Posted to users@tomcat.apache.org by "Lawlor, Frank" <Fr...@AthensGroup.com> on 2002/03/19 23:55:29 UTC

Security problem with 4.0.2

When I start Tomcat 4.0.2 with the -security option I get
the errors below.  If I move it to server\lib the Tomcat startup
problems go away, but the app startup gets SAX ClassNotFound errors.

Below the error output is the first part of the debug output produced with
set CATALINA_OPTS=-Djava.security.debug=all 
------------------------------------------------------------

D:\jakarta-tomcat-4.0.2\bin>call "..\bin\catalina.bat" run  -security
Using CATALINA_BASE:   ..
Using CATALINA_HOME:   ..
Using CATALINA_TMPDIR: ..\temp
Using JAVA_HOME:       D:\JDK1.3.1
Using Security Manager
Starting service Tomcat-Standalone
Apache Tomcat/4.0.2
logClassName=null
Security Violation, attempt to use Restricted Class: org.apache.jasper.resources.messages
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.jasper.resources)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:272)
        at java.security.AccessController.checkPermission(AccessController.java:399)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:545)
        at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1501)
        at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:1056)
        at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:992)
        at java.util.ResourceBundle.loadBundle(ResourceBundle.java:910)
        at java.util.ResourceBundle.findBundle(ResourceBundle.java:791)
        at java.util.ResourceBundle.getBundleImpl(ResourceBundle.java:621)
        at java.util.ResourceBundle.getBundle(ResourceBundle.java:546)
        at org.apache.jasper.Constants.initResources(Constants.java:216)
        at org.apache.jasper.Constants.getString(Constants.java:235)
        at org.apache.jasper.parser.MyEntityResolver.resolveEntity(ParserUtils.java:413)
        at org.apache.xerces.readers.DefaultEntityHandler.startReadingFromExternalEntity(DefaultEntityHandler.java:750)
        at org.apache.xerces.readers.DefaultEntityHandler.startReadingFromExternalSubset(DefaultEntityHandler.java:566)
        at org.apache.xerces.framework.XMLDTDScanner.scanDoctypeDecl(XMLDTDScanner.java:1139)
        at org.apache.xerces.framework.XMLDocumentScanner.scanDoctypeDecl(XMLDocumentScanner.java:2145)
        at org.apache.xerces.framework.XMLDocumentScanner.access$0(XMLDocumentScanner.java:2100)
        at org.apache.xerces.framework.XMLDocumentScanner$PrologDispatcher.dispatch(XMLDocumentScanner.java:831)
        at org.apache.xerces.framework.XMLDocumentScanner.parseSome(XMLDocumentScanner.java:381)
        at org.apache.xerces.framework.XMLParser.parse(XMLParser.java:1081)
        at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:195)
        at javax.xml.parsers.DocumentBuilder.parse(DocumentBuilder.java:122)
        at org.apache.jasper.parser.ParserUtils.parseXMLDocument(ParserUtils.java:200)
        at org.apache.jasper.compiler.TldLocationsCache.processWebDotXml(TldLocationsCache.java:165)
        at org.apache.jasper.compiler.TldLocationsCache.<init>(TldLocationsCache.java:138)
        at org.apache.jasper.EmbededServletOptions.<init>(EmbededServletOptions.java:345)
        at org.apache.jasper.servlet.JspServlet.init(JspServlet.java:266)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:916)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:808)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3266)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:3395)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1123)
        at org.apache.catalina.core.StandardHost.start(StandardHost.java:614)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1123)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:343)
        at org.apache.catalina.core.StandardService.start(StandardService.java:388)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:506)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:781)
        at org.apache.catalina.startup.Catalina.execute(Catalina.java:681)
        at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
        at java.lang.reflect.Method.invoke(Native Method)

---------------------------------------------------------------------

jar: beginEntry META-INF/MANIFEST.MF
jar: done with meta!
jar: nothing to verify!
policy: reading file:D:/jakarta-tomcat-4.0.2/conf/catalina.policy
policy: Adding policy entry:
policy:   signedBy null
policy:   codeBase file:D:/JDK1.3.1/jre/lib/-
policy:
policy:   (java.security.AllPermission <all permissions> <all actions>)
policy:
policy: Adding policy entry:
policy:   signedBy null
policy:   codeBase file:D:/JDK1.3.1/jre/jre/lib/ext/-
policy:
policy:   (java.security.AllPermission <all permissions> <all actions>)
policy:
policy: Adding policy entry:
policy:   signedBy null
policy:   codeBase file:D:/JDK1.3.1/jre/../lib/-
policy:
policy:   (java.security.AllPermission <all permissions> <all actions>)
policy:
policy: Adding policy entry:
policy:   signedBy null
policy:   codeBase file:D:/JDK1.3.1/jre/lib/ext/-
policy:
policy:   (java.security.AllPermission <all permissions> <all actions>)
policy:
policy: Adding policy entry:
policy:   signedBy null
policy:   codeBase file:../bin/bootstrap.jar
policy:
policy:   (java.security.AllPermission <all permissions> <all actions>)
policy:
policy: Adding policy entry:
policy:   signedBy null
policy:   codeBase file:../common/-
policy:
policy:   (java.security.AllPermission <all permissions> <all actions>)
policy:
policy: Adding policy entry:
policy:   signedBy null
policy:   codeBase file:../server/-
policy:
policy:   (java.security.AllPermission <all permissions> <all actions>)
policy:
policy: Adding policy entry:
policy:   signedBy null
policy:   codeBase file:../lib/-
policy:
policy:   (java.security.AllPermission <all permissions> <all actions>)
policy:
policy: Adding policy entry:
policy:   signedBy null
policy:   codeBase file:../classes/-
policy:
policy:   (java.security.AllPermission <all permissions> <all actions>)
policy:
policy: Adding policy entry:
policy:   signedBy null
policy:   codeBase null
policy:
policy:   (java.util.PropertyPermission java.home read)
policy:   (java.util.PropertyPermission java.naming.* read)
policy:   (java.util.PropertyPermission javax.sql.* read)
policy:   (java.util.PropertyPermission os.name read)
policy:   (java.util.PropertyPermission os.version read)
policy:   (java.util.PropertyPermission os.arch read)
policy:   (java.util.PropertyPermission file.separator read)
policy:   (java.util.PropertyPermission path.separator read)
policy:   (java.util.PropertyPermission line.separator read)
policy:   (java.util.PropertyPermission java.version read)
policy:   (java.util.PropertyPermission java.vendor read)
policy:   (java.util.PropertyPermission java.vendor.url read)
policy:   (java.util.PropertyPermission java.class.version read)
policy:   (java.util.PropertyPermission java.specification.version read)
policy:   (java.util.PropertyPermission java.specification.vendor read)
policy:   (java.util.PropertyPermission java.specification.name read)
policy:   (java.util.PropertyPermission java.vm.specification.version read)
policy:   (java.util.PropertyPermission java.vm.specification.vendor read)
policy:   (java.util.PropertyPermission java.vm.specification.name read)
policy:   (java.util.PropertyPermission java.vm.version read)
policy:   (java.util.PropertyPermission java.vm.vendor read)
policy:   (java.util.PropertyPermission java.vm.name read)
policy:   (java.lang.RuntimePermission accessClassInPackage.sun.beans.*)
policy:   (java.util.PropertyPermission jaxp.debug read)
policy:
policy: overriding other policies!
java.lang.Exception: Stack trace
        at java.lang.Thread.dumpStack(Thread.java:997)
        at java.security.AccessController.checkPermission(AccessController.java:389)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:545)
        at java.lang.SecurityManager.checkRead(SecurityManager.java:890)
        at java.io.File.isDirectory(File.java:567)
        at java.io.File.toURL(File.java:480)
        at sun.security.provider.PolicyFile.canonicalizeCodebase(PolicyFile.java:955)
        at sun.security.provider.PolicyFile.access$400(PolicyFile.java:89)
        at sun.security.provider.PolicyFile$5.run(PolicyFile.java:816)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:813)
        at sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:787)
        at java.security.SecureClassLoader.getPermissions(SecureClassLoader.java:144)
        at java.net.URLClassLoader.getPermissions(URLClassLoader.java:420)
        at sun.misc.Launcher$AppClassLoader.getPermissions(Launcher.java:294)
        at java.security.SecureClassLoader.getProtectionDomain(SecureClassLoader.java:162)
        at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:111)
        at java.net.URLClassLoader.defineClass(URLClassLoader.java:248)
        at java.net.URLClassLoader.access$100(URLClassLoader.java:56)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:195)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:299)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:286)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:255)
        at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:315)
access: domain (context is null)


Frank Lawlor
Athens Group, Inc.
(512) 345-0600 x151
Athens Group, an employee-owned consulting firm integrating technology
strategy and software solutions.


