Posted to user@geronimo.apache.org by Jacques Le Roux <ja...@les7arts.com> on 2008/05/18 16:00:31 UTC
Security manager issue under Windows XP
Hi All,
I'm an Apache OFBiz committer. Recently I did some work to allow OFBiz to run under WASCE 2.0.1 and Geronimo 2.0.3 http://docs.ofbiz.org/pages/viewpage.action?pageId=4098
But I'm now facing an issue on Windows XP SP2: I can't run WASCE with a security manager set from the command line using the -Djava.security.manager=default -Djava.security.policy=client.policy options. I get the error below. Note that this is working properly under Linux (Ubuntu and SUSE as well). Am I missing something or should I open a Jira issue? (I also tried -Djava.security.manager, but I guess it's the same.)
C:\wasce\bin>geronimo run
Using GERONIMO_BASE: C:\wasce
Using GERONIMO_HOME: C:\wasce
Using GERONIMO_TMPDIR: var\temp
Using JRE_HOME: C:\Program Files\Java\jre1.5.0_11
Starting server...
Server Build: V2.0.0.1-200711082042
Java Version: 1.5.0_11
[***> ] 11% 13s Starting org.apac...15:47:40,953 ERROR [GBeanInstanceState] Error while starting; GBean is now in the FAILED state: abstractName="org.apache.geronimo.configs/
j2ee-security/2.0.1/car?ServiceModule=org.apache.geronimo.configs/j2ee-security/2.0.1/car,j2eeType=GBean,name=SecurityService"
java.lang.LinkageError: org/apache/geronimo/security/jacc/GeronimoPolicyConfigurationFactory
at org.apache.geronimo.security.jacc.GeronimoPolicy.implies(GeronimoPolicy.java:74)
at java.security.ProtectionDomain.implies(Unknown Source)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.Thread.setContextClassLoader(Unknown Source)
at org.apache.geronimo.gbean.runtime.GBeanInstance.createInstance(GBeanInstance.java:1056)
at org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStart(GBeanInstanceState.java:268)
at org.apache.geronimo.gbean.runtime.GBeanInstanceState.start(GBeanInstanceState.java:102)
at org.apache.geronimo.gbean.runtime.GBeanInstanceState.startRecursive(GBeanInstanceState.java:124)
at org.apache.geronimo.gbean.runtime.GBeanInstance.startRecursive(GBeanInstance.java:553)
at org.apache.geronimo.kernel.basic.BasicKernel.startRecursiveGBean(BasicKernel.java:379)
at org.apache.geronimo.kernel.config.ConfigurationUtil.startConfigurationGBeans(ConfigurationUtil.java:448)
at org.apache.geronimo.kernel.config.KernelConfigurationManager.start(KernelConfigurationManager.java:187)
at org.apache.geronimo.kernel.config.SimpleConfigurationManager.startConfiguration(SimpleConfigurationManager.java:530)
at org.apache.geronimo.kernel.config.SimpleConfigurationManager$$FastClassByCGLIB$$ce77a924.invoke(<generated>)
at net.sf.cglib.reflect.FastMethod.invoke(FastMethod.java:53)
at org.apache.geronimo.gbean.runtime.FastMethodInvoker.invoke(FastMethodInvoker.java:38)
at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:124)
at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:830)
at org.apache.geronimo.gbean.runtime.RawInvoker.invoke(RawInvoker.java:57)
at org.apache.geronimo.kernel.basic.RawOperationInvoker.invoke(RawOperationInvoker.java:35)
at org.apache.geronimo.kernel.basic.ProxyMethodInterceptor.intercept(ProxyMethodInterceptor.java:96)
at org.apache.geronimo.kernel.config.EditableConfigurationManager$$EnhancerByCGLIB$$fd24670e.startConfiguration(<generated>)
at org.apache.geronimo.system.main.EmbeddedDaemon.doStartup(EmbeddedDaemon.java:161)
at org.apache.geronimo.system.main.EmbeddedDaemon.execute(EmbeddedDaemon.java:83)
at org.apache.geronimo.kernel.util.MainConfigurationBootstrapper.main(MainConfigurationBootstrapper.java:45)
at org.apache.geronimo.cli.AbstractCLI.executeMain(AbstractCLI.java:67)
at org.apache.geronimo.cli.daemon.DaemonCLI.main(DaemonCLI.java:30)
15:47:40,953 WARN [BasicLifecycleMonitor] Exception occured while notifying listener
[...]
C:\geronimo-tomcat6-jee5-2.0.3\bin>geronimo run
Using GERONIMO_BASE: C:\geronimo-tomcat6-jee5-2.0.3
Using GERONIMO_HOME: C:\geronimo-tomcat6-jee5-2.0.3
Using GERONIMO_TMPDIR: var\temp
Using JRE_HOME: C:\Program Files\Java\jre1.5.0_11
Listening for transport dt_socket at address: 5005
Booting Geronimo Kernel (in Java 1.5.0_11)...
Starting Geronimo Application Server v2.0.3-SNAPSHOT
[***> ] 11% 27s Starting org.apac...15:57:28,625 ERROR [GBeanInstanceState] Error while starting; GBean is now in the FAILED state: abstractName="org.apache.geronimo.configs/
j2ee-security/2.0.3-SNAPSHOT/car?ServiceModule=org.apache.geronimo.configs/j2ee-security/2.0.3-SNAPSHOT/car,j2eeType=GBean,name=SecurityService"
java.lang.LinkageError: org/apache/geronimo/security/jacc/GeronimoPolicyConfigurationFactory
at org.apache.geronimo.security.jacc.GeronimoPolicy.implies(GeronimoPolicy.java:74)
at java.security.ProtectionDomain.implies(Unknown Source)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.Thread.setContextClassLoader(Unknown Source)
at org.apache.geronimo.gbean.runtime.GBeanInstance.createInstance(GBeanInstance.java:1056)
at org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStart(GBeanInstanceState.java:268)
at org.apache.geronimo.gbean.runtime.GBeanInstanceState.start(GBeanInstanceState.java:102)
at org.apache.geronimo.gbean.runtime.GBeanInstanceState.startRecursive(GBeanInstanceState.java:124)
at org.apache.geronimo.gbean.runtime.GBeanInstance.startRecursive(GBeanInstance.java:553)
at org.apache.geronimo.kernel.basic.BasicKernel.startRecursiveGBean(BasicKernel.java:379)
at org.apache.geronimo.kernel.config.ConfigurationUtil.startConfigurationGBeans(ConfigurationUtil.java:448)
at org.apache.geronimo.kernel.config.KernelConfigurationManager.start(KernelConfigurationManager.java:187)
at org.apache.geronimo.kernel.config.SimpleConfigurationManager.startConfiguration(SimpleConfigurationManager.java:530)
at org.apache.geronimo.kernel.config.SimpleConfigurationManager$$FastClassByCGLIB$$ce77a924.invoke(<generated>)
at net.sf.cglib.reflect.FastMethod.invoke(FastMethod.java:53)
at org.apache.geronimo.gbean.runtime.FastMethodInvoker.invoke(FastMethodInvoker.java:38)
at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:124)
at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:830)
at org.apache.geronimo.gbean.runtime.RawInvoker.invoke(RawInvoker.java:57)
at org.apache.geronimo.kernel.basic.RawOperationInvoker.invoke(RawOperationInvoker.java:35)
at org.apache.geronimo.kernel.basic.ProxyMethodInterceptor.intercept(ProxyMethodInterceptor.java:96)
at org.apache.geronimo.kernel.config.EditableConfigurationManager$$EnhancerByCGLIB$$7e14cd11.startConfiguration(<generated>)
at org.apache.geronimo.system.main.EmbeddedDaemon.doStartup(EmbeddedDaemon.java:156)
at org.apache.geronimo.system.main.EmbeddedDaemon.execute(EmbeddedDaemon.java:78)
at org.apache.geronimo.kernel.util.MainConfigurationBootstrapper.main(MainConfigurationBootstrapper.java:45)
at org.apache.geronimo.cli.AbstractCLI.executeMain(AbstractCLI.java:67)
at org.apache.geronimo.cli.daemon.DaemonCLI.main(DaemonCLI.java:30)
15:57:28,640 WARN [BasicLifecycleMonitor] Exception occured while notifying listener
[...]
Thanks
Jacques
Re: Security manager issue under Windows XP
Posted by Jacques Le Roux <ja...@les7arts.com>.
Kevan,
Yes it works (i.e. it opens and closes cleanly). Actually it was not a deep problem for me, as the client I was working for on this is (of course ;o) using a Linux server in production.
I will update the OFBiz guidelines with your comments, they will certainly help people in the future...
Thanks a bunch
Jacques
----- Original Message -----
From: Kevan Miller
To: user@geronimo.apache.org
Sent: Wednesday, May 28, 2008 1:14 AM
Subject: Re: Security manager issue under Windows XP
On May 18, 2008, at 10:00 AM, Jacques Le Roux wrote:
Hi All,
I'm an Apache OFBiz committer. Recently I did some work to allow OFBiz to run under WASCE 2.0.1 and Geronimo 2.0.3 http://docs.ofbiz.org/pages/viewpage.action?pageId=4098
But I'm now facing an issue on Windows XP SP2: I can't run WASCE with a security manager set from the command line using the -Djava.security.manager=default -Djava.security.policy=client.policy options. I get the error below. Note that this is working properly under Linux (Ubuntu and SUSE as well). Am I missing something or should I open a Jira issue? (I also tried -Djava.security.manager, but I guess it's the same.)
As posted on the corresponding Jira, here's a work-around:
Set the Xorg.apache.geronimo.JarFileClassLoader property to "false". E.g.:
set JAVA_OPTS=-Djava.security.manager -Djava.security.policy=client.security -DXorg.apache.geronimo.JarFileClassLoader=false
You should be able to start Geronimo now. This isn't really a fix. However, for a relatively static deployment of Geronimo, this should work fine. If you're using the server as a development environment and repeatedly deploying/undeploying applications, you'll find that deployment artifacts are not properly deleted and you also may encounter ClassLoader memory leaks.
--kevan
Re: Security manager issue under Windows XP
Posted by Kevan Miller <ke...@gmail.com>.
On May 18, 2008, at 10:00 AM, Jacques Le Roux wrote:
> Hi All,
>
> I'm an Apache OFBiz committer. Recently I did some work to allow
> OFBiz to run under WASCE 2.0.1 and Geronimo 2.0.3 http://docs.ofbiz.org/pages/viewpage.action?pageId=4098
> But I'm now facing an issue on Windows XP SP2: I can't run WASCE with
> a security manager set from the command line using the
> -Djava.security.manager=default -Djava.security.policy=client.policy
> options. I get the error below. Note that this is working properly
> under Linux (Ubuntu and SUSE as well). Am I missing something or
> should I open a Jira issue? (I also tried -Djava.security.manager,
> but I guess it's the same.)
As posted on the corresponding Jira, here's a work-around:
Set the Xorg.apache.geronimo.JarFileClassLoader property to "false".
E.g.:
set JAVA_OPTS=-Djava.security.manager -Djava.security.policy=client.security -DXorg.apache.geronimo.JarFileClassLoader=false
You should be able to start Geronimo now. This isn't really a fix.
However, for a relatively static deployment of Geronimo, this should
work fine. If you're using the server as a development environment and
repeatedly deploying/undeploying applications you'll find that
deployment artifacts are not properly deleted and you also may
encounter ClassLoader memory leaks.
--kevan
Re: Security manager issue under Windows XP
Posted by Dan Becker <da...@gmail.com>.
Jacques Le Roux <ja...@...> writes:
> But I'm now facing an issue on Windows XP SP2: I
> can't run WASCE with a security manager set from the command line using the
> -Djava.security.manager=default -Djava.security.policy=client.policy options.
> I get the error below. Note that this is working properly under Linux (Ubuntu
> and SUSE as well). Am I missing something or should I open a Jira issue? (I
> also tried -Djava.security.manager, but I guess it's the same.)
Hi Jacques, as I mention in JIRA GERONIMO-4037,
It is definitely strange that your security policy would work on Linux but not
on Windows. The behavior you mention should be the same on all platforms.
From your stack trace above, it appears that
org.apache.geronimo.gbean.runtime.GBeanInstance.createInstance
is attempting to set a class loader, which is a privileged action requiring a
runtime permission, but somehow the policy you have set is not visible to the
security manager.
Three possible problems with your security policy client.policy that you might
be able to easily test.
1) I thought the grant statement in the policy file required a URL for the code
base. You might need to add the URL for the Geronimo code base in order for this
permission to be visible.
2) The JVM command line arg -Djava.security.policy=client.policy requires a URL
for the location of the policy file. It could be that this file is visible in
Linux and not in Windows. You might want to hard code a file URL to test this.
3) The "-Djava.security.policy" policy file value will be ignored if the
"policy.allowSystemProperty" property in the security properties file is set to
false. The default is true. You can add this to the command line with
-Dpolicy.allowSystemProperty=true.
You can also get lots of security diagnostics of running with security managers
when you add -Djava.security.debug=policy or -Djava.security.debug=all.
Report back and let me know if any of these work.
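
The three checks and the debug switch suggested above, put together as a Windows batch script. This is an added example, not part of the thread: the install and JRE paths are copied from the console output in the first post, and the location of client.policy in C:\wasce\bin is an assumption.

```bat
@echo off
setlocal
rem Added example, not from the thread. Paths come from the console output in
rem the first post; the policy file location is an assumption.
set "GERONIMO_BIN=C:\wasce\bin"
set "JRE_HOME=C:\Program Files\Java\jre1.5.0_11"
set "POLICY_FILE=%GERONIMO_BIN%\client.policy"

rem Check 2: confirm the policy file exists at the path the file URL will name.
if not exist "%POLICY_FILE%" (
  echo Policy file not found: %POLICY_FILE%
  exit /b 1
)

rem Check 1: list the grant entries so you can see whether each names a
rem codeBase URL. A grant scoped to the whole install would look like:
rem   grant codeBase "file:/C:/wasce/-" {
rem     permission java.lang.RuntimePermission "setContextClassLoader";
rem   };
findstr /n /i /c:"grant" "%POLICY_FILE%"

rem Check 3: show the policy.allowSystemProperty line in the JRE security
rem properties file; if it is false, -Djava.security.policy is ignored.
findstr /n /c:"policy.allowSystemProperty" "%JRE_HOME%\lib\security\java.security"

rem Pass the policy as an absolute file URL (forward slashes) instead of a
rem relative name, and turn on policy diagnostics.
set JAVA_OPTS=-Djava.security.manager -Djava.security.policy=file:/C:/wasce/bin/client.policy -Djava.security.debug=policy

cd /d "%GERONIMO_BIN%"
call geronimo run
```

With -Djava.security.debug=policy the JVM prints the policy it loaded to the console, so an empty or missing set of grants is visible before the GBean start-up error.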