tomcat9 access denied /var/lib/tomcat9/conf/web.xml

[Alban Espié-Guillon <al...@ow2.org>]

Hello,

I'm very new to tomcat, forgive me if I did not found my answer 
elsewhere, i'm currently out of of ideas.

I'm trying to setup a standalone tomcat9 (9.0.31-1~deb10u7) on Debian 
11, with security manager enabled.

I'm seeing in catalina logs the following stacktrace (full stacktrace 
provided in attachment):

37 21-Dec-2022 16:12:04.587 SEVERE [main] 
org.apache.tomcat.util.descriptor.web.WebXmlParser.parseWebXml Parse 
error in application web.xml file at [file:/var/lib/tomcat9/conf/web.xml]
38     java.security.AccessControlException: access denied 
("java.lang.RuntimePermission" 
"accessClassInPackage.org.apache.tomcat.util.buf")

Disabling the security manager makes it disappear, but I don't 
understand why tomcat has an issue reading 
/var/lib/tomcat9/conf/web.xml, which is a simlink to 
/etc/tomcat9/web.xml, and I did not edit the file as you see:

# ll /etc/tomcat9/web.xml
-rw-r----- 1 root tomcat 169K Feb  5  2020 /etc/tomcat9/web.xml

I tried to add the following policy in case of it could help:

grant codeBase "file:/var/lib/tomcat9/conf/web.xml" {
         permission java.security.AllPermission;
};

But the error was still logged.

-- 
Alban Espié-Guillon
OW2 System Administrator

Re: tomcat9 access denied /var/lib/tomcat9/conf/web.xml

[Mark Thomas <ma...@apache.org>]

The security manager is deprecated in newer versions of Java. If you are 
new to Tomcat, whatever problem using the security manager is intended 
to solve, I'd strongly encourage you to find an alternative solution.

The codebase refers to the JAR trying to read the file, not the file the 
JAR is trying to read.

I suspect the Debian distribution hasn't updated the catalina.policy 
file to take account of the way Debian redistributes the Tomcat files 
around the file system. If you really do want to use the security 
manager, you'll need to take that up with the Debian folks.

Mark


On 21/12/2022 17:20, Alban Espié-Guillon wrote:
> Hello,
> 
> I'm very new to tomcat, forgive me if I did not found my answer 
> elsewhere, i'm currently out of of ideas.
> 
> I'm trying to setup a standalone tomcat9 (9.0.31-1~deb10u7) on Debian 
> 11, with security manager enabled.
> 
> I'm seeing in catalina logs the following stacktrace (full stacktrace 
> provided in attachment):
> 
> 37 21-Dec-2022 16:12:04.587 SEVERE [main] 
> org.apache.tomcat.util.descriptor.web.WebXmlParser.parseWebXml Parse 
> error in application web.xml file at [file:/var/lib/tomcat9/conf/web.xml]
> 38     java.security.AccessControlException: access denied 
> ("java.lang.RuntimePermission" 
> "accessClassInPackage.org.apache.tomcat.util.buf")
> 
> Disabling the security manager makes it disappear, but I don't 
> understand why tomcat has an issue reading 
> /var/lib/tomcat9/conf/web.xml, which is a simlink to 
> /etc/tomcat9/web.xml, and I did not edit the file as you see:
> 
> # ll /etc/tomcat9/web.xml
> -rw-r----- 1 root tomcat 169K Feb  5  2020 /etc/tomcat9/web.xml
> 
> I tried to add the following policy in case of it could help:
> 
> grant codeBase "file:/var/lib/tomcat9/conf/web.xml" {
>          permission java.security.AllPermission;
> };
> 
> But the error was still logged.
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org