Re: Granting security permissions not working
In Tomcat 4.0 the URL used for the codeBase for jar files located in /WEB-INF/lib starts with jar:file:..., your grant below starts with file:

Those are two different codeBases! The SecurityManager is very picky about where code comes from when granting permissions, the URL must start with the exact same text.

Regards,

Glenn

[EMAIL PROTECTED] wrote:

> I am not able to grant security permissions on individual jar files. Can someone tell me what I'm doing wrong?
>
> In my policy file (CATALINA_HOME/conf/catalina.policy) I have the following setting:
>
>     grant codeBase "file:${catalina.home}/-" {
>         permission java.security.AllPermission;
>     };
>
> I would think this would grant all permissions to all jar files, classes, etc under the catalina directory, including webapps' classes/jars. However, I keep getting the following (I set security debug output according to the following -- java.security.debug=access,failure):
>
>     access: access denied (java.util.PropertyPermission log4j.defaultInitOverride read)
>     java.lang.Exception: Stack trace
>         at java.lang.Thread.dumpStack(Thread.java:1071)
>         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:259)
>         at java.security.AccessController.checkPermission(AccessController.java:401)
>         at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
>         at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1291)
>         at java.lang.System.getProperty(System.java:611)
>         at org.apache.log4j.helpers.OptionConverter.getSystemProperty(OptionConverter.java:92)
>         at org.apache.log4j.LogManager.<clinit>(LogManager.java:117)
>         at org.apache.log4j.Logger.getLogger(Logger.java:85)
>         at com.cssc.security.CognisecAuthFilter$1.run(CognisecAuthFilter.java:85)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at com.cssc.security.CognisecAuthFilter.<clinit>(CognisecAuthFilter.java:83)
>         ...
>     access: domain that failed ProtectionDomain (jar:file:C:/tomcat/webapps/cssc/WEB-INF/lib/log4j-1.2.6.jar!/org/apache/log4j/helpers/OptionConverter.class no certificates)
>     WebappClassLoader
>       available: Extension[Struts Framework, implementationVendor=Apache Software Foundation, implementationVendorId=org.apache, implementationVersion=1.0.2, specificationVendor=Apache Software Foundation, specificationVersion=1.0]
>       delegate: false
>       repositories:
>         /WEB-INF/classes/
>       required:
>     -- Parent Classloader:
>
> + other stuff.
>
> What gives? I don't understand why this is not working. Please help!
>
> Running Tomcat 4.0.4, J2SDK 1.4.0, on a winxp box
>
> Thanks,
>
> John

--
To unsubscribe, e-mail: mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]
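The comparison Glenn describes can be reproduced with java.security.CodeSource.implies(), the JDK check that decides whether a grant's codeBase covers a loaded class. This is an added example, not code from the thread or from Tomcat: the class name CodeBaseMatch and the helper grantCovers are hypothetical, ${catalina.home} is written out as C:/tomcat from the debug output above, and the jar: grant ending in !/- is an assumed form that the thread does not spell out.

```java
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;

/**
 * Added illustration: compares candidate grant codeBases with the location
 * recorded in the ProtectionDomain that failed the access check.
 * It exercises CodeSource.implies() only, not Tomcat's own policy loading.
 */
public class CodeBaseMatch {

    // Location copied from the "domain that failed" line of the debug output.
    static final String FAILED_DOMAIN =
        "jar:file:C:/tomcat/webapps/cssc/WEB-INF/lib/log4j-1.2.6.jar"
        + "!/org/apache/log4j/helpers/OptionConverter.class";

    /** True when a grant with this codeBase covers code loaded from classLocation. */
    static boolean grantCovers(String grantCodeBase, String classLocation) throws Exception {
        // A grant written without a codeBase has a null location,
        // which implies every code source.
        URL grantUrl = (grantCodeBase == null) ? null : new URL(grantCodeBase);
        CodeSource grant = new CodeSource(grantUrl, (Certificate[]) null);
        CodeSource loaded = new CodeSource(new URL(classLocation), (Certificate[]) null);
        return grant.implies(loaded);
    }

    public static void main(String[] args) throws Exception {
        String[] codeBases = {
            // The grant from the original post: protocol "file", domain protocol "jar".
            "file:C:/tomcat/-",
            // The narrower grant tried later in the thread: still protocol "file".
            "file:C:/tomcat/webapps/cssc/-",
            // Assumed jar: form. Same protocol as the failed domain, and "/-"
            // matches everything below the "!/" root of that one jar file.
            "jar:file:C:/tomcat/webapps/cssc/WEB-INF/lib/log4j-1.2.6.jar!/-",
            // The general grant { ... } clause with no codeBase.
            null
        };
        for (String codeBase : codeBases) {
            System.out.println(
                String.valueOf(codeBase) + " covers failed domain: "
                + grantCovers(codeBase, FAILED_DOMAIN));
        }
        // Policy entry corresponding to the jar: case, scoped to the single
        // permission named in the "access denied" line (assumed form):
        //
        //   grant codeBase "jar:file:${catalina.home}/webapps/cssc/WEB-INF/lib/log4j-1.2.6.jar!/-" {
        //       permission java.util.PropertyPermission "log4j.defaultInitOverride", "read";
        //   };
    }
}
```

Granting the one PropertyPermission to the one jar, rather than AllPermission to everything under ${catalina.home}, keeps the other web applications confined, which is what the original poster asks for later in the thread.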
RE: Granting security permissions not working
Hi:

Is it possible that you're running into case-sensitivity or path-separator problems? The following is from a policy file included in a Sun product:

 * Note: ExecOptionPermission uses String.equals() for equality comparisons,
 * so the values of these permissions are case sensitive. For example, the
 * following two permissions are not equal:
 *
 *     com.sun.rmi.rmid.ExecOptionPermission
 *         C:\jini1_2\lib\sharedvm.jar
 *     com.sun.rmi.rmid.ExecOptionPermission
 *         c:\jini1_2\lib\sharedvm.jar
 *
 * [Note the case of the drive letters.]
 * This subtlety can occur, for example, when the com.sun.jini.jsk.home
 * property is set to c:\..., but the service starter
 * framework, which uses File.getCanonicalFile() to build its command
 * environment, ends up returning C:\... on certain platforms.
 *

If you're on Windows, you might also need to use the backslash as the path separator. I'm not sure if Tomcat's class loader uses the standard policy file reader or not, but with the standard security manager, you need to escape the backslashes (double-backslashes), as in:

    permission java.io.FilePermission "d:\\windows\\temp\\-", "read,write,execute,delete";

Cheers,

Greg Trasuk, President
StratusCom Manufacturing Systems Inc. - We use information technology to solve business problems on your plant floor.
http://stratuscom.ca

-----Original Message-----
From: John Pelly [mailto:[EMAIL PROTECTED]]
Sent: November 18, 2002 22:19
To: 'Tomcat Users List'; 'David Wall'
Subject: RE: Granting security permissions not working

Thank you for your suggestions. See my comments below:

> First, ensure you are running with the -security option that turns on Tomcat with the security manager installed. Often you need to modify the

I am definitely running with the -security option. I have double-checked that it's in my start.bat script in the bin/ directory and I see the statement Using Security Manager on the tomcat console. Plus, when running with -Djava.security.debug=access,failure, I see permissions checking etc. going on.

> Second, you are granting your permissions far too low on the file path. At the very least, consider something like
>
>     grant codeBase "file:${catalina.base}/webapps/yourappname/-" {

The grant that I described there was a last-ditch desperate attempt to cover everything with AllPermission. I had previously tried granting on the individual .jar files, on the webapps directory, on my specific webapps directory, etc. I've tried every conceivable known permutation. Regardless, I did as you suggested and put the grant back on the specific webapp directory (using the - at the end)... No luck.

> Third, are you actually running multiple instances in which your catalina.base is different than your catalina.home? If so,

I'm only running one instance of tomcat. I'm not sure where/how catalina.base gets set, but I have a good feeling that the actual policy file is being read b/c if I remove that policy file then everything goes nuts.

One interesting thing is that I can grant access in the general grant { ... } clause (no specific codeBase specified... Just the default for all webapps), and things will work fine. However, I don't want to grant access to all webapps, I only want to grant access to a particular webapp/jar file.

Basically, it looks like grant entries on codebases under the webapps directory are *completely ignored*. No matter what I grant on a particular webapp (using grant codeBase "file:${catalina.base}/webapps/appname/-" { perms }), nothing takes effect at all. I can verify this by looking at debug output (setting java.debug.security=policy,access,failure) -- when it prints the Protection Domain that failed the access call, I can clearly see that *no permissions* are granted to the jar files under that webapp/codebase besides the default jndi and file read permissions. If I want any permissions to apply, I have to grant them generally in the grant { ... } clause (no codeBase). Obviously, this is not desired behavior.

It looks like there could be a bug in the Tomcat policy management?

JP
Re: Granting security permissions not working
On Win32, the forward slash works as well. For example,

    grant codebase file://drive name:/- {

Pae
RE: Granting security permissions not working
Thank you for your suggestions. See my comments below:

> First, ensure you are running with the -security option that turns on Tomcat with the security manager installed. Often you need to modify the

I am definitely running with the -security option. I have double-checked that it's in my start.bat script in the bin/ directory and I see the statement Using Security Manager on the tomcat console. Plus, when running with -Djava.security.debug=access,failure, I see permissions checking etc. going on.

> Second, you are granting your permissions far too low on the file path. At the very least, consider something like
>
>     grant codeBase "file:${catalina.base}/webapps/yourappname/-" {

The grant that I described there was a last-ditch desperate attempt to cover everything with AllPermission. I had previously tried granting on the individual .jar files, on the webapps directory, on my specific webapps directory, etc. I've tried every conceivable known permutation. Regardless, I did as you suggested and put the grant back on the specific webapp directory (using the - at the end)... No luck.

> Third, are you actually running multiple instances in which your catalina.base is different than your catalina.home? If so,

I'm only running one instance of tomcat. I'm not sure where/how catalina.base gets set, but I have a good feeling that the actual policy file is being read b/c if I remove that policy file then everything goes nuts.

One interesting thing is that I can grant access in the general grant { ... } clause (no specific codeBase specified... Just the default for all webapps), and things will work fine. However, I don't want to grant access to all webapps, I only want to grant access to a particular webapp/jar file.

Basically, it looks like grant entries on codebases under the webapps directory are *completely ignored*. No matter what I grant on a particular webapp (using grant codeBase "file:${catalina.base}/webapps/appname/-" { perms }), nothing takes effect at all. I can verify this by looking at debug output (setting java.debug.security=policy,access,failure) -- when it prints the Protection Domain that failed the access call, I can clearly see that *no permissions* are granted to the jar files under that webapp/codebase besides the default jndi and file read permissions. If I want any permissions to apply, I have to grant them generally in the grant { ... } clause (no codeBase). Obviously, this is not desired behavior.

It looks like there could be a bug in the Tomcat policy management?

JP
Granting security permissions not working
I am not able to grant security permissions on individual jar files. Can someone tell me what I'm doing wrong?

In my policy file (CATALINA_HOME/conf/catalina.policy) I have the following setting:

    grant codeBase "file:${catalina.home}/-" {
        permission java.security.AllPermission;
    };

I would think this would grant all permissions to all jar files, classes, etc under the catalina directory, including webapps' classes/jars. However, I keep getting the following (I set security debug output according to the following -- java.security.debug=access,failure):

    access: access denied (java.util.PropertyPermission log4j.defaultInitOverride read)
    java.lang.Exception: Stack trace
        at java.lang.Thread.dumpStack(Thread.java:1071)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:259)
        at java.security.AccessController.checkPermission(AccessController.java:401)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
        at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1291)
        at java.lang.System.getProperty(System.java:611)
        at org.apache.log4j.helpers.OptionConverter.getSystemProperty(OptionConverter.java:92)
        at org.apache.log4j.LogManager.<clinit>(LogManager.java:117)
        at org.apache.log4j.Logger.getLogger(Logger.java:85)
        at com.cssc.security.CognisecAuthFilter$1.run(CognisecAuthFilter.java:85)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.cssc.security.CognisecAuthFilter.<clinit>(CognisecAuthFilter.java:83)
        ...
    access: domain that failed ProtectionDomain (jar:file:C:/tomcat/webapps/cssc/WEB-INF/lib/log4j-1.2.6.jar!/org/apache/log4j/helpers/OptionConverter.class no certificates)
    WebappClassLoader
      available: Extension[Struts Framework, implementationVendor=Apache Software Foundation, implementationVendorId=org.apache, implementationVersion=1.0.2, specificationVendor=Apache Software Foundation, specificationVersion=1.0]
      delegate: false
      repositories:
        /WEB-INF/classes/
      required:
    -- Parent Classloader:

+ other stuff.

What gives? I don't understand why this is not working. Please help!

Running Tomcat 4.0.4, J2SDK 1.4.0, on a winxp box

Thanks,

John
Re: Granting security permissions not working
> I am not able to grant security permissions on individual jar files. Can someone tell me what I'm doing wrong?
>
> In my policy file (CATALINA_HOME/conf/catalina.policy) I have the following setting:
>
>     grant codeBase "file:${catalina.home}/-" {
>         permission java.security.AllPermission;
>     };
>
> I would think this would grant all permissions to all jar files, classes, etc under the catalina directory, including webapps' classes/jars.

First, ensure you are running with the -security option that turns on Tomcat with the security manager installed. Often you need to modify the startup.sh script to include that option between 'start' and '$@'. In my TC 4.1.12 startup.sh, I have:

    exec "$PRGDIR"/"$EXECUTABLE" start -security "$@"

Second, you are granting your permissions far too low on the file path. At the very least, consider something like

    grant codeBase "file:${catalina.base}/webapps/yourappname/-" {

Third, are you actually running multiple instances in which your catalina.base is different than your catalina.home? If so, make sure you are modifying the right catalina.policy file (you want the one that's under your catalina.base, not the one under catalina.home). If you are only running a single instance of TC, though, then this should not be an issue.

Hope something here helps...

David Wall
www.yozons.com
Electronic signatures with secure document delivery
Re: Granting security permissions not working
I know it's not going to help you much or at all. And I am not certain what's going on with your side, but just FYI.

I have tested the TC v4.1.12 with -security. And it runs fine on the WinNT. It has many security permissions in the catalina.policy, including own Web Apps, JAXM, AXIS, RMI stub downloading, blah, blah...

Pae