Re: Security Manager Exception

2014-07-28 Thread Konstantin Kolinko
2014-07-22 20:04 GMT+04:00 George Sexton geor...@mhsoftware.com:
 I'm using Tomcat 7.0.54 with the security manager. I'm getting an exception
 I don't understand:

 2014-07-22 09:27:03,934 [http-bio-80-exec-64] ERROR org.apache.catalina.core.ContainerBase.[Catalina].[somehostname.mhsoftware.com].[/].[jsp]- Servlet.service() for servlet [jsp] in context with path [] threw exception [java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)] with root cause
 java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)
     at java.security.AccessControlContext.checkPermission(Unknown Source)
     at java.security.AccessController.checkPermission(Unknown Source)
     at java.lang.SecurityManager.checkPermission(Unknown Source)
     at java.lang.ClassLoader.checkClassLoaderPermission(Unknown Source)
     at java.lang.ClassLoader.getParent(Unknown Source)
     at org.apache.juli.ClassLoaderLogManager.findProperty(ClassLoaderLogManager.java:295)
     at org.apache.juli.ClassLoaderLogManager.getProperty(ClassLoaderLogManager.java:266)
     at org.apache.juli.ClassLoaderLogManager.addLogger(ClassLoaderLogManager.java:144)
     at java.util.logging.LogManager.demandLogger(Unknown Source)
     at java.util.logging.Logger.demandLogger(Unknown Source)
     at java.util.logging.Logger.getLogger(Unknown Source)
     at com.sun.mail.util.MailLogger.init(MailLogger.java:115)
     at javax.mail.Session.initLogger(Session.java:226)
     at javax.mail.Session.init(Session.java:210)
     at javax.mail.Session.getInstance(Session.java:247)
     at com.MHSoftware.net.mail.MHMail.sendSMTP(MHMail.java:470)


 Line 144 of ClassLoaderLogManager is the addLogger method trying to read the
 .level property for the logger being created.

 The catalina.policy is pretty much the stock one. I'm confused because the
 catalina.policy has:

 grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
     permission java.lang.RuntimePermission "getClassLoader";

 The page in question that's erroring out is a JSP that's calling a
 per-context jar. The hierarchy looks something like:

 JSP ->
 context/WEB-INF/lib/jar Class File ->
 $CATALINA_BASE/lib/ MH Software.jar ->
 $CATALINA_BASE javax.mail.jar ->
 $CATALINA_HOME/bin/tomcat-juli.jar

 $CATALINA_BASE/lib, has the grant for java.security.AllPermission;

 I don't know if this makes a difference, but I'm using log4j, and following
 the instructions here:

 http://tomcat.apache.org/tomcat-7.0-doc/logging.html#Using_Log4j

 I've made $CATALINA_BASE/conf/logging.properties an empty file.

 Finally, it SEEMS to only be happening in JSP files. Calls directly from
 classes in the context jar file don't seem to be failing.

 If anyone could point me in the right direction, I would really appreciate
 it.


I filed an issue for this in Bugzilla:
https://issues.apache.org/bugzilla/show_bug.cgi?id=56776

 per-context jar. The hierarchy looks something like:

 JSP ->
 context/WEB-INF/lib/jar Class File ->
 $CATALINA_BASE/lib/ MH Software.jar ->
 $CATALINA_BASE javax.mail.jar ->
 $CATALINA_HOME/bin/tomcat-juli.jar

 $CATALINA_BASE/lib, has the grant for java.security.AllPermission;


Unless all classes in the call chain have the necessary permission
(java.lang.RuntimePermission getClassLoader) the call won't be
allowed.

A workaround is to grant that permission to web applications, but I
would not really recommend that as a long-term solution, as it makes
the system less secure.  It should be possible to fix this on the Tomcat
side, thus I filed the issue.

Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
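
The rule stated in the reply above, that every class in the call chain needs the permission, modeled as an added example (not code from the post or from Tomcat). The grants are constructed, javax.mail.jar is assumed to sit in $CATALINA_BASE/lib, and the `privileged_at` case shows Java's general doPrivileged mechanism, not the actual change made for the Bugzilla issue.

```python
ALL = "java.security.AllPermission"
GET_CL = "java.lang.RuntimePermission getClassLoader"

# Constructed grants, loosely following the post: web application code has no
# getClassLoader grant, $CATALINA_BASE/lib has AllPermission, tomcat-juli.jar
# has getClassLoader. "jre" stands for java.* classes (system domain).
STOCK_POLICY = {
    "webapp": set(),
    "base-lib": {ALL},
    "tomcat-juli": {GET_CL},
    "jre": {ALL},
}

# Call chain from the post, innermost frame first: (code, protection domain).
CHAIN = [
    ("ClassLoader.getParent", "jre"),
    ("ClassLoaderLogManager.findProperty", "tomcat-juli"),
    ("Logger.getLogger", "jre"),
    ("javax.mail.Session.getInstance", "base-lib"),  # assumed location
    ("MHMail.sendSMTP", "base-lib"),
    ("WEB-INF/lib class", "webapp"),
    ("JSP", "webapp"),
]

def denying_domains(chain, policy, perm, privileged_at=None):
    """Walk the stack the way AccessController.checkPermission does.

    Every consulted frame's domain must imply `perm`. If the frame named
    `privileged_at` called doPrivileged, frames above it are not consulted.
    Returns the domains lacking the permission (empty list = allowed)."""
    denied = []
    for code, domain in chain:
        granted = policy[domain]
        if ALL not in granted and perm not in granted and domain not in denied:
            denied.append(domain)
        if code == privileged_at:
            break  # the doPrivileged caller is the last domain checked
    return denied

def with_grant(policy, domain, perm):
    """Copy of `policy` with one extra grant (models editing catalina.policy)."""
    new = {d: set(p) for d, p in policy.items()}
    new[domain].add(perm)
    return new
```

The first result reproduces the denial even though tomcat-juli.jar holds the grant; the second is the workaround of widening the web application grant; the third leaves the web application grant untouched.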



Re: TC7 and SSL Questions

2014-07-28 Thread John Smith
On Thu, Jul 24, 2014 at 6:24 PM, Ognjen Blagojevic 
ognjen.d.blagoje...@gmail.com wrote:

 John,


 On 24.7.2014 21:11, John Smith wrote:

 1. Can I specify /admin/* as a security constraint url pattern so that only
 that directory runs under SSL?


 Yes, you can.



  2. The NIO connector is accepted for JSSE, since I'm using it already, is
 there any point in not using it as my SSL connector?


 If /admin has low traffic, then I would say, there is no need to use
 anything else. For high traffic TLS/SSL applications you may want to do
 some performance measurements of different Tomcat connectors, simulating
 your traffic patterns.



  3. Any known issues with routing 443 to 8443 in Iptables?


 I recommend using JSVC instead of iptables redirect. I had issues with
 redirect when used with virtual hosts. IPv6 (ip6tables) doesn't support
 redirect, either.



  4. The admin tools share underlying classes with the rest of the web
 application, which is why it makes sense to have it just as a subdirectory
 in the same webapp. But would I be better off migrating the admin tools to
 their own webapp for the purposes of SSL?


 Yes, I think so. From the security standpoint, that is way better. It will
 be much easier to apply IP address filtering, move it to another port /
 server, to isolate admin and user privileges, and so on.

 -Ognjen



Thanks for the info.

Best,
John