When I set CATALINA_OPTS to:

linux:/var/log/tomcat5/base # echo $CATALINA_OPTS
-Djava.security.debug=all
linux:/var/log/tomcat5/base #

in the log I see:

domain 1 ProtectionDomain
  CodeSource=CodeSource, url=file:/usr/share/tomcat5/bin/bootstrap.jar, <no certificates>
  ClassLoader=sun.misc.Launcher$AppClassLoader@8e208e2
  <no principals>
  Permissions: static:
  java.security.Permissions@8930893 (
    (java.io.FilePermission /usr/share/tomcat5/bin/bootstrap.jar read)
    (java.lang.RuntimePermission exitVM)
  )

On 8 November 2011 13:51, Petr Hracek <phrac...@gmail.com> wrote:
> Yes, Tomcat should be run as a back-end server (AJP) with apache2-2.2.21.
> I have added the following permissions to catalina.policy:
> permission javax.management.MBeanServerPermission "createMBeanServer";
> permission javax.management.MBeamPermission "com.javamonitor.mbeans.*","*";
> permission javax.management.MBeanTrustPermission "register";
> permission javax.management.MBeanServerPermission "findMBeanServer";
> permission java.net.SocketPermission "java-monitor.com:80", "connect";
> permission java.net.SocketPermission "java-monitor.com:80", "resolve";
>
> In the log of catalina.out I see:
> log4j:WARN No appenders could be found for logger (org.apache.catalina.startup.Embedded).
> log4j:WARN Please initialize the log4j system properly.
>
> But in ps -ef | grep java and lsof -i | grep java I did not see ports
> 8009 and 8005, or even that tomcat5 is starting.
>
> Where could the problem be?
>
> On 7 November 2011 12:29, André Warnier <a...@ice-sa.com> wrote:
>> Petr Hracek wrote:
>>>
>>> Dear tomcat users,
>>>
>>> I have tried to configure my really old tomcat5 configuration (for using
>>> -security), but tomcat is not running.
>>
>> Petr,
>> can you be a bit more specific? What is not running? Does it start? Does
>> it crash after starting? Is it just not answering requests? Are there
>> error messages anywhere?
>>
>>> On my system tomcat5 is run only as servlet
>>> engine and not as web server.
>>>
>> Do you mean for example that it runs as a back-end server (through AJP
>> e.g.), with a front-end webserver serving all static content?
>>
>>> Do you have any example catalina.policy file?
>>> My catalina.policy file is:
>>> // ========== SYSTEM CODE PERMISSIONS =========================================
>>>
>>>
>>> // These permissions apply to javac
>>> grant codeBase "file:${java.home}/lib/-" {
>>>     permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to all shared system extensions
>>> grant codeBase "file:${java.home}/jre/lib/ext/-" {
>>>     permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to javac when ${java.home} points at $JAVA_HOME/jre
>>> grant codeBase "file:${java.home}/../lib/-" {
>>>     permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to all shared system extensions when
>>> // ${java.home} points at $JAVA_HOME/jre
>>> grant codeBase "file:${java.home}/lib/ext/-" {
>>>     permission java.security.AllPermission;
>>> };
>>> // ========== CATALINA CODE PERMISSIONS =======================================
>>>
>>>
>>> // These permissions apply to the launcher code
>>> grant codeBase "file:${catalina.home}/bin/commons-launcher.jar" {
>>>     permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to the daemon code
>>> grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
>>>     permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to the commons-logging API
>>> grant codeBase "file:${catalina.home}/bin/commons-logging-api-1.1.1.jar" {
>>>     permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to the server startup code
>>> grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
>>>     permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to the JMX server
>>> grant codeBase "file:${catalina.home}/bin/jmx.jar" {
>>>     permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to JULI
>>> grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
>>>     permission java.util.PropertyPermission "java.util.logging.config.class", "read";
>>>     permission java.util.PropertyPermission "java.util.logging.config.file", "read";
>>>     permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
>>>     permission java.lang.RuntimePermission "shutdownHooks";
>>>     permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
>>>     permission java.util.PropertyPermission "catalina.base", "read";
>>>     permission java.util.logging.LoggingPermission "control";
>>>     permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
>>>     permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
>>>     permission java.lang.RuntimePermission "getClassLoader";
>>>     // To enable per context logging configuration, permit read access to the appropriate file.
>>>     // Be sure that the logging configuration is secure before enabling such access
>>>     // eg for the examples web application:
>>>     // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
>>> };
>>>
>>> // These permissions apply to the servlet API classes
>>> // and those that are shared across all class loaders
>>> // located in the "common" directory
>>> grant codeBase "file:${catalina.home}/common/-" {
>>>     permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to the container's core code, plus any additional
>>> // libraries installed in the "server" directory
>>> grant codeBase "file:${catalina.home}/server/-" {
>>>     permission java.security.AllPermission;
>>> };
>>>
>>> // The permissions granted to the balancer WEB-INF/classes and WEB-INF/lib directory
>>> grant codeBase "file:${catalina.home}/webapps/balancer/-" {
>>>     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester";
>>>     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester.*";
>>> };
>>> // ========== WEB APPLICATION PERMISSIONS =====================================
>>>
>>>
>>> // These permissions are granted by default to all web applications
>>> // In addition, a web application will be given a read FilePermission
>>> // and JndiPermission for all files and directories in its document root.
>>> grant {
>>>     // Required for JNDI lookup of named JDBC DataSource's and
>>>     // javamail named MimePart DataSource used to send mail
>>>     permission java.util.PropertyPermission "java.home", "read";
>>>     permission java.util.PropertyPermission "java.naming.*", "read";
>>>     permission java.util.PropertyPermission "javax.sql.*", "read";
>>>
>>>     // OS Specific properties to allow read access
>>>     permission java.util.PropertyPermission "os.name", "read";
>>>     permission java.util.PropertyPermission "os.version", "read";
>>>     permission java.util.PropertyPermission "os.arch", "read";
>>>     permission java.util.PropertyPermission "file.separator", "read";
>>>     permission java.util.PropertyPermission "path.separator", "read";
>>>     permission java.util.PropertyPermission "line.separator", "read";
>>>
>>>     // JVM properties to allow read access
>>>     permission java.util.PropertyPermission "java.version", "read";
>>>     permission java.util.PropertyPermission "java.vendor", "read";
>>>     permission java.util.PropertyPermission "java.vendor.url", "read";
>>>     permission java.util.PropertyPermission "java.class.version", "read";
>>>     permission java.util.PropertyPermission "java.specification.version", "read";
>>>     permission java.util.PropertyPermission "java.specification.vendor", "read";
>>>     permission java.util.PropertyPermission "java.specification.name", "read";
>>>
>>>     permission java.util.PropertyPermission "java.vm.specification.version", "read";
>>>     permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
>>>     permission java.util.PropertyPermission "java.vm.specification.name", "read";
>>>     permission java.util.PropertyPermission "java.vm.version", "read";
>>>     permission java.util.PropertyPermission "java.vm.vendor", "read";
>>>     permission java.util.PropertyPermission "java.vm.name", "read";
>>>
>>>     // Required for OpenJMX
>>>     permission java.lang.RuntimePermission "getAttribute";
>>>
>>>     // Allow read of JAXP compliant XML parser debug
>>>     permission java.util.PropertyPermission "jaxp.debug", "read";
>>>
>>>     // Precompiled JSPs need access to this package.
>>>     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
>>>     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
>>>
>>>     // Precompiled JSPs need access to this system property.
>>>     permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
>>> };
>>>
>>>
>>> My server.xml configuration file is:
>>> <?xml version="1.0" encoding="UTF-8"?>
>>> <!--
>>>   Licensed to the Apache Software Foundation (ASF) under one or more
>>>   contributor license agreements. See the NOTICE file distributed with
>>>   this work for additional information regarding copyright ownership.
>>>   The ASF licenses this file to You under the Apache License, Version 2.0
>>>   (the "License"); you may not use this file except in compliance with
>>>   the License. You may obtain a copy of the License at
>>>
>>>       http://www.apache.org/licenses/LICENSE-2.0
>>>
>>>   Unless required by applicable law or agreed to in writing, software
>>>   distributed under the License is distributed on an "AS IS" BASIS,
>>>   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>>>   See the License for the specific language governing permissions and
>>>   limitations under the License.
>>> -->
>>>
>>> <Server port="8005" shutdown="SHUTDOWN">
>>>
>>>   <Listener className="org.apache.catalina.core.AprLifecycleListener" />
>>>   <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
>>>   <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
>>>   <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>
>>>
>>>   <!-- Global JNDI resources -->
>>>   <GlobalNamingResources>
>>>
>>>     <!-- Test entry for demonstration purposes -->
>>>     <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
>>>
>>>     <!-- Editable user database that can also be used by
>>>          UserDatabaseRealm to authenticate users -->
>>>     <Resource name="UserDatabase" auth="Container"
>>>               type="org.apache.catalina.UserDatabase"
>>>               description="User database that can be updated and saved"
>>>               factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>>>               pathname="conf/tomcat-users.xml" />
>>>
>>>   </GlobalNamingResources>
>>>
>>>   <!-- Define the Tomcat Stand-Alone Service -->
>>>   <Service name="Catalina">
>>>
>>>     <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
>>>     <Connector port="8080" maxHttpHeaderSize="8192"
>>>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>>>                enableLookups="false" redirectPort="8443" acceptCount="100"
>>>                connectionTimeout="20000" disableUploadTimeout="true" />
>>>     <!-- Note : To disable connection timeouts, set connectionTimeout value to 0 -->
>>>
>>>     <!-- Define an AJP 1.3 Connector on port 8009 -->
>>>     <Connector port="8009"
>>>                enableLookups="false" redirectPort="8443"
>>>                protocol="AJP/1.3" address="127.0.0.1" />
>>>
>>>     <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
>>>     <!-- See proxy documentation for more information about using this. -->
>>>     <Engine name="Catalina" defaultHost="localhost">
>>>
>>>       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>>>              resourceName="UserDatabase"/>
>>>
>>>       <!-- Define the default virtual host
>>>            Note: XML Schema validation will not work with Xerces 2.2.
>>>       -->
>>>       <Host name="localhost" appBase="webapps"
>>>             unpackWARs="true" autoDeploy="true"
>>>             xmlValidation="false" xmlNamespaceAware="false">
>>>
>>>
>>>         <!--
>>>         <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
>>>         -->
>>>
>>>         <!--
>>>         <Valve className="org.apache.catalina.valves.AccessLogValve"
>>>                directory="logs" prefix="localhost_access_log."
>>>                suffix=".txt"
>>>                pattern="common" resolveHosts="false"/>
>>>         -->
>>>         <!--
>>>         <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve"
>>>                directory="logs" prefix="localhost_access_log."
>>>                suffix=".txt"
>>>                pattern="common" resolveHosts="false"/>
>>>         -->
>>>       </Host>
>>>
>>>     </Engine>
>>>
>>>   </Service>
>>>
>>> </Server>
>>>
>>> Thank you in advance.
>>> If any logs are needed, I can of course provide them.
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>
> --
> Best Regards
> Petr Hracek
>

--
Best Regards
Petr Hracek
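
A check for the kind of policy file posted in this thread, added here as an example and not part of the original messages: the JDK policy parser does not reject an entry whose permission class cannot be loaded (it keeps it as an UnresolvedPermission), so a mistyped class name causes no startup error and grants nothing. The class PolicyPermissionCheck and its methods are hypothetical; the sample entries are copied from the message above.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.Permission;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PolicyPermissionCheck {
    // A policy entry starts with the keyword "permission" followed by a class name.
    private static final Pattern ENTRY =
            Pattern.compile("^\\s*permission\\s+([A-Za-z_$][\\w$.]*)");

    // Sample input: the six entries quoted in the thread, copied unchanged.
    static final String SAMPLE = String.join("\n",
        "permission javax.management.MBeanServerPermission \"createMBeanServer\";",
        "permission javax.management.MBeamPermission \"com.javamonitor.mbeans.*\",\"*\";",
        "permission javax.management.MBeanTrustPermission \"register\";",
        "permission javax.management.MBeanServerPermission \"findMBeanServer\";",
        "permission java.net.SocketPermission \"java-monitor.com:80\", \"connect\";",
        "permission java.net.SocketPermission \"java-monitor.com:80\", \"resolve\";");

    /** Lists entries whose class is missing or is not a java.security.Permission. */
    static List<String> unresolved(String policyText) {
        List<String> findings = new ArrayList<>();
        String[] lines = policyText.split("\\R");
        ClassLoader cl = PolicyPermissionCheck.class.getClassLoader();
        for (int i = 0; i < lines.length; i++) {
            Matcher m = ENTRY.matcher(lines[i]); // "//" comment lines never match
            if (!m.find()) continue;
            String name = m.group(1);
            try {
                Class<?> c = Class.forName(name, false, cl); // load without initializing
                if (!Permission.class.isAssignableFrom(c))
                    findings.add("line " + (i + 1) + ": " + name + " is not a Permission");
            } catch (ClassNotFoundException | LinkageError e) {
                findings.add("line " + (i + 1) + ": " + name + " cannot be loaded");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // With no argument the embedded sample is checked; otherwise the given file.
        String text = args.length > 0
                ? new String(Files.readAllBytes(Paths.get(args[0])), "UTF-8") : SAMPLE;
        List<String> findings = unresolved(text);
        findings.forEach(System.out::println);
        System.exit(findings.isEmpty() ? 0 : 1);
    }
}
```

Pass the path to catalina.policy as the argument and put Tomcat's jars on the classpath, so that permission classes shipped with Tomcat are not reported as missing.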