Hi:
Is it possible that you're running into case-sensitivity or path-separator
problems? The following is from a policy file included in a Sun product:
* Note: ExecOptionPermission uses String.equals() for equality comparisons,
* so the values of these permissions are case sensitive. For example, the
* following two permissions are not equal:
* com.sun.rmi.rmid.ExecOptionPermission
* C:\jini1_2\lib\sharedvm.jar
* com.sun.rmi.rmid.ExecOptionPermission
* c:\jini1_2\lib\sharedvm.jar
* [Note the case of the drive letters.]
* This subtlety can occur, for example, when the com.sun.jini.jsk.home
* property is set to "c:\...", but the service starter
* framework, which uses File.getCanonicalFile() to build its command
* environment, ends up returning "C:\..." on certain platforms.
*
If you're on Windows, you might also need to use the backslash as the path
separator. I'm not sure if Tomcat's class loader uses the standard policy
file reader or not, but with the standard security manager, you need to
escape the backslashes (double-backslashes), as in:
permission java.io.FilePermission "d:\\windows\\temp\\-",
"read,write,execute,delete";
Cheers,
Greg Trasuk, President
StratusCom Manufacturing Systems Inc. - We use information technology to
solve business problems on your plant floor.
http://stratuscom.ca
>-----Original Message-----
>From: John Pelly [mailto:[EMAIL PROTECTED]]
>Sent: November 18, 2002 22:19
>To: 'Tomcat Users List'; 'David Wall'
>Subject: RE: Granting security permissions not working
>
>
>Thank you for your suggestions. See my comments below:
>
>> First, ensure you are running with the -security option that
>> turns on Tomcat
>> with the security manager installed. Often you need to modify the
>
>I am definitely running with the -security option. I have double-checked
>that it's in my start.bat script in the bin/ directory and I see the
>statement "Using Security Manager" on the tomcat console. Plus, when
>running with -Djava.security.debug=access,failure, I see permissions
>checking etc. going on.
>
>> Second, you are granting your permissions far too low on the
>> file path. At
>> the very least, consider something like
>>
>> grant codeBase "file:${catalina.base}/webapps/yourappname/-" {
>
>The grant that I described there was a last-ditch desperate attempt to
>cover everything with AllPermission. I had previously tried granting on
>the individual .jar files, on the webapps directory, on my specific
>webapps directory, etc. I've tried every conceivable known permutation.
>Regardless, I did as you suggested and put the grant back on the
>specific webapp directory (using the "-" at the end)... No luck.
>
>>
>> Third, are you actually running multiple instances in which your
>> catalina.base is different than your catalina.home? If so,
>
>I'm only running one instance of tomcat. I'm not sure where/how
>catalina.base gets set, but I have a good feeling that the actual policy
>file is being read b/c if I remove that policy file then everything goes
>nuts.
>
>One interesting thing is that I can grant access in the general grant {
>... } clause (no specific codeBase specified... Just the default for all
>webapps), and things will work fine. However, I don't want to grant
>access to all webapps, I only want to grant access to a particular
>webapp/jar file.
>
>Basically, it looks like grant entries on codebases under the webapps
>directory are *completely ignored*. No matter what I grant on a
>particular webapp (using grant codeBase
>"file:${catalina.base}/webapps/appname/-" { <perms> }), nothing takes
>effect at all. I can verify this by looking at debug output (setting
>java.debug.security=policy,access,failure) -- when it prints the
>Protection Domain that failed the access call, I can clearly see that
>*no permissions* are granted to the jar files under that webapp/codebase
>besides the default jndi and file read permissions. If I want any
>permissions to apply, I have to grant them generally in the grant { ...
>} clause (no codeBase).
>
>Obviously, this is not desired behavior. It looks like there could be a
>bug in the Tomcat policy management?
>
>JP
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
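
The two pitfalls raised in the reply above (single backslashes and drive-letter case), as an added example that is not part of the original message or of any Sun or Tomcat code. It decodes a quoted policy value with java.io.StreamTokenizer, on the assumption that this matches the standard policy file reader's escape handling; the class name, method names and sample paths are constructed for illustration.

```java
import java.io.IOException;
import java.io.StreamTokenizer;
import java.io.StringReader;

public class PolicyPathCheck {

    // Decode one double-quoted token the way java.io.StreamTokenizer does:
    // a backslash inside the quotes starts an escape sequence.
    static String decodeQuoted(String quoted) throws IOException {
        StreamTokenizer st = new StreamTokenizer(new StringReader(quoted));
        st.quoteChar('"');
        if (st.nextToken() != '"') {
            throw new IOException("not a quoted string: " + quoted);
        }
        return st.sval;
    }

    // Explain why a policy value does or does not match the path checked at run time.
    static String diagnose(String quotedPolicyValue, String runtimePath) throws IOException {
        String decoded = decodeQuoted(quotedPolicyValue);
        if (decoded.equals(runtimePath)) {
            return "match";
        }
        if (decoded.equalsIgnoreCase(runtimePath)) {
            return "case mismatch (String.equals() fails)";
        }
        return "different path after escape processing: ["
                + decoded.replace("\t", "<TAB>") + "]";
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample values: the paths presented at permission-check time.
        String runtimeTemp = "d:\\windows\\temp\\-";
        String runtimeJar = "C:\\jini1_2\\lib\\sharedvm.jar";

        // Policy text as typed in the file (Java literals double every backslash).
        String single = "\"d:\\windows\\temp\\-\"";        // file: "d:\windows\temp\-"
        String doubled = "\"d:\\\\windows\\\\temp\\\\-\"";  // file: "d:\\windows\\temp\\-"
        String lowerDrive = "\"c:\\\\jini1_2\\\\lib\\\\sharedvm.jar\"";

        System.out.println("single backslashes : " + diagnose(single, runtimeTemp));
        System.out.println("doubled backslashes: " + diagnose(doubled, runtimeTemp));
        System.out.println("lower-case drive   : " + diagnose(lowerDrive, runtimeJar));
    }
}
```

With single backslashes the tokenizer consumes each backslash as an escape, so `\t` in `\temp` becomes a tab character and the granted path no longer names the intended directory.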