The default catalina.policies file does not work. It forgets to grant privileges to the classes in common/lib. Or rather, it is there, but it doesn't work.
I'm not sure how to correctly fix this, I'm currently working around it by also adding the following to /opt/tomcat/conf/catalina.policy: ======================================= grant codeBase "file:/usr/share/tomcat/lib/-" { permission java.security.AllPermission; }; ======================================= This problem prevents tomcat from starting up when using the security manager.
Reassign bug back to bug-wranglers the hardened team does not handle apache or java fluff addons.
Whoever handles this "fluff", would you just fix it already? Btw, without the security manager some arb webapp can just execute System.exit and down comes the server - viewed from that perspective this is not fluff, and quite frankly, it's not a stupid bloody add on that is there for convenience - it's a must have! And the "hardened" team sounds just like the people that should be handling this. Anyway, I've already given the solution as well, all that I'm not sure about is what I should be using instead of the full path, something like ${catalina.lib} or what? Or should catalina actually be following symlinks - which would make more sense?
I'm re-assigning back to bug-wranglers as this is currently just rotting with the Java team.
solar, this honestly looks like something for the hardened team -- granted it's not a core hardened package, but it's still MORE related to you guys than anyone else.
Jaco, can you include some errors please.
Jaco, if you are able, can you also try the ebuild I submitted in Bug 35350. It's tomcat 5 so you can use the latest jdk (woohoo!). The install has been greatly cleaned up.
It just doesn't do anything: # /etc/init.d/tomcat start * Starting Tomcat... Using Security Manager [ ok ] # cat catalina.log Jan 5, 2004 4:46:43 AM org.apache.commons.digester.Digester getParser SEVERE: Digester.getParser: java.security.AccessControlException: access denied (java.io.FilePermission /opt/blackdown-jdk-1.4.1/jre/lib/xerces.properties read) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270) at java.security.AccessController.checkPermission(AccessController.java:401) at java.lang.SecurityManager.checkPermission(SecurityManager.java:542) at java.lang.SecurityManager.checkRead(SecurityManager.java:887) at java.io.File.exists(File.java:677) at org.apache.xerces.util.SecuritySupport12$5.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at org.apache.xerces.util.SecuritySupport12.getFileExists(Unknown Source) at org.apache.xerces.util.ObjectFactory.createObject(Unknown Source) at org.apache.xerces.util.ObjectFactory.createObject(Unknown Source) at org.apache.xerces.parsers.SAXParser.<init>(Unknown Source) at org.apache.xerces.parsers.SAXParser.<init>(Unknown Source) at org.apache.xerces.jaxp.SAXParserImpl.<init>(Unknown Source) at org.apache.xerces.jaxp.SAXParserFactoryImpl.newSAXParser(Unknown Source) at org.apache.commons.digester.Digester.getParser(Digester.java:692) at org.apache.commons.digester.Digester.getXMLReader(Digester.java:908) at org.apache.commons.digester.Digester.parse(Digester.java:1543) at org.apache.catalina.startup.Catalina.start(Catalina.java:449) at org.apache.catalina.startup.Catalina.execute(Catalina.java:400) at org.apache.catalina.startup.Catalina.process(Catalina.java:180) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:324) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:203) Catalina.start: java.lang.NullPointerException java.lang.NullPointerException at org.apache.commons.digester.Digester.getXMLReader(Digester.java:908) at org.apache.commons.digester.Digester.parse(Digester.java:1543) at org.apache.catalina.startup.Catalina.start(Catalina.java:449) at org.apache.catalina.startup.Catalina.execute(Catalina.java:400) at org.apache.catalina.startup.Catalina.process(Catalina.java:180) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:324) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:203) # I can't recall how I found that the problem was with the /usr/share/tomcat/lib/- but as soon as I add the lines mentioned earlier everything works fine. No, I cannot try the newer ebuild (well, not on this server at least). Will download the required files and try on a non-critical machine at home. Will let you know as soon as I have results. Might take a couple of days as I've got lots of other work atm. My suspision on the problem is that the actual file/directory gets resolved, for example /opt/tomcat/common/lib/some/path/to/some/file gets resolved to /usr/share/tomcat/lib/some/path/to/some/file because /opt/tomcat/common/lib is a symlink to /usr/share/tomcat/lib (this is actually the case). This then gets checked against the permissions instead of the orriginal filename. This might be correct, it all depends on how you look at it :). There is two solutions to this problem as far as I'm concerned. Hack the source (not cool, but probably the more correct way, to check against the orriginal names, not the resolved names). Hack the catalina.policies file to anticipate the resolved names. Actually there is a third. Swap the symlink around. Install the entire app under /opt/tomcat and then create symlinks from the other locations if you really need it, for example, instead of installing the stuff under /usr/share/tomcat/lib, install it under /opt/tomcat/common/lib and then symlink /usr/share/tomcat/lib -> /opt/tomcat/common/lib (I personally can't see how this is required).
Should be taken care of in the new tomcat's.
Sorry, tomcat 5 has the same problem
Jaco, it's been 5 months and no other bug reports have been opened about this. Can you help us out a little, and open a new bug using all the proper procedures, etc. I know it's a pain, but it will really help us expedite a fix. Thank you!
No problem. It'll only happen tomorrow morning though.
