Posted to dev@turbine.apache.org by Bastian Quilitz <tu...@quilitz.de> on 2003/04/03 14:51:14 UTC
Turbine - Tomcat security policy
Hello!
I'm just moving our Turbine 2.1 app from a TDK development environment to a
production server based on Apache and Tomcat.
Running Tomcat without the -security option, everything works fine. Once
the -security option is enabled, the following exception is raised:
Horrible Exception: java.lang.Exception: Screen template 'Login.vm' not found
    at org.apache.turbine.services.template.TurbineTemplateService.getParsedScreenTemplateName(TurbineTemplateService.java:726)
    at org.apache.turbine.services.template.TurbineTemplateService.getCachedName(TurbineTemplateService.java:572)
    at org.apache.turbine.services.template.TurbineTemplateService.getScreenTemplateName(TurbineTemplateService.java:412)
    at org.apache.turbine.services.template.TurbineTemplate.getScreenTemplateName(TurbineTemplate.java:92)
    at org.apache.turbine.modules.screens.VelocityScreen.buildTemplate(VelocityScreen.java:129)
    at org.apache.turbine.modules.screens.TemplateScreen.doBuild(TemplateScreen.java:130)
    at org.apache.turbine.modules.Screen.build(Screen.java:99)
    at org.apache.turbine.modules.ScreenLoader.eval(ScreenLoader.java:129)
    at org.apache.turbine.modules.layouts.VelocityECSLayout.doBuild(VelocityECSLayout.java:100)
    at org.apache.turbine.modules.Layout.build(Layout.java:91)
    at org.apache.turbine.modules.LayoutLoader.exec(LayoutLoader.java:123)
    at org.apache.turbine.modules.pages.DefaultPage.doBuild(DefaultPage.java:166)
    at org.apache.turbine.modules.Page.build(Page.java:90)
    at org.apache.turbine.modules.PageLoader.exec(PageLoader.java:123)
    at org.apache.turbine.Turbine.doGet(Turbine.java:447)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
    [...]
This is because of an incorrect catalina.policy file.
When I add
    grant codeBase "file:${catalina.home}/webapps/myapp/-" {
        permission java.security.AllPermission;
    };
    grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/lib/pg73jdbc3.jar!/-" {
        permission java.net.SocketPermission "sushi-db:5432", "connect";
    };
to the policy file it works fine, but as you may understand I don't want to
give myapp all permissions.
I tried some other grants:
    grant codeBase "file:${catalina.home}/webapps/myapp/-" {
        permission java.net.SocketPermission "app-db:5432", "connect";
        // required!
        permission java.net.SocketPermission "localhost:12345", "listen,resolve";
        permission java.io.FilePermission "file:${catalina.home}/webapps/sushi/-", "read";
        // Allow logs
        permission java.io.FilePermission "file:${catalina.home}/webapps/sushi/logs/*", "read,write";
        // required!
        permission java.lang.RuntimePermission "accessDeclaredMembers";
    };
    grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/lib/pg73jdbc3.jar!/-" {
        permission java.net.SocketPermission "sushi-db:5432", "connect";
    };
This doesn't work. Every time I get the mentioned exception.
The following policy works:
    grant codeBase "file:${catalina.home}/webapps/myapp/-" {
        permission java.net.SocketPermission "sushi-db:5432", "connect";
        permission java.net.SocketPermission "localhost:12345", "listen,resolve";
        permission java.io.FilePermission "<<ALL FILES>>", "read,write";
        permission java.lang.RuntimePermission "accessDeclaredMembers";
    };
When changing access to <<ALL FILES>> to just "read", allowing write access
just for logs and/or application root, I get the mentioned exception. Even
when I change <<ALL FILES>> to "/-" the exception occurs.
This is a strange thing, because I do not see any reason why turbine or the
TurbineTemplateService should need write access to any files outside
application root.
thanks.
regards,
Bastian Quilitz
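
An added example, not part of the original message and not Turbine or Tomcat code: it passes FilePermission targets shaped like those in the policies above to the JDK's own matching logic, so a `file:`-prefixed target, a plain path target and `<<ALL FILES>>` can be compared. A codeBase is a URL, while a FilePermission target is a filesystem path; `/opt/tomcat` (standing in for `${catalina.home}`) and the requested paths are constructed, Unix-style assumptions.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.security.Permissions;

public class FilePermissionCheck {
    // Constructed value standing in for ${catalina.home}; not from the post.
    static final String HOME = "/opt/tomcat";

    // Build the FilePermission set of one grant block from {target, actions} pairs.
    static Permissions grant(String[]... entries) {
        Permissions p = new Permissions();
        for (String[] e : entries) {
            p.add(new FilePermission(e[0], e[1]));
        }
        return p;
    }

    public static void main(String[] args) {
        // Targets written as URLs, the way the second policy in the post writes them.
        Permissions urlStyle = grant(
            new String[] {"file:" + HOME + "/webapps/sushi/-", "read"},
            new String[] {"file:" + HOME + "/webapps/sushi/logs/*", "read,write"});
        // The same two grants with plain filesystem paths as targets.
        Permissions pathStyle = grant(
            new String[] {HOME + "/webapps/sushi/-", "read"},
            new String[] {HOME + "/webapps/sushi/logs/*", "read,write"});
        // The broad grant from the third policy in the post.
        Permissions allFiles = grant(new String[] {"<<ALL FILES>>", "read,write"});

        // Constructed requests: a template read, log writes, a write outside the webapp.
        Permission[] requests = {
            new FilePermission(HOME + "/webapps/sushi/templates/Login.vm", "read"),
            new FilePermission(HOME + "/webapps/sushi/logs/turbine.log", "write"),
            new FilePermission(HOME + "/webapps/sushi/logs/old/turbine.log", "write"),
            new FilePermission(HOME + "/work/cache.tmp", "write"),
        };

        System.out.printf("%-58s %-9s %-11s %s%n",
            "request", "file:URL", "plain path", "ALL FILES");
        for (Permission r : requests) {
            System.out.printf("%-58s %-9b %-11b %b%n",
                r.getName() + " (" + r.getActions() + ")",
                urlStyle.implies(r), pathStyle.implies(r), allFiles.implies(r));
        }
    }
}
```

To see which permission a running Tomcat actually denies, start the JVM with `-Djava.security.debug=access,failure` and read the failed checks from its output.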