Posted to users@tomcat.apache.org by Witoslaw Koczewski <wi...@koczewski.de> on 2012/03/26 11:32:25 UTC

AccessControlException when starting embedded Tomcat from Java Webstart

Hello,

for our Kunagi Java web application we have a signed kunagi.jar file which contains our classes together with classes from embedded Tomcat 6. This runs perfectly when calling java -jar kunagi.jar.

But when starting it with Java WebStart, I get an exception while embedded Tomcat is starting:

java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.deploy)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:393)
at java.security.AccessController.checkPermission(AccessController.java:553)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1529)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:291)
at java.lang.ClassLoader.loadClass(ClassLoader.java:266)
at net.sourceforge.jnlp.runtime.JNLPClassLoader.loadClass(JNLPClassLoader.java:1018)
at java.lang.Class.getDeclaredMethods0(Native Method)
at java.lang.Class.privateGetDeclaredMethods(Class.java:2444)
at java.lang.Class.getMethod0(Class.java:2687)
at java.lang.Class.getMethod(Class.java:1620)
at org.apache.catalina.startup.SetPublicIdRule.begin(WebRuleSet.java:639)
at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1276)
... 33 more

Of course kunagi.jar is signed, otherwise it wouldn't even start. It seems Java WebStart enables Java Security globally, which somehow embedded Tomcat "inherits" and fails to initialize.

Is there a way to disable security checks for Tomcat inside of Java WebStart? Or how can I configure embedded Tomcat to permit access to org.apache.catalina...?

I have already posted this problem on StackOverflow, where someone said, this could be a Tomcat bug: stackoverflow.com/questions...

Best regards,
Witek 

---
http://koczewski.de

RE: AccessControlException when starting embedded Tomcat from Java Webstart

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Witoslaw Koczewski [mailto:wi@koczewski.de] 
> Subject: Re: AccessControlException when starting embedded Tomcat from Java Webstart

> Usually when I turn on a feature in software A, I don't expect 
> it to affect software B.

You're not turning on a feature in an independent module; WebStart is changing the mode the JVM runs in.

> Does Tomcat use the same Security Manager as WebStart or does 
> it just share the same switch?

The SecurityManager is an attribute of the JVM, not of any particular set of classes loaded in that JVM.  If the SecurityManager is enabled, all classes running inside that JVM have to live with it.

> Is there perhaps a central place in the Tomcat source code where the 
> switch is evaluated, so I can rename it or hard-code it to "false"?

You're missing the point; Tomcat isn't the one enforcing this, the JVM is.  Since you have chosen to operate in an environment that includes a SecurityManager, you must find the controlling policy file for that SecurityManager and make sure it includes all the permissions Tomcat needs (the ones in catalina.policy).

 - Chuck
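
A diagnostic for the situation described in this reply, as an added example that is not part of the original thread and is not Tomcat code: it reports whether the JVM has a SecurityManager installed, what the `package.access` security property lists (the list `SecurityManager.checkPackageAccess` from the stack trace consults), and whether the calling code holds the permission named in the exception. The class name `SecurityDiag` is hypothetical, the permission string is copied from the stack trace, and a JDK that still supports the SecurityManager is assumed.

```java
import java.security.AllPermission;
import java.security.Permission;
import java.security.ProtectionDomain;
import java.security.Security;

// Hypothetical helper (not Tomcat code): call SecurityDiag.report() from the
// application's main() before starting embedded Tomcat.
public class SecurityDiag {

    // Permission string copied from the AccessControlException in the thread.
    static final String DENIED = "accessClassInPackage.org.apache.catalina.deploy";

    // True if every frame on the current call stack is granted p
    // (or if no SecurityManager is installed at all).
    static boolean stackHolds(SecurityManager sm, Permission p) {
        if (sm == null) return true;
        try {
            sm.checkPermission(p);
            return true;
        } catch (SecurityException e) { // AccessControlException is a subclass
            return false;
        }
    }

    public static String report() {
        SecurityManager sm = System.getSecurityManager(); // one per JVM
        // Needs RuntimePermission "getProtectionDomain" when a manager is set.
        ProtectionDomain pd = SecurityDiag.class.getProtectionDomain();
        Permission perm = new RuntimePermission(DENIED);
        StringBuilder out = new StringBuilder();
        out.append("SecurityManager: ")
           .append(sm == null ? "none" : sm.getClass().getName()).append('\n');
        // Comma-separated package prefixes that trigger accessClassInPackage checks.
        out.append("package.access: ")
           .append(Security.getProperty("package.access")).append('\n');
        out.append("code source: ").append(pd.getCodeSource()).append('\n');
        out.append("domain implies AllPermission: ")
           .append(pd.implies(new AllPermission())).append('\n');
        out.append("domain implies ").append(DENIED).append(": ")
           .append(pd.implies(perm)).append('\n');
        out.append("call stack holds it: ").append(stackHolds(sm, perm)).append('\n');
        return out.toString();
    }

    public static void main(String[] args) {
        System.out.print(report());
    }
}
```

Running it once with `java -jar` and once under WebStart and comparing the two reports shows which of these values the launcher changes.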




Re: AccessControlException when starting embedded Tomcat from Java Webstart

Posted by Witoslaw Koczewski <wi...@koczewski.de>.
> For example, have you tried expanding *all* the JAR files that ship with
> Tomcat and then re-assembling them into your single kunagi.jar?

This is exactly what I do. And my JNLP requires all-permissions. My application can open ports, read and delete all files - but not start the embedded Tomcat I have signed :-(

Best regards,
Witek





---
http://koczewski.de

Re: AccessControlException when starting embedded Tomcat from Java Webstart

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Witoslaw,

On 3/26/12 12:25 PM, Christopher Schultz wrote:
> I have no idea how to do [customize the policy].

Looks like you can't:

http://lopica.sourceforge.net/faq.html#policy

You could try separately signing the Tomcat JAR files yourself and see
what happens. You haven't described your class loading strategy. For
example, have you tried expanding *all* the JAR files that ship with
Tomcat and then re-assembling them into your single kunagi.jar?

-chris


Re: AccessControlException when starting embedded Tomcat from Java Webstart

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Pid,

On 3/26/12 11:07 AM, Pid wrote:
> On 26/03/2012 15:46, Witoslaw Koczewski wrote:
>> 
>> Is there perhaps a central place in the Tomcat source code where 
>> the switch is evaluated, so I can rename it or hard-code it to 
>> "false"?
> 
> No.  The access controls are distributed in the code.

Nor would it help. Tomcat isn't just doing those checks because it's
playing nice: those checks (really attempts, not checks) are required
in order to work under a SecurityManager. If those privileged actions
weren't being used, those actions wouldn't work, anyway.

Seriously, there's nothing Tomcat can do about this: you have to tweak
the policy under which WebStart launches the JVM.

I have no idea how to do that. You may not even be able to do that,
otherwise a WebStart application could simply assert its rights to do
anything it wanted, like delete all the files off your hard disk, or
email a copy of your /etc/passwd file to the developer. WebStart runs
under a SecurityManager to protect the user from things it doesn't
want to allow.

-chris



Re: AccessControlException when starting embedded Tomcat from Java Webstart

Posted by Pid <pi...@pidster.com>.
On 26/03/2012 15:46, Witoslaw Koczewski wrote:
>>> Shouldn't there be a switch in Tomcat to turn off these checks?
>>
>> Why?  If you don't want the Security Manager, don't turn it on.
> 
> I don't, WebStart does. Usually when I turn on a feature in software A, I don't expect it to affect software B. 

You are (or WebStart is) turning the feature on *in the JVM*, not in
some arbitrary class running inside the JVM.


> Logging for example can be configured separately.

It is not comparable.


> Does Tomcat use the same Security Manager as WebStart or does it just share the same switch?

It's not Tomcat, it's the JVM.


> Is there perhaps a central place in the Tomcat source code where the switch is evaluated, so I can rename it or hard-code it to "false"?

No.  The access controls are distributed in the code.


p

> Best regards,
> Witek,
> 
> 
> ---
> http://koczewski.de


Re: AccessControlException when starting embedded Tomcat from Java Webstart

Posted by Witoslaw Koczewski <wi...@koczewski.de>.
> > Shouldn't there be a switch in Tomcat to turn off these checks?
> 
> Why?  If you don't want the Security Manager, don't turn it on.

I don't, WebStart does. Usually when I turn on a feature in software A, I don't expect it to affect software B. Logging for example can be configured separately.

Does Tomcat use the same Security Manager as WebStart or does it just share the same switch?

Is there perhaps a central place in the Tomcat source code where the switch is evaluated, so I can rename it or hard-code it to "false"?

Best regards,
Witek,


---
http://koczewski.de

Re: AccessControlException when starting embedded Tomcat from Java Webstart

Posted by Pid <pi...@pidster.com>.
On 26/03/2012 12:43, Witoslaw Koczewski wrote:
>> On 26/03/2012 11:12, Witoslaw Koczewski wrote:
>>>> There's a file called catalina.policy in tomcat/conf, which has some
>>>> rules in it.  You'll need to compare those rules to the ones implemented in
>>>> the client's policy file to work out what you need to add.
>>>
>>> Since I am using embedded Tomcat, there is no catalina.policy :-(
>>>
>>> Can't I just disable the checks in Tomcat?
>>
>> Yes, by applying the policy rules in the client JVM (as detailed in
>> catalina.policy).
> 
> I have configured WebStart with <security><all-permissions/>, why do I need to define security rules for Tomcat?

Does that directly equate to applying an all-permission policy in a
.policy file?


> Shouldn't there be a switch in Tomcat to turn off these checks?

Why?  If you don't want the Security Manager, don't turn it on.


> It works perfectly when starting from executable JAR file - why not work the same way when starting from WebStart?

Because WebStart turns on the Security Manager.

Tomcat isn't doing anything extra special, it only checks permissions if
the Security Manager is enabled.  The following has details:

 http://tomcat.apache.org/tomcat-7.0-doc/security-manager-howto.html


p


> Best regards,
> Witek
> 
> 
> ---
> http://koczewski.de


Re: AccessControlException when starting embedded Tomcat from Java Webstart

Posted by Witoslaw Koczewski <wi...@koczewski.de>.
> On 26/03/2012 11:12, Witoslaw Koczewski wrote:
> >> There's a file called catalina.policy in tomcat/conf, which has some
> >> rules in it.  You'll need to compare those rules to the ones implemented in
> >> the client's policy file to work out what you need to add.
> > 
> > Since I am using embedded Tomcat, there is no catalina.policy :-(
> > 
> > Can't I just disable the checks in Tomcat?
> 
> Yes, by applying the policy rules in the client JVM (as detailed in
> catalina.policy).

I have configured WebStart with <security><all-permissions/>, why do I need to define security rules for Tomcat? Shouldn't there be a switch in Tomcat to turn off these checks? It works perfectly when starting from executable JAR file - why not work the same way when starting from WebStart?

Best regards,
Witek


---
http://koczewski.de

Re: AccessControlException when starting embedded Tomcat from Java Webstart

Posted by Pid <pi...@pidster.com>.
On 26/03/2012 11:12, Witoslaw Koczewski wrote:
>> There's a file called catalina.policy in tomcat/conf, which has some
>> rules in it.  You'll need to compare those rules to the ones implemented in
>> the client's policy file to work out what you need to add.
> 
> Since I am using embedded Tomcat, there is no catalina.policy :-(
> 
> Can't I just disable the checks in Tomcat?

Yes, by applying the policy rules in the client JVM (as detailed in
catalina.policy).


>>> I have already posted this problem on StackOverflow, where someone said, this could be a
>>> Tomcat bug: stackoverflow.com/questions...
>>
>> Really.  URL please?
> 
> http://stackoverflow.com/questions/9831063/accesscontrolexception-when-starting-embedded-tomcat-from-java-webstart

Bah.


p

> Best regards,
> Witek
> 
> ---
> http://koczewski.de


Re: AccessControlException when starting embedded Tomcat from Java Webstart

Posted by Witoslaw Koczewski <wi...@koczewski.de>.
> There's a file called catalina.policy in tomcat/conf, which has some
> rules in it.  You'll need to compare those rules to the ones implemented in
> the client's policy file to work out what you need to add.

Since I am using embedded Tomcat, there is no catalina.policy :-(

Can't I just disable the checks in Tomcat?

> > I have already posted this problem on StackOverflow, where someone said, this could be a
> > Tomcat bug: stackoverflow.com/questions...
> 
> Really.  URL please?

http://stackoverflow.com/questions/9831063/accesscontrolexception-when-starting-embedded-tomcat-from-java-webstart

Best regards,
Witek

---
http://koczewski.de

Re: AccessControlException when starting embedded Tomcat from Java Webstart

Posted by Pid <pi...@pidster.com>.
On 26/03/2012 10:32, Witoslaw Koczewski wrote:
> Hello,
> 
> for our Kunagi Java web application we have a signed kunagi.jar file which contains our classes together with classes from embedded Tomcat 6. This runs perfectly when calling java -jar kunagi.jar.
> 
> But when starting it with Java WebStart, I get an exception while embedded Tomcat is starting:
> 
> java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.deploy)
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:393)
> at java.security.AccessController.checkPermission(AccessController.java:553)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
> at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1529)
> at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:291)
> at java.lang.ClassLoader.loadClass(ClassLoader.java:266)
> at net.sourceforge.jnlp.runtime.JNLPClassLoader.loadClass(JNLPClassLoader.java:1018)
> at java.lang.Class.getDeclaredMethods0(Native Method)
> at java.lang.Class.privateGetDeclaredMethods(Class.java:2444)
> at java.lang.Class.getMethod0(Class.java:2687)
> at java.lang.Class.getMethod(Class.java:1620)
> at org.apache.catalina.startup.SetPublicIdRule.begin(WebRuleSet.java:639)
> at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1276)
> ... 33 more
> 
> Of course kunagi.jar is signed, otherwise it wouldn't even start. It seems Java WebStart enables Java Security globally, which somehow embedded Tomcat "inherits" and fails to initialize.
> 
> Is there a way to disable security checks for Tomcat inside of Java WebStart? Or how can I configure embedded Tomcat to permit access to org.apache.catalina...?

There's a file called catalina.policy in tomcat/conf, which has some
rules in it.  You'll need to compare those rules to the ones implemented in
the client's policy file to work out what you need to add.


> I have already posted this problem on StackOverflow, where someone said, this could be a Tomcat bug: stackoverflow.com/questions...

Really.  URL please?


p

> Best regards,
> Witek 
> 
> ---
> http://koczewski.de