Posted to user@commons.apache.org by Marcel Overdijk <m....@oravision.nl> on 2003/05/15 09:00:37 UTC

security problem with accessing files

Hello, 
 
I'm having a security problem with accessing files. I received the
information below from Robert.
 
What do I have to change?
 
---------------
 
your ISP is running a security manager with a restricted security
policy. this policy is preventing dynamic discovery of properties through
reflection (the trace below shows java.lang.RuntimePermission
accessDeclaredMembers being denied). this prevents beanutils from working
correctly.
 
IMHO there is no real security reason why your ISP should have this
policy (for non-applets). i would suggest that you learn about security
managers and use this information to educate your ISP and to lobby for a
change to a less restrictive security policy for servlets.
 
- robert
 
---------------
 
Starting service Tomcat-Apache13
Apache Tomcat/4.0.3
WebappLoader[]: Deploying class repositories to work directory
/var/tomcat4/work/defaulthost/_
StandardManager[]: Seeding random number generator class
java.security.SecureRandom
StandardManager[]: Seeding of random number generator has been completed
ContextConfig[]: Missing application web.xml, using defaults only
ContextConfig[]: Added certificates -> request attribute Valve
StandardWrapper[:default]: Loading container servlet default
StandardWrapper[:invoker]: Loading container servlet invoker
register('-//Apache Software Foundation//DTD Struts Configuration
1.0//EN',
'jar:file:/home/virtual/site46/fst/var/www/html/WEB-INF/lib/struts.jar!/
org/apache/struts/resources/struts-config_1_0.dtd'
register('-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN',
'jar:file:/home/virtual/site46/fst/var/www/html/WEB-INF/lib/struts.jar!/
org/apache/struts/resources/web-app_2_2.dtd'
register('-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN',
'jar:file:/home/virtual/site46/fst/var/www/html/WEB-INF/lib/struts.jar!/
org/apache/struts/resources/web-app_2_3.dtd'
resolveEntity('-//Apache Software Foundation//DTD Struts Configuration
1.0//EN', 'http://jakarta.apache.org/struts/dtds/struts-config_1_0.dtd')
 Resolving to alternate DTD
'jar:file:/home/virtual/site46/fst/var/www/html/WEB-INF/lib/struts.jar!/
org/apache/struts/resources/struts-config_1_0.dtd'
New org.apache.struts.action.ActionForward
Set org.apache.struts.action.ActionForward properties
Call
org.apache.struts.tiles.ActionComponentServlet.addForward(ActionForward[
failure])
Pop org.apache.struts.action.ActionForward
New org.apache.struts.action.ActionMapping
Set org.apache.struts.action.ActionMapping properties
Call
org.apache.struts.tiles.ActionComponentServlet.addMapping(ActionMapping[
path=/tiles-admin/reload,
type=org.apache.struts.tiles.actions.ReloadDefinitionsAction])
Pop org.apache.struts.action.ActionMapping
New org.apache.struts.action.ActionMapping
Set org.apache.struts.action.ActionMapping properties
Call
org.apache.struts.tiles.ActionComponentServlet.addMapping(ActionMapping[
path=/tiles-admin/view,
type=org.apache.struts.tiles.actions.ViewDefinitionsAction])
Pop org.apache.struts.action.ActionMapping
New org.apache.struts.action.ActionMapping
Set org.apache.struts.action.ActionMapping properties
Call
org.apache.struts.tiles.ActionComponentServlet.addMapping(ActionMapping[
path=/test, type=org.apache.struts.actions.ForwardAction])
Pop org.apache.struts.action.ActionMapping
New org.apache.struts.action.ActionMapping
Set org.apache.struts.action.ActionMapping properties
Call
org.apache.struts.tiles.ActionComponentServlet.addMapping(ActionMapping[
path=/home, type=org.apache.struts.actions.ForwardAction])
Pop org.apache.struts.action.ActionMapping
New org.apache.struts.action.ActionMapping
Set org.apache.struts.action.ActionMapping properties
Call
org.apache.struts.tiles.ActionComponentServlet.addMapping(ActionMapping[
path=/trends, type=org.apache.struts.actions.ForwardAction])
Pop org.apache.struts.action.ActionMapping
New org.apache.struts.action.ActionMapping
Set org.apache.struts.action.ActionMapping properties
Call
org.apache.struts.tiles.ActionComponentServlet.addMapping(ActionMapping[
path=/productlijn, type=org.apache.struts.actions.ForwardAction])
Pop org.apache.struts.action.ActionMapping
New org.apache.struts.action.ActionMapping
Set org.apache.struts.action.ActionMapping properties
Call
org.apache.struts.tiles.ActionComponentServlet.addMapping(ActionMapping[
path=/prijzen, type=org.apache.struts.actions.ForwardAction])
Pop org.apache.struts.action.ActionMapping
New org.apache.struts.action.ActionMapping
Set org.apache.struts.action.ActionMapping properties
Call
org.apache.struts.tiles.ActionComponentServlet.addMapping(ActionMapping[
path=/contact, type=org.apache.struts.actions.ForwardAction])
Pop org.apache.struts.action.ActionMapping
register('-//Apache Software Foundation//DTD Struts Configuration
1.0//EN',
'jar:file:/home/virtual/site46/fst/var/www/html/WEB-INF/lib/struts.jar!/
org/apache/struts/resources/struts-config_1_0.dtd'
register('-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN',
'jar:file:/home/virtual/site46/fst/var/www/html/WEB-INF/lib/struts.jar!/
org/apache/struts/resources/web-app_2_2.dtd'
register('-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN',
'jar:file:/home/virtual/site46/fst/var/www/html/WEB-INF/lib/struts.jar!/
org/apache/struts/resources/web-app_2_3.dtd'
resolveEntity('-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN',
'http://java.sun.com/j2ee/dtds/web-app_2_2.dtd')
 Resolving to alternate DTD
'jar:file:/home/virtual/site46/fst/var/www/html/WEB-INF/lib/struts.jar!/
org/apache/struts/resources/web-app_2_2.dtd'
Call
org.apache.struts.tiles.ActionComponentServlet.addServletMapping(action/
java.lang.String,*.do/java.lang.String)
java.security.AccessControlException: access denied
(java.lang.RuntimePermission accessDeclaredMembers)  at
java.security.AccessControlContext.checkPermission(AccessControlContext.
java:270)
 at
java.security.AccessController.checkPermission(AccessController.java:401
)
 at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
 at
java.lang.SecurityManager.checkMemberAccess(SecurityManager.java:1662)
 at java.lang.Class.checkMemberAccess(Class.java:1401)
 at java.lang.Class.getDeclaredMethods(Class.java:1101)
 at
org.apache.commons.beanutils.MappedPropertyDescriptor$1.run(MappedProper
tyDescriptor.java:381)
 at java.security.AccessController.doPrivileged(Native Method)  at
org.apache.commons.beanutils.MappedPropertyDescriptor.getPublicDeclaredM
ethods(MappedPropertyDescriptor.java:378)
 at
org.apache.commons.beanutils.MappedPropertyDescriptor.internalFindMethod
(MappedPropertyDescriptor.java:448)
 at
org.apache.commons.beanutils.MappedPropertyDescriptor.findMethod(MappedP
ropertyDescriptor.java:522)
 at
org.apache.commons.beanutils.MappedPropertyDescriptor.<init>(MappedPrope
rtyDescriptor.java:149)
 at
org.apache.commons.beanutils.PropertyUtils.getPropertyDescriptor(Propert
yUtils.java:886)
 at
org.apache.commons.beanutils.BeanUtils.setProperty(BeanUtils.java:846)
 at org.apache.commons.beanutils.BeanUtils.populate(BeanUtils.java:726)
 at
org.apache.struts.tiles.DefinitionsFactoryConfig.populate(DefinitionsFac
toryConfig.java:355)
 at
org.apache.struts.tiles.DefinitionsUtil.populateDefinitionsFactoryConfig
(DefinitionsUtil.java:391)
 at
org.apache.struts.tiles.DefinitionsUtil.readFactoryConfig(DefinitionsUti
l.java:410)
 at
org.apache.struts.tiles.DefinitionsUtil.createDefinitionsFactory(Definit
ionsUtil.java:213)
 at
org.apache.struts.tiles.DefinitionsUtil.createDefinitionsFactory(Definit
ionsUtil.java:248)
 at
org.apache.struts.tiles.ActionComponentServlet.initComponentDefinitionsM
apping(ActionComponentServlet.java:136)
 at
org.apache.struts.tiles.ActionComponentServlet.init(ActionComponentServl
et.java:109)
 at javax.servlet.GenericServlet.init(GenericServlet.java:258)
 at
org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.jav
a:916)
 at
org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:808)
 at
org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.j
ava:3266)
 at
org.apache.catalina.core.StandardContext.start(StandardContext.java:3395
)
 at
org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1123)
 at org.apache.catalina.core.StandardHost.start(StandardHost.java:614)
 at
org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1123)
 at
org.apache.catalina.core.StandardEngine.start(StandardEngine.java:343)
 at
org.apache.catalina.core.StandardService.start(StandardService.java:388)
 at
org.apache.catalina.core.StandardServer.start(StandardServer.java:506)
 at org.apache.catalina.startup.Catalina.start(Catalina.java:781)
 at org.apache.catalina.startup.Catalina.execute(Catalina.java:681)
 at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)  at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.jav
a:39)
 at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor
Impl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:324)
 at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:243)
Ajp13Connector[8009] Opening server socket on host IP address 127.0.0.1
Ajp13Connector[8009] Starting background thread Ajp13Processor[8009][0]
Starting background thread Ajp13Processor[8009][1] Starting background
thread Ajp13Processor[8009][2] Starting background thread
Ajp13Processor[8009][3] Starting background thread
Ajp13Processor[8009][4] Starting background thread

 

Met vriendelijke groet,


Marcel Overdijk




 

[beanutils] Re: security problem with accessing files

Posted by robert burrell donkin <ro...@blueyonder.co.uk>.
please remember to prefix the subject line with the name of the component (here, [beanutils]).

- robert

On Thursday, May 15, 2003, at 08:00 AM, Marcel Overdijk wrote:

> Hello,
>
> I'm having a security problem with accessing files. I received the
> information below from Robert.
>
> Which do I have to change ?
>
> ---------------
>
> your ISP is running a security manager with a restricted security
> policy.
> this policy is preventing dynamic discovery of properties through
> reflection. this prevents beanutils from working correctly.
>
> IMHO there is no real security reason why your ISP should have this
> policy
> (for non-applets). i would suggest that you learn about security
> managers
> and use this information to educate your ISP and to lobby for a change
>
> to a less restrictive security policy for servlets.
>
> - robert
>
> ---------------
>
> Starting service Tomcat-Apache13
> Apache Tomcat/4.0.3
> WebappLoader[]: Deploying class repositories to work directory
> /var/tomcat4/work/defaulthost/_
> StandardManager[]: Seeding random number generator class
> java.security.SecureRandom
> StandardManager[]: Seeding of random number generator has been completed
> ContextConfig[]: Missing application web.xml, using defaults only
> ContextConfig[]: Added certificates -> request attribute Valve
> StandardWrapper[:default]: Loading container servlet default
> StandardWrapper[:invoker]: Loading container servlet invoker
> register('-//Apache Software Foundation//DTD Struts Configuration
> 1.0//EN',
> 'jar:file:/home/virtual/site46/fst/var/www/html/WEB-INF/lib/struts.jar!/
> org/apache/struts/resources/struts-config_1_0.dtd'
> register('-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN',
> 'jar:file:/home/virtual/site46/fst/var/www/html/WEB-INF/lib/struts.jar!/
> org/apache/struts/resources/web-app_2_2.dtd'
> register('-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN',
> 'jar:file:/home/virtual/site46/fst/var/www/html/WEB-INF/lib/struts.jar!/
> org/apache/struts/resources/web-app_2_3.dtd'
> resolveEntity('-//Apache Software Foundation//DTD Struts Configuration
> 1.0//EN', 'http://jakarta.apache.org/struts/dtds/struts-config_1_0.dtd')
>  Resolving to alternate DTD
> 'jar:file:/home/virtual/site46/fst/var/www/html/WEB-INF/lib/struts.jar!/
> org/apache/struts/resources/struts-config_1_0.dtd'
> New org.apache.struts.action.ActionForward
> Set org.apache.struts.action.ActionForward properties
> Call
> org.apache.struts.tiles.ActionComponentServlet.addForward(ActionForward[
> failure])
> Pop org.apache.struts.action.ActionForward
> New org.apache.struts.action.ActionMapping
> Set org.apache.struts.action.ActionMapping properties
> Call
> org.apache.struts.tiles.ActionComponentServlet.addMapping(ActionMapping[
> path=/tiles-admin/reload,
> type=org.apache.struts.tiles.actions.ReloadDefinitionsAction])
> Pop org.apache.struts.action.ActionMapping
> New org.apache.struts.action.ActionMapping
> Set org.apache.struts.action.ActionMapping properties
> Call
> org.apache.struts.tiles.ActionComponentServlet.addMapping(ActionMapping[
> path=/tiles-admin/view,
> type=org.apache.struts.tiles.actions.ViewDefinitionsAction])
> Pop org.apache.struts.action.ActionMapping
> New org.apache.struts.action.ActionMapping
> Set org.apache.struts.action.ActionMapping properties
> Call
> org.apache.struts.tiles.ActionComponentServlet.addMapping(ActionMapping[
> path=/test, type=org.apache.struts.actions.ForwardAction])
> Pop org.apache.struts.action.ActionMapping
> New org.apache.struts.action.ActionMapping
> Set org.apache.struts.action.ActionMapping properties
> Call
> org.apache.struts.tiles.ActionComponentServlet.addMapping(ActionMapping[
> path=/home, type=org.apache.struts.actions.ForwardAction])
> Pop org.apache.struts.action.ActionMapping
> New org.apache.struts.action.ActionMapping
> Set org.apache.struts.action.ActionMapping properties
> Call
> org.apache.struts.tiles.ActionComponentServlet.addMapping(ActionMapping[
> path=/trends, type=org.apache.struts.actions.ForwardAction])
> Pop org.apache.struts.action.ActionMapping
> New org.apache.struts.action.ActionMapping
> Set org.apache.struts.action.ActionMapping properties
> Call
> org.apache.struts.tiles.ActionComponentServlet.addMapping(ActionMapping[
> path=/productlijn, type=org.apache.struts.actions.ForwardAction])
> Pop org.apache.struts.action.ActionMapping
> New org.apache.struts.action.ActionMapping
> Set org.apache.struts.action.ActionMapping properties
> Call
> org.apache.struts.tiles.ActionComponentServlet.addMapping(ActionMapping[
> path=/prijzen, type=org.apache.struts.actions.ForwardAction])
> Pop org.apache.struts.action.ActionMapping
> New org.apache.struts.action.ActionMapping
> Set org.apache.struts.action.ActionMapping properties
> Call
> org.apache.struts.tiles.ActionComponentServlet.addMapping(ActionMapping[
> path=/contact, type=org.apache.struts.actions.ForwardAction])
> Pop org.apache.struts.action.ActionMapping
> register('-//Apache Software Foundation//DTD Struts Configuration
> 1.0//EN',
> 'jar:file:/home/virtual/site46/fst/var/www/html/WEB-INF/lib/struts.jar!/
> org/apache/struts/resources/struts-config_1_0.dtd'
> register('-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN',
> 'jar:file:/home/virtual/site46/fst/var/www/html/WEB-INF/lib/struts.jar!/
> org/apache/struts/resources/web-app_2_2.dtd'
> register('-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN',
> 'jar:file:/home/virtual/site46/fst/var/www/html/WEB-INF/lib/struts.jar!/
> org/apache/struts/resources/web-app_2_3.dtd'
> resolveEntity('-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN',
> 'http://java.sun.com/j2ee/dtds/web-app_2_2.dtd')
>  Resolving to alternate DTD
> 'jar:file:/home/virtual/site46/fst/var/www/html/WEB-INF/lib/struts.jar!/
> org/apache/struts/resources/web-app_2_2.dtd'
> Call
> org.apache.struts.tiles.ActionComponentServlet.addServletMapping(action/
> java.lang.String,*.do/java.lang.String)
> java.security.AccessControlException: access denied
> (java.lang.RuntimePermission accessDeclaredMembers)  at
> java.security.AccessControlContext.checkPermission(AccessControlContext.
> java:270)
>  at
> java.security.AccessController.checkPermission(AccessController.java:401
> )
>  at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
>  at
> java.lang.SecurityManager.checkMemberAccess(SecurityManager.java:1662)
>  at java.lang.Class.checkMemberAccess(Class.java:1401)
>  at java.lang.Class.getDeclaredMethods(Class.java:1101)
>  at
> org.apache.commons.beanutils.MappedPropertyDescriptor$1.run(MappedProper
> tyDescriptor.java:381)
>  at java.security.AccessController.doPrivileged(Native Method)  at
> org.apache.commons.beanutils.MappedPropertyDescriptor.getPublicDeclaredM
> ethods(MappedPropertyDescriptor.java:378)
>  at
> org.apache.commons.beanutils.MappedPropertyDescriptor.internalFindMethod
> (MappedPropertyDescriptor.java:448)
>  at
> org.apache.commons.beanutils.MappedPropertyDescriptor.findMethod(MappedP
> ropertyDescriptor.java:522)
>  at
> org.apache.commons.beanutils.MappedPropertyDescriptor.<init>(MappedPrope
> rtyDescriptor.java:149)
>  at
> org.apache.commons.beanutils.PropertyUtils.getPropertyDescriptor(Propert
> yUtils.java:886)
>  at
> org.apache.commons.beanutils.BeanUtils.setProperty(BeanUtils.java:846)
>  at org.apache.commons.beanutils.BeanUtils.populate(BeanUtils.java:726)
>  at
> org.apache.struts.tiles.DefinitionsFactoryConfig.populate(DefinitionsFac
> toryConfig.java:355)
>  at
> org.apache.struts.tiles.DefinitionsUtil.populateDefinitionsFactoryConfig
> (DefinitionsUtil.java:391)
>  at
> org.apache.struts.tiles.DefinitionsUtil.readFactoryConfig(DefinitionsUti
> l.java:410)
>  at
> org.apache.struts.tiles.DefinitionsUtil.createDefinitionsFactory(Definit
> ionsUtil.java:213)
>  at
> org.apache.struts.tiles.DefinitionsUtil.createDefinitionsFactory(Definit
> ionsUtil.java:248)
>  at
> org.apache.struts.tiles.ActionComponentServlet.initComponentDefinitionsM
> apping(ActionComponentServlet.java:136)
>  at
> org.apache.struts.tiles.ActionComponentServlet.init(ActionComponentServl
> et.java:109)
>  at javax.servlet.GenericServlet.init(GenericServlet.java:258)
>  at
> org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.jav
> a:916)
>  at
> org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:808)
>  at
> org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.j
> ava:3266)
>  at
> org.apache.catalina.core.StandardContext.start(StandardContext.java:3395
> )
>  at
> org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1123)
>  at org.apache.catalina.core.StandardHost.start(StandardHost.java:614)
>  at
> org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1123)
>  at
> org.apache.catalina.core.StandardEngine.start(StandardEngine.java:343)
>  at
> org.apache.catalina.core.StandardService.start(StandardService.java:388)
>  at
> org.apache.catalina.core.StandardServer.start(StandardServer.java:506)
>  at org.apache.catalina.startup.Catalina.start(Catalina.java:781)
>  at org.apache.catalina.startup.Catalina.execute(Catalina.java:681)
>  at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
>  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)  at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.jav
> a:39)
>  at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor
> Impl.java:25)
>  at java.lang.reflect.Method.invoke(Method.java:324)
>  at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:243)
> Ajp13Connector[8009] Opening server socket on host IP address 127.0.0.1
> Ajp13Connector[8009] Starting background thread Ajp13Processor[8009][0]
> Starting background thread Ajp13Processor[8009][1] Starting background
> thread Ajp13Processor[8009][2] Starting background thread
> Ajp13Processor[8009][3] Starting background thread
> Ajp13Processor[8009][4] Starting background thread
>
>
>
> Met vriendelijke groet,
>
>
> Marcel Overdijk
>
>
>
>
>