Posted to users@tomcat.apache.org by Daniel Barclay <Da...@digitalfocus.com> on 2000/10/11 20:14:12 UTC

Re: Java security with Tomcat?

Rick Horowitz wrote:
> 
...
> When I traced into the java system code, I discovered that the
> ProtectionDomain for the jaas.jar file (which contains the
> javax.security.auth.Policy class) does not have the
> java.security.auth.AuthPermission "getPolicy" permission, even though I
> have the following grant entry in my policy file.
> 
> grant {
>         permission java.util.PropertyPermission "tomcat.sessionid.randomclass", "read";
>         permission java.security.auth.AuthPermission "getPolicy";
> };
> 
> Does anyone know if this *should* work, or is it not yet implemented or
> broken? 

I'm not sure about this, but you might want to check your codebase
specifications in the security policy file.  (Make sure that it
covers whichever directory holds your class or jar files.)




-- 
Daniel Barclay
Digital Focus
Daniel.Barclay@digitalfocus.com
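
A small diagnostic for the codebase check suggested above, as an added example that is not part of the original thread: it prints the location a class was loaded from (the value a `codeBase` in the policy file has to match) and whether that class's ProtectionDomain implies the two permissions from the grant entry. The class name `DomainCheck` is hypothetical, and the code assumes a JDK that still evaluates policy files.

```java
import java.security.CodeSource;
import java.security.Permission;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;
import javax.security.auth.AuthPermission;

/**
 * Added diagnostic, not code from the thread.
 * Usage: java -Djava.security.policy=<policy file> DomainCheck <class name>
 * With no argument it inspects its own ProtectionDomain.
 */
public class DomainCheck {

    /** One-line verdict for one permission against one domain. */
    static String report(ProtectionDomain pd, Permission p) {
        return (pd.implies(p) ? "GRANTED  " : "MISSING  ") + p;
    }

    /** The location a policy codeBase must match, or a note if there is none. */
    static String location(ProtectionDomain pd) {
        CodeSource cs = pd.getCodeSource();
        if (cs == null || cs.getLocation() == null) {
            return "(no code source: bootstrap or system class)";
        }
        return cs.getLocation().toString();
    }

    public static void main(String[] args) throws ClassNotFoundException {
        Class<?> target = args.length > 0 ? Class.forName(args[0]) : DomainCheck.class;
        ProtectionDomain pd = target.getProtectionDomain();

        System.out.println("class:     " + target.getName());
        System.out.println("loaded at: " + location(pd));

        // The two permissions from the grant entry quoted in the thread.
        // AuthPermission is in the javax.security.auth package.
        Permission[] wanted = {
            new AuthPermission("getPolicy"),
            new PropertyPermission("tomcat.sessionid.randomclass", "read"),
        };
        for (Permission p : wanted) {
            System.out.println(report(pd, p));
        }
    }
}
```

Run it with the same policy file and class path the server uses, so the printed location is the one the policy is actually evaluated against.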

Re: Java security with Tomcat?

Posted by Rick Horowitz <rh...@ni4u.com>.
Hi Dan,

Thanks for your reply, but I've already given up on using JAAS with
Tomcat for the time being. Don't want to spend any more time on it.  I
believe that my codebase in the security policy file does cover the
correct directory and/or jar files.  I plan to get back to this after
the release of jdk 1.4, which is supposed to contain the JAAS source
files.  I figure I have a better chance of figuring this out if I can
see why JAAS is actually rejecting this...

Rick Horowitz
