Posted to dev@tomcat.apache.org by bu...@apache.org on 2012/01/12 17:42:00 UTC

DO NOT REPLY [Bug 52460] New: Unable to run signed .war files with security manager

https://issues.apache.org/bugzilla/show_bug.cgi?id=52460

             Bug #: 52460
           Summary: Unable to run signed .war files with security manager
           Product: Tomcat 7
           Version: 7.0.23
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Servlet & JSP API
        AssignedTo: dev@tomcat.apache.org
        ReportedBy: thomas.toth@oenb.at
    Classification: Unclassified


Hi,

I stumbled upon an issue when trying to run Tomcat 7.0.23 (presumably all
Tomcat versions) with a security manager. 

I managed without any problems to create a servlet, pack it into a .war
containing a signed .jar file and run it with a security manager.

According to the final Java Servlet Specification (November 2009), in the
application directory structure of a .war the /WEB-INF/classes/ directory shall
contain the application's .class files. /WEB-INF/lib/*.jar shall contain
servlets, beans, static resources as well as other resources that are useful to
the Web application.

So in my understanding the .war shall contain my application code under
/WEB-INF/classes/ while utility code shall be placed under /WEB-INF/lib/.

Here is the problem:
If I use this recommended way of file placement, it is impossible to run the
application with a security manager properly. As the .class files reside under
/WEB-INF/classes I can only sign the .war file. But this signature is not
reflected in the security manager. Although the .war file (and also the .class
files) is signed, the security manager is not provided with this information,
making it impossible to create custom policies in catalina.policy.

Is using signed jars the only way of running servlets with a security manager?

Is this a JVM or a Tomcat bug?

Thomas

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


DO NOT REPLY [Bug 52460] Unable to run signed .war files with security manager

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52460

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #1 from Mark Thomas <ma...@apache.org> 2012-01-12 19:39:19 UTC ---
Your understanding of the spec is incorrect. You can place application code in
JARs in WEB-INF/lib.

Please use the users mailing list if you have any further questions regarding
this matter.

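The thread turns on which classes actually carry signer information that a signedBy policy entry can match. The following is an added example, not code from the thread or from the Tomcat project: a small check, run against a JAR destined for WEB-INF/lib, that lists every class entry and the certificate subject that signed it. The class name JarSignerCheck is hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Reports, per class entry, whether a JAR entry carries a verified signer. */
public class JarSignerCheck {
    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java JarSignerCheck <path-to-jar>");
            System.exit(2);
        }
        int unsigned = 0;
        // verify=true: a modified signed entry raises SecurityException while it is read
        try (JarFile jar = new JarFile(new File(args[0]), true)) {
            byte[] buf = new byte[8192];
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                if (entry.isDirectory() || !entry.getName().endsWith(".class")) {
                    continue;
                }
                // Signer data is only populated once the entry has been read to the end
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    unsigned++;
                    System.out.println("UNSIGNED " + entry.getName());
                    continue;
                }
                for (CodeSigner s : signers) {
                    // First certificate in the path is the signer's own certificate
                    X509Certificate cert = (X509Certificate)
                            s.getSignerCertPath().getCertificates().get(0);
                    System.out.println("signed   " + entry.getName()
                            + " by " + cert.getSubjectX500Principal().getName());
                }
            }
        }
        // Non-zero exit if any class lacks a signer, so the check can gate a build
        System.exit(unsigned == 0 ? 0 : 1);
    }
}
```

The subject printed for each class is the one whose certificate must be present, under some alias, in the keystore that the policy file's signedBy entry refers to.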