Posted to users@tomcat.apache.org by Gayathri Shaikh <GS...@mobius.com> on 2002/12/12 13:58:57 UTC
Security violation in Tomcat 4.0.6
Hi
I am using Tomcat 4.0.6 LE JDK 1.4 with JDK 1.4.1_01.
I am getting the following Security violation when I try to access my web
application.
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:272)
    at java.security.AccessController.checkPermission(AccessController.java:399)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:545)
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1501)
    at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:1056)
    at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:992)
    at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:313)
    at org.apache.catalina.connector.HttpRequestBase.parseParameters(HttpRequestBase.java:615)
    at org.apache.catalina.connector.HttpRequestBase.getParameter(HttpRequestBase.java:691)
    at org.apache.catalina.connector.RequestFacade.getParameter(RequestFacade.java:160)
    at com.clickndone.billerdirect.BDRouter.doPost(BDRouter.java:141)
    at com.clickndone.billerdirect.BDRouter.doGet(BDRouter.java:106)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:98)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:243)
    at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:190)
    at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
    at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2347)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
    at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
    at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
    at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
    at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:468)
    at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
    at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
    at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java:1027)
    at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:1125)
    at java.lang.Thread.run(Thread.java:484)
I have granted the following extra permissions:
grant {
    permission java.net.SocketPermission "LDP2KSEN0066:1024-65535", "connect, resolve";

    permission java.util.PropertyPermission "https.proxyHost", "write";
    permission java.util.PropertyPermission "https.proxyPort", "write";
    permission java.util.PropertyPermission "java.security.policy", "write";
    permission java.util.PropertyPermission "propertiesDirectory", "read";

    permission java.lang.RuntimePermission "getClassLoader";

    permission java.io.FilePermission "C:\\Program Files\\Click-n-DoneServerSuite\\common\\properties\\-", "read, write";
    permission java.io.FilePermission "C:\\Program Files\\Click-n-DoneServerSuite\\WebApplications\\BillerListWebApp\\CNDBillerList.txt", "read, write";

    permission java.io.FilePermission "C:\\Program Files\\Click-n-DoneServerSuite\\logs\\-", "read, write";
    permission java.io.FilePermission "C:\\Tomcat_JDK1.3.1\\-", "read";
};
If I access another web application (which has only JSPs), there is no
problem. Also after that if I access the first web-app also, there is no
problem. The first web-app has a servlet that accesses
HttpServletRequest.getParameter("currentPage") and this is what is throwing
the exception. I also have no problem if I use Tomcat 4.0.2 LE JDK 1.4.
What has changed between versions 4.0.2 and 4.0.6 that causes this problem?
Thanks a lot.
-- Gayathri
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: Security violation in Tomcat 4.0.6
Posted by Jeanfrancois Arcand <jf...@apache.org>.
In catalina.properties, can you add:
// These permissions are granted by default to all web applications
// In addition, a web application will be given a read FilePermission
// and JndiPermission for all files and directories in its document root.
grant {
    [.....]
    // Required for servlets and JSPs
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util.*";
    permission java.lang.RuntimePermission "defineClassInPackage.org.apache.catalina.util";
    permission java.lang.RuntimePermission "defineClassInPackage.org.apache.catalina.util.*";
};
That should fix the problem. This has been fixed in 4.1.X. If it works,
then file a bug against 4.0.6 (we will add the property next time we
release 4.0.x).
-- Jeanfrancois
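An added example, not part of the original thread or of Tomcat: a Python helper that pulls the denied permission out of AccessControlException messages and emits only the policy entries an existing grant block does not already cover. It also shows why the reply lists both the bare package name and the ".*" form. All function names and sample strings are constructed for illustration, and only BasicPermission-style name matching is modelled.

```python
import re

# JDK 1.4 style, as in the trace above: access denied (class name [actions])
OLD = re.compile(r'access denied \(([\w.$]+) ([^\s)]+)(?: ([^)]*))?\)')
# Later JDKs quote each field: access denied ("class" "name" ["actions"])
NEW = re.compile(r'access denied \("([^"]+)" "([^"]+)"(?: "([^"]*)")?\)')
GRANT = re.compile(r'permission\s+([\w.$]+)\s+"([^"]*)"(?:\s*,\s*"([^"]*)")?\s*;')

def denied_permissions(log_text):
    """Ordered, de-duplicated (class, name, actions) tuples found in a log."""
    flat = re.sub(r"\s*\n\s*", " ", log_text)  # undo mail/log line wrapping
    found = []
    for hit in OLD.findall(flat) + NEW.findall(flat):
        if hit not in found:
            found.append(hit)
    return found

def implied(granted, wanted):
    """BasicPermission name matching: exact, or trailing '*' as a prefix wildcard."""
    if granted == wanted:
        return True
    if granted == "*" or granted.endswith(".*"):
        prefix = granted[:-1]  # "a.b.*" covers "a.b.c" but not "a.b" itself
        return len(wanted) > len(prefix) and wanted.startswith(prefix)
    return False

def missing_grants(log_text, policy_text):
    """Policy lines for denied permissions that the policy does not yet grant."""
    grants = GRANT.findall(policy_text)
    lines = []
    for cls, name, actions in denied_permissions(log_text):
        # Assumption: name matching only; FilePermission/SocketPermission rules not modelled.
        if any(g[0] == cls and implied(g[1], name) for g in grants):
            continue
        esc = name.replace("\\", "\\\\")  # policy strings double backslashes
        tail = f', "{actions}"' if actions else ""
        lines.append(f'permission {cls} "{esc}"{tail};')
    return lines

# Constructed samples modelled on the thread (wrapped the way the mail was).
SAMPLE_LOG = """java.security.AccessControlException: access denied
(java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util)
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1501)
"""
SAMPLE_POLICY = """grant {
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util.*";
};
"""
```

Review each emitted line before adding it to the policy: the output lists what was denied, not what should be granted.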