi
On Win32, the forward slash works as well. For example,

grant codebase file://drive name:/- {



Pae





RE: Granting security permissions not working

2002-11-19 Thread John Pelly
Thank you for your suggestions. See my comments below:

 First, ensure you are running with the -security option that 
 turns on Tomcat
 with the security manager installed.  Often you need to modify the

I am definitely running with the -security option. I have double-checked
that it's in my start.bat script in the bin/ directory and I see the
statement Using Security Manager on the tomcat console. Plus, when
running with -Djava.security.debug=access,failure, I see permissions
checking etc. going on.

 Second, you are granting your permissions far too low on the 
 file path.  At
 the very least, consider something like
 
 grant codeBase "file:${catalina.base}/webapps/yourappname/-" {

The grant that I described there was a last-ditch desperate attempt to
cover everything with AllPermission. I had previously tried granting on
the individual .jar files, on the webapps directory, on my specific
webapps directory, etc. I've tried every conceivable known permutation.
Regardless, I did as you suggested and put the grant back on the
specific webapp directory (using the - at the end)... No luck.

 
 Third, are you actually running multiple instances in which your
 catalina.base is different than your catalina.home?  If so, 

I'm only running one instance of tomcat. I'm not sure where/how
catalina.base gets set, but I have a good feeling that the actual policy
file is being read b/c if I remove that policy file then everything goes
nuts.

One interesting thing is that I can grant access in the general grant {
... } clause (no specific codeBase specified... Just the default for all
webapps), and things will work fine. However, I don't want to grant
access to all webapps, I only want to grant access to a particular
webapp/jar file.

Basically, it looks like grant entries on codebase's under the webapps
directory are *completely ignored*. No matter what I grant on a
particular webapp (using grant codeBase
file:${catalina.base}/webapps/appname/- { perms }), nothing takes
effect at all. I can verify this by looking at debug output (setting
java.debug.security=policy,access,failure) -- when it prints the
Protection Domain that failed the access call, I can clearly see that
*no permissions* are granted to the jar files under that webapp/codebase
besides the default jndi and file read permissions. If I want any
permissions to apply, I have to grant them generally in the grant { ...
} clause (no codeBase). 

Obviously, this is not desired behavior. It looks like there could be a
bug in the Tomcat policy management?

JP






Granting security permissions not working

2002-11-18 Thread tc
I am not able to grant security permissions on individual jar files. Can
someone tell me what I'm doing wrong?

In my policy file (CATALINA_HOME/conf/catalina.policy) I have the
following setting:

grant codeBase "file:${catalina.home}/-" {
	permission java.security.AllPermission;
};

I would think this would grant all permissions to all jar files,
classes, etc under the catalina directory, including webapps'
classes/jars. However, I keep getting the following (I set security
debug output according to the following --
java.security.debug=access,failure):

access: access denied (java.util.PropertyPermission log4j.defaultInitOverride read)
java.lang.Exception: Stack trace
	at java.lang.Thread.dumpStack(Thread.java:1071)
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:259)
	at java.security.AccessController.checkPermission(AccessController.java:401)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
	at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1291)
	at java.lang.System.getProperty(System.java:611)
	at org.apache.log4j.helpers.OptionConverter.getSystemProperty(OptionConverter.java:92)
	at org.apache.log4j.LogManager.<clinit>(LogManager.java:117)
	at org.apache.log4j.Logger.getLogger(Logger.java:85)
	at com.cssc.security.CognisecAuthFilter$1.run(CognisecAuthFilter.java:85)
	at java.security.AccessController.doPrivileged(Native Method)
	at com.cssc.security.CognisecAuthFilter.<clinit>(CognisecAuthFilter.java:83)
...

access: domain that failed ProtectionDomain (jar:file:C:/tomcat/webapps/cssc/WEB-INF/lib/log4j-1.2.6.jar!/org/apache/log4j/helpers/OptionConverter.class no certificates)
 WebappClassLoader
  available:
Extension[Struts Framework, implementationVendor=Apache Software
Foundation, implementationVendorId=org.apache,
implementationVersion=1.0.2, specificationVendor=Apache Software
Foundation, specificationVersion=1.0]
  delegate: false
  repositories:
/WEB-INF/classes/
  required:
-- Parent Classloader:

+ other stuff.

What gives? I don't understand why this is not working. Please help!

Running Tomcat 4.0.4, J2SDK 1.4.0, on a winxp box

Thanks,
John







Re: Granting security permissions not working

2002-11-18 Thread David Wall
 I am not able to grant security permissions on individual jar files. Can
 someone tell me what I'm doing wrong?

 In my policy file (CATALINA_HOME/conf/catalina.policy) I have the
 following setting:

 grant codeBase "file:${catalina.home}/-" {
 permission java.security.AllPermission;
 };

 I would think this would grant all permissions to all jar files,
 classes, etc under the catalina directory, including webapps'
 classes/jars.

First, ensure you are running with the -security option that turns on Tomcat
with the security manager installed.  Often you need to modify the
startup.sh script to include that option between 'start' and '$@'.  In my
TC 4.1.12 startup.sh, I have:

exec "$PRGDIR"/"$EXECUTABLE" start -security "$@"

Second, you are granting your permissions far too low on the file path.  At
the very least, consider something like

grant codeBase "file:${catalina.base}/webapps/yourappname/-" {

Third, are you actually running multiple instances in which your
catalina.base is different than your catalina.home?  If so, make sure you
are modifying the right catalina.policy file (you want the one that's under
your catalina.base, not the one under catalina.home).  If you are only
running a single instance of TC, though, then this should not be an issue.

Hope something here helps...

David Wall
www.yozons.com Electronic signatures with secure document delivery






RE: Granting security permissions not working

2002-11-18 Thread tc
Thank you for your suggestions. See my comments below:

 First, ensure you are running with the -security option that 
 turns on Tomcat
 with the security manager installed.  Often you need to modify the

I am definitely running with the -security option. I have double-checked
that it's in my start.bat script in the bin/ directory and I see the
statement Using Security Manager on the tomcat console. Plus, when
running with -Djava.security.debug=access,failure, I see permissions
checking etc. going on.

 Second, you are granting your permissions far too low on the 
 file path.  At
 the very least, consider something like
 
 grant codeBase "file:${catalina.base}/webapps/yourappname/-" {

The grant that I described there was a last-ditch desperate attempt to
cover everything with AllPermission. I had previously tried granting on
the individual .jar files, on the webapps directory, on my specific
webapps directory, etc. I've tried every conceivable known permutation.
Regardless, I did as you suggested and put the grant back on the
specific webapp directory (using the - at the end)... No luck.

 
 Third, are you actually running multiple instances in which your
 catalina.base is different than your catalina.home?  If so, 

I'm only running one instance of tomcat. I'm not sure where/how
catalina.base gets set, but I have a good feeling that the actual policy
file is being read b/c if I remove that policy file then everything goes
nuts.

One interesting thing is that I can grant access in the general grant {
... } clause (no specific codeBase specified... Just the default for all
webapps), and things will work fine. However, I don't want to grant
access to all webapps, I only want to grant access to a particular
webapp/jar file.

Basically, it looks like grant entries on codebase's under the webapps
directory are *completely ignored*. No matter what I grant on a
particular webapp (using grant codeBase
file:${catalina.base}/webapps/appname/- { perms }), nothing takes
effect at all. I can verify this by looking at debug output (setting
java.debug.security=policy,access,failure) -- when it prints the
Protection Domain that failed the access call, I can clearly see that
*no permissions* are granted to the jar files under that webapp/codebase
besides the default jndi and file read permissions. If I want any
permissions to apply, I have to grant them generally in the grant { ...
} clause (no codeBase). 

Obviously, this is not desired behavior. It looks like there could be a
bug in the Tomcat policy management?

JP






Re: Granting security permissions not working

2002-11-18 Thread Pae Choi
I know it's not going to help you much or at all. And I am not
certain what's going on with your side, but just FYI. I have
tested the TC v4.1.12 with -security. And it runs fine on
the WinNT.

It has many security permissions in the catalina.policy, including
own Web Apps, JAXM, AXIS, RMI stub downloading, blah, blah...


Pae
