You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@tomcat.apache.org by "Sergey V. Udaltsov" <se...@clients.ie> on 2001/06/20 00:13:58 UTC

Security exceptions.

Hi all

I am running tomcat 3.2.2 with Apache 1.3.19 using JDK 1.3.1 by Sun.

The script /usr/bin/tomcat is called with "-security" parameter.

The file /var/tomcat/conf/tomcat.policy contains, among others, the
lines:

grant codeBase "file:/usr/local/idle/web/-" {
    permission java.security.AllPermission;
};

When I try to call some .jsp file which creates the bean from
/usr/local/idle/web/WEB-INF/lib/idlebase.jar,
I get the exception:

Error: 500

Location: /idle/common/jsp/courseList.jsp

Internal Servlet Error:

javax.servlet.ServletException: access denied (java.io.FilePermission
/usr/local/idle/web/WEB-INF/lib/idlebase.jar read)
        at
org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java)
        at
jsp._0002fjsp_0002fcourseList_0002ejspcourseList_jsp_0._jspService(_0002fjsp_0002fcourseList_0002ejspcourseList_jsp_0.java:180)
        at
org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java)
        at
org.apache.jasper.servlet.JspServlet$JspCountedServlet.service(JspServlet.java)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java)
        at
org.apache.jasper.servlet.JspServlet$JspServletWrapper.service(JspServlet.java)
        at
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java)
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java)
        at
org.apache.tomcat.core.ServletWrapper.doService(ServletWrapper.java)
        at org.apache.tomcat.core.Handler.service(Handler.java)
        at
org.apache.tomcat.core.ServletWrapper.service(ServletWrapper.java)
        at
org.apache.tomcat.core.ContextManager.internalService(ContextManager.java)
        at
org.apache.tomcat.core.ContextManager.service(ContextManager.java)
        at
org.apache.tomcat.service.connector.Ajp13ConnectionHandler.processConnection(Ajp13ConnectionHandler.java)
        at
org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java)
        at
org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java)
        at java.lang.Thread.run(Thread.java:484)

Root cause: 

java.security.AccessControlException: access denied
(java.io.FilePermission /usr/local/idle/web/WEB-INF/lib/idlebase.jar
read)
        at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:272)
        at
java.security.AccessController.checkPermission(AccessController.java:399)
        at
java.lang.SecurityManager.checkPermission(SecurityManager.java:545)
        at java.lang.SecurityManager.checkRead(SecurityManager.java:890)
        at java.io.File.isDirectory(File.java:567)
        at
org.apache.tomcat.loader.AdaptiveClassLoader.getResourceAsStream(AdaptiveClassLoader.java)
        at java.lang.Class.getResourceAsStream(Class.java:1220)
        at spbtu.util.LogUtil.(LogUtil.java:37)
        at spbtu.util.LogUtil.(LogUtil.java:23)
        at
jsp._0002fjsp_0002fcourseList_0002ejspcourseList_jsp_0._jspService(_0002fjsp_0002fcourseList_0002ejspcourseList_jsp_0.java:69)
        at
org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java)
        at
org.apache.jasper.servlet.JspServlet$JspCountedServlet.service(JspServlet.java)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java)
        at
org.apache.jasper.servlet.JspServlet$JspServletWrapper.service(JspServlet.java)
        at
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java)
        at org.apache.jasper.servlet.JspServlet.service(JspServlet.java)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java)
        at
org.apache.tomcat.core.ServletWrapper.doService(ServletWrapper.java)
        at org.apache.tomcat.core.Handler.service(Handler.java)
        at
org.apache.tomcat.core.ServletWrapper.service(ServletWrapper.java)
        at
org.apache.tomcat.core.ContextManager.internalService(ContextManager.java)
        at
org.apache.tomcat.core.ContextManager.service(ContextManager.java)
        at
org.apache.tomcat.service.connector.Ajp13ConnectionHandler.processConnection(Ajp13ConnectionHandler.java)
        at
org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java)
        at
org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java)
        at java.lang.Thread.run(Thread.java:484)

The exception is caused by my class which is trying to read
(getResourceAsStream) some resource file existing in the same .jar.

Any ideas what's wrong here?

Regards,

Sergey

Re: Security exceptions.

Posted by "Sergey V. Udaltsov" <se...@clients.ie>.

Hi

It seems it is impossible to grant security permissions to the classes
loaded by either org.apache.tomcat.loader.AdaptiveClassLoader or
org.apache.jasper.servlet.JasperLoader.

At least when I write in the policy file 
  grant codeBase "XXX"  { java.security.AllPermission; };
I get a lot of security exceptions (with either "file:/-" or
"http://*/-" codebase). 

The codebase seems to be null!!!

If I write
  grant  { java.security.AllPermission; };
everything is OK.

Could anybody comment/fix/document this issue?

Regards,

Sergey