Solved: Tomcat and security manager: unexpected java.security.AccessControlException on sun linux cobalt

2002-12-03 Thread your mom
Hi all.

We solved the problem with tomcat ignoring all grants for individual user
sites. It was a pure RTFM.
For every user site, a unique context is created on startup (as seen in
tomcat.log on debug level)

There is a commented-out line in the server.xml which has to be activated:



After activating the line it should look like this:



After that, tomcat actually assigns the permissions granted in the
tomcat.policy to the individual user sites.

Thanks for all your help on this group,

J.P.Jarolim

P.S.: Keywords for other googlers like me:

tomcat ignoring ignore tomcat.policy grant java server.xml security manager
FilePermission java.security.AccessControlException secure security sun
cobalt



--
To unsubscribe, e-mail:   
For additional commands, e-mail: 




Re: Tomcat and security manager: unexpected java.security.AccessControlException on sun linux cobalt

2002-12-03 Thread J.P.Jarolim
Hi - thanks for the answer;

I found the following line in the description for java.io.FilePermission
indicating that I could have a serious problem in understanding English
(no sarcasm):

> A pathname that ends with "/-" indicates (recursively) all files and
> subdirectories contained in that directory. A pathname consisting of the
> special token "<<ALL FILES>>" matches any file.

Is there a difference between "all files and subdirectories" and "any file"?
Nevertheless I'll try every posted solution until tomcat stops ignoring my
settings ;-)

thanks,

J.P.Jarolim

> >...
> >grant codeBase "file:/home/.sites/143/site40/web/-" {
> >  permission SocketPermission "localhost:1024-", "listen,connect,resolve";
> >  permission java.util.PropertyPermission "*", "read,write";
> >  permission java.io.FilePermission "/home/.sites/143/site40/-", "read,write,delete";
> >
> This is the problem. You need to put the file name, not the path. You
> need to put <<ALL FILES>> if you want to grant access to all files under
> your context, or test.txt if you only want to be able to read that file.
>
> -- Jeanfrancois







Re: Tomcat and security manager: unexpected java.security.AccessControlException on sun linux cobalt

2002-12-03 Thread Rasputin
* J.P.Jarolim <[EMAIL PROTECTED]> [1217 11:17]:

> java.security.AccessControlException: access denied (java.io.FilePermission
> /home/.sites/143/site40/web/test.txt read)
 
> We looked into the tomcat docs how to setup the security manager correctly
> and looked into the tomcat.policy file
> in the {tomcat.home}/conf dir just to see that everything was set correctly
> (for us) from the site management utility:
 
> ...
> grant codeBase "file:/home/.sites/143/site40/web/-" {
>   permission SocketPermission "localhost:1024-", "listen,connect,resolve";
>   permission java.util.PropertyPermission "*", "read,write";
>   permission java.io.FilePermission "/home/.sites/143/site40/-",
> "read,write,delete";
>   permission java.lang.RuntimePermission "accessClassInPackage.sun.io";
> };

Does the class trying to read that directory live in :
'/home/.sites/143/site40/web/-' ?  I doubt it. 

I'm no expert, but that sounds wrong to me, unless the class files live
there. The codebase parameter lists where the Java classes were
loaded from. Writing to a directory you load code from is a bad idea
unless you really need to.


>  
>   
>   
> 

> grant codeBase "file:/home/.sites/143/site40/web/-" {
> permission java.security.AllPermission;
> };

I think your codeBase is wrong - try allowing all code to read it, just to
check.

Also, if you want security, you might want to think twice about running
tomcat as root - it doesn't need to be IMO.

-- 
Rasputin :: Jack of All Trades - Master of Nuns
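
The two matching rules debated in this thread, FilePermission path patterns ("/-" versus "<<ALL FILES>>") and the codeBase of a grant, can be checked directly against the JDK classes. This is an added example, not code from any of the posters; the WEB-INF/classes and work-directory locations are constructed for illustration.

```java
import java.io.FilePermission;
import java.net.URI;
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;

public class PolicyMatchDemo {

    // True if a FilePermission grant (pattern + actions) covers the requested access.
    static boolean fileGrantCovers(String pattern, String actions, String path, String action) {
        return new FilePermission(pattern, actions).implies(new FilePermission(path, action));
    }

    // True if a grant's codeBase URL covers code loaded from the given location.
    static boolean codeBaseCovers(String codeBase, String loadedFrom) throws Exception {
        URL grant = URI.create(codeBase).toURL();
        URL actual = URI.create(loadedFrom).toURL();
        return new CodeSource(grant, (Certificate[]) null)
                .implies(new CodeSource(actual, (Certificate[]) null));
    }

    static void show(String label, boolean covered) {
        System.out.printf("%-50s %s%n", label, covered ? "covered" : "NOT covered");
    }

    public static void main(String[] args) throws Exception {
        String site = "/home/.sites/143/site40";   // site directory from the thread
        String file = site + "/web/test.txt";      // file named in the exception
        String acts = "read,write,delete";         // actions from the posted grant

        // FilePermission patterns: "/-" is recursive, "/*" is one level only,
        // "<<ALL FILES>>" matches every path on the system.
        show("site/- -> web/test.txt", fileGrantCovers(site + "/-", acts, file, "read"));
        show("site/* -> web/test.txt", fileGrantCovers(site + "/*", acts, file, "read"));
        show("<<ALL FILES>> -> web/test.txt", fileGrantCovers("<<ALL FILES>>", acts, file, "read"));
        show("<<ALL FILES>> -> /etc/passwd", fileGrantCovers("<<ALL FILES>>", acts, "/etc/passwd", "read"));
        // The directory itself is not "contained in" the directory.
        show("site/- -> site directory itself", fileGrantCovers(site + "/-", acts, site, "read"));
        // The posted grant lists no "execute" action.
        show("site/- -> execute web/test.txt", fileGrantCovers(site + "/-", acts, file, "execute"));

        // codeBase matching: a grant applies only to classes loaded from under it.
        String codeBase = "file:" + site + "/web/-";
        // Constructed class locations (assumptions, not taken from the thread).
        show("codeBase -> web/WEB-INF/classes/", codeBaseCovers(codeBase, "file:" + site + "/web/WEB-INF/classes/"));
        show("codeBase -> /usr/java/jakarta-tomcat/work/", codeBaseCovers(codeBase, "file:/usr/java/jakarta-tomcat/work/"));
    }
}
```

A "<<ALL FILES>>" grant also covers paths far outside the site directory, so the recursive "/-" form is the narrower choice for a per-site grant. Neither check says anything about whether Tomcat applies the policy to a given context at all, which is what the server.xml setting in the "Solved" message controls.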





Tomcat and security manager: unexpected java.security.AccessControlException on sun linux cobalt

2002-12-03 Thread J.P.Jarolim
Hi!

I've been working on this since the beginning of last week together with a friend
and can't find a clue:

My friend owns a sun cobalt with linux, apache and tomcat.
The system seems to be ready to use for providers - there is a config utility
to add new user sites with a lot of options (like: user gets mysql, pop3,
tomcat, or whatever)

After creating a site with jsp, we deployed a jsp-testsuite which tests the
given infrastructure: reading files, instantiating classes, trying a db-query
on mysql and so on (which works fine on our local system). But every time we
try to execute the testsuite we get one of these SecurityExceptions:

java.security.AccessControlException: access denied (java.io.FilePermission
/home/.sites/143/site40/web/test.txt read)
(Test.txt is the file we want to read in the first part of our testsuite:
File permissions 777)

We looked into the tomcat docs how to setup the security manager correctly
and looked into the tomcat.policy file
in the {tomcat.home}/conf dir just to see that everything was set correctly
(for us) from the site management utility:

...
grant codeBase "file:/home/.sites/143/site40/web/-" {
  permission SocketPermission "localhost:1024-", "listen,connect,resolve";
  permission java.util.PropertyPermission "*", "read,write";
  permission java.io.FilePermission "/home/.sites/143/site40/-", "read,write,delete";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.io";
};
...

Tomcat seems to run secure with the right file (as seen under ps -Af) but
seems to ignore all grants for the user sites:

...
java -Djava.security.manager -Djava.security.policy==/usr/java/jakarta-tomcat/conf/tomcat.policy -Dtomcat.home=/usr/java/jakarta-tomcat org.apache.tomcat.startup.Tomcat

Some users on groups.google mentioned that the codeBase should be the same
as the docBase in the server.xml:
...
 
  
  

...

but this looks correct to me too. We even tried to give my site all
permissions:

grant codeBase "file:/home/.sites/143/site40/web/-" {
permission java.security.AllPermission;
};

But that is ignored too. The testsuite is neither able to open a file nor
just to read the length.
We have the same problems when instantiating a class which tries to dynamically
instantiate another class. Like:

myDriver = (Driver)Class.forName(DriverName).newInstance();  // This is a part of opening a connection to the mysql-db

To get that straight: Everything runs fine without security manager - But
who wants to run a root-tomcat without a security manager ;-)
Could anyone give me a clue where we could look at? After one week of
googling we're somehow out of ideas...

thanks in advance,

Kind regards,

J.P.Jarolim, ADWERBA
-
ADWERBA, Gesellschaft für Verkaufsförderung und Werbung
A-5020 Salzburg - Schallmooser Hauptstraße 85 A
Telefon: +43(0)662 643125, 643126 - Telefax: +43(0)662 643128
ISDN: +43(0)662 648058 - Email: [EMAIL PROTECTED] - ICQ 44284507
-


