Posted to user@jspwiki.apache.org by Paul Sterk <Pa...@Sun.COM> on 2009/07/20 23:33:17 UTC
ProtectionDomain failure
Hi,
I am in the process of moving a JSPWiki 2.2 instance from one host to
another, using GlassFish version 9.1_u01, and have come across the
following failure displayed in the log file:
context(null)-
permission(("com.ecyrd.jspwiki.auth.permissions.AllPermission","GlassFish Wiki"))
domain that failed(ProtectionDomain
(file:/storage/glassfishwiki/server/glassfish_v2ur1/domains/domain1/applications/j2ee-modules/appserver/WEB-INF/lib/JSPWiki.jar
More details are shown below. After some searching, I found out that I
must have jspwiki.jks located in (app name)/WEB-INF and in the app
server's domains/domain1/config directory. I have done that. I also
found out that I had to append the JSPWiki server.policy section to the
app server's server.policy file (see below). I have done that also.
I still get the domain protection failure. What did I miss? BTW, I do
not have the option to upgrade the JSPWiki.
Paul
[#|2009-07-19T17:41:38.727-0700|INFO|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-80-0;|JACC
Policy Provider: PolicyWrapper.implies, context(null)-
permission(("com.ecyrd.jspwiki.auth.permissions.AllPermission","GlassFish Wiki"))
domain that failed(ProtectionDomain
(file:/storage/glassfishwiki/server/glassfish_v2ur1/domains/domain1/applications/j2ee-modules/appserver/WEB-INF/lib/JSPWiki.jar
[
[
Version: V1
Subject: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division,
O=jspwiki.org, C=FI
Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3
Key: SunPKCS11-Solaris DSA public key, 1024 bits (id 143695096,
session object)
y:
685336709211189479978176481322996401882667342822443461375871414904657271343827072933994730697972525463287186110312511525703609990543636216407479486
03057873733660321330081871201176281154664912732522693955389713650625161330397090864782939712676489034956390674378204731139907826475282246840419508442831
762130982
p:
178011905478542266528237562450159990145232156369120674273274450314442865788737020770612695252123463079567156784778466449970650770920727857050009668
38814403412974522117181850604723115003930107995935806739534871706631980226201971496652413506094591370759495651467285569060679413583754270737172742955134
3320695239
q: 864205495604807476120572616017955259175325408501
g:
174068207532402095185811980123523436538604490794561350978495831040599953488455823147851597408940950725307797094915759492368300574252438761037084473
46718014887611810308304375498519098347260155049469132948808339549231385000036164648264460849230407872181895999905649609776936801774927370896200668918795
6744210730
Validity: [From: Fri Mar 02 09:35:56 PST 2007,
To: Thu May 31 10:35:56 PDT 2007]
Issuer: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division,
O=jspwiki.org, C=FI
SerialNumber: [ 45e8607c]
]
Algorithm: [SHA1withDSA]
Signature:
0000: 30 2C 02 14 37 83 53 EC 47 39 1B 73 EE 7C 7E 39 0,..7.S.G9.s...9
0010: 89 78 04 31 86 22 DF 1C 02 14 5A CB CE 61 E3 F8 .x.1."....Z..a..
0020: 8F 73 70 E7 47 DA 5A D9 28 2C DE E0 4C F2 .sp.G.Z.(,..L.
])
WebappClassLoader
delegate: true
repositories:
/WEB-INF/classes/
----------> Parent Classloader:
EJBClassLoader :
urlSet = []
doneCalled = false
Parent -> java.net.URLClassLoader@1f0cf51
(principals com.ecyrd.jspwiki.auth.WikiPrincipal "Guest",
com.ecyrd.jspwiki.auth.authorize.Role "Anonymous",
com.ecyrd.jspwiki.auth.authorize.Role "All")
-------------------------------------------------------------------------------------------------------
keystore "jspwiki.jks";
// JSPWiki itself needs some basic privileges in order to operate.
// If you are running JSPWiki with a security manager, don't change these,
// because it will totally b0rk the system.
grant signedBy "jspwiki" {
permission java.security.SecurityPermission "getPolicy";
permission java.security.SecurityPermission "setPolicy";
permission java.util.PropertyPermission
"java.security.auth.login.config", "write";
permission java.util.PropertyPermission
"java.security.policy", "read,write";
permission javax.security.auth.AuthPermission "getLoginConfiguration";
permission javax.security.auth.AuthPermission "setLoginConfiguration";
};
grant signedBy "jspwiki",
principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*",
"view";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"editPreferences";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"editProfile";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"login";
};
grant signedBy "jspwiki",
principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
"*:*", "view";
permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*",
"view";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"editPreferences";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"editProfile";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"login";
};
grant signedBy "jspwiki",
principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
"*:*", "view";
permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*",
"view";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"editPreferences";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"editProfile";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"login";
};
grant signedBy "jspwiki",
principal com.ecyrd.jspwiki.auth.authorize.Role "Validated" {
permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
"*:*", "view";
// permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*",
"modify,rename";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"createPages,createGroups";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"editPreferences";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"editProfile";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"login";
};
grant signedBy "jspwiki",
principal com.ecyrd.jspwiki.auth.GroupPrincipal "Validated" {
permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
"*:*", "view";
// permission com.ecyrd.jspwiki.auth.permissions.GroupPermission "*:<groupmember>", "edit";
permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*",
"modify,rename";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"createPages,createGroups";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"editPreferences";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"editProfile";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"login";
};
grant signedBy "jspwiki",
principal com.ecyrd.jspwiki.auth.GroupPrincipal "ServletSpec" {
permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
"*:*", "view";
permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
"*:<groupmember>", "edit";
permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*",
"modify,rename";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"createPages,createGroups";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"editPreferences";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"editProfile";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"login";
};
grant signedBy "jspwiki",
principal com.ecyrd.jspwiki.auth.GroupPrincipal "Sip" {
permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
"*:*", "view";
permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
"*:<groupmember>", "edit";
permission com.ecyrd.jspwiki.auth.permissions.PagePermission "*:*",
"modify,rename";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"createPages,createGroups";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"editPreferences";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"editProfile";
permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
"login";
};
// Administrators (principals or roles possessing AllPermission)
// are allowed to delete any page, and can edit, rename and delete
// groups. You should match the permission target (here, 'JSPWiki')
// with the value of the 'jspwiki.applicationName' property in
// jspwiki.properties. Two administrative groups are set up below:
// the wiki group "Admin" (stored by default in wiki page GroupAdmin)
// and the container role "Admin" (managed by the web container).
grant signedBy "jspwiki",
principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
permission com.ecyrd.jspwiki.auth.permissions.AllPermission
"GlassFish Wiki";
permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Open ESB Wiki";
permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Slynkr Wiki";
permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Update Center Wiki";
permission com.ecyrd.jspwiki.auth.permissions.AllPermission
"SocialSite Wiki";
};
grant signedBy "jspwiki",
principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
permission com.ecyrd.jspwiki.auth.permissions.AllPermission
"GlassFish Wiki";
permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Open ESB Wiki";
permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Slynkr Wiki";
permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Update Center Wiki";
permission com.ecyrd.jspwiki.auth.permissions.AllPermission
"SocialSite Wiki";
};
Re: ProtectionDomain failure
Posted by Andrew Jaquith <an...@gmail.com>.
If anything, you should "unsign" the jar. I can't remember off the
top of my head if there is a jarsigner command to do this. At worst
you could expand the jar, remove the signature manifest file from
META-INF, then re-jar.
Andrew
On Jul 20, 2009, at 19:31, Paul Sterk <Pa...@Sun.COM> wrote:
> On 7/20/2009 3:03 PM, Andrew Jaquith wrote:
>> The easiest way to fix this problem is to turn off Java security
>> policy enforcement. JSPWiki wasn't really ever fully tuned to run
>> with a SecurityManager installed.
> I checked the GlassFish Security pane and the Security Manager is
> unchecked. Is there more I need to do?
>>
>> Your might also experiment (instead) with removing the 'signedBy
>> JSPWiki' clauses in the policy files -- these are causing the
>> search for the .jks file.
>
> I did this. I changed the file in domains/domain1/config and in WEB-
> INF. I am seeing the same problem.
>
> What else can I check? Should I resign the jar file?
>
> Paul
>>
>> Andrew
>>
>> On Jul 20, 2009, at 17:33, Paul Sterk <Pa...@Sun.COM> wrote:
>>
>>>
>>> Hi,
>>>
>>> I am in the process of moving a JSPWiki 2.2 instance from one host
>>> to another using version GlassFish 9.1_u01 and have come across
>>> the following failure displayed in the log file:
>>>
>>> context(null)- permission
>>> (("com.ecyrd.jspwiki.auth.permissions.AllPermission","GlassFish
>>> Wiki")) domain that failed(ProtectionDomain (file:/storage/
>>> glassfishwiki/server/glassfish_v2ur1/domains/domain1/applications/
>>> j2ee-modules/appserver/WEB-INF/lib/JSPWiki.jar
>>>
>>> More details are shown below. After some searching, I found out
>>> that I must have jspwiki.jks located in (app name)/WEB-INF and in
>>> the app server's domains/domain1/config directory. I have done
>>> that. I also found out that I had to append the JSPWiki
>>> server.policy section to the app server's server.policy file (see
>>> below). I have done that also.
>>>
>>> I still get the domain protection failure. What did I miss? BTW,
>>> I do not have the option to upgrade the JSPWiki.
>>>
>>> Paul
>>>
>>> [#|2009-07-19T17:41:38.727-0700|INFO|sun-appserver9.1|
>>> javax.enterprise.system.core.security|
>>> _ThreadID=15;_ThreadName=httpSSLWorkerThread-80-0;|JACC Policy
>>> Provider: PolicyWrapper.implies, context(null)- permission
>>> (("com.ecyrd.jspwiki.auth.permissions.AllPermission","GlassFish
>>> Wiki")) domain that failed(ProtectionDomain (file:/storage/
>>> glassfishwiki/server/glassfish_v2ur1/domains/domain1/applications/
>>> j2ee-modules/appserver/WEB-INF/lib/JSPWiki.jar [
>>> [
>>> Version: V1
>>> Subject: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division,
>>> O=jspwiki.org, C=FI
>>> Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3
>>>
>>> Key: SunPKCS11-Solaris DSA public key, 1024 bits (id 143695096,
>>> session object)
>>> y:
>>> 685336709211189479978176481322996401882667342822443461375871414904657271343827072933994730697972525463287186110312511525703609990543636216407479486
>>
>>
>>> 03057873733660321330081871201176281154664912732522693955389713650625161330397090864782939712676489034956390674378204731139907826475282246840419508442831
>>
>>
>>> 762130982
>>> p:
>>> 178011905478542266528237562450159990145232156369120674273274450314442865788737020770612695252123463079567156784778466449970650770920727857050009668
>>
>>
>>> 38814403412974522117181850604723115003930107995935806739534871706631980226201971496652413506094591370759495651467285569060679413583754270737172742955134
>>
>>
>>> 3320695239
>>> q: 864205495604807476120572616017955259175325408501
>>> g:
>>> 174068207532402095185811980123523436538604490794561350978495831040599953488455823147851597408940950725307797094915759492368300574252438761037084473
>>
>>
>>> 46718014887611810308304375498519098347260155049469132948808339549231385000036164648264460849230407872181895999905649609776936801774927370896200668918795
>>
>>
>>> 6744210730
>>> Validity: [From: Fri Mar 02 09:35:56 PST 2007,
>>> To: Thu May 31 10:35:56 PDT 2007]
>>> Issuer: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division,
>>> O=jspwiki.org, C=FI
>>> SerialNumber: [ 45e8607c]
>>>
>>> ]
>>> Algorithm: [SHA1withDSA]
>>> Signature:
>>> 0000: 30 2C 02 14 37 83 53 EC 47 39 1B 73 EE 7C 7E 39
>>> 0,..7.S.G9.s...9
>>> 0010: 89 78 04 31 86 22 DF 1C 02 14 5A CB CE 61 E3 F8 .x.
>>> 1."....Z..a..
>>> 0020: 8F 73 70 E7 47 DA 5A D9 28 2C DE E0 4C F2 .sp.G.Z.
>>> (,..L.
>>>
>>> ])
>>> WebappClassLoader
>>> delegate: true
>>> repositories:
>>> /WEB-INF/classes/
>>> ----------> Parent Classloader:
>>> EJBClassLoader :
>>> urlSet = []
>>> doneCalled = false
>>> Parent -> java.net.URLClassLoader@1f0cf51
>>>
>>>
>>> (principals com.ecyrd.jspwiki.auth.WikiPrincipal "Guest",
>>> com.ecyrd.jspwiki.auth.authorize.Role "Anonymous",
>>> com.ecyrd.jspwiki.auth.authorize.Role "All")
>>>
>>> ---
>>> ---
>>> ---
>>> ---
>>> ---
>>> ---
>>> ---
>>> ---
>>> ---
>>> ---
>>> ---
>>> ---
>>> -------------------------------------------------------------------
>>>
>>> keystore "jspwiki.jks";
>>>
>>> // JSPWiki itself needs some basic privileges in order to operate.
>>> // If you are running JSPWiki with a security manager, don't
>>> change these,
>>> // because it will totally b0rk the system.
>>>
>>> grant signedBy "jspwiki" {
>>> permission java.security.SecurityPermission "getPolicy";
>>> permission java.security.SecurityPermission "setPolicy";
>>> permission java.util.PropertyPermission
>>> "java.security.auth.login.config", "write";
>>> permission java.util.PropertyPermission
>>> "java.security.policy", "read,write";
>>> permission javax.security.auth.AuthPermission
>>> "getLoginConfiguration";
>>> permission javax.security.auth.AuthPermission
>>> "setLoginConfiguration";
>>> };
>>>
>>> grant signedBy "jspwiki",
>>> principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
>>> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
>>> "*:*", "view";
>>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>>> "*", "editPreferences";
>>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>>> "*", "editProfile";
>>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>>> "*", "login";
>>> };
>>>
>>>
>>> grant signedBy "jspwiki",
>>> principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
>>> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>>> "*:*", "view";
>>> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
>>> "*:*", "view";
>>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>>> "*", "editPreferences";
>>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>>> "*", "editProfile";
>>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>>> "*", "login";
>>> };
>>>
>>> grant signedBy "jspwiki",
>>> principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
>>> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>>> "*:*", "view";
>>> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
>>> "*:*", "view";
>>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>>> "*", "editPreferences";
>>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>>> "*", "editProfile";
>>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>>> "*", "login";
>>> };
>>>
>>> grant signedBy "jspwiki",
>>> principal com.ecyrd.jspwiki.auth.authorize.Role "Validated" {
>>> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>>> "*:*", "view";
>>> // permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>>> "*:<groupmember>", "edit";
>>> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
>>> "*:*", "modify,rename";
>>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>>> "*", "createPages,createGroups";
>>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>>> "*", "editPreferences";
>>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>>> "*", "editProfile";
>>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>>> "*", "login";
>>> };
>>>
>>> grant signedBy "jspwiki",
>>> principal com.ecyrd.jspwiki.auth.GroupPrincipal "Validated" {
>>> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>>> "*:*", "view";
>>> // permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>>> "*:<groupmember>", "edit";
>>> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
>>> "*:*", "modify,rename";
>>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>>> "*", "createPages,createGroups";
>>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>>> "*", "editPreferences";
>>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>>> "*", "editProfile";
>>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>>> "*", "login";
>>> };
>>>
>>> grant signedBy "jspwiki",
>>> principal com.ecyrd.jspwiki.auth.GroupPrincipal "ServletSpec" {
>>> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>>> "*:*", "view";
>>> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>>> "*:<groupmember>", "edit";
>>> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
>>> "*:*", "modify,rename";
>>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>>> "*", "createPages,createGroups";
>>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>>> "*", "editPreferences";
>>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>>> "*", "editProfile";
>>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>>> "*", "login";
>>> };
>>>
>>> grant signedBy "jspwiki",
>>> principal com.ecyrd.jspwiki.auth.GroupPrincipal "Sip" {
>>> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>>> "*:*", "view";
>>> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>>> "*:<groupmember>", "edit";
>>> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
>>> "*:*", "modify,rename";
>>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>>> "*", "createPages,createGroups";
>>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>>> "*", "editPreferences";
>>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>>> "*", "editProfile";
>>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission
>>> "*", "login";
>>> };
>>>
>>> // Administrators (principals or roles possessing AllPermission)
>>> // are allowed to delete any page, and can edit, rename and delete
>>> // groups. You should match the permission target (here, 'JSPWiki')
>>> // with the value of the 'jspwiki.applicationName' property in
>>> // jspwiki.properties. Two administative groups are set up below:
>>> // the wiki group "Admin" (stored by default in wiki page
>>> GroupAdmin)
>>> // and the container role "Admin" (managed by the web container).
>>>
>>> grant signedBy "jspwiki",
>>> principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
>>> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
>>> "GlassFish Wiki";
>>> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
>>> "Open ESB Wiki";
>>> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
>>> "Slynkr Wiki";
>>> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
>>> "Update Center Wiki";
>>> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
>>> "SocialSite Wiki";
>>> };
>>> grant signedBy "jspwiki",
>>> principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
>>> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
>>> "GlassFish Wiki";
>>> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
>>> "Open ESB Wiki";
>>> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
>>> "Slynkr Wiki";
>>> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
>>> "Update Center Wiki";
>>> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
>>> "SocialSite Wiki";
>>> };
>
Re: ProtectionDomain failure
Posted by Paul Sterk <Pa...@Sun.COM>.
On 7/20/2009 3:03 PM, Andrew Jaquith wrote:
> The easiest way to fix this problem is to turn off Java security
> policy enforcement. JSPWiki wasn't really ever fully tuned to run with
> a SecurityManager installed.
I checked the GlassFish Security pane and the Security Manager is
unchecked. Is there more I need to do?
>
> Your might also experiment (instead) with removing the 'signedBy
> JSPWiki' clauses in the policy files -- these are causing the search
> for the .jks file.
I did this. I changed the file in domains/domain1/config and in
WEB-INF. I am seeing the same problem.
What else can I check? Should I re-sign the jar file?
Paul
>
> Andrew
>
> On Jul 20, 2009, at 17:33, Paul Sterk <Pa...@Sun.COM> wrote:
>
>>
>> Hi,
>>
>> I am in the process of moving a JSPWiki 2.2 instance from one host to
>> another using version GlassFish 9.1_u01 and have come across the
>> following failure displayed in the log file:
>>
>> context(null)-
>> permission(("com.ecyrd.jspwiki.auth.permissions.AllPermission","GlassFish
>> Wiki")) domain that failed(ProtectionDomain
>> (file:/storage/glassfishwiki/server/glassfish_v2ur1/domains/domain1/applications/j2ee-modules/appserver/WEB-INF/lib/JSPWiki.jar
>>
>>
>> More details are shown below. After some searching, I found out that
>> I must have jspwiki.jks located in (app name)/WEB-INF and in the app
>> server's domains/domain1/config directory. I have done that. I also
>> found out that I had to append the JSPWiki server.policy section to
>> the app server's server.policy file (see below). I have done that also.
>>
>> I still get the domain protection failure. What did I miss? BTW, I
>> do not have the option to upgrade the JSPWiki.
>>
>> Paul
>>
>> [#|2009-07-19T17:41:38.727-0700|INFO|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-80-0;|JACC
>> Policy Provider: PolicyWrapper.implies, context(null)-
>> permission(("com.ecyrd.jspwiki.auth.permissions.AllPermission","GlassFish
>> Wiki")) domain that failed(ProtectionDomain
>> (file:/storage/glassfishwiki/server/glassfish_v2ur1/domains/domain1/applications/j2ee-modules/appserver/WEB-INF/lib/JSPWiki.jar
>> [
>> [
>> Version: V1
>> Subject: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division,
>> O=jspwiki.org, C=FI
>> Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3
>>
>> Key: SunPKCS11-Solaris DSA public key, 1024 bits (id 143695096,
>> session object)
>> y:
>> 685336709211189479978176481322996401882667342822443461375871414904657271343827072933994730697972525463287186110312511525703609990543636216407479486
>>
>
>
>> 03057873733660321330081871201176281154664912732522693955389713650625161330397090864782939712676489034956390674378204731139907826475282246840419508442831
>>
>
>
>> 762130982
>> p:
>> 178011905478542266528237562450159990145232156369120674273274450314442865788737020770612695252123463079567156784778466449970650770920727857050009668
>>
>
>
>> 38814403412974522117181850604723115003930107995935806739534871706631980226201971496652413506094591370759495651467285569060679413583754270737172742955134
>>
>
>
>> 3320695239
>> q: 864205495604807476120572616017955259175325408501
>> g:
>> 174068207532402095185811980123523436538604490794561350978495831040599953488455823147851597408940950725307797094915759492368300574252438761037084473
>>
>
>
>> 46718014887611810308304375498519098347260155049469132948808339549231385000036164648264460849230407872181895999905649609776936801774927370896200668918795
>>
>
>
>> 6744210730
>> Validity: [From: Fri Mar 02 09:35:56 PST 2007,
>> To: Thu May 31 10:35:56 PDT 2007]
>> Issuer: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division,
>> O=jspwiki.org, C=FI
>> SerialNumber: [ 45e8607c]
>>
>> ]
>> Algorithm: [SHA1withDSA]
>> Signature:
>> 0000: 30 2C 02 14 37 83 53 EC 47 39 1B 73 EE 7C 7E 39
>> 0,..7.S.G9.s...9
>> 0010: 89 78 04 31 86 22 DF 1C 02 14 5A CB CE 61 E3 F8
>> .x.1."....Z..a..
>> 0020: 8F 73 70 E7 47 DA 5A D9 28 2C DE E0 4C F2 .sp.G.Z.(,..L.
>>
>> ])
>> WebappClassLoader
>> delegate: true
>> repositories:
>> /WEB-INF/classes/
>> ----------> Parent Classloader:
>> EJBClassLoader :
>> urlSet = []
>> doneCalled = false
>> Parent -> java.net.URLClassLoader@1f0cf51
>>
>>
>> (principals com.ecyrd.jspwiki.auth.WikiPrincipal "Guest",
>> com.ecyrd.jspwiki.auth.authorize.Role "Anonymous",
>> com.ecyrd.jspwiki.auth.authorize.Role "All")
>>
>> -------------------------------------------------------------------------------------------------------
>>
>>
>> keystore "jspwiki.jks";
>>
>> // JSPWiki itself needs some basic privileges in order to operate.
>> // If you are running JSPWiki with a security manager, don't change
>> these,
>> // because it will totally b0rk the system.
>>
>> grant signedBy "jspwiki" {
>> permission java.security.SecurityPermission "getPolicy";
>> permission java.security.SecurityPermission "setPolicy";
>> permission java.util.PropertyPermission
>> "java.security.auth.login.config", "write";
>> permission java.util.PropertyPermission
>> "java.security.policy", "read,write";
>> permission javax.security.auth.AuthPermission
>> "getLoginConfiguration";
>> permission javax.security.auth.AuthPermission
>> "setLoginConfiguration";
>> };
>>
>> grant signedBy "jspwiki",
>> principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
>> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
>> "*:*", "view";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "editPreferences";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "editProfile";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "login";
>> };
>>
>>
>> grant signedBy "jspwiki",
>> principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
>> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>> "*:*", "view";
>> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
>> "*:*", "view";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "editPreferences";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "editProfile";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "login";
>> };
>>
>> grant signedBy "jspwiki",
>> principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
>> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>> "*:*", "view";
>> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
>> "*:*", "view";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "editPreferences";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "editProfile";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "login";
>> };
>>
>> grant signedBy "jspwiki",
>> principal com.ecyrd.jspwiki.auth.authorize.Role "Validated" {
>> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>> "*:*", "view";
>> // permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>> "*:<groupmember>", "edit";
>> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
>> "*:*", "modify,rename";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "createPages,createGroups";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "editPreferences";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "editProfile";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "login";
>> };
>>
>> grant signedBy "jspwiki",
>> principal com.ecyrd.jspwiki.auth.GroupPrincipal "Validated" {
>> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>> "*:*", "view";
>> // permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>> "*:<groupmember>", "edit";
>> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
>> "*:*", "modify,rename";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "createPages,createGroups";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "editPreferences";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "editProfile";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "login";
>> };
>>
>> grant signedBy "jspwiki",
>> principal com.ecyrd.jspwiki.auth.GroupPrincipal "ServletSpec" {
>> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>> "*:*", "view";
>> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>> "*:<groupmember>", "edit";
>> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
>> "*:*", "modify,rename";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "createPages,createGroups";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "editPreferences";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "editProfile";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "login";
>> };
>>
>> grant signedBy "jspwiki",
>> principal com.ecyrd.jspwiki.auth.GroupPrincipal "Sip" {
>> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>> "*:*", "view";
>> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>> "*:<groupmember>", "edit";
>> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
>> "*:*", "modify,rename";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "createPages,createGroups";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "editPreferences";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "editProfile";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "login";
>> };
>>
>> // Administrators (principals or roles possessing AllPermission)
>> // are allowed to delete any page, and can edit, rename and delete
>> // groups. You should match the permission target (here, 'JSPWiki')
>> // with the value of the 'jspwiki.applicationName' property in
>> // jspwiki.properties. Two administative groups are set up below:
>> // the wiki group "Admin" (stored by default in wiki page GroupAdmin)
>> // and the container role "Admin" (managed by the web container).
>>
>> grant signedBy "jspwiki",
>> principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
>> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
>> "GlassFish Wiki";
>> permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Open
>> ESB Wiki";
>> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
>> "Slynkr Wiki";
>> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
>> "Update Center Wiki";
>> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
>> "SocialSite Wiki";
>> };
>> grant signedBy "jspwiki",
>> principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
>> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
>> "GlassFish Wiki";
>> permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Open
>> ESB Wiki";
>> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
>> "Slynkr Wiki";
>> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
>> "Update Center Wiki";
>> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
>> "SocialSite Wiki";
>> };
Re: ProtectionDomain failure
Posted by Andrew Jaquith <an...@gmail.com>.
The easiest way to fix this problem is to turn off Java security
policy enforcement. JSPWiki wasn't really ever fully tuned to run with
a SecurityManager installed.
You might also experiment (instead) with removing the 'signedBy
"jspwiki"' clauses in the policy files -- these are causing the search
for the .jks file, because the keystore is what resolves the "jspwiki"
signer alias. Without the clause, each grant applies to code
regardless of who signed it.
Andrew
On Jul 20, 2009, at 17:33, Paul Sterk <Pa...@Sun.COM> wrote:
>
> Hi,
>
> I am in the process of moving a JSPWiki 2.2 instance from one host
> to another using version GlassFish 9.1_u01 and have come across the
> following failure displayed in the log file:
>
> context(null)- permission
> (("com.ecyrd.jspwiki.auth.permissions.AllPermission","GlassFish
> Wiki")) domain that failed(ProtectionDomain (file:/storage/
> glassfishwiki/server/glassfish_v2ur1/domains/domain1/applications/
> j2ee-modules/appserver/WEB-INF/lib/JSPWiki.jar
>
> More details are shown below. After some searching, I found out that
> I must have jspwiki.jks located in (app name)/WEB-INF and in the app
> server's domains/domain1/config directory. I have done that. I
> also found out that I had to append the JSPWiki server.policy
> section to the app server's server.policy file (see below). I have
> done that also.
>
> I still get the domain protection failure. What did I miss? BTW, I
> do not have the option to upgrade the JSPWiki.
>
> Paul
>
> [#|2009-07-19T17:41:38.727-0700|INFO|sun-appserver9.1|
> javax.enterprise.system.core.security|
> _ThreadID=15;_ThreadName=httpSSLWorkerThread-80-0;|JACC Policy
> Provider: PolicyWrapper.implies, context(null)- permission
> (("com.ecyrd.jspwiki.auth.permissions.AllPermission","GlassFish
> Wiki")) domain that failed(ProtectionDomain (file:/storage/
> glassfishwiki/server/glassfish_v2ur1/domains/domain1/applications/
> j2ee-modules/appserver/WEB-INF/lib/JSPWiki.jar [
> [
> Version: V1
> Subject: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division,
> O=jspwiki.org, C=FI
> Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3
>
> Key: SunPKCS11-Solaris DSA public key, 1024 bits (id 143695096,
> session object)
> y:
> 685336709211189479978176481322996401882667342822443461375871414904657271343827072933994730697972525463287186110312511525703609990543636216407479486
> 03057873733660321330081871201176281154664912732522693955389713650625161330397090864782939712676489034956390674378204731139907826475282246840419508442831
> 762130982
> p:
> 178011905478542266528237562450159990145232156369120674273274450314442865788737020770612695252123463079567156784778466449970650770920727857050009668
> 38814403412974522117181850604723115003930107995935806739534871706631980226201971496652413506094591370759495651467285569060679413583754270737172742955134
> 3320695239
> q: 864205495604807476120572616017955259175325408501
> g:
> 174068207532402095185811980123523436538604490794561350978495831040599953488455823147851597408940950725307797094915759492368300574252438761037084473
> 46718014887611810308304375498519098347260155049469132948808339549231385000036164648264460849230407872181895999905649609776936801774927370896200668918795
> 6744210730
> Validity: [From: Fri Mar 02 09:35:56 PST 2007,
> To: Thu May 31 10:35:56 PDT 2007]
> Issuer: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division,
> O=jspwiki.org, C=FI
> SerialNumber: [ 45e8607c]
>
> ]
> Algorithm: [SHA1withDSA]
> Signature:
> 0000: 30 2C 02 14 37 83 53 EC 47 39 1B 73 EE 7C 7E 39
> 0,..7.S.G9.s...9
> 0010: 89 78 04 31 86 22 DF 1C 02 14 5A CB CE 61 E3 F8 .x.
> 1."....Z..a..
> 0020: 8F 73 70 E7 47 DA 5A D9 28 2C DE E0 4C F2 .sp.G.Z.
> (,..L.
>
> ])
> WebappClassLoader
> delegate: true
> repositories:
> /WEB-INF/classes/
> ----------> Parent Classloader:
> EJBClassLoader :
> urlSet = []
> doneCalled = false
> Parent -> java.net.URLClassLoader@1f0cf51
>
>
> (principals com.ecyrd.jspwiki.auth.WikiPrincipal "Guest",
> com.ecyrd.jspwiki.auth.authorize.Role "Anonymous",
> com.ecyrd.jspwiki.auth.authorize.Role "All")
>
> ---
> ---
> ---
> ---
> ---
> ---
> ---
> ---
> ---
> ---
> ---
> ----------------------------------------------------------------------
>
> keystore "jspwiki.jks";
>
> // JSPWiki itself needs some basic privileges in order to operate.
> // If you are running JSPWiki with a security manager, don't change
> these,
> // because it will totally b0rk the system.
>
> grant signedBy "jspwiki" {
> permission java.security.SecurityPermission "getPolicy";
> permission java.security.SecurityPermission "setPolicy";
> permission java.util.PropertyPermission
> "java.security.auth.login.config", "write";
> permission java.util.PropertyPermission
> "java.security.policy", "read,write";
> permission javax.security.auth.AuthPermission
> "getLoginConfiguration";
> permission javax.security.auth.AuthPermission
> "setLoginConfiguration";
> };
>
> grant signedBy "jspwiki",
> principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
> "*:*", "view";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editPreferences";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editProfile";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "login";
> };
>
>
> grant signedBy "jspwiki",
> principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
> "*:*", "view";
> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
> "*:*", "view";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editPreferences";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editProfile";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "login";
> };
>
> grant signedBy "jspwiki",
> principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
> "*:*", "view";
> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
> "*:*", "view";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editPreferences";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editProfile";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "login";
> };
>
> grant signedBy "jspwiki",
> principal com.ecyrd.jspwiki.auth.authorize.Role "Validated" {
> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
> "*:*", "view";
> // permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
> "*:<groupmember>", "edit";
> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
> "*:*", "modify,rename";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "createPages,createGroups";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editPreferences";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editProfile";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "login";
> };
>
> grant signedBy "jspwiki",
> principal com.ecyrd.jspwiki.auth.GroupPrincipal "Validated" {
> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
> "*:*", "view";
> // permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
> "*:<groupmember>", "edit";
> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
> "*:*", "modify,rename";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "createPages,createGroups";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editPreferences";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editProfile";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "login";
> };
>
> grant signedBy "jspwiki",
> principal com.ecyrd.jspwiki.auth.GroupPrincipal "ServletSpec" {
> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
> "*:*", "view";
> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
> "*:<groupmember>", "edit";
> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
> "*:*", "modify,rename";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "createPages,createGroups";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editPreferences";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editProfile";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "login";
> };
>
> grant signedBy "jspwiki",
> principal com.ecyrd.jspwiki.auth.GroupPrincipal "Sip" {
> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
> "*:*", "view";
> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
> "*:<groupmember>", "edit";
> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
> "*:*", "modify,rename";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "createPages,createGroups";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editPreferences";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editProfile";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "login";
> };
>
> // Administrators (principals or roles possessing AllPermission)
> // are allowed to delete any page, and can edit, rename and delete
> // groups. You should match the permission target (here, 'JSPWiki')
> // with the value of the 'jspwiki.applicationName' property in
> // jspwiki.properties. Two administrative groups are set up below:
> // the wiki group "Admin" (stored by default in wiki page GroupAdmin)
> // and the container role "Admin" (managed by the web container).
>
> grant signedBy "jspwiki",
> principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
> "GlassFish Wiki";
> permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Open
> ESB Wiki";
> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
> "Slynkr Wiki";
> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
> "Update Center Wiki";
> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
> "SocialSite Wiki";
> };
> grant signedBy "jspwiki",
> principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
> "GlassFish Wiki";
> permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Open
> ESB Wiki";
> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
> "Slynkr Wiki";
> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
> "Update Center Wiki";
> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
> "SocialSite Wiki";
> };
Re: ProtectionDomain failure
Posted by Andrew Jaquith <an...@gmail.com>.
While I'm not an expert at Glassfish by any means, a quick skim
through the source of Glassfish' PolicyWrapper shows that it is doing
a policy evaluation (ProtectionDomain.implies(), actually). So it is
clearly consulting a static policy somewhere. You need to figure out a
way to turn this off.
Andrew
On Wed, Jul 22, 2009 at 4:19 PM, Brian Bowling<bo...@gmail.com> wrote:
> Hi Paul,
> If you renamed the .jar file, I'm wondering why jspwiki.jar is referenced in
> the failure message?
> Brian
>
> Paul Sterk wrote:
>>
>> Ok. I was able to make no headway. So, I did the following:
>>
>> 1) Completely removed JSPWiki 2.4 and GlassFish v2u1
>> 2) Did a new install of GlassFish v2u1
>> 3) Downloaded JSPWiki 2.8.2 (latest stable release)
>> 4) Renamed JSPWiki.war to appserver.war
>> 4) Deployed appserver.war
>> 5) Entered this URL in my browser: localhost:/appserver/Install.jsp
>>
>> I immediately see the permission failure below. Is this right? JSPWiki.jar
>> is not signed in version 2.8.2. Why am I getting JACC domain failure? If I
>> try to continue, I see further permission failure messages in the log file,
>> and authentication fails to work.
>>
>> Please help - this is a roadblock for my deployment!
>>
>> Thanks,
>> Paul
>>
>>
>> [#|2009-07-22T11:31:57.553-0700|INFO|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=19;_ThreadName=httpSSLWorkerThread-80-1;|JACC
>> Policy Provider: PolicyWrapper.implies, context(nul
>> )-
>> permission(("com.ecyrd.jspwiki.auth.permissions.AllPermission","JSPWiki"))
>> domain that failed(ProtectionDomain
>> (file:/storage/glassfishwiki/server/glassfish_v2u1/domains/domain1/applications/j2ee
>> modules/appserver/WEB-INF/lib/JSPWiki.jar <no signer certificates>)
>> WebappClassLoader
>> delegate: true
>> repositories:
>> /WEB-INF/classes/
>> ----------> Parent Classloader:
>> EJBClassLoader :
>> urlSet = []
>> doneCalled = false
>> Parent -> java.net.URLClassLoader@173eca6
>>
>>
>> (principals com.ecyrd.jspwiki.auth.authorize.Role "Anonymous",
>> com.ecyrd.jspwiki.auth.WikiPrincipal "192.18.101.5",
>> com.ecyrd.jspwiki.auth.authorize.Role "All")
>>
>> java.security.Permissions@7e4019 (
>> (java.net.SocketPermission localhost:1024- listen,resolve)
>> (java.net.SocketPermission * connect,resolve)
>> (javax.management.MBeanTrustPermission register)
>> (javax.management.MBeanPermission [com.sun.messaging.jms.*:*] *)
>> (javax.security.auth.PrivateCredentialPermission
>> javax.resource.spi.security.PasswordCredential * "*" read)
>> (java.util.PropertyPermission line.separator read)
>> (java.util.PropertyPermission java.vm.version read)
>> (java.util.PropertyPermission java.vm.specification.version read)
>> (java.util.PropertyPermission java.vm.specification.vendor read)
>> (java.util.PropertyPermission java.vendor.url read)
>> (java.util.PropertyPermission java.vm.name read)
>> (java.util.PropertyPermission * read,write)
>> (java.util.PropertyPermission os.name read)
>> (java.util.PropertyPermission java.vm.vendor read)
>> (java.util.PropertyPermission path.separator read)
>> (java.util.PropertyPermission java.specification.name read)
>> (java.util.PropertyPermission os.version read)
>> (java.util.PropertyPermission os.arch read)
>> (java.util.PropertyPermission java.class.version read)
>> (java.util.PropertyPermission java.version read)
>> (java.util.PropertyPermission file.separator read)
>> (java.util.PropertyPermission java.vendor read)
>> (java.util.PropertyPermission java.vm.specification.name read)
>> (java.util.PropertyPermission java.specification.version read)
>> (java.util.PropertyPermission java.specification.vendor read)
>> (java.lang.RuntimePermission getClassLoader)
>> (java.lang.RuntimePermission loadLibrary.*)
>> (java.lang.RuntimePermission accessDeclaredMembers)
>> (java.lang.RuntimePermission getProtectionDomain)
>> (java.lang.RuntimePermission modifyThreadGroup)
>> (java.lang.RuntimePermission stopThread)
>> (java.lang.RuntimePermission setContextClassLoader)
>> (java.lang.RuntimePermission queuePrintJob)
>> (java.io.FilePermission /var/tmp//- delete)
>> (java.io.FilePermission
>> /storage/glassfishwiki/server/glassfish_v2u1/domains/domain1/lib/databases/-
>> delete)
>> (java.io.FilePermission <<ALL FILES>> read,write)
>> (java.io.FilePermission
>> /storage/glassfishwiki/server/glassfish_v2u1/domains/domain1/applications/j2ee-modules/appserver/WEB-INF/lib/JSPWiki.jar
>> read)
>> (unresolved
>> com.sun.corba.ee.impl.presentation.rmi.DynamicAccessPermission access null)
>> (unresolved com.sun.enterprise.security.CORBAObjectPermission * *)
>> )
>>
>> )|#]
>>
>
>
Re: ProtectionDomain failure
Posted by Paul Sterk <Pa...@Sun.COM>.
On 7/22/2009 1:19 PM, Brian Bowling wrote:
> Hi Paul,
> If you renamed the .jar file, I'm wondering why jspwiki.jar is
> referenced in the failure message?
I renamed JSPWiki.war to appserver.war
appserver.war contains JSPWiki.jar.
Ok? BTW, I don't think this matters as it failed the same way with
JSPWiki.war.
Paul
> Brian
>
> Paul Sterk wrote:
>>
>> Ok. I was able to make no headway. So, I did the following:
>>
>> 1) Completely removed JSPWiki 2.4 and GlassFish v2u1
>> 2) Did a new install of GlassFish v2u1
>> 3) Downloaded JSPWiki 2.8.2 (latest stable release)
>> 4) Renamed JSPWiki.war to appserver.war
>> 4) Deployed appserver.war
>> 5) Entered this URL in my browser: localhost:/appserver/Install.jsp
>>
>> I immediately see the permission failure below. Is this right?
>> JSPWiki.jar is not signed in version 2.8.2. Why am I getting JACC
>> domain failure? If I try to continue, I see further permission
>> failure messages in the log file, and authentication fails to work.
>>
>> Please help - this is a roadblock for my deployment!
>>
>> Thanks,
>> Paul
>>
>> [#|2009-07-22T11:31:57.553-0700|INFO|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=19;_ThreadName=httpSSLWorkerThread-80-1;|JACC
>> Policy Provider: PolicyWrapper.implies, context(nul
>> )-
>> permission(("com.ecyrd.jspwiki.auth.permissions.AllPermission","JSPWiki"))
>> domain that failed(ProtectionDomain
>> (file:/storage/glassfishwiki/server/glassfish_v2u1/domains/domain1/applications/j2ee
>>
>> modules/appserver/WEB-INF/lib/JSPWiki.jar <no signer certificates>)
>> WebappClassLoader
>> delegate: true
>> repositories:
>> /WEB-INF/classes/
>> ----------> Parent Classloader:
>> EJBClassLoader :
>> urlSet = []
>> doneCalled = false
>> Parent -> java.net.URLClassLoader@173eca6
>>
>>
>> (principals com.ecyrd.jspwiki.auth.authorize.Role "Anonymous",
>> com.ecyrd.jspwiki.auth.WikiPrincipal "192.18.101.5",
>> com.ecyrd.jspwiki.auth.authorize.Role "All")
>>
>> java.security.Permissions@7e4019 (
>> (java.net.SocketPermission localhost:1024- listen,resolve)
>> (java.net.SocketPermission * connect,resolve)
>> (javax.management.MBeanTrustPermission register)
>> (javax.management.MBeanPermission [com.sun.messaging.jms.*:*] *)
>> (javax.security.auth.PrivateCredentialPermission
>> javax.resource.spi.security.PasswordCredential * "*" read)
>> (java.util.PropertyPermission line.separator read)
>> (java.util.PropertyPermission java.vm.version read)
>> (java.util.PropertyPermission java.vm.specification.version read)
>> (java.util.PropertyPermission java.vm.specification.vendor read)
>> (java.util.PropertyPermission java.vendor.url read)
>> (java.util.PropertyPermission java.vm.name read)
>> (java.util.PropertyPermission * read,write)
>> (java.util.PropertyPermission os.name read)
>> (java.util.PropertyPermission java.vm.vendor read)
>> (java.util.PropertyPermission path.separator read)
>> (java.util.PropertyPermission java.specification.name read)
>> (java.util.PropertyPermission os.version read)
>> (java.util.PropertyPermission os.arch read)
>> (java.util.PropertyPermission java.class.version read)
>> (java.util.PropertyPermission java.version read)
>> (java.util.PropertyPermission file.separator read)
>> (java.util.PropertyPermission java.vendor read)
>> (java.util.PropertyPermission java.vm.specification.name read)
>> (java.util.PropertyPermission java.specification.version read)
>> (java.util.PropertyPermission java.specification.vendor read)
>> (java.lang.RuntimePermission getClassLoader)
>> (java.lang.RuntimePermission loadLibrary.*)
>> (java.lang.RuntimePermission accessDeclaredMembers)
>> (java.lang.RuntimePermission getProtectionDomain)
>> (java.lang.RuntimePermission modifyThreadGroup)
>> (java.lang.RuntimePermission stopThread)
>> (java.lang.RuntimePermission setContextClassLoader)
>> (java.lang.RuntimePermission queuePrintJob)
>> (java.io.FilePermission /var/tmp//- delete)
>> (java.io.FilePermission
>> /storage/glassfishwiki/server/glassfish_v2u1/domains/domain1/lib/databases/-
>> delete)
>> (java.io.FilePermission <<ALL FILES>> read,write)
>> (java.io.FilePermission
>> /storage/glassfishwiki/server/glassfish_v2u1/domains/domain1/applications/j2ee-modules/appserver/WEB-INF/lib/JSPWiki.jar
>> read)
>> (unresolved
>> com.sun.corba.ee.impl.presentation.rmi.DynamicAccessPermission access
>> null)
>> (unresolved com.sun.enterprise.security.CORBAObjectPermission * *)
>> )
>>
>> )|#]
>>
>
Re: ProtectionDomain failure
Posted by Brian Bowling <bo...@gmail.com>.
Hi Paul,
If you renamed the .jar file, I'm wondering why jspwiki.jar is
referenced in the failure message?
Brian
Paul Sterk wrote:
>
> Ok. I was able to make no headway. So, I did the following:
>
> 1) Completely removed JSPWiki 2.4 and GlassFish v2u1
> 2) Did a new install of GlassFish v2u1
> 3) Downloaded JSPWiki 2.8.2 (latest stable release)
> 4) Renamed JSPWiki.war to appserver.war
> 4) Deployed appserver.war
> 5) Entered this URL in my browser: localhost:/appserver/Install.jsp
>
> I immediately see the permission failure below. Is this right?
> JSPWiki.jar is not signed in version 2.8.2. Why am I getting JACC
> domain failure? If I try to continue, I see further permission
> failure messages in the log file, and authentication fails to work.
>
> Please help - this is a roadblock for my deployment!
>
> Thanks,
> Paul
>
> [#|2009-07-22T11:31:57.553-0700|INFO|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=19;_ThreadName=httpSSLWorkerThread-80-1;|JACC
> Policy Provider: PolicyWrapper.implies, context(nul
> )-
> permission(("com.ecyrd.jspwiki.auth.permissions.AllPermission","JSPWiki"))
> domain that failed(ProtectionDomain
> (file:/storage/glassfishwiki/server/glassfish_v2u1/domains/domain1/applications/j2ee
>
> modules/appserver/WEB-INF/lib/JSPWiki.jar <no signer certificates>)
> WebappClassLoader
> delegate: true
> repositories:
> /WEB-INF/classes/
> ----------> Parent Classloader:
> EJBClassLoader :
> urlSet = []
> doneCalled = false
> Parent -> java.net.URLClassLoader@173eca6
>
>
> (principals com.ecyrd.jspwiki.auth.authorize.Role "Anonymous",
> com.ecyrd.jspwiki.auth.WikiPrincipal "192.18.101.5",
> com.ecyrd.jspwiki.auth.authorize.Role "All")
>
> java.security.Permissions@7e4019 (
> (java.net.SocketPermission localhost:1024- listen,resolve)
> (java.net.SocketPermission * connect,resolve)
> (javax.management.MBeanTrustPermission register)
> (javax.management.MBeanPermission [com.sun.messaging.jms.*:*] *)
> (javax.security.auth.PrivateCredentialPermission
> javax.resource.spi.security.PasswordCredential * "*" read)
> (java.util.PropertyPermission line.separator read)
> (java.util.PropertyPermission java.vm.version read)
> (java.util.PropertyPermission java.vm.specification.version read)
> (java.util.PropertyPermission java.vm.specification.vendor read)
> (java.util.PropertyPermission java.vendor.url read)
> (java.util.PropertyPermission java.vm.name read)
> (java.util.PropertyPermission * read,write)
> (java.util.PropertyPermission os.name read)
> (java.util.PropertyPermission java.vm.vendor read)
> (java.util.PropertyPermission path.separator read)
> (java.util.PropertyPermission java.specification.name read)
> (java.util.PropertyPermission os.version read)
> (java.util.PropertyPermission os.arch read)
> (java.util.PropertyPermission java.class.version read)
> (java.util.PropertyPermission java.version read)
> (java.util.PropertyPermission file.separator read)
> (java.util.PropertyPermission java.vendor read)
> (java.util.PropertyPermission java.vm.specification.name read)
> (java.util.PropertyPermission java.specification.version read)
> (java.util.PropertyPermission java.specification.vendor read)
> (java.lang.RuntimePermission getClassLoader)
> (java.lang.RuntimePermission loadLibrary.*)
> (java.lang.RuntimePermission accessDeclaredMembers)
> (java.lang.RuntimePermission getProtectionDomain)
> (java.lang.RuntimePermission modifyThreadGroup)
> (java.lang.RuntimePermission stopThread)
> (java.lang.RuntimePermission setContextClassLoader)
> (java.lang.RuntimePermission queuePrintJob)
> (java.io.FilePermission /var/tmp//- delete)
> (java.io.FilePermission
> /storage/glassfishwiki/server/glassfish_v2u1/domains/domain1/lib/databases/-
> delete)
> (java.io.FilePermission <<ALL FILES>> read,write)
> (java.io.FilePermission
> /storage/glassfishwiki/server/glassfish_v2u1/domains/domain1/applications/j2ee-modules/appserver/WEB-INF/lib/JSPWiki.jar
> read)
> (unresolved
> com.sun.corba.ee.impl.presentation.rmi.DynamicAccessPermission access
> null)
> (unresolved com.sun.enterprise.security.CORBAObjectPermission * *)
> )
>
> )|#]
>
Re: ProtectionDomain failure
Posted by Paul Sterk <Pa...@Sun.COM>.
Ok. I was able to make no headway. So, I did the following:
1) Completely removed JSPWiki 2.4 and GlassFish v2u1
2) Did a new install of GlassFish v2u1
3) Downloaded JSPWiki 2.8.2 (latest stable release)
4) Renamed JSPWiki.war to appserver.war
5) Deployed appserver.war
6) Entered this URL in my browser: localhost:/appserver/Install.jsp
I immediately see the permission failure below. Is this right?
JSPWiki.jar is not signed in version 2.8.2. Why am I getting a JACC
domain failure? If I try to continue, I see further permission failure
messages in the log file, and authentication fails to work.
Please help - this is a roadblock for my deployment!
Thanks,
Paul
[#|2009-07-22T11:31:57.553-0700|INFO|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=19;_ThreadName=httpSSLWorkerThread-80-1;|JACC
Policy Provider: PolicyWrapper.implies, context(nul
)-
permission(("com.ecyrd.jspwiki.auth.permissions.AllPermission","JSPWiki"))
domain that failed(ProtectionDomain
(file:/storage/glassfishwiki/server/glassfish_v2u1/domains/domain1/applications/j2ee
modules/appserver/WEB-INF/lib/JSPWiki.jar <no signer certificates>)
WebappClassLoader
delegate: true
repositories:
/WEB-INF/classes/
----------> Parent Classloader:
EJBClassLoader :
urlSet = []
doneCalled = false
Parent -> java.net.URLClassLoader@173eca6
(principals com.ecyrd.jspwiki.auth.authorize.Role "Anonymous",
com.ecyrd.jspwiki.auth.WikiPrincipal "192.18.101.5",
com.ecyrd.jspwiki.auth.authorize.Role "All")
java.security.Permissions@7e4019 (
(java.net.SocketPermission localhost:1024- listen,resolve)
(java.net.SocketPermission * connect,resolve)
(javax.management.MBeanTrustPermission register)
(javax.management.MBeanPermission [com.sun.messaging.jms.*:*] *)
(javax.security.auth.PrivateCredentialPermission
javax.resource.spi.security.PasswordCredential * "*" read)
(java.util.PropertyPermission line.separator read)
(java.util.PropertyPermission java.vm.version read)
(java.util.PropertyPermission java.vm.specification.version read)
(java.util.PropertyPermission java.vm.specification.vendor read)
(java.util.PropertyPermission java.vendor.url read)
(java.util.PropertyPermission java.vm.name read)
(java.util.PropertyPermission * read,write)
(java.util.PropertyPermission os.name read)
(java.util.PropertyPermission java.vm.vendor read)
(java.util.PropertyPermission path.separator read)
(java.util.PropertyPermission java.specification.name read)
(java.util.PropertyPermission os.version read)
(java.util.PropertyPermission os.arch read)
(java.util.PropertyPermission java.class.version read)
(java.util.PropertyPermission java.version read)
(java.util.PropertyPermission file.separator read)
(java.util.PropertyPermission java.vendor read)
(java.util.PropertyPermission java.vm.specification.name read)
(java.util.PropertyPermission java.specification.version read)
(java.util.PropertyPermission java.specification.vendor read)
(java.lang.RuntimePermission getClassLoader)
(java.lang.RuntimePermission loadLibrary.*)
(java.lang.RuntimePermission accessDeclaredMembers)
(java.lang.RuntimePermission getProtectionDomain)
(java.lang.RuntimePermission modifyThreadGroup)
(java.lang.RuntimePermission stopThread)
(java.lang.RuntimePermission setContextClassLoader)
(java.lang.RuntimePermission queuePrintJob)
(java.io.FilePermission /var/tmp//- delete)
(java.io.FilePermission
/storage/glassfishwiki/server/glassfish_v2u1/domains/domain1/lib/databases/-
delete)
(java.io.FilePermission <<ALL FILES>> read,write)
(java.io.FilePermission
/storage/glassfishwiki/server/glassfish_v2u1/domains/domain1/applications/j2ee-modules/appserver/WEB-INF/lib/JSPWiki.jar
read)
(unresolved
com.sun.corba.ee.impl.presentation.rmi.DynamicAccessPermission access null)
(unresolved com.sun.enterprise.security.CORBAObjectPermission * *)
)
)|#]
Re: ProtectionDomain failure
Posted by Paul Sterk <Pa...@Sun.COM>.
On 7/21/2009 1:36 AM, Janne Jalkanen wrote:
> java -cp JSPWiki.jar com.ecyrd.jspwiki.Release
Thanks! I am using version 2.4.103
Paul
Re: ProtectionDomain failure
Posted by Janne Jalkanen <ja...@ecyrd.com>.
> I could be mistaken. What is the surest way to verify the version
> number?
java -cp JSPWiki.jar com.ecyrd.jspwiki.Release
That outputs the version number.
/Janne
Re: ProtectionDomain failure
Posted by Paul Sterk <Pa...@Sun.COM>.
On 7/20/2009 3:00 PM, Janne Jalkanen wrote:
>
> Sounds a bit fishy, since 2.2 didn't (IIRC) have any sort of working
> ACLs or use the jks file at all. So if you're sure it's a 2.2
> instance, it sounds to me like you have accidentally copied some
> 2.4/2.6 -specific files in there and those are messing everything up.
I could be mistaken. What is the surest way to verify the version number?
Paul
>
> You could of course try and sign the app yourself too and see if that
> helps. I think the signing password was hardcoded into the build
> scripts ;-)
>
> [If Glassfish has a security manager, please turn it off. JSPWiki does
> not play ball with Tomcat's security manager either.]
>
> /Janne
>
> On 21 Jul 2009, at 00:33, Paul Sterk wrote:
>
>>
>> Hi,
>>
>> I am in the process of moving a JSPWiki 2.2 instance from one host to
>> another using version GlassFish 9.1_u01 and have come across the
>> following failure displayed in the log file:
>>
>> context(null)-
>> permission(("com.ecyrd.jspwiki.auth.permissions.AllPermission","GlassFish
>> Wiki")) domain that failed(ProtectionDomain
>> (file:/storage/glassfishwiki/server/glassfish_v2ur1/domains/domain1/applications/j2ee-modules/appserver/WEB-INF/lib/JSPWiki.jar
>>
>>
>> More details are shown below. After some searching, I found out that
>> I must have jspwiki.jks located in (app name)/WEB-INF and in the app
>> server's domains/domain1/config directory. I have done that. I also
>> found out that I had to append the JSPWiki server.policy section to
>> the app server's server.policy file (see below). I have done that also.
>>
>> I still get the domain protection failure. What did I miss? BTW, I
>> do not have the option to upgrade the JSPWiki.
>>
>> Paul
>>
>> [#|2009-07-19T17:41:38.727-0700|INFO|sun-appserver9.1|javax.enterprise.system.core.security|_ThreadID=15;_ThreadName=httpSSLWorkerThread-80-0;|JACC
>> Policy Provider: PolicyWrapper.implies, context(null)-
>> permission(("com.ecyrd.jspwiki.auth.permissions.AllPermission","GlassFish
>> Wiki")) domain that failed(ProtectionDomain
>> (file:/storage/glassfishwiki/server/glassfish_v2ur1/domains/domain1/applications/j2ee-modules/appserver/WEB-INF/lib/JSPWiki.jar
>> [
>> [
>> Version: V1
>> Subject: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division,
>> O=jspwiki.org, C=FI
>> Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3
>>
>> Key: SunPKCS11-Solaris DSA public key, 1024 bits (id 143695096,
>> session object)
>> y:
>> 685336709211189479978176481322996401882667342822443461375871414904657271343827072933994730697972525463287186110312511525703609990543636216407479486
>>
>> 03057873733660321330081871201176281154664912732522693955389713650625161330397090864782939712676489034956390674378204731139907826475282246840419508442831
>>
>> 762130982
>> p:
>> 178011905478542266528237562450159990145232156369120674273274450314442865788737020770612695252123463079567156784778466449970650770920727857050009668
>>
>> 38814403412974522117181850604723115003930107995935806739534871706631980226201971496652413506094591370759495651467285569060679413583754270737172742955134
>>
>> 3320695239
>> q: 864205495604807476120572616017955259175325408501
>> g:
>> 174068207532402095185811980123523436538604490794561350978495831040599953488455823147851597408940950725307797094915759492368300574252438761037084473
>>
>> 46718014887611810308304375498519098347260155049469132948808339549231385000036164648264460849230407872181895999905649609776936801774927370896200668918795
>>
>> 6744210730
>> Validity: [From: Fri Mar 02 09:35:56 PST 2007,
>> To: Thu May 31 10:35:56 PDT 2007]
>> Issuer: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division,
>> O=jspwiki.org, C=FI
>> SerialNumber: [ 45e8607c]
>>
>> ]
>> Algorithm: [SHA1withDSA]
>> Signature:
>> 0000: 30 2C 02 14 37 83 53 EC 47 39 1B 73 EE 7C 7E 39
>> 0,..7.S.G9.s...9
>> 0010: 89 78 04 31 86 22 DF 1C 02 14 5A CB CE 61 E3 F8
>> .x.1."....Z..a..
>> 0020: 8F 73 70 E7 47 DA 5A D9 28 2C DE E0 4C F2 .sp.G.Z.(,..L.
>>
>> ])
>> WebappClassLoader
>> delegate: true
>> repositories:
>> /WEB-INF/classes/
>> ----------> Parent Classloader:
>> EJBClassLoader :
>> urlSet = []
>> doneCalled = false
>> Parent -> java.net.URLClassLoader@1f0cf51
>>
>>
>> (principals com.ecyrd.jspwiki.auth.WikiPrincipal "Guest",
>> com.ecyrd.jspwiki.auth.authorize.Role "Anonymous",
>> com.ecyrd.jspwiki.auth.authorize.Role "All")
>>
>> -------------------------------------------------------------------------------------------------------
>>
>>
>> keystore "jspwiki.jks";
>>
>> // JSPWiki itself needs some basic privileges in order to operate.
>> // If you are running JSPWiki with a security manager, don't change
>> these,
>> // because it will totally b0rk the system.
>>
>> grant signedBy "jspwiki" {
>> permission java.security.SecurityPermission "getPolicy";
>> permission java.security.SecurityPermission "setPolicy";
>> permission java.util.PropertyPermission
>> "java.security.auth.login.config", "write";
>> permission java.util.PropertyPermission
>> "java.security.policy", "read,write";
>> permission javax.security.auth.AuthPermission
>> "getLoginConfiguration";
>> permission javax.security.auth.AuthPermission
>> "setLoginConfiguration";
>> };
>>
>> grant signedBy "jspwiki",
>> principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
>> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
>> "*:*", "view";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "editPreferences";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "editProfile";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "login";
>> };
>>
>>
>> grant signedBy "jspwiki",
>> principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
>> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>> "*:*", "view";
>> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
>> "*:*", "view";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "editPreferences";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "editProfile";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "login";
>> };
>>
>> grant signedBy "jspwiki",
>> principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
>> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>> "*:*", "view";
>> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
>> "*:*", "view";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "editPreferences";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "editProfile";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "login";
>> };
>>
>> grant signedBy "jspwiki",
>> principal com.ecyrd.jspwiki.auth.authorize.Role "Validated" {
>> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>> "*:*", "view";
>> // permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>> "*:<groupmember>", "edit";
>> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
>> "*:*", "modify,rename";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "createPages,createGroups";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "editPreferences";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "editProfile";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "login";
>> };
>>
>> grant signedBy "jspwiki",
>> principal com.ecyrd.jspwiki.auth.GroupPrincipal "Validated" {
>> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>> "*:*", "view";
>> // permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>> "*:<groupmember>", "edit";
>> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
>> "*:*", "modify,rename";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "createPages,createGroups";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "editPreferences";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "editProfile";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "login";
>> };
>>
>> grant signedBy "jspwiki",
>> principal com.ecyrd.jspwiki.auth.GroupPrincipal "ServletSpec" {
>> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>> "*:*", "view";
>> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>> "*:<groupmember>", "edit";
>> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
>> "*:*", "modify,rename";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "createPages,createGroups";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "editPreferences";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "editProfile";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "login";
>> };
>>
>> grant signedBy "jspwiki",
>> principal com.ecyrd.jspwiki.auth.GroupPrincipal "Sip" {
>> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>> "*:*", "view";
>> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
>> "*:<groupmember>", "edit";
>> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
>> "*:*", "modify,rename";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "createPages,createGroups";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "editPreferences";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "editProfile";
>> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
>> "login";
>> };
>>
>> // Administrators (principals or roles possessing AllPermission)
>> // are allowed to delete any page, and can edit, rename and delete
>> // groups. You should match the permission target (here, 'JSPWiki')
>> // with the value of the 'jspwiki.applicationName' property in
>> // jspwiki.properties. Two administrative groups are set up below:
>> // the wiki group "Admin" (stored by default in wiki page GroupAdmin)
>> // and the container role "Admin" (managed by the web container).
>>
>> grant signedBy "jspwiki",
>> principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
>> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
>> "GlassFish Wiki";
>> permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Open
>> ESB Wiki";
>> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
>> "Slynkr Wiki";
>> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
>> "Update Center Wiki";
>> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
>> "SocialSite Wiki";
>> };
>> grant signedBy "jspwiki",
>> principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
>> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
>> "GlassFish Wiki";
>> permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Open
>> ESB Wiki";
>> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
>> "Slynkr Wiki";
>> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
>> "Update Center Wiki";
>> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
>> "SocialSite Wiki";
>> };
>
Re: ProtectionDomain failure
Posted by Janne Jalkanen <ja...@ecyrd.com>.
Sounds a bit fishy, since 2.2 didn't (IIRC) have any sort of working
ACLs or use the jks file at all. So if you're sure it's a 2.2
instance, it sounds to me like you have accidentally copied some
2.4/2.6-specific files in there and those are messing everything up.
You could of course try and sign the app yourself too and see if that
helps; every grant in the policy you pasted is conditioned on
signedBy "jspwiki", so the jar's signer has to match the "jspwiki"
entry in jspwiki.jks for any of them to apply. I think the signing
password was hardcoded into the build scripts ;-)
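[If Glassfish has a security manager enabled, please turn it off; JSPWiki
does not play ball with Tomcat's security manager either. Bear in mind the
security manager is a JVM-wide setting, so turning it off drops Java policy
enforcement for every application in that domain, not just the wiki.]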
/Janne
On 21 Jul 2009, at 00:33, Paul Sterk wrote:
>
> Hi,
>
> I am in the process of moving a JSPWiki 2.2 instance from one host
> to another using version GlassFish 9.1_u01 and have come across the
> following failure displayed in the log file:
>
> context(null)-
> permission
> (("com.ecyrd.jspwiki.auth.permissions.AllPermission","GlassFish
> Wiki")) domain that failed(ProtectionDomain (file:/storage/
> glassfishwiki/server/glassfish_v2ur1/domains/domain1/applications/
> j2ee-modules/appserver/WEB-INF/lib/JSPWiki.jar
>
> More details are shown below. After some searching, I found out that
> I must have jspwiki.jks located in (app name)/WEB-INF and in the app
> server's domains/domain1/config directory. I have done that. I
> also found out that I had to append the JSPWiki server.policy
> section to the app server's server.policy file (see below). I have
> done that also.
>
> I still get the domain protection failure. What did I miss? BTW, I
> do not have the option to upgrade the JSPWiki.
>
> Paul
>
> [#|2009-07-19T17:41:38.727-0700|INFO|sun-appserver9.1|
> javax.enterprise.system.core.security|
> _ThreadID=15;_ThreadName=httpSSLWorkerThread-80-0;|JACC Policy
> Provider: PolicyWrapper.implies, context(null)-
> permission
> (("com.ecyrd.jspwiki.auth.permissions.AllPermission","GlassFish
> Wiki")) domain that failed(ProtectionDomain (file:/storage/
> glassfishwiki/server/glassfish_v2ur1/domains/domain1/applications/
> j2ee-modules/appserver/WEB-INF/lib/JSPWiki.jar [
> [
> Version: V1
> Subject: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division,
> O=jspwiki.org, C=FI
> Signature Algorithm: SHA1withDSA, OID = 1.2.840.10040.4.3
>
> Key: SunPKCS11-Solaris DSA public key, 1024 bits (id 143695096,
> session object)
> y:
> 685336709211189479978176481322996401882667342822443461375871414904657271343827072933994730697972525463287186110312511525703609990543636216407479486
> 03057873733660321330081871201176281154664912732522693955389713650625161330397090864782939712676489034956390674378204731139907826475282246840419508442831
> 762130982
> p:
> 178011905478542266528237562450159990145232156369120674273274450314442865788737020770612695252123463079567156784778466449970650770920727857050009668
> 38814403412974522117181850604723115003930107995935806739534871706631980226201971496652413506094591370759495651467285569060679413583754270737172742955134
> 3320695239
> q: 864205495604807476120572616017955259175325408501
> g:
> 174068207532402095185811980123523436538604490794561350978495831040599953488455823147851597408940950725307797094915759492368300574252438761037084473
> 46718014887611810308304375498519098347260155049469132948808339549231385000036164648264460849230407872181895999905649609776936801774927370896200668918795
> 6744210730
> Validity: [From: Fri Mar 02 09:35:56 PST 2007,
> To: Thu May 31 10:35:56 PDT 2007]
> Issuer: CN=Janne Jalkanen, OU=JSPWiki Code Signing Division,
> O=jspwiki.org, C=FI
> SerialNumber: [ 45e8607c]
>
> ]
> Algorithm: [SHA1withDSA]
> Signature:
> 0000: 30 2C 02 14 37 83 53 EC 47 39 1B 73 EE 7C 7E 39
> 0,..7.S.G9.s...9
> 0010: 89 78 04 31 86 22 DF 1C 02 14 5A CB CE 61 E3 F8 .x.
> 1."....Z..a..
> 0020: 8F 73 70 E7 47 DA 5A D9 28 2C DE E0 4C F2 .sp.G.Z.
> (,..L.
>
> ])
> WebappClassLoader
> delegate: true
> repositories:
> /WEB-INF/classes/
> ----------> Parent Classloader:
> EJBClassLoader :
> urlSet = []
> doneCalled = false
> Parent -> java.net.URLClassLoader@1f0cf51
>
>
> (principals com.ecyrd.jspwiki.auth.WikiPrincipal "Guest",
> com.ecyrd.jspwiki.auth.authorize.Role "Anonymous",
> com.ecyrd.jspwiki.auth.authorize.Role "All")
>
> -------------------------------------------------------------------------------------------------------
>
> keystore "jspwiki.jks";
>
> // JSPWiki itself needs some basic privileges in order to operate.
> // If you are running JSPWiki with a security manager, don't change
> these,
> // because it will totally b0rk the system.
>
> grant signedBy "jspwiki" {
> permission java.security.SecurityPermission "getPolicy";
> permission java.security.SecurityPermission "setPolicy";
> permission java.util.PropertyPermission
> "java.security.auth.login.config", "write";
> permission java.util.PropertyPermission
> "java.security.policy", "read,write";
> permission javax.security.auth.AuthPermission
> "getLoginConfiguration";
> permission javax.security.auth.AuthPermission
> "setLoginConfiguration";
> };
>
> grant signedBy "jspwiki",
> principal com.ecyrd.jspwiki.auth.authorize.Role "Anonymous" {
> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
> "*:*", "view";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editPreferences";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editProfile";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "login";
> };
>
>
> grant signedBy "jspwiki",
> principal com.ecyrd.jspwiki.auth.authorize.Role "Asserted" {
> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
> "*:*", "view";
> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
> "*:*", "view";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editPreferences";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editProfile";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "login";
> };
>
> grant signedBy "jspwiki",
> principal com.ecyrd.jspwiki.auth.authorize.Role "Authenticated" {
> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
> "*:*", "view";
> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
> "*:*", "view";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editPreferences";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editProfile";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "login";
> };
>
> grant signedBy "jspwiki",
> principal com.ecyrd.jspwiki.auth.authorize.Role "Validated" {
> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
> "*:*", "view";
> // permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
> "*:<groupmember>", "edit";
> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
> "*:*", "modify,rename";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "createPages,createGroups";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editPreferences";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editProfile";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "login";
> };
>
> grant signedBy "jspwiki",
> principal com.ecyrd.jspwiki.auth.GroupPrincipal "Validated" {
> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
> "*:*", "view";
> // permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
> "*:<groupmember>", "edit";
> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
> "*:*", "modify,rename";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "createPages,createGroups";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editPreferences";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editProfile";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "login";
> };
>
> grant signedBy "jspwiki",
> principal com.ecyrd.jspwiki.auth.GroupPrincipal "ServletSpec" {
> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
> "*:*", "view";
> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
> "*:<groupmember>", "edit";
> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
> "*:*", "modify,rename";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "createPages,createGroups";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editPreferences";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editProfile";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "login";
> };
>
> grant signedBy "jspwiki",
> principal com.ecyrd.jspwiki.auth.GroupPrincipal "Sip" {
> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
> "*:*", "view";
> permission com.ecyrd.jspwiki.auth.permissions.GroupPermission
> "*:<groupmember>", "edit";
> permission com.ecyrd.jspwiki.auth.permissions.PagePermission
> "*:*", "modify,rename";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "createPages,createGroups";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editPreferences";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "editProfile";
> permission com.ecyrd.jspwiki.auth.permissions.WikiPermission "*",
> "login";
> };
>
> // Administrators (principals or roles possessing AllPermission)
> // are allowed to delete any page, and can edit, rename and delete
> // groups. You should match the permission target (here, 'JSPWiki')
> // with the value of the 'jspwiki.applicationName' property in
> // jspwiki.properties. Two administrative groups are set up below:
> // the wiki group "Admin" (stored by default in wiki page GroupAdmin)
> // and the container role "Admin" (managed by the web container).
>
> grant signedBy "jspwiki",
> principal com.ecyrd.jspwiki.auth.GroupPrincipal "Admin" {
> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
> "GlassFish Wiki";
> permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Open
> ESB Wiki";
> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
> "Slynkr Wiki";
> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
> "Update Center Wiki";
> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
> "SocialSite Wiki";
> };
> grant signedBy "jspwiki",
> principal com.ecyrd.jspwiki.auth.authorize.Role "Admin" {
> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
> "GlassFish Wiki";
> permission com.ecyrd.jspwiki.auth.permissions.AllPermission "Open
> ESB Wiki";
> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
> "Slynkr Wiki";
> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
> "Update Center Wiki";
> permission com.ecyrd.jspwiki.auth.permissions.AllPermission
> "SocialSite Wiki";
> };