ClassLoader/Security Manager Question

George Sexton-2
I'm trying to get my app to run under the security manager and I'm hitting
some problems.

I have class B, derived from class A, in Jar B in the WEB-INF/lib directory

Class A is in Jar A in the shared/lib directory.

I created an entry in the catalina.policy file:

grant codeBase "file:${catalina.base}/shared/-" {
        permission java.lang.RuntimePermission "accessClassInPackage.*";
        permission java.security.AllPermission;
};

When a method defined in Class A uses reflection to get the constructors for
Class B, the following error message happens:

01/20/2006 13:24:36 java.security.AccessControlException: access denied (java.lang.RuntimePermission accessDeclaredMembers)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
at java.security.AccessController.checkPermission(AccessController.java:427)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkMemberAccess(SecurityManager.java:1662)
at java.lang.Class.checkMemberAccess(Class.java:2125)
at java.lang.Class.getDeclaredConstructor(Class.java:1952)

I've done some research and it seems like what I'm trying to do should work
if I specify accessClassInPackage. I've tried explicitly setting the class A
package in the accessClassInPackage statement but I'm not making any
headway.

I would rather not put Jar A in WEB-INF/lib because I have something like
100 contexts that all use that jar and I'm already hitting issues with
PermGenSpace. I also can't put Jar B in shared/lib because of design (or
lack thereof).

Does anyone have any ideas (other than the obvious one of putting Jar A in
WEB-INF/lib)?

George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
 


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

RE: ClassLoader/Security Manager Question

Larry Isaacs
For reasons that are difficult to predict or calculate,
some other protection domain (i.e. codeBase) for somebody
in the stack may be missing this permission.  I've given
up trying to figure these out after the obvious doesn't
fix it.

Try adding:

 -Djava.security.debug=access,failure

to your Tomcat startup arguments.  Hopefully you can capture
the output around the point of failure.  There will be a lot
of output.

Look for "access denied".  That will give you the missing
permission.  Not too far below that you can find the domain
that failed, which will give you the codeBase missing the
permission.  It is not unusual to see something unexpected.
Somewhere below that you can see the permissions that this
domain does currently have.  This is where you might find that
a permission you tried to grant has a typo, so it doesn't serve
its purpose.  Give it a try and see if anything turns up.

Cheers,
Larry

> -----Original Message-----
> From: George Sexton [mailto:[hidden email]]
> Sent: Friday, January 20, 2006 3:46 PM
> To: 'Tomcat Users List'
> Subject: ClassLoader/Security Manager Question
>
> I'm trying to get my app to run under the security manager
> and I'm hitting some problems.
>
> I have class B, derived from class A, in Jar B in the
> WEB-INF/lib directory
>
> Class A is in Jar A in the shared/lib directory.
>
> I created an entry in the catalina.policy file:
>
> grant codeBase "file:${catalina.base}/shared/-" {
>         permission java.lang.RuntimePermission "accessClassInPackage.*";
>         permission java.security.AllPermission;
> };
>
> When a method defined in Class A uses reflection to get the
> constructors for Class B, the following error message happens:
>
> 01/20/2006 13:24:36 java.security.AccessControlException: access denied (java.lang.RuntimePermission accessDeclaredMembers)
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
> at java.security.AccessController.checkPermission(AccessController.java:427)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> at java.lang.SecurityManager.checkMemberAccess(SecurityManager.java:1662)
> at java.lang.Class.checkMemberAccess(Class.java:2125)
> at java.lang.Class.getDeclaredConstructor(Class.java:1952)
>
> I've done some research and it seems like what I'm trying to
> do should work if I specify accessClassInPackage. I've tried
> explicitly setting the class A package in the
> accessClassInPackage statement but I'm not making any headway.
>
> I would rather not put Jar A in WEB-INF/lib because I have
> something like 100 contexts that all use that jar and I'm
> already hitting issues with PermGenSpace. I also can't put
> Jar B in shared/lib because of design (or lack thereof).
>
> Does anyone have any ideas (other than the obvious one of
> putting Jar A in WEB-INF/lib)?
>
> George Sexton
> MH Software, Inc.
> http://www.mhsoftware.com/
> Voice: 303 438 9585
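
Added example, not part of the original thread: a Python pass over captured -Djava.security.debug=access,failure output that pairs each "access denied" line with the "domain that failed" line below it and groups the denied permissions by codeBase. The sample log is constructed, its layout is an assumption modelled on the JDK's debug trace, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample (paths and object ids invented), laid out the way the
# JDK's access/failure debug trace is assumed to print a denial.
SAMPLE_LOG = """\
access: access allowed ("java.util.PropertyPermission" "user.dir" "read")
access: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
java.lang.Exception: Stack trace
\tat java.security.AccessControlContext.checkPermission(AccessControlContext.java:462)
access: domain that failed ProtectionDomain  (file:/opt/tomcat/webapps/demo/WEB-INF/classes/ <no signer certificates>)
 java.security.Permissions@1b2c3d (
 ("java.util.PropertyPermission" "user.dir" "read")
)
access: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
access: domain that failed ProtectionDomain  (file:/opt/tomcat/webapps/demo/WEB-INF/classes/ <no signer certificates>)
access: access denied ("java.lang.RuntimePermission" "accessClassInPackage.com.example.db")
access: domain that failed ProtectionDomain  (file:/opt/tomcat/webapps/demo/WEB-INF/lib/b.jar <no signer certificates>)
"""

DENIED = re.compile(r"access denied \((.+)\)\s*$")
DOMAIN = re.compile(r"domain that failed ProtectionDomain\s+\((\S+)")

def denials_by_codebase(log_text):
    """Map each failing codeBase to the set of permissions it was denied."""
    found = defaultdict(set)
    pending = None  # denied permission not yet paired with its failing domain
    for line in log_text.splitlines():
        denied = DENIED.search(line)
        domain = DOMAIN.search(line)
        if denied:
            body = denied.group(1)
            # Newer JDKs quote each field; older ones separate them with spaces.
            pending = tuple(re.findall(r'"([^"]*)"', body) or body.split())
        elif domain and pending:
            found[domain.group(1)].add(pending)
            pending = None
    return dict(found)

def as_policy(found):
    """Render candidate grant blocks to review by hand before use."""
    lines = []
    for codebase in sorted(found):
        lines.append('grant codeBase "%s" {' % codebase)
        for cls, *args in sorted(found[codebase]):
            quoted = ", ".join('"%s"' % a for a in args)
            lines.append(("    permission %s %s" % (cls, quoted)).rstrip() + ";")
        lines.append("};")
    return "\n".join(lines)
```

Calling as_policy(denials_by_codebase(text)) on a captured log gives one grant block per failing codeBase, with repeated denials collapsed. The codeBase is printed exactly as logged, so any widening to a directory pattern is a separate decision.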


RE: ClassLoader/Security Manager Question

George Sexton-2
Thanks for your help. With the debugging tip you gave me, I was able to
figure it out.

It turns out that the problem was Class B trying to reference class A?

grant codeBase "file:Z:/CDAILY/WEB-INF/classes/-" {
        permission java.lang.RuntimePermission "accessDeclaredMembers";
        permission java.lang.RuntimePermission "accessClassInPackage.com.MHSoftware.db.*";
};

Now all I have to figure out is how to handle the grant to the codebase when
I have a hundred jars...

George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
 

> -----Original Message-----
> From: Larry Isaacs [mailto:[hidden email]]
> Sent: Friday, January 20, 2006 4:37 PM
> To: Tomcat Users List
> Subject: RE: ClassLoader/Security Manager Question
>
> For reasons that are difficult to predict or calculate,
> some other protection domain (i.e. codeBase) for somebody
> in the stack may be missing this permission.  I've given
> up trying to figure these out after the obvious doesn't
> fix it.
>
> Try adding:
>
>  -Djava.security.debug=access,failure
>
> to your Tomcat startup arguments.  Hopefully you can capture
> the output around the point of failure.  There will be a lot
> of output.
>
> Look for "access denied".  That will give you the missing
> permission.  Not too far below that you can find the domain
> that failed, which will give you the codeBase missing the
> permission.  It is not unusual to see something unexpected.
> Somewhere below that you can see the permissions that this
> domain does currently have.  This is where you might find that
> a permission you tried to grant has a typo, so it doesn't serve
> its purpose.  Give it a try and see if anything turns up.
>
> Cheers,
> Larry