Ville,
I am not a Security Manager expert. However, I have a few suggestions to try.
In the section of your policy where you grant permissions to web applications,
do you have a grant for all webapps? If you do not, add the following.
If you do, add the following permission so all host names are resolved using DNS:
grant {
// Let all host names be resolved using DNS
permission java.net.SocketPermission "*", "resolve";
};
In the second grant that you provided, there are two dashes
at the end of the codebase. I don't have any like that.
In addition, most of my grants for jar files follow this format:
grant codeBase "jar:file:${catalina.home}/webapps/test/WEB-INF/lib/dbtags.jar!/-" {
permission java.net.SocketPermission "xx.xx.xx.xx:1521", "connect";
};
I hope this helps.
Regards,
Garrel Renick
-----Original Message-----
From: Ville Sulko [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 26, 2002 8:08 AM
To: [EMAIL PROTECTED]
Subject: DBtags with Oracle and Security Manager : SocketPermission
Hi!
I'm trying to get DBTags to work to an Oracle DB.
The problem I'm having is that when Tomcat (4.0.2) is running with
Security Manager enabled, I always get an exception when my JSP-page
tries to connect to the DB. Here is the relevant code and config :
/test/dbtest.jsp
----------------
<%@ taglib uri="http://jakarta.apache.org/taglibs/dbtags"; prefix="sql" %>
<sql:connection id="conn1">
<sql:url>jdbc:oracle:thin:@xx.xx.xx.xx:1521:TEST</sql:url>
<sql:driver>oracle.jdbc.driver.OracleDriver</sql:driver>
<sql:userId>user</sql:userId>
<sql:password>passwd</sql:password>
</sql:connection>
...
<sql:closeConnection conn="conn1"/>
catalina.policy
---------------
grant codeBase "file:${catalina.home}/webapps/test/-" {
permission java.net.SocketPermission "xx.xx.xx.xx:1521", "connect";
}
grant codeBase "file:${catalina.home}/webapps/test/WEB-INF/lib/dbtags.jar!/--" {
permission java.net.SocketPermission "xx.xx.xx.xx:1521", "connect";
}
Tomcat is started with 'catalina.sh start -security'.
Oracle thin-client jar is installed as $CATALINA_HOME/common/lib/classes12_01.jar.
The exception I get when accessing the JSP is :
java.security.AccessControlException: access denied (java.net.SocketPermission
xx.xx.xx.xx resolve)
at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:272)
at java.security.AccessController.checkPermission(AccessController.java:399)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:545)
at java.lang.SecurityManager.checkConnect(SecurityManager.java:1042)
at java.net.InetAddress.getAllByName0(InetAddress.java:559)
at java.net.InetAddress.getAllByName0(InetAddress.java:540)
at java.net.InetAddress.getByName(InetAddress.java:449)
at java.net.Socket.<init>(Socket.java:100)
at oracle.net.nt.TcpNTAdapter.connect(Unknown Source)
at oracle.net.nt.ConnOption.connect(Unknown Source)
at oracle.net.nt.ConnStrategy.execute(Unknown Source)
at oracle.net.resolver.AddrResolution.resolveAndExecute(Unknown Source)
at oracle.net.ns.NSProtocol.establishConnection(Unknown Source)
at oracle.net.ns.NSProtocol.connect(Unknown Source)
at oracle.jdbc.ttc7.TTC7Protocol.connect(TTC7Protocol.java:1120)
at oracle.jdbc.ttc7.TTC7Protocol.logon(TTC7Protocol.java:195)
at oracle.jdbc.driver.OracleConnection.<init>(OracleConnection.java:198)
at oracle.jdbc.driver.OracleDriver.getConnectionInstance(OracleDriver.java:251)
at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:224)
at java.sql.DriverManager.getConnection(DriverManager.java:517)
at java.sql.DriverManager.getConnection(DriverManager.java:177)
at
org.apache.taglibs.dbtags.connection.ConnectionTag.doEndTag(ConnectionTag.java:225)
at org.apache.jsp.dbtest$jsp._jspService(dbtest$jsp.java:237)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:107)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
....
The JSP works just fine when run without the security manager. I have
also tried to grant 'permission java.security.AllPermission;' for the
two above grants in catalina.policy, but the result is exactly the
same...
Anyone, any ideas?
Regards,
Ville
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
