Hi, I have a problem with the Catalina’s security manager. We are using Tomcat 6, with JDK 6 and JSF 2.1 with Spring, JPA and ICEFaces. My app works very well when I run my app with the security manager disable.
The problem presents when I enable the security manager of Tomcat. My app fails when Tomcat start giving me the next log: INFO: Checking whether login URL '/security/login.jsf' is accessible with your configuration 8/05/2013 12:29:11 PM org.springframework.web.context.ContextLoader initWebApplicationContext INFO: Root WebApplicationContext: initialization completed in 1969 ms 8/05/2013 12:29:11 PM org.apache.catalina.core.StandardContext start SEVERE: Error listenerStart 8/05/2013 12:29:11 PM org.apache.catalina.core.StandardContext start SEVERE: Falló en arranque del Contexto [/WebRed] debido a errores previos 8/05/2013 12:29:11 PM com.sun.faces.config.ConfigureListener contextDestroyed SEVERE: Unexpected exception when attempting to tear down the Mojarra runtime java.lang.NullPointerException at com.sun.faces.config.ConfigureListener.getInitFacesContext(ConfigureListener.java:740) at com.sun.faces.config.ConfigureListener.contextDestroyed(ConfigureListener.java:300) at org.apache.catalina.core.StandardContext.listenerStop(StandardContext.java:4245) at org.apache.catalina.core.StandardContext.stop(StandardContext.java:4886) at org.apache.catalina.core.StandardContext.start(StandardContext.java:4750) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:799) at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:124) at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:146) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:777) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:601) at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:943) at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:563) at org.apache.catalina.startup.HostConfig.check(HostConfig.java:1399) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.tomcat.util.modeler.BaseModelMBean.invoke(BaseModelMBean.java:297) at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836) at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:762) at org.apache.catalina.manager.ManagerServlet.check(ManagerServlet.java:1500) at org.apache.catalina.manager.HTMLManagerServlet.doPost(HTMLManagerServlet.java:252) at javax.servlet.http.HttpServlet.service(HttpServlet.java:643) at javax.servlet.http.HttpServlet.service(HttpServlet.java:723) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:276) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:517) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:283) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:56) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185) at org.apache.catalina.filters.CsrfPreventionFilter.doFilter(CsrfPreventionFilter.java:194) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:277) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:276) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:517) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:309) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:250) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:56) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:563) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:606) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) at java.lang.Thread.run(Thread.java:662) The app works very when I put this line in the Catalina.policy grant codeBase "file:${catalina.home}/webapps/WebRed/-" { permission java.security.AllPermission; }; There was other errors because the permissions, but I have been add some and the lines are the next: grant codeBase "file:${catalina.home}/webapps/WebRed/-" { permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.core"; permission java.lang.RuntimePermission "accessClassInPackage.org.springframework.web.context"; permission java.lang.RuntimePermission "accessClassInPackage.org.springframework.web.context.request"; permission java.lang.RuntimePermission "accessClassInPackage.org.springframework.web.filter"; permission java.lang.RuntimePermission "accessClassInPackage.com.sun.faces.config"; permission java.lang.RuntimePermission "accessClassInPackage.org.icefaces.util"; permission java.lang.RuntimePermission "accessDeclaredMembers"; permission org.apache.naming.JndiPermission "jndi://localhost/WebRed/*"; permission java.io.FilePermission "/WebRed", "read"; permission java.io.FilePermission "${catalina.home}/webapps/WebRed", "read,write"; permission java.io.FilePermission "${catalina.home}/webapps/WebRed/-", "read,write,delete"; permission java.util.PropertyPermission "org.apache.commons.logging.LogFactory.HashtableImpl", "read"; permission java.util.PropertyPermission "org.springframework.web.context.request", "read"; permission java.util.PropertyPermission "org.springframework.web.servlet", "read"; permission java.util.PropertyPermission "org.springframework.web.context", "read"; permission java.util.PropertyPermission "org.apache.catalina.manager.util", "read"; permission java.util.PropertyPermission "org.apache.catalina.manager", "read"; permission java.util.PropertyPermission "org.apache.catalina", "read"; permission java.util.PropertyPermission "org.apache.catalina.core", "read"; permission java.util.PropertyPermission "spring.security.strategy", "read"; permission java.util.PropertyPermission "com.icesoft.faces.webapp", "read"; permission java.util.PropertyPermission "com.sun.faces.config", "read"; permission java.util.PropertyPermission "javax.faces.webapp", "read"; permission java.util.PropertyPermission "catalina.base", "read"; permission java.util.PropertyPermission "org.icefaces.util", "read"; }; But still the app not works and I do not know what other permissions it needs to run. As I mentioned I think it’s only permission that are requiered, because with “java.security.AllPermission;” works very well. Thank you