Posted to dev@tomcat.apache.org by Gauri Sukhatankar <gs...@empire.Central.Sun.COM> on 2001/01/30 01:50:56 UTC
problem in using SecurityManager with tomcat
Hi,
I am having problems in using the SecurityManager with tomcat 3.2.1.
There seems to be a bug or documentation mismatch.
Please let me know if you have any ideas on fixing this:
I am using Tomcat 3.2.1 to run a servlet that acts as an RMI client.
Based on the documentation
(http://jakarta.apache.org/tomcat/jakarta-tomcat/src/doc/uguide/tomcat-security-unix.html)
I have done the following to allow for listen, accept, resolve socket
security permissions through my web application:
1. Edited server.xml to use Policy:
<ContextInterceptor className="org.apache.tomcat.context.PolicyInterceptor" />
2. Edited tomcat.policy
3. Started tomcat with the "-security" option.
>> tomcat.sh start -security
Although the script "tomcat.sh" accepts the "-security" option, the class:
org.apache.tomcat.startup.Tomcat
exits with a Usage error :
Usage: java org.apache.tomcat.startup.Tomcat {options}
Options are:
-config file (or -f file) Use this file instead of server.xml
-help (or help) Show this usage report
-home dir (or -h dir) Use this directory as tomcat.home
-stop
On the other hand, if I don't use policy I get an access control exception with
this stack trace:
java.security.AccessControlException: access denied (java.net.SocketPermission 172.20.71.30:1099 connect,resolve)
    at java.lang.Throwable.fillInStackTrace(Native Method)
    at java.lang.Throwable.fillInStackTrace(Compiled Code)
    at java.lang.Throwable.<init>(Compiled Code)
    at java.lang.Exception.<init>(Compiled Code)
    at java.lang.RuntimeException.<init>(RuntimeException.java:47)
    at java.lang.SecurityException.<init>(SecurityException.java:39)
    at java.security.AccessControlException.<init>(AccessControlException.java:57)
    at java.security.AccessControlContext.checkPermission(Compiled Code)
    at java.security.AccessController.checkPermission(Compiled Code)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.SecurityManager.checkConnect(SecurityManager.java:1021)
    at java.net.Socket.<init>(Socket.java:258)
    at java.net.Socket.<init>(Socket.java:98)
    at sun.rmi.transport.proxy.RMIDirectSocketFactory.createSocket(RMIDirectSocketFactory.java:29)
    at sun.rmi.transport.proxy.RMIMasterSocketFactory.createSocket(Compiled Code)
    at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:497)
    at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:194)
    at sun.rmi.transport.tcp.TCPChannel.newConnection(Compiled Code)
    at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:322)
    at sun.rmi.registry.RegistryImpl_Stub.lookup(Unknown Source)
    at java.rmi.Naming.lookup(Naming.java:89)
    at RMIServlet.connectToServer(RMIServlet.java:72)
    at RMIServlet.init(RMIServlet.java:21)
    at org.apache.tomcat.core.ServletWrapper.doInit(ServletWrapper.java:317)
    at org.apache.tomcat.core.Handler.init(Handler.java:215)
    at org.apache.tomcat.core.ServletWrapper.init(ServletWrapper.java:296)
    at org.apache.tomcat.core.Handler.service(Handler.java:254)
    at org.apache.tomcat.core.ServletWrapper.service(ServletWrapper.java:372)
    at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:797)
    at org.apache.tomcat.core.ContextManager.service(ContextManager.java:743)
    at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:210)
    at org.apache.tomcat.service.TcpWorkerThread.runIt(Compiled Code)
    at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(Compiled Code)
    at java.lang.Thread.run(Thread.java:479)
Thanks in advance,
Gauri Sukhatankar
Sun Microsystems, Inc.
Re: problem in using SecurityManager with tomcat
Posted by cm...@yahoo.com.
Hi,
> 1. Edited server.xml to use Policy:
> <ContextInterceptor className="org.apache.tomcat.context.PolicyInterceptor" />
> 2. Edited tomcat.policy
> 3. Started tomcat with the "-security" option.
> >> tomcat.sh start -security
Are you sure you granted the right permission to the right codebase?
It is very important to have TOMCAT_HOME set before running the server,
the code to detect it will guess something like "bin/.." - which is not
good for the policy file ( it expects full paths ).
Having the PolicyInterceptor is critical - AFAIK the "-security" option is
not needed ( PolicyInterceptor can do that for you ).
If you did set TOMCAT_HOME to the full path and still doesn't work you can
send the policy file fragment, I can take a look.
Costin
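
The exception in this thread names the exact permission the RMI lookup needs (java.net.SocketPermission 172.20.71.30:1099 connect,resolve). The following is an added example, not code from the thread or from Tomcat: it checks candidate grants against that permission with the JDK's own implies() logic, so a policy entry can be verified before it goes into tomcat.policy. The class name SocketGrantCheck and the candidate grants are constructed for illustration.

```java
import java.net.SocketPermission;
import java.security.Permission;
import java.security.Permissions;
import java.util.LinkedHashMap;
import java.util.Map;

public class SocketGrantCheck {

    // True when the granted permissions together cover the requested one,
    // using the same implies() logic the AccessController applies.
    static boolean covers(Permission requested, Permission... granted) {
        Permissions set = new Permissions();
        for (Permission p : granted) {
            set.add(p);
        }
        return set.implies(requested);
    }

    public static void main(String[] args) {
        // The permission named in the AccessControlException in the thread.
        Permission needed =
            new SocketPermission("172.20.71.30:1099", "connect,resolve");

        // Candidate grants, constructed for this example.
        Map<String, Permission> candidates = new LinkedHashMap<>();
        // Server-side actions only: the action mask carries no "connect".
        candidates.put("listen,accept,resolve on same host:port",
            new SocketPermission("172.20.71.30:1099", "listen,accept,resolve"));
        // Exact match of host, port and actions.
        candidates.put("connect,resolve on same host:port",
            new SocketPermission("172.20.71.30:1099", "connect,resolve"));
        // "connect" carries "resolve" with it; the port range includes 1099.
        candidates.put("connect on same host, ports 1024-",
            new SocketPermission("172.20.71.30:1024-", "connect"));
        // Right action, wrong host address.
        candidates.put("connect on a different host",
            new SocketPermission("172.20.71.31:1099", "connect"));

        for (Map.Entry<String, Permission> e : candidates.entrySet()) {
            System.out.printf("%-42s covers needed: %b%n",
                e.getKey(), covers(needed, e.getValue()));
        }
    }
}
```

A grant that passes this check still only takes effect if its codeBase in the policy file matches the location the web application's classes are loaded from, which is the point of the TOMCAT_HOME advice in the reply.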