Re: Security Manager Exception
2014-07-22 20:04 GMT+04:00 George Sexton geor...@mhsoftware.com: I'm using Tomcat 7.0.54 with the security manager. I'm getting an exception I don't understand: 2014-07-22 09:27:03,934 [http-bio-80-exec-64] ERROR org.apache.catalina.core.ContainerBase.[Catalina].[somehostname.mhsoftware.com].[/].[jsp]- Servlet.service() for servlet [jsp] in context with path [] threw exception [java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)] with root cause java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader) at java.security.AccessControlContext.checkPermission(Unknown Source) at java.security.AccessController.checkPermission(Unknown Source) at java.lang.SecurityManager.checkPermission(Unknown Source) at java.lang.ClassLoader.checkClassLoaderPermission(Unknown Source) at java.lang.ClassLoader.getParent(Unknown Source) at org.apache.juli.ClassLoaderLogManager.findProperty(ClassLoaderLogManager.java:295) at org.apache.juli.ClassLoaderLogManager.getProperty(ClassLoaderLogManager.java:266) at org.apache.juli.ClassLoaderLogManager.addLogger(ClassLoaderLogManager.java:144) at java.util.logging.LogManager.demandLogger(Unknown Source) at java.util.logging.Logger.demandLogger(Unknown Source) at java.util.logging.Logger.getLogger(Unknown Source) at com.sun.mail.util.MailLogger.init(MailLogger.java:115) at javax.mail.Session.initLogger(Session.java:226) at javax.mail.Session.init(Session.java:210) at javax.mail.Session.getInstance(Session.java:247) at com.MHSoftware.net.mail.MHMail.sendSMTP(MHMail.java:470) Line 144 of ClassLoaderLogManager is the addLogger method trying to read the .level property for the logger being created. The catalina.policy is pretty much the stock one. I'm confused because the catalina.policy has: grant codeBase file:${catalina.home}/bin/tomcat-juli.jar { permission java.lang.RuntimePermission getClassLoader; The page in question that's erroring out is a JSP that's calling a per-context jar. The hierarchy looks something like: JSP - context/WEB-INF/lib/jar Class File - $CATALINA_BASE/lib/ MH Software.jar - $CATALINA_BASE javax.mail.jar - $CATALINA_HOME/bin/tomcat-juli.jar $CATALINA_BASE/lib, has the grant for java.security.AllPermission; I don't know if this makes a difference, but I'm using log4j, and following the instructions here: http://tomcat.apache.org/tomcat-7.0-doc/logging.html#Using_Log4j I've made $CATALINA_BASE/conf/logging.properties an empty file. Finally, it SEEMS to only be happening in JSP files. calls directly from classes in the context jar file don't seem to be failing. If anyone could point me in the right direction, I would really appreciate it. I filed an issue for this into bugzilla: https://issues.apache.org/bugzilla/show_bug.cgi?id=56776 per-context jar. The hierarchy looks something like: JSP - context/WEB-INF/lib/jar Class File - $CATALINA_BASE/lib/ MH Software.jar - $CATALINA_BASE javax.mail.jar - $CATALINA_HOME/bin/tomcat-juli.jar $CATALINA_BASE/lib, has the grant for java.security.AllPermission; Unless all classes in the call chain have the necessary permission (java.lang.RuntimePermission getClassLoader) the call won't be allowed. A workaround is to grant that permission to web applications, but I would not really recommend that as a long-term solution, as it makes the system less secure. It should be possible to fix this at Tomcat side, thus I filed the issue. Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: TC7 and SSL Questions
On Thu, Jul 24, 2014 at 6:24 PM, Ognjen Blagojevic ognjen.d.blagoje...@gmail.com wrote: John, On 24.7.2014 21:11, John Smith wrote: 1. Can I specify /admin/* as a security constraint url pattern so that only that directory runs under SSL? Yes, you can. 2. The NIO connector is accepted for JSSE, since I'm using it already, is there any point in not using it as my SSL connector? If /admin has low traffic, then I would say, there is no need to use anything else. For high traffic TLS/SSL applications you may want to do some performance measurements of different Tomcat connectors, simulating your traffic patterns. 3. Any known issues with routing 443 to 8443 in Iptables? I recommend using JSVC instead of iptables redirect. I had issues with redirect when used with virtual hosts. IPv6 (ip6tables) doesn't support redirect, either. 4. The admin tools share underlying classes with the rest of the web application, which is why it makes sense to have it just as a subdirectory in the same webapp. But would I be better off migrating the admin tools to their own webapp for the purposes of SSL? Yes, I think so. From the security standpoint, that is way better. It will be much easier to apply IP address filtering, move it to another port / server, to isolate admin and user privileges, and so on. -Ognjen - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Thanks for the info. Best, John