You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by "Sergey V. Udaltsov" <se...@clients.ie> on 2001/06/20 00:13:58 UTC
Security exceptions.
Hi all
I am running tomcat 3.2.2 with Apache 1.3.19 using JDK 1.3.1 by Sun.
The script /usr/bin/tomcat is called with "-security" parameter.
The file /var/tomcat/conf/tomcat.policy contains, among others, the
lines:
grant codeBase "file:/usr/local/idle/web/-" {
permission java.security.AllPermission;
};
When I try to call some .jsp file which creates the bean from
/usr/local/idle/web/WEB-INF/lib/idlebase.jar,
I get the exception:
Error: 500
Location: /idle/common/jsp/courseList.jsp
Internal Servlet Error:
javax.servlet.ServletException: access denied (java.io.FilePermission
/usr/local/idle/web/WEB-INF/lib/idlebase.jar read)
at
org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java)
at
jsp._0002fjsp_0002fcourseList_0002ejspcourseList_jsp_0._jspService(_0002fjsp_0002fcourseList_0002ejspcourseList_jsp_0.java:180)
at
org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java)
at javax.servlet.http.HttpServlet.service(HttpServlet.java)
at
org.apache.jasper.servlet.JspServlet$JspCountedServlet.service(JspServlet.java)
at javax.servlet.http.HttpServlet.service(HttpServlet.java)
at
org.apache.jasper.servlet.JspServlet$JspServletWrapper.service(JspServlet.java)
at
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java)
at javax.servlet.http.HttpServlet.service(HttpServlet.java)
at
org.apache.tomcat.core.ServletWrapper.doService(ServletWrapper.java)
at org.apache.tomcat.core.Handler.service(Handler.java)
at
org.apache.tomcat.core.ServletWrapper.service(ServletWrapper.java)
at
org.apache.tomcat.core.ContextManager.internalService(ContextManager.java)
at
org.apache.tomcat.core.ContextManager.service(ContextManager.java)
at
org.apache.tomcat.service.connector.Ajp13ConnectionHandler.processConnection(Ajp13ConnectionHandler.java)
at
org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java)
at
org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java)
at java.lang.Thread.run(Thread.java:484)
Root cause:
java.security.AccessControlException: access denied
(java.io.FilePermission /usr/local/idle/web/WEB-INF/lib/idlebase.jar
read)
at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:272)
at
java.security.AccessController.checkPermission(AccessController.java:399)
at
java.lang.SecurityManager.checkPermission(SecurityManager.java:545)
at java.lang.SecurityManager.checkRead(SecurityManager.java:890)
at java.io.File.isDirectory(File.java:567)
at
org.apache.tomcat.loader.AdaptiveClassLoader.getResourceAsStream(AdaptiveClassLoader.java)
at java.lang.Class.getResourceAsStream(Class.java:1220)
at spbtu.util.LogUtil.(LogUtil.java:37)
at spbtu.util.LogUtil.(LogUtil.java:23)
at
jsp._0002fjsp_0002fcourseList_0002ejspcourseList_jsp_0._jspService(_0002fjsp_0002fcourseList_0002ejspcourseList_jsp_0.java:69)
at
org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java)
at javax.servlet.http.HttpServlet.service(HttpServlet.java)
at
org.apache.jasper.servlet.JspServlet$JspCountedServlet.service(JspServlet.java)
at javax.servlet.http.HttpServlet.service(HttpServlet.java)
at
org.apache.jasper.servlet.JspServlet$JspServletWrapper.service(JspServlet.java)
at
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java)
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java)
at javax.servlet.http.HttpServlet.service(HttpServlet.java)
at
org.apache.tomcat.core.ServletWrapper.doService(ServletWrapper.java)
at org.apache.tomcat.core.Handler.service(Handler.java)
at
org.apache.tomcat.core.ServletWrapper.service(ServletWrapper.java)
at
org.apache.tomcat.core.ContextManager.internalService(ContextManager.java)
at
org.apache.tomcat.core.ContextManager.service(ContextManager.java)
at
org.apache.tomcat.service.connector.Ajp13ConnectionHandler.processConnection(Ajp13ConnectionHandler.java)
at
org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java)
at
org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java)
at java.lang.Thread.run(Thread.java:484)
The exception is caused by my class which is trying to read
(getResourceAsStream) some resource file existing in the same .jar.
Any ideas what's wrong here?
Regards,
Sergey
Re: Security exceptions.
Posted by "Sergey V. Udaltsov" <se...@clients.ie>.
Hi
It seems it is impossible to grant security permissions to the classes
loaded by either org.apache.tomcat.loader.AdaptiveClassLoader or
org.apache.jasper.servlet.JasperLoader.
At least when I write in the policy file
grant codeBase "XXX" { java.security.AllPermission; };
I get a lot of security exceptions (with either "file:/-" or
"http://*/-" codebase).
The codebase seems to be null!!!
If I write
grant { java.security.AllPermission; };
everything is OK.
Could anybody comment/fix/document this issue?
Regards,
Sergey