Posted to dev@tomcat.apache.org by Gauri Sukhatankar <gs...@empire.Central.Sun.COM> on 2001/01/30 01:50:56 UTC

problem in using SecurityManager with tomcat

Hi,

I am having problems in using the SecurityManager with tomcat 3.2.1.
There seems to be a bug or documentation mismatch.
Please let me know if you have any ideas on fixing this:

I am using Tomcat 3.2.1 to run a servlet that acts as an RMI client.
Based on the documentation
(http://jakarta.apache.org/tomcat/jakarta-tomcat/src/doc/uguide/tomcat-security-unix.html)
I have done the following to allow for listen, accept, resolve socket
security permissions through my web application:

1. Edited server.xml to use Policy:
<ContextInterceptor className="org.apache.tomcat.context.PolicyInterceptor" />

2. Edited tomcat.policy

3. Started tomcat with the "-security" option.
   >> tomcat.sh start -security
   
   
Although the script "tomcat.sh" accepts the "-security" option, the class:
org.apache.tomcat.startup.Tomcat
exits with a Usage error :
  
Usage: java org.apache.tomcat.startup.Tomcat {options}
  Options are:
    -config file (or -f file)  Use this file instead of server.xml
    -help (or help)            Show this usage report
    -home dir (or -h dir)      Use this directory as tomcat.home
    -stop                     


On the other hand, if I don't use policy I get an access control exception with
this stack trace:

java.security.AccessControlException: access denied (java.net.SocketPermission 172.20.71.30:1099 connect,resolve)
        at java.lang.Throwable.fillInStackTrace(Native Method)
        at java.lang.Throwable.fillInStackTrace(Compiled Code)
        at java.lang.Throwable.<init>(Compiled Code)
        at java.lang.Exception.<init>(Compiled Code)
        at java.lang.RuntimeException.<init>(RuntimeException.java:47)
        at java.lang.SecurityException.<init>(SecurityException.java:39)
        at java.security.AccessControlException.<init>(AccessControlException.java:57)
        at java.security.AccessControlContext.checkPermission(Compiled Code)
        at java.security.AccessController.checkPermission(Compiled Code)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at java.lang.SecurityManager.checkConnect(SecurityManager.java:1021)
        at java.net.Socket.<init>(Socket.java:258)
        at java.net.Socket.<init>(Socket.java:98)
        at sun.rmi.transport.proxy.RMIDirectSocketFactory.createSocket(RMIDirectSocketFactory.java:29)
        at sun.rmi.transport.proxy.RMIMasterSocketFactory.createSocket(Compiled Code)
        at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:497)
        at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:194)
        at sun.rmi.transport.tcp.TCPChannel.newConnection(Compiled Code)
        at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:322)
        at sun.rmi.registry.RegistryImpl_Stub.lookup(Unknown Source)
        at java.rmi.Naming.lookup(Naming.java:89)
        at RMIServlet.connectToServer(RMIServlet.java:72)
        at RMIServlet.init(RMIServlet.java:21)
        at org.apache.tomcat.core.ServletWrapper.doInit(ServletWrapper.java:317)
        at org.apache.tomcat.core.Handler.init(Handler.java:215)
        at org.apache.tomcat.core.ServletWrapper.init(ServletWrapper.java:296)
        at org.apache.tomcat.core.Handler.service(Handler.java:254)
        at org.apache.tomcat.core.ServletWrapper.service(ServletWrapper.java:372)
        at org.apache.tomcat.core.ContextManager.internalService(ContextManager.java:797)
        at org.apache.tomcat.core.ContextManager.service(ContextManager.java:743)
        at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:210)
        at org.apache.tomcat.service.TcpWorkerThread.runIt(Compiled Code)
        at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(Compiled Code)
        at java.lang.Thread.run(Thread.java:479)


Thanks in advance,

Gauri Sukhatankar
Sun Microsystems, Inc.


Re: problem in using SecurityManager with tomcat

Posted by cm...@yahoo.com.
Hi,

> 1. Edited server.xml to use Policy:
> <ContextInterceptor className="org.apache.tomcat.context.PolicyInterceptor" />
> 2. Edited tomcat.policy
> 3. Started tomcat with the "-security" option.
>    >> tomcat.sh start -security

Are you sure you granted the right permission to the right codebase?

It is very important to have TOMCAT_HOME set before running the server,
the code to detect it will guess something like "bin/.." - which is not
good for the policy file (it expects full paths).

Having the PolicyInterceptor is critical - AFAIK the "-security" option is
not needed (PolicyInterceptor can do that for you).

If you did set TOMCAT_HOME to the full path and it still doesn't work, you can
send the policy file fragment, I can take a look.
 

Costin
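
The question raised in the reply (right permission, right codebase) can be checked directly; the following is an added example, not code from the thread or from Tomcat. The class name `GrantProbe` and the candidate policy entries are constructed for illustration; only the denied permission is taken from the stack trace above.

```java
import java.net.SocketPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;

public class GrantProbe {
    // The permission the JVM reported as denied in the stack trace.
    static final Permission NEEDED =
        new SocketPermission("172.20.71.30:1099", "connect,resolve");

    // True if one policy entry of the form
    //   permission java.net.SocketPermission "<target>", "<actions>";
    // would satisfy the denied permission.
    static boolean covers(String target, String actions) {
        PermissionCollection pc = NEEDED.newPermissionCollection();
        pc.add(new SocketPermission(target, actions));
        return pc.implies(NEEDED);
    }

    // Codebase URL the JVM attributes to a class. The codeBase in the
    // policy file's grant block has to match this, which is why a
    // relative home such as "bin/.." leads to grants that never apply.
    static String codeBaseOf(Class<?> c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        if (cs == null || cs.getLocation() == null) {
            return "(no codebase: loaded by the bootstrap loader)";
        }
        return cs.getLocation().toString();
    }

    public static void main(String[] args) {
        // Constructed candidate entries: { target, actions }.
        String[][] candidates = {
            { "localhost:1024-", "listen" },              // wrong host and action
            { "172.20.71.30", "resolve" },                // resolve alone, no connect
            { "172.20.71.30:1100-", "connect" },          // port 1099 outside range
            { "172.20.71.30:1099", "connect" },           // connect implies resolve
            { "172.20.71.30:1024-", "connect,resolve" },  // range includes 1099
        };
        for (String[] c : candidates) {
            System.out.printf("%-22s %-16s covers denied permission: %b%n",
                              c[0], c[1], covers(c[0], c[1]));
        }
        // In a servlet, pass the servlet's own class to see which
        // codeBase its grant block must name.
        System.out.println("codebase of this class: " + codeBaseOf(GrantProbe.class));
    }
}
```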