You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Steve Major <st...@themajorshome.com> on 2011/10/21 19:21:27 UTC
SSI SecurityException
Hello folks,
I have a new Tomcat install, version 7.0.21 running on OS X 10.6.8 server (not using Apple's install of Tomcat, BTW), and Java 1.6.0. I've successfully setup a SSI Filter before with Tomcat 6.0 a few years ago with the help of this list, but I'm just stuck right now.
I've uncommented the SSI Filters as described in: http://tomcat.apache.org/tomcat-7.0-doc/ssi-howto.html and enabled all files to be parsed with *
I've made my app privileged with <Context antiResourceLocking="false" privileged="true" > based on the Manager app since it's already privileged. The META-INF directory in my app is where the context.xml is stored with this.
I'm using the Filters because I'd like it to find ssi directives within .jsp files. When I launch Tomcat I see this in my logs:
SEVERE: Exception starting filter ssi
java.lang.SecurityException: Restricted class org.apache.catalina.ssi.SSIFilter
at org.apache.catalina.core.DefaultInstanceManager.checkAccess(DefaultInstanceManager.java:432)
at org.apache.catalina.core.DefaultInstanceManager.checkAccess(DefaultInstanceManager.java:421)
at org.apache.catalina.core.DefaultInstanceManager.loadClassMaybePrivileged(DefaultInstanceManager.java:399)
at org.apache.catalina.core.DefaultInstanceManager.newInstance(DefaultInstanceManager.java:118)
at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:252)
at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:372)
at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:98)
at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4584)
at org.apache.catalina.core.StandardContext$2.call(StandardContext.java:5262)
at org.apache.catalina.core.StandardContext$2.call(StandardContext.java:5257)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
at java.util.concurrent.FutureTask.run(FutureTask.java:138)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:680)
As as test, I tried using the Servlet instead of the Filter and that worked - at least the ssi include was shown, although Tomcat then didn't process the .jsp which I would expect.
I'm sure this is the way I configured it on version 6, but I may have missed something when I made my notes on that install.
Any direction would be appreciated.
-Steve
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: SSI SecurityException
Posted by Steve Major <st...@themajorshome.com>.
Thanks, I figured that out shortly before getting your reply.
Moving the filter and mapping into the app's web.xml has eliminated the error from the logs, however, the ssi still won't display a result.
By this I mean if I insert: Today is <!--#echo var="DATE_LOCAL" --> into my .jsp, when I view the page I only see "Today is".
My previous experience with Apache's SSI suggests if it wasn't enabled correctly, I'd see "Today is <!--#echo var="DATE_LOCAL" -->" on my page because it just would assume that directive is text.
Assuming Tomcat follows the same, it would tell me that it is parsing it and for whatever reason not outputting a result. I could be wrong.
Thank you again for your time.
-Steve
On Oct 21, 2011, at 3:01 PM, Konstantin Kolinko wrote:
>> Should I copy it from the conf directory in its entirety or just a subsection of the file?
>
> Only definition of the filter and its mapping.
>
> Best regards,
> Konstantin Kolinko
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: SSI SecurityException
Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/10/21 Steve Major <st...@themajorshome.com>:
> Hello, thank you for replying!
>
> Yes, that is the location I uncommented it since that is what their instructions say. I'm only deploying a single webapp, so I do not mind it being global.
So every webapp will load that filter and thus every webapp has to be
privileged....
> Should I copy it from the conf directory in its entirety or just a subsection of the file?
Only definition of the filter and its mapping.
Best regards,
Konstantin Kolinko
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: SSI SecurityException
Posted by Steve Major <st...@themajorshome.com>.
Hello, thank you for replying!
Yes, that is the location I uncommented it since that is what their instructions say. I'm only deploying a single webapp, so I do not mind it being global. I do see how it would be tidier in the future, if I deploy more, to do it on a per-app basis. If this is contributing to my current problem, I have no issues doing as you suggest.
Should I copy it from the conf directory in its entirety or just a subsection of the file?
Thank you again.
-Steve
On Oct 21, 2011, at 2:27 PM, Konstantin Kolinko wrote:
> 2011/10/21 Steve Major <st...@themajorshome.com>:
>> Hello folks,
>>
>> I have a new Tomcat install, version 7.0.21 running on OS X 10.6.8 server (not using Apple's install of Tomcat, BTW), and Java 1.6.0. I've successfully setup a SSI Filter before with Tomcat 6.0 a few years ago with the help of this list, but I'm just stuck right now.
>>
>> I've uncommented the SSI Filters as described in: http://tomcat.apache.org/tomcat-7.0-doc/ssi-howto.html and enabled all files to be parsed with *
>
> Where did you uncomment it?
>
> You should not have modified conf/web.xml, because it applies to all
> webapps. You should copy it into your webapp only.
>
>
> Best regards,
> Konstantin Kolinko
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: SSI SecurityException
Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/10/21 Steve Major <st...@themajorshome.com>:
> Hello folks,
>
> I have a new Tomcat install, version 7.0.21 running on OS X 10.6.8 server (not using Apple's install of Tomcat, BTW), and Java 1.6.0. I've successfully setup a SSI Filter before with Tomcat 6.0 a few years ago with the help of this list, but I'm just stuck right now.
>
> I've uncommented the SSI Filters as described in: http://tomcat.apache.org/tomcat-7.0-doc/ssi-howto.html and enabled all files to be parsed with *
Where did you uncomment it?
You should not have modified conf/web.xml, because it applies to all
webapps. You should copy it into your webapp only.
Best regards,
Konstantin Kolinko
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org