Re: problems start cyclos in Tomcat with security manager

awarnier wrote:
> stefan-b wrote:
>> Hello, I hope you can help. I've installed cyclos (http://project.cyclos.org) on my tomcat5.5 running on Debian lenny on an amd64Bit machine. A mail to the Cyclos team itself has had no answer for a week and the Cyclos forum is nearly dead :( With a disabled security manager all works fine. The manager was disabled in /etc/init.d/tomcat5.5
>
> To make a long story short, I do not think that there is any problem in disabling the security manager, if you trust the webapps that you install on your server. It is another matter entirely if you are going to allow other people to load and install webapps on it. Finding out which specific permissions you need to grant to an application which you do not entirely know, can be a long and frustrating experience, and may well come to the same thing anyway in the end, given a complex application.
>
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

Many thanks for your quick answer. I now understand the sense of the security manager. It should save users from other users if more than one user has access to create webapps. It seems that there is no chance to get cyclos working with enabled security manager. However...

I found some help here: http://publib.boulder.ibm.com/infocenter/wasinfo/v4r0/index.jsp?topic=/com.ibm.websphere.v4.doc/wasa_content/050107.html and added these lines to /etc/tomcat5.5/policy.d/50user.policy:

    grant {
        permission java.lang.RuntimePermission "createClassLoader";
        permission java.lang.RuntimePermission "getClassLoader";
        permission java.lang.RuntimePermission "setContextClassLoader";
        permission java.lang.RuntimePermission "shutdownHooks";
        permission java.lang.RuntimePermission "setFactory";
        permission java.lang.RuntimePermission "setIO";
        permission java.lang.RuntimePermission "modifyThread";
        permission java.lang.RuntimePermission "stopThread";
        permission java.lang.RuntimePermission "modifyThreadGroup";
        permission java.lang.RuntimePermission "getProtectionDomain";
        permission java.lang.RuntimePermission "readFileDescriptor";
        permission java.lang.RuntimePermission "writeFileDescriptor";
        permission java.lang.RuntimePermission "loadLibrary.*";
        permission java.lang.RuntimePermission "accessClassInPackage.*";
        permission java.lang.RuntimePermission "defineClassInPackage.*";
        permission java.lang.RuntimePermission "accessDeclaredMembers";
        permission java.lang.RuntimePermission "queuePrintJob";
        permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
        permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
        permission java.net.SocketPermission "*", "connect";
        permission javax.xml.ws.WebServicePermission "publishEndpoint";
        permission java.util.PropertyPermission "*", "read,write";
    };

... and enabled nearly everything that is possible, or in fact disabled the security manager.

The end of the story is, finally, a NullPointerException on LifecycleListener.contextInitialized():

    ERROR LifecycleListener - Error on LifecycleListener.contextInitialized()#012java.lang.NullPointerException#012#011at nl.strohalm.cyclos.utils.SettingsHelper.storeLocalSettings(SettingsHelper.java:125)#012#011at nl.strohalm.cyclos.http.lifecycle.SettingsInitialization.init(SettingsInitialization.java:47)#012#011at nl.strohalm.cyclos.http.LifecycleListener$2.doInTransactionWithoutResult(LifecycleListener.java:199)#012#011at org.springframework.transaction.support.TransactionCallbackWithoutResult.doInTransaction(TransactionCallbackWithoutResult.java:33)#012#011at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:127)#012#011at nl.strohalm.cyclos.http.LifecycleListener.run(LifecycleListener.java:194)#012#011at nl.strohalm.cyclos.http.LifecycleListener.runAll(LifecycleListener.java:217)#012#011at nl.strohalm.cyclos.http.LifecycleListener.contextInitialized(LifecycleListener.java:138)#012#011at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3764)#012#011at org.apache.catalina.core.StandardCo
    Jul 15 16:45:07 srv097 jsvc.exec[17567]: ntext.start(StandardContext.java:4216)#012#011at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:760)#012#011at org.apache.catalina.core.ContainerBase.access$0(ContainerBase.java:744)#012#011at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:144)#012#011at java.security.AccessController.doPrivileged(Native Method)#012#011at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:738)#012#011at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:544)#012#011at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:926)#012#011at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:889)#012#011at

Re: problems start cyclos in Tomcat with security manager (Solved)

Seems it runs with security manager enabled. The error from the post above comes from a wrong database version (cyclos 3.6 Beta3) which I had tested temporarily but not reset for Cyclos 3.5.6 Stable.

These lines I added to /etc/tomcat5.5/policy.d/50user.policy, inspired by this IBM site: http://publib.boulder.ibm.com/infocenter/wasinfo/v4r0/index.jsp?topic=/com.ibm.websphere.v4.doc/wasa_content/050107.html

This is the full enabled list and will be stepwise disabled/commented out to support only the really needed features for Cyclos.

    grant {
        permission java.lang.RuntimePermission "createClassLoader";
        permission java.lang.RuntimePermission "getClassLoader";
        permission java.lang.RuntimePermission "setContextClassLoader";
        permission java.lang.RuntimePermission "shutdownHooks";
        permission java.lang.RuntimePermission "setFactory";
        permission java.lang.RuntimePermission "setIO";
        permission java.lang.RuntimePermission "modifyThread";
        permission java.lang.RuntimePermission "stopThread";
        permission java.lang.RuntimePermission "modifyThreadGroup";
        permission java.lang.RuntimePermission "getProtectionDomain";
        permission java.lang.RuntimePermission "readFileDescriptor";
        permission java.lang.RuntimePermission "writeFileDescriptor";
        permission java.lang.RuntimePermission "loadLibrary.*";
        permission java.lang.RuntimePermission "accessClassInPackage.*";
        permission java.lang.RuntimePermission "defineClassInPackage.*";
        permission java.lang.RuntimePermission "accessDeclaredMembers";
        permission java.lang.RuntimePermission "queuePrintJob";
        permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
        permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
        permission java.net.SocketPermission "*", "connect";
        permission javax.xml.ws.WebServicePermission "publishEndpoint";
        permission java.util.PropertyPermission "*", "read,write";
    };

This in /etc/init.d/tomcat5.5:

    # Use the Java security manager? (yes/no)
    TOMCAT5_SECURITY=yes

    # 250 MB of assured RAM for tomcat
    JAVA_OPTS=-Xmx250m

Here it runs with security manager enabled :)

    Jul 15 20:02:16 srv097 jsvc.exec[3323]: Jul 15, 2010 8:02:16 PM org.apache.coyote.http11.Http11BaseProtocol init#012INFO: Initializing Coyote HTTP/1.1 on http-8080
    Jul 15 20:02:18 srv097 jsvc.exec[3323]: Jul 15, 2010 8:02:18 PM org.apache.coyote.http11.Http11BaseProtocol init#012INFO: Initializing Coyote HTTP/1.1 on http-8443
    Jul 15 20:02:18 srv097 jsvc.exec[3323]: Jul 15, 2010 8:02:18 PM org.apache.catalina.startup.Catalina load#012INFO: Initialization processed in 2960 ms
    Jul 15 20:02:18 srv097 jsvc.exec[3323]: Jul 15, 2010 8:02:18 PM org.apache.catalina.core.StandardService start#012INFO: Starting service Catalina
    Jul 15 20:02:18 srv097 jsvc.exec[3323]: Jul 15, 2010 8:02:18 PM org.apache.catalina.core.StandardEngine start#012INFO: Starting Servlet Engine: Apache Tomcat/5.5
    Jul 15 20:02:18 srv097 jsvc.exec[3323]: Jul 15, 2010 8:02:18 PM org.apache.catalina.core.StandardHost start#012INFO: XML validation disabled
    Jul 15 20:02:20 srv097 jsvc.exec[3323]: 20:02:20,352 INFO [/banks-of-community] - Initializing Spring root WebApplicationContext
    Jul 15 20:02:35 srv097 jsvc.exec[3323]: 20:02:35,726 INFO DataBaseConfiguration - Cyclos database version 3.5.6 found on MySQL version 5.0.51a-24+lenny4
    Jul 15 20:02:38 srv097 jsvc.exec[3323]: 20:02:38,681 INFO CyclosOSCacheProvider - Enabling disk cache on /var/lib/tomcat5.5/webapps/banks-of-community/WEB-INF/cache
    Jul 15 20:03:12 srv097 jsvc.exec[3323]: 20:03:12,617 INFO [/banks-of-community] - Cyclos initialized
    Jul 15 20:03:13 srv097 jsvc.exec[3323]: 20:03:13,907 INFO [/banks-of-community] - No Configuration for this context. Initializing.
    Jul 15 20:03:13 srv097 jsvc.exec[3323]: 20:03:13,907 INFO [/banks-of-community] - configuring cewolf app..
    Jul 15 20:03:13 srv097 jsvc.exec[3323]: 20:03:13,911 INFO [/banks-of-community] - using storage class de.laures.cewolf.storage.ClusterableSessionStorage
    Jul 15 20:03:13 srv097 jsvc.exec[3323]: 20:03:13,911 INFO [/banks-of-community] - using overlibURL /pages/scripts/overlib.js
    Jul 15 20:03:13 srv097 jsvc.exec[3323]: 20:03:13,912 INFO [/banks-of-community] - debugging is turned off
    Jul 15 20:03:13 srv097 jsvc.exec[3323]: 20:03:13,912 INFO [/banks-of-community] - ...done.
    Jul 15 20:03:16 srv097 jsvc.exec[3323]: Jul 15, 2010 8:03:16 PM org.apache.coyote.http11.Http11BaseProtocol start#012INFO: Starting Coyote HTTP/1.1 on http-8080
    Jul 15 20:03:16 srv097 jsvc.exec[3323]: Jul 15, 2010 8:03:16 PM org.apache.coyote.http11.Http11BaseProtocol start#012INFO: Starting Coyote HTTP/1.1 on http-8443
    Jul 15 20:03:16 srv097 jsvc.exec[3323]: Jul 15, 2010 8:03:16 PM org.apache.jk.common.ChannelSocket init#012INFO: JK: ajp13 listening on /0.0.0.0:8009
    Jul 15 20:03:16 srv097 jsvc.exec[3323]: Jul 15, 2010 8:03:16 PM org.apache.jk.server.JkMain start#012INFO: Jk running ID=0 time=0/86 config=null
    Jul 15 20:03:16 srv097 jsvc.exec[3323]: Jul 15, 2010 8:03:16 PM

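
An added example, not part of the thread or of Cyclos or Tomcat: one way to narrow a blanket grant step by step is to collect the AccessControlException "access denied" messages the webapp produces and turn each distinct one into a grant scoped to the webapp's codeBase. The log lines, the codeBase value and the names parse_denial and build_grant are assumptions made for this sketch; targets known to defeat the sandbox are emitted commented out so they are reviewed rather than granted.

```python
import re

DENIED = re.compile(r'access denied \(([^)]*)\)')
QUOTED = re.compile(r'"([^"]*)"')
# Targets that let code leave the sandbox; emitted commented out for review.
HIGH_RISK = {"createClassLoader", "setSecurityManager",
             "suppressAccessChecks", "<<ALL FILES>>"}

# Constructed sample (not from the thread): syslog-wrapped denials in the
# Java 6 style (unquoted) and the Java 7+ style (quoted), with one repeat.
SAMPLE_LOG = """\
Jul 15 16:40:01 srv097 jsvc.exec[1]: java.security.AccessControlException: access denied (java.io.FilePermission /var/lib/tomcat5.5/webapps/banks-of-community/WEB-INF/cache/index.tmp write)#012#011at java.security.AccessControlContext.checkPermission(...)
Jul 15 16:40:02 srv097 jsvc.exec[1]: java.security.AccessControlException: access denied (java.lang.RuntimePermission createClassLoader)
Jul 15 16:40:03 srv097 jsvc.exec[1]: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "user.timezone" "read")
Jul 15 16:40:04 srv097 jsvc.exec[1]: java.security.AccessControlException: access denied (java.lang.RuntimePermission createClassLoader)
"""
# Assumed codeBase: the webapp directory that appears in the startup log.
CODE_BASE = "file:/var/lib/tomcat5.5/webapps/banks-of-community/-"

def parse_denial(body):
    """Return (class, target, actions) from the text inside 'access denied (...)'."""
    parts = QUOTED.findall(body)        # Java 7+ quotes every field
    if not parts:                       # older JVMs: space separated, no quotes
        tokens = body.split()
        if len(tokens) > 2:             # target may contain spaces; actions come last
            parts = [tokens[0], " ".join(tokens[1:-1]), tokens[-1]]
        else:
            parts = tokens
    parts += [""] * (3 - len(parts))
    return tuple(parts[:3])

def build_grant(log_text, code_base):
    """Emit one codeBase-scoped grant covering each distinct denial once."""
    denials = sorted({parse_denial(b) for b in DENIED.findall(log_text)})
    out = ['grant codeBase "%s" {' % code_base]
    for cls, target, actions in denials:
        if not (cls and target):
            continue
        perm = 'permission %s "%s"' % (cls, target)
        perm += ', "%s";' % actions if actions else ";"
        risky = target in HIGH_RISK or "execute" in actions.split(",")
        out.append("    " + ("// REVIEW: " if risky else "") + perm)
    out.append("};")
    return "\n".join(out)

if __name__ == "__main__":
    print(build_grant(SAMPLE_LOG, CODE_BASE))
```
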
Re: problems start cyclos in Tomcat with security manager

stefan-b wrote:
> Hello, I hope you can help. I've installed cyclos (http://project.cyclos.org) on my tomcat5.5 running on Debian lenny on an amd64Bit machine. A mail to the Cyclos team itself has had no answer for a week and the Cyclos forum is nearly dead :( With a disabled security manager all works fine. The manager was disabled in /etc/init.d/tomcat5.5

To make a long story short, I do not think that there is any problem in disabling the security manager, if you trust the webapps that you install on your server. It is another matter entirely if you are going to allow other people to load and install webapps on it. Finding out which specific permissions you need to grant to an application which you do not entirely know, can be a long and frustrating experience, and may well come to the same thing anyway in the end, given a complex application.