When I have set CATALINA_OPTS to:
linux:/var/log/tomcat5/base # echo $CATALINA_OPTS
-Djava.security.debug=all
linux:/var/log/tomcat5/base #
in log I see:
domain 1 ProtectionDomain
CodeSource=CodeSource, url=file:/usr/share/tomcat5/bin/bootstrap.jar,
<no certificates>
ClassLoader=sun.misc.Launcher$AppClassLoader@8e208e2
<no principals>
Permissions:
static: java.security.Permissions@8930893 (
(java.io.FilePermission /usr/share/tomcat5/bin/bootstrap.jar read)
(java.lang.RuntimePermission exitVM)
)
Dne 8. listopadu 2011 13:51 Petr Hracek <phrac...@gmail.com> napsal(a):
> Yes the tomcat should be run as a back-end server (AJP) with apache2-2.2.21.
> I have add to the catalina.policy following permission:
> permission javax.management.MBeanServerPermission "createMBeanServer";
> permission javax.management.MBeamPermission
> "com.javamonitor.mbeans.*","*";
> permission javax.management.MBeanTrustPermission "register";
> permission javax.management.MBeanServerPermission "findMBeanServer";
> permission java.net.SocketPermission "java-monitor.com:80", "connect";
> permission java.net.SocketPermission "java-monitor.com:80", "resolve";
>
> In the log of catalina.out I see:
> log4j:WARN No appenders could be found for logger
> (org.apache.catalina.startup.Embedded).
> log4j:WARN Please initialize the log4j system properly.
>
> But as in ps -ef | grep java and lsof -i | grep java I did not see any
> 8009 and 8005 port or even that tomcat5 is not starting.
>
> Where could be a problem?
>
> Dne 7. listopadu 2011 12:29 André Warnier <a...@ice-sa.com> napsal(a):
>> Petr Hracek wrote:
>>>
>>> Dear tomcat users,
>>>
>>> I have try to configure my really old tomcat5 configuration (for using
>>> -security).
>>> but tomcat is not running.
>>
>> Petr,
>> can you be a bit more specific ? what is not running ? does it start ? does
>> it crash after starting ? is it just not answering requests ? are there
>> error messages anywhere ?
>>
>> On my system tomcat5 is run only as servlet
>>>
>>> engine and not as web server.
>>>
>> Do you mean for example that it runs as a back-end server (through AJP
>> e.g.), with a front-end webserver serving all static content ?
>>
>>
>>
>>> Do you have any example catalina.policy file?
>>> My catalina.policy file is:
>>> // ========== SYSTEM CODE PERMISSIONS
>>> =========================================
>>>
>>>
>>> // These permissions apply to javac
>>> grant codeBase "file:${java.home}/lib/-" {
>>> permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to all shared system extensions
>>> grant codeBase "file:${java.home}/jre/lib/ext/-" {
>>> permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to javac when ${java.home] points at
>>> $JAVA_HOME/jre
>>> grant codeBase "file:${java.home}/../lib/-" {
>>> permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to all shared system extensions when
>>> // ${java.home} points at $JAVA_HOME/jre
>>> grant codeBase "file:${java.home}/lib/ext/-" {
>>> permission java.security.AllPermission;
>>> };
>>> // ========== CATALINA CODE PERMISSIONS
>>> =======================================
>>>
>>>
>>> // These permissions apply to the launcher code
>>> grant codeBase "file:${catalina.home}/bin/commons-launcher.jar" {
>>> permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to the daemon code
>>> grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
>>> permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to the commons-logging API
>>> grant codeBase "file:${catalina.home}/bin/commons-logging-api-1.1.1.jar" {
>>> permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to the server startup code
>>> grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
>>> permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to the JMX server
>>> grant codeBase "file:${catalina.home}/bin/jmx.jar" {
>>> permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to JULI
>>> grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
>>> permission java.util.PropertyPermission
>>> "java.util.logging.config.class", "read";
>>> permission java.util.PropertyPermission
>>> "java.util.logging.config.file", "read";
>>> permission java.io.FilePermission
>>> "${java.home}${file.separator}lib${file.separator}logging.properties",
>>> "read";
>>> permission java.lang.RuntimePermission "shutdownHooks";
>>> permission java.io.FilePermission
>>>
>>> "${catalina.base}${file.separator}conf${file.separator}logging.properties",
>>> "read";
>>> permission java.util.PropertyPermission "catalina.base", "read";
>>> permission java.util.logging.LoggingPermission "control";
>>> permission java.io.FilePermission
>>> "${catalina.base}${file.separator}logs", "read, write";
>>> permission java.io.FilePermission
>>> "${catalina.base}${file.separator}logs${file.separator}*", "read,
>>> write";
>>> permission java.lang.RuntimePermission "getClassLoader";
>>> // To enable per context logging configuration, permit read
>>> access to the appropriate file.
>>> // Be sure that the logging configuration is secure before
>>> enabling such access
>>> // eg for the examples web application:
>>> // permission java.io.FilePermission
>>>
>>> "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties",
>>> "read";
>>> };
>>>
>>> // These permissions apply to the servlet API classes
>>> // and those that are shared across all class loaders
>>> // located in the "common" directory
>>> grant codeBase "file:${catalina.home}/common/-" {
>>> permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to the container's core code, plus any
>>> additional
>>> // libraries installed in the "server" directory
>>> grant codeBase "file:${catalina.home}/server/-" {
>>> permission java.security.AllPermission;
>>> };
>>>
>>> // The permissions granted to the balancer WEB-INF/classes and
>>> WEB-INF/lib directory
>>> grant codeBase "file:${catalina.home}/webapps/balancer/-" {
>>> permission java.lang.RuntimePermission
>>> "accessClassInPackage.org.apache.tomcat.util.digester";
>>> permission java.lang.RuntimePermission
>>> "accessClassInPackage.org.apache.tomcat.util.digester.*";
>>> };
>>> // ========== WEB APPLICATION PERMISSIONS
>>> =====================================
>>>
>>>
>>> // These permissions are granted by default to all web applications
>>> // In addition, a web application will be given a read FilePermission
>>> // and JndiPermission for all files and directories in its document root.
>>> grant {
>>> // Required for JNDI lookup of named JDBC DataSource's and
>>> // javamail named MimePart DataSource used to send mail
>>> permission java.util.PropertyPermission "java.home", "read";
>>> permission java.util.PropertyPermission "java.naming.*", "read";
>>> permission java.util.PropertyPermission "javax.sql.*", "read";
>>>
>>> // OS Specific properties to allow read access
>>> permission java.util.PropertyPermission "os.name", "read";
>>> permission java.util.PropertyPermission "os.version", "read";
>>> permission java.util.PropertyPermission "os.arch", "read";
>>> permission java.util.PropertyPermission "file.separator", "read";
>>> permission java.util.PropertyPermission "path.separator", "read";
>>> permission java.util.PropertyPermission "line.separator", "read";
>>>
>>> // JVM properties to allow read access
>>> permission java.util.PropertyPermission "java.version", "read";
>>> permission java.util.PropertyPermission "java.vendor", "read";
>>> permission java.util.PropertyPermission "java.vendor.url", "read";
>>> permission java.util.PropertyPermission "java.class.version", "read";
>>> permission java.util.PropertyPermission
>>> "java.specification.version", "read";
>>> permission java.util.PropertyPermission "java.specification.vendor",
>>> "read";
>>> permission java.util.PropertyPermission "java.specification.name",
>>> "read";
>>>
>>> permission java.util.PropertyPermission
>>> "java.vm.specification.version", "read";
>>> permission java.util.PropertyPermission
>>> "java.vm.specification.vendor", "read";
>>> permission java.util.PropertyPermission
>>> "java.vm.specification.name", "read";
>>> permission java.util.PropertyPermission "java.vm.version", "read";
>>> permission java.util.PropertyPermission "java.vm.vendor", "read";
>>> permission java.util.PropertyPermission "java.vm.name", "read";
>>>
>>> // Required for OpenJMX
>>> permission java.lang.RuntimePermission "getAttribute";
>>>
>>> // Allow read of JAXP compliant XML parser debug
>>> permission java.util.PropertyPermission "jaxp.debug", "read";
>>>
>>> // Precompiled JSPs need access to this package.
>>> permission java.lang.RuntimePermission
>>> "accessClassInPackage.org.apache.jasper.runtime";
>>> permission java.lang.RuntimePermission
>>> "accessClassInPackage.org.apache.jasper.runtime.*";
>>>
>>> // Precompiled JSPs need access to this system property.
>>> permission java.util.PropertyPermission
>>> "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
>>> };
>>>
>>>
>>> My server.xml configuration file is:
>>> <?xml version="1.0" encoding="UTF-8"?>
>>> <!--
>>> Licensed to the Apache Software Foundation (ASF) under one or more
>>> contributor license agreements. See the NOTICE file distributed with
>>> this work for additional information regarding copyright ownership.
>>> The ASF licenses this file to You under the Apache License, Version 2.0
>>> (the "License"); you may not use this file except in compliance with
>>> the License. You may obtain a copy of the License at
>>>
>>> http://www.apache.org/licenses/LICENSE-2.0
>>>
>>> Unless required by applicable law or agreed to in writing, software
>>> distributed under the License is distributed on an "AS IS" BASIS,
>>> WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>>> See the License for the specific language governing permissions and
>>> limitations under the License.
>>> -->
>>>
>>> <Server port="8005" shutdown="SHUTDOWN">
>>>
>>> <Listener className="org.apache.catalina.core.AprLifecycleListener" />
>>> <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"
>>> />
>>> <Listener
>>> className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
>>> />
>>> <Listener
>>> className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>
>>>
>>> <!-- Global JNDI resources -->
>>> <GlobalNamingResources>
>>>
>>> <!-- Test entry for demonstration purposes -->
>>> <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
>>>
>>> <!-- Editable user database that can also be used by
>>> UserDatabaseRealm to authenticate users -->
>>> <Resource name="UserDatabase" auth="Container"
>>> type="org.apache.catalina.UserDatabase"
>>> description="User database that can be updated and saved"
>>> factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>>> pathname="conf/tomcat-users.xml" />
>>>
>>> </GlobalNamingResources>
>>>
>>> <!-- Define the Tomcat Stand-Alone Service -->
>>> <Service name="Catalina">
>>>
>>> <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
>>> <Connector port="8080" maxHttpHeaderSize="8192"
>>> maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>>> enableLookups="false" redirectPort="8443" acceptCount="100"
>>> connectionTimeout="20000" disableUploadTimeout="true" />
>>> <!-- Note : To disable connection timeouts, set connectionTimeout value
>>> to 0 -->
>>>
>>> <!-- Define an AJP 1.3 Connector on port 8009 -->
>>> <Connector port="8009"
>>> enableLookups="false" redirectPort="8443"
>>> protocol="AJP/1.3" address="127.0.0.1" />
>>>
>>> <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
>>> <!-- See proxy documentation for more information about using this. -->
>>> <Engine name="Catalina" defaultHost="localhost">
>>>
>>> <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>>> resourceName="UserDatabase"/>
>>>
>>> <!-- Define the default virtual host
>>> Note: XML Schema validation will not work with Xerces 2.2.
>>> -->
>>> <Host name="localhost" appBase="webapps"
>>> unpackWARs="true" autoDeploy="true"
>>> xmlValidation="false" xmlNamespaceAware="false">
>>>
>>>
>>> <!--
>>> <Valve className="org.apache.catalina.authenticator.SingleSignOn"
>>> />
>>> -->
>>>
>>> <!--
>>> <Valve className="org.apache.catalina.valves.AccessLogValve"
>>> directory="logs" prefix="localhost_access_log."
>>> suffix=".txt"
>>> pattern="common" resolveHosts="false"/>
>>> -->
>>> <!--
>>> <Valve
>>> className="org.apache.catalina.valves.FastCommonAccessLogValve"
>>> directory="logs" prefix="localhost_access_log."
>>> suffix=".txt"
>>> pattern="common" resolveHosts="false"/>
>>> -->
>>> </Host>
>>>
>>> </Engine>
>>>
>>> </Service>
>>>
>>> </Server>
>>>
>>> Thank you in advance.
>>> If any logs will be need I can provide of course.
>>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
>
>
>
> --
> Best Regards / S pozdravem
> Petr Hracek
>
--
Best Regards / S pozdravem
Petr Hracek
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
