
List:       tomcat-user
Subject:    RE: ClassLoader/Security Manager Question
From:       "George Sexton" <gsexton () mhsoftware ! com>
Date:       2006-01-21 5:27:59
Message-ID: 20060121052759.C70916635F () mail ! mhsoftware ! com

Thanks for your help. With the debugging tip you gave me, I was able to
figure it out.

It turns out that the problem was Class B trying to reference class A?

grant codeBase "file:Z:/CDAILY/WEB-INF/classes/-" {
        permission java.lang.RuntimePermission "accessDeclaredMembers";
        permission java.lang.RuntimePermission "accessClassInPackage.com.MHSoftware.db.*";
};

Now all I have to figure out is how to handle the grant to the codebase when
I have a hundred jars...

George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
  

> -----Original Message-----
> From: Larry Isaacs [mailto:Larry.Isaacs@sas.com] 
> Sent: Friday, January 20, 2006 4:37 PM
> To: Tomcat Users List
> Subject: RE: ClassLoader/Security Manager Question
> 
> For reasons that are difficult to predict or calculate,
> some other protection domain (i.e. codeBase) for somebody
> in the stack may be missing this permission.  I've given
> up trying to figure these out after the obvious doesn't
> fix it.
> 
> Try adding:
> 
>  -Djava.security.debug=access,failure
> 
> to your Tomcat startup arguments.  Hopefully you can capture
> the output around the point of failure.  There will be a lot
> of output.
> 
> Look for "access denied".  That will give you the missing
> permission.  Not too far below that you can find the domain
> that failed, which will give you the codeBase missing the
> permission.  It is not unusual to see something unexpected.
> Somewhere below that you can see the permissions that this
> domain does currently have.  This is where you might find that
> a permission you tried to grant has a typo, so it doesn't serve
> its purpose.  Give it a try and see if anything turns up.
> 
> Cheers,
> Larry
> 
> > -----Original Message-----
> > From: George Sexton [mailto:gsexton@mhsoftware.com] 
> > Sent: Friday, January 20, 2006 3:46 PM
> > To: 'Tomcat Users List'
> > Subject: ClassLoader/Security Manager Question
> > 
> > I'm trying to get my app to run under the security manager 
> > and I'm hitting some problems. 
> > 
> > I have class B, derived from class A, in Jar B in the 
> > WEB-INF/lib directory
> > 
> > Class A is in Jar A in the shared/lib directory.
> > 
> > I created an entry in the catalina.policy file:
> > 
> > grant codeBase "file:${catalina.base}/shared/-" {
> >         permission java.lang.RuntimePermission "accessClassInPackage.*";
> >         permission java.security.AllPermission;
> > };
> > 
> > When a method defined in Class A uses reflection to get the 
> > constructors for Class B, the following error message happens:
> > 
> > 01/20/2006 13:24:36 java.security.AccessControlException: access denied (java.lang.RuntimePermission accessDeclaredMembers)
> > at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
> > at java.security.AccessController.checkPermission(AccessController.java:427)
> > at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> > at java.lang.SecurityManager.checkMemberAccess(SecurityManager.java:1662)
> > at java.lang.Class.checkMemberAccess(Class.java:2125)
> > at java.lang.Class.getDeclaredConstructor(Class.java:1952)
> > 
> > I've done some research and it seems like what I'm trying to 
> > do should work if I specify accessClassInPackage. I've tried 
> > explicitly setting the class A package in the 
> > accessClassInPackage statement but I'm not making any headway.
> > 
> > I would rather not put Jar A in WEB-INF/lib because I have 
> > something like 100 contexts that all use that jar and I'm 
> > already hitting issues with PermGenSpace. I also can't put 
> > Jar B in shared/lib because of design (or lack thereof).
> > 
> > Does anyone have any ideas (other than the obvious one of 
> > putting Jar A in WEB-INF/lib)?
> > 
> > George Sexton
> > MH Software, Inc.
> > http://www.mhsoftware.com/
> > Voice: 303 438 9585
> >  
> > 
> > 
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> > 
> > 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
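
Added example, not part of the original messages: a small triage script for the `-Djava.security.debug=access,failure` procedure quoted above. It pairs each "access denied" line with the "domain that failed" line that follows it and renders candidate grant blocks per codeBase, which also helps when many jars are involved. The function names, the sample log, and the `/opt/example` paths are constructed for illustration, and the script assumes the JDK's usual "access denied" / "domain that failed ProtectionDomain" line layout.

```python
import re
from collections import defaultdict

# Constructed sample of -Djava.security.debug=access,failure output
# (paths and package names are made up, not taken from the thread).
SAMPLE = """\
access: access allowed (java.util.PropertyPermission line.separator read)
access: access denied (java.lang.RuntimePermission accessDeclaredMembers)
java.lang.Exception: Stack trace
\tat java.lang.Thread.dumpStack(Thread.java:1158)
access: domain that failed ProtectionDomain  (file:/opt/example/app/WEB-INF/classes/ <no signer certificates>)
 <no principals>
 java.security.Permissions@1a2b3c (
 (java.util.PropertyPermission line.separator read)
)
access: access denied ("java.lang.RuntimePermission" "accessClassInPackage.com.example.db")
access: domain that failed ProtectionDomain  (file:/opt/example/app/WEB-INF/classes/ <no signer certificates>)
"""

DENIED = re.compile(r'access denied \((.*)\)\s*$')
DOMAIN = re.compile(r'domain that failed ProtectionDomain\s+\((\S+)')

def parse_permission(text):
    """Return (class, name[, actions]) from the quoted or unquoted form."""
    quoted = re.findall(r'"([^"]*)"', text)
    # Unquoted form: a target name containing spaces cannot be split reliably.
    return tuple(quoted) if quoted else tuple(text.split(None, 2))

def missing_by_codebase(log_text):
    """Map each failing codeSource URL to the permissions it was denied."""
    missing, last_denied = defaultdict(set), None
    for line in log_text.splitlines():
        denied = DENIED.search(line)
        domain = DOMAIN.search(line)
        if denied:
            last_denied = parse_permission(denied.group(1))
        elif domain and last_denied:
            missing[domain.group(1)].add(last_denied)
            last_denied = None
    return dict(missing)

def render_grants(missing):
    """Render candidate grant blocks to review before editing catalina.policy."""
    out = []
    for codebase in sorted(missing):
        out.append('grant codeBase "%s" {' % codebase)
        for cls, *args in sorted(missing[codebase]):
            quoted = ", ".join('"%s"' % a for a in args)
            out.append("        permission %s%s;" % (cls, " " + quoted if quoted else ""))
        out.append("};")
    return "\n".join(out)

if __name__ == "__main__":
    print(render_grants(missing_by_codebase(SAMPLE)))
```

The codeBase emitted is the exact location reported for the failing domain, so each grant stays scoped to the code that was actually denied rather than to a broad directory wildcard.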
