Adding these permissions took care of the problem. Thanks a lot. -- Gayathri
-----Original Message----- From: Jeanfrancois Arcand [mailto:[EMAIL PROTECTED]] Sent: Friday, December 13, 2002 12:45 AM To: Tomcat Users List Subject: Re: Security violation in Tomcat 4.0.6 In catalina.properties, can you add: // These permissions are granted by default to all web applications // In addition, a web application will be given a read FilePermission // and JndiPermission for all files and directories in its document root. grant { [.....] // Required for sevlets and JSP's permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util.*"; permission java.lang.RuntimePermission "defineClassInPackage.org.apache.catalina.util"; permission java.lang.RuntimePermission "defineClassInPackage.org.apache.catalina.util.*"; That should fix theproblem. This has been fixed in 4.1.X. If it works, then file a bug against 4.0.6 (we will add the property next time we released 4.0.x) -- Jeanfrancois Gayathri Shaikh wrote: >Hi > >I am using Tomcat 4.0.6 LE JDK 1.4 with JDK 1.4.1_01. > >I am getting the following Security violation when I try to access my web >application. > >java.security.AccessControlException: access denied >(java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util) > at >java.security.AccessControlContext.checkPermission(AccessControlContext.jav a >:272) > at >java.security.AccessController.checkPermission(AccessController.java:399) > at >java.lang.SecurityManager.checkPermission(SecurityManager.java:545) > at >java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1501) > at >org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoade r >.java:1056) > at >org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoade r >.java:992) > at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:313) > at >org.apache.catalina.connector.HttpRequestBase.parseParameters(HttpRequestBa s >e.java:615) > at >org.apache.catalina.connector.HttpRequestBase.getParameter(HttpRequestBase. j >ava:691) > at >org.apache.catalina.connector.RequestFacade.getParameter(RequestFacade.java : >160) > at com.clickndone.billerdirect.BDRouter.doPost(BDRouter.java:141) > at com.clickndone.billerdirect.BDRouter.doGet(BDRouter.java:106) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:740) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) > at >org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applicatio n >FilterChain.java:247) > at >org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilte r >Chain.java:98) > at >org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChai n >.java:176) > at java.security.AccessController.doPrivileged(Native Method) > at >org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterC h >ain.java:172) > at >org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.j a >va:243) > at >org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java: 5 >66) > at >org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472) > at >org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943) > at >org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.j a >va:190) > at >org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java: 5 >66) > at >org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472) > at >org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943) > at >org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2347) > at >org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:18 0 >) > at >org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java: 5 >66) > at >org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve . >java:170) > at >org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java: 5 >64) > at >org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:17 0 >) > at >org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java: 5 >64) > at >org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:468) > at >org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java: 5 >64) > at >org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472) > at >org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943) > at >org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.jav a >:174) > at >org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java: 5 >66) > at >org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472) > at >org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943) > at >org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java : >1027) > at >org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:112 5 >) > at java.lang.Thread.run(Thread.java:484) > >I have granted the following extra permissions: > >grant { > permission java.net.SocketPermission "LDP2KSEN0066:1024-65535", >"connect, resolve"; > > permission java.util.PropertyPermission "https.proxyHost", "write"; > permission java.util.PropertyPermission "https.proxyPort", "write"; > permission java.util.PropertyPermission "java.security.policy", "write"; > permission java.util.PropertyPermission "propertiesDirectory", "read"; > > permission java.lang.RuntimePermission "getClassLoader"; > > permission java.io.FilePermission "C:\\Program >Files\\Click-n-DoneServerSuite\\common\\properties\\-", "read, write"; > permission java.io.FilePermission "C:\\Program >Files\\Click-n-DoneServerSuite\\WebApplications\\BillerListWebApp\\CNDBille r >List.txt", "read, write"; > > permission java.io.FilePermission "C:\\Program >Files\\Click-n-DoneServerSuite\\logs\\-", "read, write"; > permission java.io.FilePermission "C:\\Tomcat_JDK1.3.1\\-", "read"; >}; > >If I access another web application (which has only JSPs), there is no >problem. Also after that if I access the first web-app also, there is no >problem. The first web-app has a servlet that accesses >HttpServletRequest.getParameter("currentPage") and this is what is throwing >the exception. I also have no problem if I use Tomcat 4.0.2 LE JDK 1.4. > >What has changed between versions 4.0.2 and 4.0.6 that causes this problem ? > >Thanks a lot. > >-- Gayathri > >-- >To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> >For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> > > > > -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]> -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
