Posted to user@jspwiki.apache.org by luca80 <lu...@eng.it> on 2008/07/29 16:37:02 UTC

JONAS - Policy problem

Hi All, 
I have a problem with JONAS that isn't reading the JSPWiki policy file.

I'm using JSPWiki 2.6.2, JONAS 4.8.6 with Tomcat 5.5.17.

I also tried JSPWiki 2.6.2 in Tomcat 5.5.26, without Jonas, and it works. Is
there any setting that I'm missing? Are there any known problems with Jonas?

All I did is this: 
I simply moved some permissions from Authenticated group to a new Group
called Test. I added some users to this group and when I log in as a user of
this group I can see the differences in the permissions in Tomcat, but not
in Jonas.

In Tomcat I modified these files:
userdatabase.xml
groupdatabase.xml
jspwiki.policy
jspwiki.properties

In Jonas I had to add the classes defined in jspwiki.jaas in the jaas.config
of Jonas.
I see that there is also a java.policy in the conf dir of Jonas, is that the
problem?

Thanks for any suggestion,
Luca.
-- 
View this message in context: http://www.nabble.com/JONAS---Policy-problem-tp18713683p18713683.html
Sent from the JspWiki - User mailing list archive at Nabble.com.


Re: JONAS - Policy problem

Posted by luca80 <lu...@eng.it>.
Hi Craig, 
I did what you suggested to me, but I'm stuck loading a resource. Am I
missing some other permission?

I granted all permissions to all directories except that of my application.

The policy file looks like this:

grant codeBase "file:/C:/tmp/JONAS_4_8_6/bin/-" {
    permission java.security.AllPermission;
};
... granting all to all other dirs ...
grant codeBase "file:/C:/tmp/JONAS_4_8_6/work/webapps/jonas/single/jonasAdmin/-" {
    permission java.security.AllPermission;
};
grant codeBase "file:/C:/tmp/JONAS_4_8_6/work/webapps/jonas/single/JSPWiki/-" {
    permission java.util.PropertyPermission "*", "read, write";
    permission java.io.FilePermission "C:\\tmp\\JONAS_4_8_6\\-", "read, write, delete";
};


But I get an exception from this code:
url = m_engine.getServletContext().getResource( "/WEB-INF/web.xml" );
which returns null instead of the URL of web.xml.

If I give all permissions to all, this code works well. What kind of
permission am I missing?

I also tried:
grant codeBase "file:/C:/Programmi/Java/-" { permission java.security.AllPermission; };
because the ServletContext is a standard Java class, but it didn't work.

Any idea?


Craig L Russell wrote:
> 
> ...
> For starters, you can grant Jonas all permissions by explicitly  
> putting the jonas jar file(s) into their own security domain, e.g.
> grant <jonas jar> { permission java.security.AllPermission;}
> 
> You will quickly find that simple stuff like your application reading  
> java properties will trigger a security exception. So you add stuff to  
> the general grant.
> ... 
> 

-- 
View this message in context: http://www.nabble.com/JONAS---Policy-problem-tp18713683p18750110.html
Sent from the JspWiki - User mailing list archive at Nabble.com.


Re: JONAS - Policy problem

Posted by Craig L Russell <Cr...@Sun.COM>.
Hi Luca,

I've just been through the security gauntlet myself, and I can tell  
you it's an interesting but tough challenge to get an application to  
run with security enabled.

For starters, you can grant Jonas all permissions by explicitly  
putting the jonas jar file(s) into their own security domain, e.g.
grant <jonas jar> { permission java.security.AllPermission;}

You will quickly find that simple stuff like your application reading  
java properties will trigger a security exception. So you add stuff to  
the general grant. My application seemed to need a bunch of things  
just to get to the interesting parts:

// All classes in the classpath
grant {
// c3p0 seems to require PropertyPermission of write (don't know why)
     permission java.util.PropertyPermission "*", "read, write";
     permission java.io.FilePermission "${user.home}${/}.maven/repository${/}-", "read";
     permission java.io.FilePermission "${jdo.tck.basedir}${/}target${/}-", "read, write";
// bug in security? needed for Derby to create tck2/target/database/derby/../../logs
     permission java.io.FilePermission "${jdo.tck.basedir}${/}-", "read, write, delete";
// needed for JNDI FSContext
     permission java.io.FilePermission "${/}", "read";
     permission java.lang.RuntimePermission "createClassLoader";
     permission java.io.FilePermission "${user.dir}${/}-", "read";
};

And there is the requirement to wrap all calls to privileged  
operations in the doPrivileged block:

     public static Method getPublicPutMethodForResultClass(final Class resultClass)
     {
         return (Method)AccessController.doPrivileged(new PrivilegedAction()
         {
             public Object run()
             {
                 try {
                     return resultClass.getMethod("put", classArrayObjectObject);
                 } catch (NoSuchMethodException ex) {
                     return null;
                 }
             }
         });
     }

And the java reference material that I've found useful:

http://java.sun.com/j2se/1.4.2/docs/guide/security/spec/security-spec.doc6.html

Good luck,

Craig

On Jul 29, 2008, at 8:56 AM, luca80 wrote:

>
> I found that Jonas reads his own policy file which, by default, is  
> like this:
>
> grant {
>  // Allow everything for now
>  permission java.security.AllPermission;
> };
>
> So it allow every permission to all and this is a problem, because it
> overrides the JSPWiki permissions that I try to add in the same file.
> I tried to comment the default Jonas permission, but, in this way,  
> even
> Jonas can't run! >-(
>
> Anyone can help me?
>
> Thanks,
> Luca
>
>
> luca80 wrote:
>>
>> Hi All,
>> I have a problem with JONAS that isn't reading the JSPWiki policy  
>> file.
>>
>> I'm using JSPWiki 2.6.2, JONAS 4.8.6 with Tomcat 5.5.17.
>>
>> I tried also JSPWiki 2.6.2 in Tomcat 5.5.26, without Jonas, and it  
>> works.
>> Is there any setting that I'm missing? Is there any known problems  
>> with
>> Jonas?
>>
>> All I did is this:
>> I simply moved some permissions from Authenticated group to a new  
>> Group
>> called Test. I added some users to this group and when I log in as  
>> a user
>> of this group I can see the differences in the permissions in  
>> Tomcat, but
>> not in Jonas.
>>
>> In Tomcat I modified this files:
>> userdatabase.xml
>> groupdatabase.xml
>> jspwiki.policy
>> jspwiki.properties
>>
>> In Jonas I had to add the classes defined in jspwiki.jaas in the
>> jaas.config of Jonas.
>> I see that there is also a java.policy in the conf dir of Jonas, is  
>> that
>> the problem?
>>
>> Thanks for any suggestion,
>> Luca.
>>
>
> -- 
> View this message in context: http://www.nabble.com/JONAS---Policy-problem-tp18713683p18715483.html
> Sent from the JspWiki - User mailing list archive at Nabble.com.
>

Craig L Russell
Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
408 276-5638 mailto:Craig.Russell@sun.com
P.S. A good JDO? O, Gasp!


Re: JONAS - Policy problem

Posted by luca80 <lu...@eng.it>.
I found that Jonas reads its own policy file which, by default, is like this:

grant {
  // Allow everything for now
  permission java.security.AllPermission;
};

So it allows every permission to all, and this is a problem, because it
overrides the JSPWiki permissions that I try to add in the same file.
I tried to comment out the default Jonas permission, but, in this way, even
Jonas can't run! >-(

Can anyone help me?

Thanks, 
Luca


luca80 wrote:
> 
> Hi All, 
> I have a problem with JONAS that isn't reading the JSPWiki policy file.
> 
> I'm using JSPWiki 2.6.2, JONAS 4.8.6 with Tomcat 5.5.17.
> 
> I tried also JSPWiki 2.6.2 in Tomcat 5.5.26, without Jonas, and it works.
> Is there any setting that I'm missing? Is there any known problems with
> Jonas?
> 
> All I did is this: 
> I simply moved some permissions from Authenticated group to a new Group
> called Test. I added some users to this group and when I log in as a user
> of this group I can see the differences in the permissions in Tomcat, but
> not in Jonas.
> 
> In Tomcat I modified this files:
> userdatabase.xml
> groupdatabase.xml
> jspwiki.policy
> jspwiki.properties
> 
> In Jonas I had to add the classes defined in jspwiki.jaas in the
> jaas.config of Jonas.
> I see that there is also a java.policy in the conf dir of Jonas, is that
> the problem?
> 
> Thanks for any suggestion,
> Luca.
> 

-- 
View this message in context: http://www.nabble.com/JONAS---Policy-problem-tp18713683p18715483.html
Sent from the JspWiki - User mailing list archive at Nabble.com.
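
Added example, not part of the original thread and not JSPWiki or JOnAS code: Java policy grants are unioned per code source, so the unscoped AllPermission entry quoted above makes every codeBase-scoped entry in the same file redundant. This Python sketch parses a policy file and reports that condition; both sample policies are constructed from the snippets in the thread, and the function names are hypothetical.

```python
import re

ALL = "java.security.AllPermission"
# Matches a quoted string or a comment, so comment markers inside strings survive.
TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)
# grant <header> { <body> };  quoted strings (which may hold "${/}") are skipped whole.
GRANT_RE = re.compile(
    r'\bgrant\b((?:"[^"]*"|[^"{])*)\{((?:"(?:\\.|[^"\\])*"|[^"}])*)\}\s*;', re.S)
PERM_RE = re.compile(r'\bpermission\s+([\w.$]+)')

# Constructed sample: the default grant quoted in the thread, followed by a
# codeBase-scoped JSPWiki grant added to the same file.
DEFAULT_POLICY = r'''
grant {
  // Allow everything for now
  permission java.security.AllPermission;
};
grant codeBase "file:/C:/tmp/JONAS_4_8_6/work/webapps/jonas/single/JSPWiki/-" {
  permission java.util.PropertyPermission "*", "read, write";
  permission java.io.FilePermission "C:\\tmp\\JONAS_4_8_6\\-", "read, write, delete";
};
'''
# Constructed sample: the same file with AllPermission scoped to a codeBase.
SCOPED_POLICY = DEFAULT_POLICY.replace(
    "grant {", 'grant codeBase "file:/C:/tmp/JONAS_4_8_6/bin/-" {', 1)

def parse_grants(text):
    """Return one dict per grant entry: its scope (header text) and permission classes."""
    text = TOKEN_RE.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)
    return [{"scope": " ".join(header.split()), "permissions": PERM_RE.findall(body)}
            for header, body in GRANT_RE.findall(text)]

def audit(text):
    """Return (blanket, redundant): blanket is True when an entry with no codeBase,
    signedBy or principal grants AllPermission; redundant lists the scoped entries
    that then add nothing, because grants are unioned per code source."""
    grants = parse_grants(text)
    blanket = any(g["scope"] == "" and ALL in g["permissions"] for g in grants)
    redundant = [g["scope"] for g in grants if blanket and g["scope"]]
    return blanket, redundant

if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit(policy))
```
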