
List:       xindice-users
Subject:    Re: Tomcat permissions issue when trying to load xindice configuration
From:       Natalia Shilenkova <nshilenkova () gmail ! com>
Date:       2009-06-05 2:25:42
Message-ID: 14DD75B0-7835-4989-95F0-60C6C0637A4C () gmail ! com


On Jun 3, 2009, at 11:09 PM, prasub wrote:
> __________
> OS: Linux Mint 6 (Felicia) - I suppose, it is built on Ubuntu 8.10
> Tomcat version: Tomcat 6.0.18-ubuntu3.1 (from package manager)
> __________
>
> I usually issue the following command to restart the Tomcat Webserver.
>
> mymachine@localhost /etc/init.d $  sudo ./tomcat6 restart
>
> A grep on my tomcat6 for the security word yielded the following result:
> _____________
> mylogin@mymachine /etc/init.d $ more tomcat6 | grep -i security
> # Use the Java security manager? (yes/no)
> TOMCAT6_SECURITY=yes
> if [ "$TOMCAT6_SECURITY" = "yes" ]; then
> 	JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy=$POLICY_CACHE"
> _____________
>
> I guess, I should be turning off security with the option "no". But then,
> is this the best way or do you recommend a better approach to let xindice
> run with proper permissions? If you suggest an alternative approach, can
> you please list out the steps to enable permissions for xindice. I think,
> it will be very useful to me as well as for someone else.
>
> In fact there is an earlier discussion in this forum (I think so) that
> touches the same issue. Except that, it didn't end up with how exactly the
> person (who had a similar issue with some earlier version of Tomcat)
> cleaned up/disabled the "security" word in his Tomcat startup script.
>

That's what I think your options are:

1. Run Xindice under Jetty. Jetty is a servlet container that's
included with the Xindice distribution and can be started with the
"xindiced start" command.

2. Turn off Tomcat's security manager. That option has security
implications, however, and would affect other applications deployed
under Tomcat.

3. Add a new section to the security policy file to grant all
permissions to Xindice:
grant codeBase "file:${catalina.home}/webapps/xindice/-" {
     permission java.security.AllPermission;
};

4. Add a new section to the security policy file that grants only the
permissions that are required to run Xindice. This is part of it:
grant codeBase "file:${catalina.home}/webapps/xindice/-" {
     permission java.util.PropertyPermission "xindice.home", "read";
     permission java.util.PropertyPermission "xindice.db.home", "read";
     permission java.util.PropertyPermission "xindice.configuration", "read";
     permission java.util.PropertyPermission "org.xmldb.common.xml.queries.XPathQueryFactory", "write";
     permission java.lang.RuntimePermission "shutdownHooks";
     permission java.lang.RuntimePermission "getClassLoader";
     permission java.lang.RuntimePermission "setContextClassLoader";
     permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
};
This is not finished (was taking a bit longer than I thought :)), and
the "<<ALL FILES>>" token has to be replaced with the database location...
But you can get the picture.

The best approach, as always, depends on circumstances.

Regards,
Natalia
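
Added example (not part of Natalia's message or of the Xindice or Tomcat distributions): a small Python check that parses a Java policy file and reports the entries from options 3 and 4 that a reviewer would want narrowed, AllPermission and FilePermission on "<<ALL FILES>>". The sample policy is constructed, and /var/lib/xindice/db is an assumed database location.

```python
import re

# Constructed sample: options 3 and 4 from the message (one entry left
# line-wrapped as mailed) plus a scoped entry; the db path is an assumption.
SAMPLE_POLICY = r'''
// grant { permission java.security.AllPermission; };
grant codeBase "file:${catalina.home}/webapps/xindice/-" {
     permission java.security.AllPermission;
};
grant codeBase "file:${catalina.home}/webapps/xindice/-" {
     permission java.io.FilePermission "<<ALL FILES>>",
"read,write,delete";
     permission java.io.FilePermission "/var/lib/xindice/db/-", "read,write,delete";
};
'''

TOKEN_RE = re.compile(r'"([^"]*)"|([{};,])|([^\s"{};,]+)')  # 1=string 2=punct 3=word

def parse_policy(text):
    """Return [[codeBase or None, [(permission_class, [args]), ...]], ...]."""
    text = re.sub(r'(?m)^\s*//.*$', '', text)  # drop whole-line // comments
    grants, prev, cur = [], None, None  # cur: arg list of the open permission
    for m in TOKEN_RE.finditer(text):
        kind, val = m.lastindex, m.group(m.lastindex)
        if kind == 3 and val == 'grant':
            grants.append([None, []])
        elif grants and kind == 1 and prev == 'codeBase':
            grants[-1][0] = val
        elif grants and kind == 3 and prev == 'permission':
            cur = []
            grants[-1][1].append((val, cur))
        elif kind == 2 and val in ';}':
            cur = None  # end of the permission entry or of the grant block
        elif kind == 1 and cur is not None and prev != 'signedBy':
            cur.append(val)
        prev = val if kind == 3 else None
    return grants

def broad_grants(text):
    """(codeBase, class, actions) for each AllPermission or <<ALL FILES>> entry."""
    out = []
    for codebase, perms in parse_policy(text):
        for cls, args in perms:
            if cls == 'java.security.AllPermission':
                out.append((codebase, cls, None))
            elif cls == 'java.io.FilePermission' and args[:1] == ['<<ALL FILES>>']:
                out.append((codebase, cls, args[1] if len(args) > 1 else None))
    return out
```

Because the tokenizer ignores line breaks, a permission entry wrapped across two lines is read the same way as one written on a single line.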

