On Win32, the forward slash works as well . For example,
grant codebase "file://<drive name>:/-" {
Pae
----- Original Message -----
From: "Greg Trasuk" <[EMAIL PROTECTED]>
To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
Sent: Wednesday, November 20, 2002 5:05 AM
Subject: RE: Granting security permissions not working
> Hi:
>
> Is it possible that you're running into case-sensitivity or path-separator
> problems? The following is from a policy file included in a Sun product:
>
> * Note: ExecOptionPermission uses String.equals() for equality
comparisons,
> * so the values of these permissions are case sensitive. For example, the
> * following two permissions are not equal:
> * com.sun.rmi.rmid.ExecOptionPermission
> * C:\jini1_2\lib\sharedvm.jar
> * com.sun.rmi.rmid.ExecOptionPermission
> * c:\jini1_2\lib\sharedvm.jar
> * [Note the case of the drive letters.]
> * This subtlety can occur, for example, when the com.sun.jini.jsk.home
> * property is set to "c:\...", but the service starter
> * framework, which uses File.getCanonicalFile() to build its command
> * environment, ends up returning "C:\..." on certain platforms.
> *
>
> If you're on Windows, you might also need to use the backslash as the path
> separator. I'm not sure if Tomcat's class loader uses a the standard
policy
> file reader or not, but with the standard security manager, you need to
> escape the backslashes (double-backslashes), as in:
>
> permission java.io.FilePermission "d:\\windows\\temp\\-",
> "read,write,execute,delete";
>
>
> Cheers,
>
> Greg Trasuk, President
> StratusCom Manufacturing Systems Inc. - We use information technology to
> solve business problems on your plant floor.
> http://stratuscom.ca
>
> >-----Original Message-----
> >From: John Pelly [mailto:[EMAIL PROTECTED]]
> >Sent: November 18, 2002 22:19
> >To: 'Tomcat Users List'; 'David Wall'
> >Subject: RE: Granting security permissions not working
> >
> >
> >Thank you for your suggestions. See my comments below:
> >
> >> First, ensure you are running with the -security option that
> >> turns on Tomcat
> >> with the security manager installed. Often you need to modify the
> >
> >I am definitely running with the -security option. I have
> >double-checked
> >that it's in my start.bat script in the bin/ directory and I see the
> >statement "Using Security Manager" on the tomcat console. Plus, when
> >running with -Djava.security.debug=access,failure, I see permissions
> >checking etc. going on.
> >
> >> Second, you are granting your permissions far too low on the
> >> file path. At
> >> the very least, consider something like
> >>
> >> grant codeBase "file:${catalina.base}/webapps/yourappname/-" {
> >
> >The grant that I described there was a last-ditch desparate attempt to
> >cover everything with AllPermission. I had previously tried granting on
> >the individual .jar files, on the webapps directory, on my specific
> >webapps directory, etc. I've tried every conceivable known permutation.
> >Regardless, I did as you suggested and put the grant back on the
> >specific webapp directory (using the "-" at the end)... No luck.
> >
> >>
> >> Third, are you actually running multiple instances in which your
> >> catalina.base is different than your catalina.home? If so,
> >
> >I'm only running one instance of tomcat. I'm not sure where/how
> >catalina.base gets set, but I have a good feeling that the
> >actual policy
> >file is being read b/c if I remove that policy file then
> >everything goes
> >nuts.
> >
> >One interesting thing is that I can grant access in the general grant {
> >... } clause (no specific codeBase specified... Just the
> >default for all
> >webapps), and things will work fine. However, I don't want to grant
> >access to all webapps, I only want to grant access to a particular
> >webapp/jar file.
> >
> >Basically, it looks like grant entries on codebase's under the webapps
> >directory are *completely ignored*. No matter what I grant on a
> >particular webapp (using grant codeBase
> >"file:${catalina.base}/webapps/appname/-" { <perms> }), nothing takes
> >effect at all. I can verify this by looking at debug output (setting
> >java.debug.security=policy,access,failure) -- when it prints the
> >Protection Domain that failed the access call, I can clearly see that
> >*no permissions* are granted to the jar files under that
> >webapp/codebase
> >besides the default jndi and file read permissions. If I want any
> >permissions to apply, I have to grant them generally in the grant { ...
> >} clause (no codeBase).
> >
> >Obviously, this is not desired behavior. It looks like there could be a
> >bug in the Tomcat policy management?
> >
> >JP
> >
> >
> >--
> >To unsubscribe, e-mail:
> <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail:
> <mailto:[EMAIL PROTECTED]>
>
>
> --
> To unsubscribe, e-mail:
<mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail:
<mailto:[EMAIL PROTECTED]>
>
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
