Tomcat security manager settings for Xindice database located outside the webapp directory

Thu, 16 Jun 2005 19:07:26 -0700 

I am struggling with the security manager settings for Tomcat 4 running
on Sun Java 1.42 (on Debian testing) for Xindice databases that are
stored outside of the xindice webapp itself.

I have set the dbroot attribute in the xindice system.xml
to /var/xindice/db/

The db directory is owned by root but is read and write accessible to
all (thoughts on which user should own it and what access rights make
sense would be much appreciated too).

If I start tomcat4 with the security manager turned off, all goes well
and the xindice webapp runs fine.

If I start tomcat4 with the security manager running but with the
security policy configured with the following xindice specific
permission

grant codeBase "file:{catalina.home}/webapps/xindice/WEB-INF/-" {
  permission java.io.FilePermission "/var/xindice/db/*",
"read,write,delete";
};

then I expect the xindice application to be able to read, write and
delete content in the /var/xindice/db.

Sadly, I get the following stack trace as the root cause of a problem:

java.security.AccessControlException: access denied
(java.io.FilePermission /var/xindice/db read)
        at 
java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
        at 
java.security.AccessController.checkPermission(AccessController.java:401)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
        at java.lang.SecurityManager.checkRead(SecurityManager.java:863)
        at java.io.File.exists(File.java:678)
        at 
org.apache.xindice.core.Collection.setCollectionRoot(Collection.java:1324)
        at org.apache.xindice.core.Database.setConfig(Database.java:260)
        at org.apache.xindice.core.Database.getDatabase(Database.java:89)
        at 
org.apache.xindice.server.XindiceServlet.init(XindiceServlet.java:166)
        at 
org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:888)
        at 
org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:621)
        at 
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:163)
        at 
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:596)
        at 
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:433)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)
        at 
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:144)
        at 
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:596)
        at 
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:433)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)
        at 
org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2358)
        at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:133)
        at 
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:596)
        at 
org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:118)
        at 
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:594)
        at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:116)
        at 
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:594)
        at 
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:433)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)
        at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:127)
        at 
org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:596)
        at 
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:433)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)
        at 
org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:152)
        at 
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
        at 
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
        at 
org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
        at 
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
        at java.lang.Thread.run(Thread.java:534)


Any thoughts on how to sort this out without turning off the security
manager?

Regards

Geoff Shuetrim

Reply via email to