Posted to dev@tomcat.apache.org by bu...@apache.org on 2007/11/28 18:07:47 UTC
DO NOT REPLY [Bug 43983] New: - codeBase of a webapp changes if antiResourceLocking is active - Security policy fails
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=43983>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=43983
Summary: codeBase of a webapp changes if antiResourceLocking is
active - Security policy fails
Product: Tomcat 6
Version: 6.0.14
Platform: Sun
OS/Version: Windows Vista
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: mail@markus-kiss.de
I'm using Tomcat 6.0.14 with the "security" option in order to assign different
permissions to several webapps running within the Tomcat security sandbox.
However, I've encountered the following effect when I activate the
antiResourceLocking flag in the context.xml file of my webapp:
As this flag causes the server to copy all the files of my webapp to the temp
directory at runtime, the codeBase for the webapp also changes - but the
SecurityManager doesn't recognise that it has changed. Consequently, the
permissions for the specific webapp that I defined in catalina.policy actually
don't apply and I get an "access denied" exception. I have searched the web, the
security FAQ and newsgroups for a hint or a workaround, but with no success.
The Tomcat Users Mailing List could not help either. With the help of the
java.security.debug=all option I arrived at the workaround of simply setting the
codeBase in the catalina.policy file to the new location within the temp directory:

grant codeBase "file:${catalina.home}/temp/1-foo/-" {
    /* list of assigned permissions */
};

With this workaround everything works fine. However, the numeric prefix (e.g.
"1-") of the webapp copied to the temp folder eventually changes, for instance
when I redeploy the webapp or when I clear the temp directory. As a result, I
always have to keep the catalina.policy file up-to-date with the current prefix
of the webapp, otherwise the permissions fail.
I ask myself if there is a more elegant way to fix this problem, maybe by an
internal mapping of the original codeBase of the webapp in
${catalina.home}/webapps/ to the ${catalina.home}/temp/ directory which then
would be transparent for the SecurityManager?
If there's no easy way to fix it, at least a hint should be placed in the Tomcat
Security FAQ that if antiResourceLocking is active, the codeBase of the webapp
has to be adapted within the catalina.policy file.
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
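
The codeBase mismatch described in the report above, as an added example that is not part of the original thread or of Tomcat's code: it uses the JDK's own CodeSource.implies to list which grant codeBases cover an observed class location. The class name, the /opt/tomcat stand-in for ${catalina.home} and the WEB-INF/classes/ locations are constructed assumptions.

```java
import java.net.URI;
import java.security.CodeSource;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.List;

public class CodeBaseCoverage {
    // Wrap a location URL in an unsigned CodeSource, like a grant without signedBy.
    static CodeSource source(String url) throws Exception {
        return new CodeSource(URI.create(url).toURL(), (Certificate[]) null);
    }

    // Return the grant codeBases whose CodeSource implies the observed location.
    static List<String> matchingGrants(List<String> grants, String observed) throws Exception {
        CodeSource actual = source(observed);
        List<String> hits = new ArrayList<>();
        for (String grant : grants) {
            if (source(grant).implies(actual)) {
                hits.add(grant);
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample paths; /opt/tomcat stands in for ${catalina.home}.
        List<String> grants = List.of(
            "file:/opt/tomcat/webapps/foo/-",   // grant written for the deployed location
            "file:/opt/tomcat/temp/1-foo/-");   // workaround grant from the report
        List<String> observed = List.of(
            "file:/opt/tomcat/webapps/foo/WEB-INF/classes/",  // antiResourceLocking off
            "file:/opt/tomcat/temp/1-foo/WEB-INF/classes/",   // antiResourceLocking on
            "file:/opt/tomcat/temp/2-foo/WEB-INF/classes/");  // prefix changed by a redeploy
        for (String location : observed) {
            List<String> hits = matchingGrants(grants, location);
            System.out.println(location + " -> "
                + (hits.isEmpty() ? "NO GRANT APPLIES" : hits));
        }
    }
}
```

A location that no grant covers falls back to whatever the policy grants to all code, which is why the webapp's own permissions stop applying once the prefix changes.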
DO NOT REPLY [Bug 43983] - codeBase of a webapp changes if antiResourceLocking is active - Security policy fails
Posted by bu...@apache.org.
markt@apache.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX
------- Additional Comments From markt@apache.org 2007-12-24 07:35 -------
I can't see a way to map to the new code base without a custom security manager.
I think an FAQ entry is the best option.
The FAQ is now on the wiki (http://wiki.apache.org/tomcat/FAQ/Security) so I'll
leave it to you to add what you consider to be the appropriate text.