Posted to dev@tomcat.apache.org by Renato <we...@cienciapura.com.br> on 2002/01/22 16:14:37 UTC

Tomcat 4.0.2-b2 + JSSE + Security Manager

Hi all,

I'm installing Tomcat 4.0.2B2. Everything is fine except for the following:

- I try to run a servlet that uses JSSE. If I start Catalina without the
'-security' it works fine, if I start with the '-security' it generates the
error:

java.net.SocketException: SSL implementation not available
(...)

The JSSE libraries are on ${java.home}/jre/lib/ext and this path has 
permission to all.

I also tried on Tomcat 3.3 and the servlet works with or without the 
security manager.

Any hint ?

Thanks
Renato - Brazil

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: Tomcat 4.0.2-b2 + JSSE + Security Manager

Posted by Renato <we...@cienciapura.com.br>.
This is the last message I got, besides the usual already reported.

default context init failed: java.security.PrivilegedActionException 
<<java.security.NoSuchAlgorithmException: Algorithm SunX509 not available>>

Looking at the docs, it looks like it couldn't find the JSSE libraries. I 
even forced the jsse.jar, jcert.jar and jnet.jar on the global classpath 
when starting Catalina but I still can't use Security Manager and JSSE at 
the same time.

Anything else I could do ?


On Tue, 22 Jan 2002 13:58:17 -0600, Glenn Nielsen
<gl...@voyager.apg.more.net> wrote:

> Try starting tomcat 4 with -security and the following properties defined:
> 
> -Djava.security.debug=access,failure -Djava.net.debug=ssl
> 
> That should generate a lot of debug data to help you track down the source
> of the problem.
> 
> Regards,
> 
> Glenn
> 
> Renato wrote:
> 
> > Hi all,
> > 
> > I'm installing Tomcat 4.0.2B2. Everything is fine except for the following:
> > 
> > - I try to run a servlet that uses JSSE. If I start Catalina without the
> > '-security' it works fine, if I start with the '-security' it generates the
> > error:
> > 
> > java.net.SocketException: SSL implementation not available
> > (...)
> > 
> > The JSSE libraries are on ${java.home}/jre/lib/ext and this path has 
> > permission to all.
> > 
> > I also tried on Tomcat 3.3 and the servlet works with or without the 
> > security manager.
> > 
> > Any hint ?
> > 
> > Thanks
> > Renato - Brazil
> > 
> > 
> 
> 
> 
> -- 
> ----------------------------------------------------------------------
> Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
> MOREnet System Programming               |  * if iz ina coment.      |
> Missouri Research and Education Network  |  */                       |
> ----------------------------------------------------------------------
> 
> 
> 
> 
> 
> 



Re: Tomcat 4.0.2-b2 + JSSE + Security Manager

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Tue, 22 Jan 2002, Paul Speed wrote:

> Date: Tue, 22 Jan 2002 19:46:06 -0500
> From: Paul Speed <ps...@progeeks.com>
> Reply-To: Tomcat Developers List <to...@jakarta.apache.org>
> To: Tomcat Developers List <to...@jakarta.apache.org>
> Subject: Re: Tomcat 4.0.2-b2 + JSSE + Security Manager
>
> Important safety note:
>
> From experience, there seems to be at least one type of access check
> failure that will not be printed with this option.  It bit me when
> I was trying to figure out why the automated tests would fail when
> run with a security manager.  If I remember correctly it turned out
> to be a call to SecurityManager.checkPropertiesAccess().  Individual
> property checks would show up in the log, but the check for access
> to all properties did not.
>
> Some portion of the test code (org.apache.tester.ContextListener02)
> was using the PropertyEditorManager object to set and retrieve a
> PropertyEditor for Date.class.  For what reason, I can only guess.
> (Possibly date to text conversion?)  Anyway, PropertyEditorManager
> is really bad security-wise since using it in user-space requires
> full access to _all_ system properties.
>

The idea was to test the use of PropertyEditors in JSP pages, the way that
the JSP spec requires.  I've commented out this test in the HEAD branch;
looks like I forgot to do so on the 4.0 branch.

> To make a long post short, if you still have problems after trying
> the flags below, try modifying your policy file to give webapps
> full property access.  Although I can't imagine that mattering in
> your case.
>

Craig



> -Paul Speed
>
> Glenn Nielsen wrote:
> >
> > Try starting tomcat 4 with -security and the following properties defined:
> >
> > -Djava.security.debug=access,failure -Djava.net.debug=ssl
> >
> > That should generate a lot of debug data to help you track down the source
> > of the problem.
> >
> > Regards,
> >
> > Glenn
> >
> > Renato wrote:
> >
> > > Hi all,
> > >
> > > I'm installing Tomcat 4.0.2B2. Everything is fine except for the following:
> > >
> > > - I try to run a servlet that uses JSSE. If I start Catalina without the
> > > '-security' it works fine, if I start with the '-security' it generates the
> > > error:
> > >
> > > java.net.SocketException: SSL implementation not available
> > > (...)
> > >
> > > The JSSE libraries are on ${java.home}/jre/lib/ext and this path has
> > > permission to all.
> > >
> > > I also tried on Tomcat 3.3 and the servlet works with or without the
> > > security manager.
> > >
> > > Any hint ?
> > >
> > > Thanks
> > > Renato - Brazil
> > >
> > >
> >
> > --
> > ----------------------------------------------------------------------
> > Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
> > MOREnet System Programming               |  * if iz ina coment.      |
> > Missouri Research and Education Network  |  */                       |
> > ----------------------------------------------------------------------
> >
>
>
>




Re: Tomcat 4.0.2-b2 + JSSE + Security Manager

Posted by Paul Speed <ps...@progeeks.com>.
Important safety note:

From experience, there seems to be at least one type of access check
failure that will not be printed with this option.  It bit me when
I was trying to figure out why the automated tests would fail when
run with a security manager.  If I remember correctly it turned out
to be a call to SecurityManager.checkPropertiesAccess().  Individual
property checks would show up in the log, but the check for access
to all properties did not.  

Some portion of the test code (org.apache.tester.ContextListener02)
was using the PropertyEditorManager object to set and retrieve a 
PropertyEditor for Date.class.  For what reason, I can only guess.
(Possibly date to text conversion?)  Anyway, PropertyEditorManager
is really bad security-wise since using it in user-space requires
full access to _all_ system properties.

To make a long post short, if you still have problems after trying
the flags below, try modifying your policy file to give webapps
full property access.  Although I can't imagine that mattering in
your case.

-Paul Speed

Glenn Nielsen wrote:
> 
> Try starting tomcat 4 with -security and the following properties defined:
> 
> -Djava.security.debug=access,failure -Djava.net.debug=ssl
> 
> That should generate a lot of debug data to help you track down the source
> of the problem.
> 
> Regards,
> 
> Glenn
> 
> Renato wrote:
> 
> > Hi all,
> >
> > I'm installing Tomcat 4.0.2B2. Everything is fine except for the following:
> >
> > - I try to run a servlet that uses JSSE. If I start Catalina without the
> > '-security' it works fine, if I start with the '-security' it generates the
> > error:
> >
> > java.net.SocketException: SSL implementation not available
> > (...)
> >
> > The JSSE libraries are on ${java.home}/jre/lib/ext and this path has
> > permission to all.
> >
> > I also tried on Tomcat 3.3 and the servlet works with or without the
> > security manager.
> >
> > Any hint ?
> >
> > Thanks
> > Renato - Brazil
> >
> >
> 
> --
> ----------------------------------------------------------------------
> Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
> MOREnet System Programming               |  * if iz ina coment.      |
> Missouri Research and Education Network  |  */                       |
> ----------------------------------------------------------------------
> 


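The all-properties check described in the message above can be surfaced without relying on the debug flags. The following is an added example, not code from the thread or from Tomcat: the class names are hypothetical, and it assumes a JDK that still supports the Security Manager (deprecated since Java 17).

```java
import java.beans.PropertyEditorManager;
import java.beans.PropertyEditorSupport;
import java.security.Permission;
import java.util.Date;
import java.util.PropertyPermission;

// Added example; class names are hypothetical and not part of Tomcat.
public class PropertiesAccessProbe {

    // Reports PropertyPermission checks itself instead of relying on
    // -Djava.security.debug, then enforces the active policy as usual.
    static class LoggingSecurityManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof PropertyPermission) {
                // checkPropertiesAccess() arrives here as PropertyPermission "*", "read,write"
                boolean all = "*".equals(perm.getName());
                // No string concatenation: keeps this hook free of lazy bootstrap work.
                System.err.print(all ? "ALL-PROPERTIES check: " : "single-property check: ");
                System.err.println(perm);
                if (all) {
                    new Throwable("caller of checkPropertiesAccess()").printStackTrace();
                }
            }
            super.checkPermission(perm);
        }
    }

    // Stand-in editor, playing the role of the Date editor in the test code.
    public static class DateEditor extends PropertyEditorSupport { }

    public static void main(String[] args) {
        System.setSecurityManager(new LoggingSecurityManager());

        // Individual read: permitted by the JDK's default policy for this key.
        System.out.println(System.getProperty("java.version"));

        try {
            // registerEditor() calls SecurityManager.checkPropertiesAccess().
            PropertyEditorManager.registerEditor(Date.class, DateEditor.class);
            System.out.println("registerEditor allowed");
        } catch (SecurityException e) {
            System.out.println("registerEditor denied:");
            System.out.println(e.getMessage());
        }
    }
}
```

The policy entry that satisfies this check is `permission java.util.PropertyPermission "*", "read,write";`. Placing it in a `grant` block scoped to the one webapp's codeBase keeps the exposure of system properties limited to that application.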

Re: [4.1] Removal of circular dependency with JTC

Posted by Remy Maucherat <re...@apache.org>.
> I could go on and describe the changes to the script for a while, but unless
> someone (Craig ?) really has a problem with the philosophy of that change,
> I'll commit the new script, and we'll work from there.

Since nobody complained, I applied the patch. I did a lot of testing, so I
hope there won't be any problem (please let me know if there is).

Remy




[4.1] Removal of circular dependency with JTC

Posted by Remy Maucherat <re...@apache.org>.
Hi,

After running into trouble with packaging 4.0.2 b2, I've decided to overhaul
the build system (again :)).
I modified the Catalina build.xml so that it calls the scripts in j-t-c at
the appropriate time during the Catalina build process (and the two JARs
from j-t-c which are committed in the CVS are now useless). It is far from
perfect, but it's a very nice improvement over the current solution already,
given the amount of JAR dependencies Catalina now has (or will have) with
j-t-c.

Unfortunately, the amount of changes makes it unlikely this will ever be
ported to the 4.0 branch (which I think we should now put as much as
possible in feature freeze mode; with the exception of new modules).

I could go on and describe the changes to the script for a while, but unless
someone (Craig ?) really has a problem with the philosophy of that change,
I'll commit the new script, and we'll work from there.

Remy




Re: Tomcat 4.0.2-b2 + JSSE + Security Manager

Posted by Glenn Nielsen <gl...@voyager.apg.more.net>.
Try starting tomcat 4 with -security and the following properties defined:

-Djava.security.debug=access,failure -Djava.net.debug=ssl

That should generate a lot of debug data to help you track down the source
of the problem.

Regards,

Glenn

Renato wrote:

> Hi all,
> 
> I'm installing Tomcat 4.0.2B2. Everything is fine except for the following:
> 
> - I try to run a servlet that uses JSSE. If I start Catalina without the
> '-security' it works fine, if I start with the '-security' it generates the
> error:
> 
> java.net.SocketException: SSL implementation not available
> (...)
> 
> The JSSE libraries are on ${java.home}/jre/lib/ext and this path has 
> permission to all.
> 
> I also tried on Tomcat 3.3 and the servlet works with or without the 
> security manager.
> 
> Any hint ?
> 
> Thanks
> Renato - Brazil
> 
> 



-- 
----------------------------------------------------------------------
Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------

