Posted to soap-user@ws.apache.org by Steeve Gilbert <St...@canammanac.com> on 2001/08/10 17:49:16 UTC

Security with Tomcat and Soap

I've been using Soap with Tomcat and now I want to add the security
features of Tomcat.  The server starts fine except for a weird little error
message:

XXX resource not found !!! /org/apache/tomcat/resources/web.dtd
sun.misc.Launcher$AppClassLoader
XmlMapper: Can't find resource for entity: -//Sun Microsystems, Inc.//DTD Web Application 2.2//EN --> http://java.sun.com/j2ee/dtds/web-app_2_2.dtd
"/org/apache/tomcat/resources/web.dtd"

But the server works anyway.  I can browse the web page OK, but if I go to
the Soap Admin screen (or I do other soap related stuff) I get this
error...

java.security.AccessControlException: access denied (java.io.FilePermission C:\Program Files\jakarta-tomcat-3.2.3\webapps\soap\WEB-INF\classes read)
     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:195)
     at java.security.AccessController.checkPermission(AccessController.java:403)
     at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
     at java.lang.SecurityManager.checkRead(SecurityManager.java:873)
     at java.io.File.isDirectory(File.java:566)

Then I thought adding the following lines to the tomcat.policy could help me
but it doesn't.

grant codeBase "file:${tomcat.home}/webapps/soap/-" {
  permission java.security.AllPermission;
};

Can someone help me?

Steeve...



Re: Security with Tomcat and Soap

Posted by Rich Catlett <ri...@more.net>.
In general it's a really bad idea to give all permissions to anything 
except maybe to the jdk, or else you might as well not have security 
running anyway.  To fix your problem here is a sample start script to 
use when starting up tomcat, you'll have to change as appropriate as you 
use a windows box.  You should be able to figure out how to turn it into 
a .bat file.  The important part though is the TOMCAT_OPTS line for 
debugging security.  Comment out the first line and uncomment the 
second.  Then start up tomcat, and try to run your app.  You can then go 
to the tomcat.outfile in the log directory and search through it for the 
word denied, it will show up every time tomcat or your application tried 
to do something it did not have permission, according to the 
tomcat.policy file, to do.  Then once you find a denied you will want to 
scroll down to find the codebase that attempted to do the action, this 
will be listed after the stack trace that follows the denied.  Then you 
will need to find that codebase in the policy file or create that 
codebase in the policy file, and then add the appropriate permission, such 
as in the case of this e-mail

permission java.io.FilePermission "C:\\Program Files\\jakarta-tomcat-3.2.3\\webapps\\soap\\WEB-INF\\classes\\-", "read";

good luck.

#!/bin/sh

unset CLASSPATH
TOMCAT_HOME=/usr/local/soap
BINDIR=${TOMCAT_HOME}/bin

JAVA_HOME=/usr/j2se

PATH=${JAVA_HOME}/../bin:${PATH}
# Normal operation:
TOMCAT_OPTS=-server
# Security debugging (swap with the line above to log permission checks):
#TOMCAT_OPTS="-server -Djava.security.debug=access,failure"

export TOMCAT_HOME JAVA_HOME PATH CLASSPATH TOMCAT_OPTS

TOMCAT_USER=tomcat
TOMCAT_OPTIONS=-security

case $1 in
'start')
    echo "Starting Tomcat with the following options: ${TOMCAT_OPTIONS}"
    su ${TOMCAT_USER} -c "${BINDIR}/startup.sh ${TOMCAT_OPTIONS}"
    ;;
'stop')
    su ${TOMCAT_USER} -c ${BINDIR}/shutdown.sh
    ;;
*)
    echo "usage: ${TOMCAT_HOME}/tomcat {start|stop} {TOMCAT_OPTIONS}"
    ;;
esac

Rich Catlett

Steeve Gilbert wrote:

>I've been using Soap with Tomcat and now I want to add the security
>features of Tomcat.  The server starts fine except for a weird little error
>message:
>
>XXX resource not found !!! /org/apache/tomcat/resources/web.dtd
>sun.misc.Launcher$AppClassLoader
>XmlMapper: Can't find resource for entity: -//Sun Microsystems, Inc.//DTD Web Application 2.2//EN --> http://java.sun.com/j2ee/dtds/web-app_2_2.dtd
>"/org/apache/tomcat/resources/web.dtd"
>
>But the server works anyway.  I can browse the web page OK, but if I go to
>the Soap Admin screen (or I do other soap related stuff) I get this
>error...
>
>java.security.AccessControlException: access denied (java.io.FilePermission C:\Program Files\jakarta-tomcat-3.2.3\webapps\soap\WEB-INF\classes read)
>     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:195)
>     at java.security.AccessController.checkPermission(AccessController.java:403)
>     at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
>     at java.lang.SecurityManager.checkRead(SecurityManager.java:873)
>     at java.io.File.isDirectory(File.java:566)
>
>Then I thought adding the following lines to the tomcat.policy could help me
>but it doesn't.
>
>grant codeBase "file:${tomcat.home}/webapps/soap/-" {
>  permission java.security.AllPermission;
>};
>
>Can someone help me?
>
>Steeve...
>
>
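
The log triage described in the reply above, as an added example that is not part of the original thread: it reads `-Djava.security.debug=access,failure` output and prints one candidate grant entry per failing codebase, with each denied permission listed once. The log lines are constructed, the layout they follow is an assumption about the JVM's debug output, and `sample_log` and `suggest_grants` are hypothetical names.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed log layout: an "access denied
# (<class> <target> [<actions>])" line, later followed by a
# "domain that failed ProtectionDomain (<codebase> ...)" line.

# Constructed sample of -Djava.security.debug=access,failure output.
sample_log() {
cat <<'EOF'
access: access allowed (java.util.PropertyPermission user.dir read)
access: access denied (java.io.FilePermission /usr/local/soap/webapps/soap/WEB-INF/classes read)
java.lang.Exception: Stack trace
access: domain that failed ProtectionDomain (file:/usr/local/soap/lib/example-a.jar <no certificates>)
access: access denied (java.io.FilePermission /usr/local/soap/webapps/soap/WEB-INF/classes read)
access: domain that failed ProtectionDomain (file:/usr/local/soap/lib/example-a.jar <no certificates>)
access: access denied (java.lang.RuntimePermission getClassLoader)
access: domain that failed ProtectionDomain (file:/usr/local/soap/lib/example-b.jar <no certificates>)
EOF
}

# suggest_grants [LOGFILE]: print candidate grant blocks for review.
# Limits: targets are not backslash-escaped (double them by hand for
# Windows paths) and a codebase is cut at its first space.
suggest_grants() {
    awk '
    /access denied \(/ {                      # remember the denied permission
        perm = $0
        sub(/^.*access denied \(/, "", perm)
        sub(/\)[ \t]*$/, "", perm)
    }
    perm != "" && /ProtectionDomain/ {        # first domain after the denial
        cb = $0
        sub(/^.*ProtectionDomain[ \t]*\(/, "", cb)
        sub(/[ \t].*$/, "", cb)
        n = split(perm, f, " ")
        entry = f[1] " \"" f[2]
        for (i = 3; i < n; i++) entry = entry " " f[i]   # target may hold spaces
        entry = entry "\"" (n > 2 ? ", \"" f[n] "\"" : "")
        if (!((cb, entry) in seen)) {
            seen[cb, entry] = 1
            if (!(cb in body)) cbs[++ncb] = cb
            body[cb] = body[cb] "  permission " entry ";\n"
        }
        perm = ""
    }
    END { for (i = 1; i <= ncb; i++)
              printf "grant codeBase \"%s\" {\n%s};\n", cbs[i], body[cbs[i]]
    }' "$@"
}

sample_log | suggest_grants
```

Each printed entry is only a record of what was denied; widen a target to a directory form such as `classes/-` only where the code really needs the whole tree.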



