List: tomcat-user
Subject: RE: ClassLoader/Security Manager Question
From: "George Sexton" <gsexton () mhsoftware ! com>
Date: 2006-01-21 5:27:59
Message-ID: 20060121052759.C70916635F () mail ! mhsoftware ! com
Thanks for your help. With the debugging tip you gave me, I was able to
figure it out.

It turns out that the problem was Class B trying to reference class A?

grant codeBase "file:Z:/CDAILY/WEB-INF/classes/-" {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.RuntimePermission "accessClassInPackage.com.MHSoftware.db.*";
};

Now all I have to figure out is how to handle the grant to the codebase when
I have a hundred jars...

George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585

> -----Original Message-----
> From: Larry Isaacs [mailto:Larry.Isaacs@sas.com]
> Sent: Friday, January 20, 2006 4:37 PM
> To: Tomcat Users List
> Subject: RE: ClassLoader/Security Manager Question
>
> For reasons that are difficult to predict or calculate,
> some other protection domain (i.e. codeBase) for somebody
> in the stack may be missing this permission. I've given
> up trying to figure these out after the obvious doesn't
> fix it.
>
> Try adding:
>
> -Djava.security.debug=access,failure
>
> to your Tomcat startup arguments. Hopefully you can capture
> the output around the point of failure. There will be a lot
> of output.
>
> Look for "access denied". That will give you the missing
> permission. Not too far below that you can find the domain
> that failed, which will give you the codeBase missing the
> permission. It is not unusual to see something unexpected.
> Somewhere below that you can see the permissions that this
> domain does currently have. This is where you might find that
> a permission you tried to grant has a typo, so it doesn't serve
> its purpose. Give it a try and see if anything turns up.
>
> Cheers,
> Larry
>
> > -----Original Message-----
> > From: George Sexton [mailto:gsexton@mhsoftware.com]
> > Sent: Friday, January 20, 2006 3:46 PM
> > To: 'Tomcat Users List'
> > Subject: ClassLoader/Security Manager Question
> >
> > I'm trying to get my app to run under the security manager
> > and I'm hitting some problems.
> >
> > I have class B, derived from class A, in Jar B in the
> > WEB-INF/lib directory
> >
> > Class A is in Jar A in the shared/lib directory.
> >
> > I created an entry in the catalina.policy file:
> >
> > grant codeBase "file:${catalina.base}/shared/-" {
> >     permission java.lang.RuntimePermission "accessClassInPackage.*";
> >     permission java.security.AllPermission;
> > };
> >
> > When a method defined in Class A uses reflection to get the
> > constructors for Class B, the following error message happens:
> >
> > 01/20/2006 13:24:36 java.security.AccessControlException: access denied (java.lang.RuntimePermission accessDeclaredMembers)
> >     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
> >     at java.security.AccessController.checkPermission(AccessController.java:427)
> >     at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> >     at java.lang.SecurityManager.checkMemberAccess(SecurityManager.java:1662)
> >     at java.lang.Class.checkMemberAccess(Class.java:2125)
> >     at java.lang.Class.getDeclaredConstructor(Class.java:1952)
> >
> > I've done some research and it seems like what I'm trying to
> > do should work if I specify accessClassInPackage. I've tried
> > explicitly setting the class A package in the
> > accessClassInPackage statement but I'm not making any headway.
> >
> > I would rather not put Jar A in WEB-INF/lib because I have
> > something like 100 contexts that all use that jar and I'm
> > already hitting issues with PermGenSpace. I also can't put
> > Jar B in shared/lib because of design (or lack thereof).
> >
> > Does anyone have any ideas (other than the obvious one of
> > putting Jar A in WEB-INF/lib)?
> >
> > George Sexton
> > MH Software, Inc.
> > http://www.mhsoftware.com/
> > Voice: 303 438 9585
> >
> >
> >
> >
> ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
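
The log triage described in the quoted reply (find "access denied", then the "domain that failed" and its codeBase, then the permissions that domain already holds), as an added example that is not part of the original thread. The sample trace is constructed, and its line layout is an assumption modelled on the JDK's access-debug output.

```python
import re

# Constructed, abridged sample of -Djava.security.debug=access,failure output.
# The codeBase mirrors the grant in the message above; the layout is an assumption.
SAMPLE = """\
access: access allowed (java.util.PropertyPermission user.dir read)
access: access denied (java.lang.RuntimePermission accessDeclaredMembers)
java.lang.Exception: Stack trace
\tat java.lang.Thread.dumpStack(Thread.java:1158)
access: domain that failed ProtectionDomain  (file:/Z:/CDAILY/WEB-INF/classes/ <no signer certificates>)
 WebappClassLoader
 <no principals>
 java.security.Permissions@1f2e3d (
  (java.util.PropertyPermission java.version read)
 )
access: access denied ("java.lang.RuntimePermission" "accessClassInPackage.com.MHSoftware.db")
access: domain that failed ProtectionDomain  (file:/Z:/CDAILY/WEB-INF/classes/ <no signer certificates>)
"""

DENIED = re.compile(r"access denied \((.+)\)\s*$")
DOMAIN = re.compile(r"domain that failed ProtectionDomain\s+\((\S+)")
HELD = re.compile(r"^\s+\((.+)\)\s*$")  # one permission the failed domain holds


def missing_by_codebase(text):
    """Map each failing codeBase to the permissions denied to it and those it holds."""
    report, pending, current = {}, [], None
    for line in text.splitlines():
        denied, domain = DENIED.search(line), DOMAIN.search(line)
        if denied:
            # Newer JDKs quote the fields; strip quotes so both styles compare equal.
            pending.append(denied.group(1).replace('"', ""))
            current = None
        elif domain:
            current = report.setdefault(domain.group(1), {"denied": [], "held": []})
            current["denied"] += [p for p in pending if p not in current["denied"]]
            pending = []
        elif line.startswith("access:"):
            current = None  # any other trace line ends the domain dump
        elif current is not None and (held := HELD.match(line)):
            if held.group(1) not in current["held"]:
                current["held"].append(held.group(1))
    return report


if __name__ == "__main__":
    for codebase, info in missing_by_codebase(SAMPLE).items():
        print(codebase)
        for perm in info["denied"]:
            print("  missing:", perm)
        for perm in info["held"]:
            print("  holds:  ", perm)
```

Comparing each "missing" entry against the "holds" list for the same codeBase is where a mistyped grant in catalina.policy shows up.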