Posted to jetspeed-dev@portals.apache.org by "David Sean Taylor (JIRA)" <je...@jakarta.apache.org> on 2005/02/02 06:51:17 UTC

[jira] Created: (JS2-205) Using Tomcat Security Policy breaks RdbmsPolicy

Using Tomcat Security Policy breaks RdbmsPolicy
-----------------------------------------------

         Key: JS2-205
         URL: http://issues.apache.org/jira/browse/JS2-205
     Project: Jetspeed 2
        Type: Bug
  Components: Security  
    Versions: 2.0-M2    
    Reporter: David Sean Taylor
 Assigned to: David Sean Taylor 
     Fix For: 2.0-M2


I set my Tomcat Security policy to:

grant {
   permission java.security.AllPermission;
}; 

Start Tomcat 5.0.31 as:

catalina run -security

And it gets a stack overflow from a recursive loop in policy setup:

        at java.security.AccessController.checkPermission(AccessController.java:401)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
        at javax.security.auth.Subject.getSubject(Subject.java:251)
        at org.apache.jetspeed.security.impl.RdbmsPolicy.getPermissions(RdbmsPolicy.java:90)
        at java.security.Policy.getPermissions(Policy.java:343)
        at java.security.Policy.implies(Policy.java:397)
        at java.security.ProtectionDomain.implies(ProtectionDomain.java:189)
        at java.security.AccessControlContext.checkPermission(AccessControlConte

As an interim fix, if you don't need the Rdbms Policy,
in the jetspeed-spring.xml, comment out:

  <!-- Security: RDBMS Policy implementation for JAAS -->
  <!--
  <bean id="org.apache.jetspeed.security.impl.RdbmsPolicy" 
  	   class="org.apache.jetspeed.security.impl.RdbmsPolicy"
  >  	   
  	   <constructor-arg ><ref bean="org.apache.jetspeed.security.PermissionManager"/></constructor-arg>  	   
  </bean>
  -->
  <!-- Security: Authorization Provider -->
  <!--
  <bean id="org.apache.jetspeed.security.AuthorizationProvider" 
  	   class="org.apache.jetspeed.security.impl.AuthorizationProviderImpl"
  >  	   
  	   <constructor-arg ><ref bean="org.apache.jetspeed.security.impl.RdbmsPolicy"/></constructor-arg>   
  </bean>
  -->


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
If you want more information on JIRA, or have a bug to report see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: jetspeed-dev-help@jakarta.apache.org


[jira] Assigned: (JS2-205) Using Tomcat Security Policy breaks RdbmsPolicy

Posted by "David Le Strat (JIRA)" <je...@portals.apache.org>.
     [ http://issues.apache.org/jira/browse/JS2-205?page=all ]

David Le Strat reassigned JS2-205:
----------------------------------

    Assign To: David Le Strat  (was: David Sean Taylor)

> Using Tomcat Security Policy breaks RdbmsPolicy
> -----------------------------------------------
>
>          Key: JS2-205
>          URL: http://issues.apache.org/jira/browse/JS2-205
>      Project: Jetspeed 2
>         Type: Bug
>   Components: Security
>     Versions: 2.0-M2
>     Reporter: David Sean Taylor
>     Assignee: David Le Strat
>      Fix For: 2.0-M2



[jira] Updated: (JS2-205) Using Tomcat Security Policy breaks RdbmsPolicy

Posted by "Santiago Gala (JIRA)" <je...@portals.apache.org>.
     [ http://issues.apache.org/jira/browse/JS2-205?page=all ]

Santiago Gala updated JS2-205:
------------------------------

    Attachment: Rdbms.patch

It is very dirty, just for testing.

> Using Tomcat Security Policy breaks RdbmsPolicy
> -----------------------------------------------
>
>          Key: JS2-205
>          URL: http://issues.apache.org/jira/browse/JS2-205
>      Project: Jetspeed 2
>         Type: Bug
>   Components: Security
>     Versions: 2.0-M2
>     Reporter: David Sean Taylor
>     Assignee: David Le Strat
>      Fix For: 2.0-M2
>  Attachments: Rdbms.patch


[jira] Commented: (JS2-205) Using Tomcat Security Policy breaks RdbmsPolicy

Posted by "Ate Douma (JIRA)" <je...@portals.apache.org>.
    [ http://issues.apache.org/jira/browse/JS2-205?page=comments#action_12323191 ] 

Ate Douma commented on JS2-205:
-------------------------------

David,

Another issue which needs to be addressed is that the current implementation is tied to the SUN JDK.
DST and I encountered this problem when we worked on getting J2 running on WebSphere (which requires the IBM JDK).
I didn't have enough time left to find a solution the last time I worked on that, but maybe DST has looked into it by now.

> Using Tomcat Security Policy breaks RdbmsPolicy
> -----------------------------------------------
>
>          Key: JS2-205
>          URL: http://issues.apache.org/jira/browse/JS2-205
>      Project: Jetspeed 2
>         Type: Bug
>   Components: Security
>     Versions: 2.0-M2
>     Reporter: David Sean Taylor
>     Assignee: David Le Strat
>      Fix For: 2.0-M2



[jira] Resolved: (JS2-205) Using Tomcat Security Policy breaks RdbmsPolicy

Posted by "David Le Strat (JIRA)" <je...@portals.apache.org>.
     [ http://issues.apache.org/jira/browse/JS2-205?page=all ]
     
David Le Strat resolved JS2-205:
--------------------------------

    Fix Version: 2.0-M4
                     (was: 2.0-M2)
     Resolution: Fixed

This should take care of this issue, please validate.

> Using Tomcat Security Policy breaks RdbmsPolicy
> -----------------------------------------------
>
>          Key: JS2-205
>          URL: http://issues.apache.org/jira/browse/JS2-205
>      Project: Jetspeed 2
>         Type: Bug
>   Components: Security
>     Versions: 2.0-M2
>     Reporter: David Sean Taylor
>     Assignee: David Le Strat
>      Fix For: 2.0-M4
>  Attachments: Rdbms.patch


[jira] Commented: (JS2-205) Using Tomcat Security Policy breaks RdbmsPolicy

Posted by "David Le Strat (JIRA)" <je...@portals.apache.org>.
    [ http://issues.apache.org/jira/browse/JS2-205?page=comments#action_12330365 ] 

David Le Strat commented on JS2-205:
------------------------------------

Committing changes described above, also updated the docs.

> Using Tomcat Security Policy breaks RdbmsPolicy
> -----------------------------------------------
>
>          Key: JS2-205
>          URL: http://issues.apache.org/jira/browse/JS2-205
>      Project: Jetspeed 2
>         Type: Bug
>   Components: Security
>     Versions: 2.0-M2
>     Reporter: David Sean Taylor
>     Assignee: David Le Strat
>      Fix For: 2.0-M2
>  Attachments: Rdbms.patch


[jira] Commented: (JS2-205) Using Tomcat Security Policy breaks RdbmsPolicy

Posted by "David Le Strat (JIRA)" <je...@portals.apache.org>.
    [ http://issues.apache.org/jira/browse/JS2-205?page=comments#action_12323188 ] 

David Le Strat commented on JS2-205:
------------------------------------

I am revisiting the RdbmsPolicy and how policies get loaded in addition to the RdbmsPolicy.  There are quite a few issues with the current implementation including the recursive loop reported above.

> Using Tomcat Security Policy breaks RdbmsPolicy
> -----------------------------------------------
>
>          Key: JS2-205
>          URL: http://issues.apache.org/jira/browse/JS2-205
>      Project: Jetspeed 2
>         Type: Bug
>   Components: Security
>     Versions: 2.0-M2
>     Reporter: David Sean Taylor
>     Assignee: David Le Strat
>      Fix For: 2.0-M2



[jira] Commented: (JS2-205) Using Tomcat Security Policy breaks RdbmsPolicy

Posted by "weiwei (JIRA)" <je...@jakarta.apache.org>.
     [ http://issues.apache.org/jira/browse/JS2-205?page=comments#action_61802 ]
     
weiwei commented on JS2-205:
----------------------------

I also have this problem. In order to execute my program, I need to install a SecurityManager on the Tomcat server. But when I started the Tomcat server with security and all permission, jetspeed2 threw many exceptions. I can't understand this problem. Hope this problem can be solved soon.

> Using Tomcat Security Policy breaks RdbmsPolicy
> -----------------------------------------------
>
>          Key: JS2-205
>          URL: http://issues.apache.org/jira/browse/JS2-205
>      Project: Jetspeed 2
>         Type: Bug
>   Components: Security
>     Versions: 2.0-M2
>     Reporter: David Sean Taylor
>     Assignee: David Sean Taylor
>      Fix For: 2.0-M2



[jira] Commented: (JS2-205) Using Tomcat Security Policy breaks RdbmsPolicy

Posted by "Santiago Gala (JIRA)" <je...@portals.apache.org>.
    [ http://issues.apache.org/jira/browse/JS2-205?page=comments#action_12330220 ] 

Santiago Gala commented on JS2-205:
-----------------------------------

I'll take a look into the problem when I have the time.

OTOH, I have a solution that works for me to "untie" the implementation from Sun's JDK. I'm attaching a patch for people to test before committing.



> Using Tomcat Security Policy breaks RdbmsPolicy
> -----------------------------------------------
>
>          Key: JS2-205
>          URL: http://issues.apache.org/jira/browse/JS2-205
>      Project: Jetspeed 2
>         Type: Bug
>   Components: Security
>     Versions: 2.0-M2
>     Reporter: David Sean Taylor
>     Assignee: David Le Strat
>      Fix For: 2.0-M2
>  Attachments: Rdbms.patch


[jira] Commented: (JS2-205) Using Tomcat Security Policy breaks RdbmsPolicy

Posted by "David Le Strat (JIRA)" <je...@portals.apache.org>.
    [ http://issues.apache.org/jira/browse/JS2-205?page=comments#action_12330254 ] 

David Le Strat commented on JS2-205:
------------------------------------

All,

I have been working on this issue and have a fix to solve both problems.  I will commit Saturday morning.  As part of the changes I have been implementing, the Authorization provider is now configurable to specify whether J2 should enforce additional J2SE policies configured on top of the RdbmsPolicy.  If this setting is set to true, the AuthorizationProvider will load a SecurityPolicies singleton that will provide a list of all Policies configured.  I am still debating whether this is really needed and comments on this are welcome.

See authorization provider configuration below:

<!-- Security: Authorization Provider -->
<bean id="org.apache.jetspeed.security.AuthorizationProvider" 
      class="org.apache.jetspeed.security.impl.AuthorizationProviderImpl"
>  	   
  <constructor-arg index="0"><ref bean="org.apache.jetspeed.security.impl.RdbmsPolicy"/></constructor-arg>
  <!-- Does not use the default policy as a default behavior -->
  <constructor-arg index="1"><value>false</value></constructor-arg>   
</bean>

The RdbmsPolicy code has been changed quite a bit.  Checking whether a resource is authorized is now done in the implies method.  The getPermissions method should not return permissions from the database configuration as those map to principals, not codesources.

getPermissions will return the permission configured for the J2SE policies if configured to do so through the AuthorizationProvider.

This code fixes the StackOverflow issue with Tomcat -security enabled.  It also removes the hard-coded dependency on Sun PolicyFile.

On another note, there are some differences in folder constraints checking when running with -security or not.  For instance admin can see the Administrative pages when running Tomcat in normal mode but cannot with the security mode.  This may need to be reported as a separate issue.

Regards,

David Le Strat.
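
The message above moves the authorization check into implies and keeps getPermissions for code sources only; the sketch below shows that shape as an added example, not part of the original message and not Jetspeed's code. PrincipalPolicy, PortalPermission, NamedPrincipal and the in-memory grant map are hypothetical stand-ins, the ThreadLocal guard is an addition the message does not describe, and the lookup deliberately re-enters the policy to mimic the permission check seen in the reported stack trace.

```java
import java.security.BasicPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.util.HashMap;
import java.util.Map;

// Added illustration: every type declared here is hypothetical, not Jetspeed code.
public class PrincipalPolicyDemo {

    // Constructed permission type standing in for a portal resource permission.
    static final class PortalPermission extends BasicPermission {
        PortalPermission(String name) { super(name); }
    }

    // Minimal Principal so the demo needs no vendor-specific classes.
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    static final class PrincipalPolicy extends Policy {
        private final Policy codeSourcePolicy;                  // e.g. the container's file-based policy
        private final Map<String, PermissionCollection> grants; // stand-in for the database
        private final ThreadLocal<Boolean> busy = ThreadLocal.withInitial(() -> Boolean.FALSE);
        int lookups = 0;                                        // how often the store was consulted

        PrincipalPolicy(Policy codeSourcePolicy, Map<String, PermissionCollection> grants) {
            this.codeSourcePolicy = codeSourcePolicy;
            this.grants = grants;
        }

        @Override
        public PermissionCollection getPermissions(CodeSource cs) {
            // Principal grants do not map to code sources, so this only delegates.
            return codeSourcePolicy.getPermissions(cs);
        }

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            if (codeSourcePolicy.implies(domain, permission)) {
                return true;
            }
            if (busy.get()) {
                return false; // re-entered from our own lookup: code-source answer only
            }
            busy.set(Boolean.TRUE);
            try {
                // Principals are read from the domain. Subject.getSubject() would call
                // SecurityManager.checkPermission and arrive back in this method.
                for (Principal p : domain.getPrincipals()) {
                    PermissionCollection pc = lookup(p.getName(), domain);
                    if (pc != null && pc.implies(permission)) {
                        return true;
                    }
                }
                return false;
            } finally {
                busy.set(Boolean.FALSE);
            }
        }

        private PermissionCollection lookup(String principal, ProtectionDomain domain) {
            lookups++;
            // Simulates the check a SecurityManager would raise during database I/O:
            // the policy is asked again while it is still answering the first question.
            implies(domain, new RuntimePermission("constructed.io.check"));
            return grants.get(principal);
        }
    }

    static ProtectionDomain domainFor(String principalName) {
        return new ProtectionDomain(null, null, null,
                new Principal[] { new NamedPrincipal(principalName) });
    }

    public static void main(String[] args) {
        // Delegate that grants nothing, so every "true" below comes from a principal grant.
        Policy codeSourceOnly = new Policy() {
            @Override public PermissionCollection getPermissions(CodeSource cs) { return new Permissions(); }
            @Override public boolean implies(ProtectionDomain d, Permission p) { return false; }
        };
        Map<String, PermissionCollection> store = new HashMap<>();
        Permissions adminGrants = new Permissions();
        adminGrants.add(new PortalPermission("admin.pages")); // constructed sample grant
        store.put("admin", adminGrants);

        PrincipalPolicy policy = new PrincipalPolicy(codeSourceOnly, store);
        Permission wanted = new PortalPermission("admin.pages");
        System.out.println("admin allowed: " + policy.implies(domainFor("admin"), wanted));
        System.out.println("guest allowed: " + policy.implies(domainFor("guest"), wanted));
        System.out.println("store lookups: " + policy.lookups);
    }
}
```

On JDK 17 and later this compiles with deprecation warnings, because java.security.Policy is marked for removal there.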

> Using Tomcat Security Policy breaks RdbmsPolicy
> -----------------------------------------------
>
>          Key: JS2-205
>          URL: http://issues.apache.org/jira/browse/JS2-205
>      Project: Jetspeed 2
>         Type: Bug
>   Components: Security
>     Versions: 2.0-M2
>     Reporter: David Sean Taylor
>     Assignee: David Le Strat
>      Fix For: 2.0-M2
>  Attachments: Rdbms.patch