Hi Alban,
Did you try this rule:
grant codeBase "file:/etc/tomcat9/-" {
permission java.security.AllPermission;
};
Emmanuel Bourg
Le 22/12/2022 à 11:05, Alban Espié-Guillon a écrit :
Hello,
I'm very new to tomcat, forgive me if I did not found my answer
elsewhere, i'm currently out of of ideas.
I'm trying to setup a standalone tomcat9 (9.0.31-1~deb10u7) on Debian
11, with security manager enabled.
I'm seeing in catalina logs the following stacktrace (full stacktrace
provided in attachment):
37 21-Dec-2022 16:12:04.587 SEVERE [main]
org.apache.tomcat.util.descriptor.web.WebXmlParser.parseWebXml Parse
error in application web.xml file at [file:/var/lib/tomcat9/conf/web.xml]
38 java.security.AccessControlException: access denied
("java.lang.RuntimePermission"
"accessClassInPackage.org.apache.tomcat.util.buf")
Disabling the security manager makes it disappear, but I don't
understand why tomcat has an issue reading
/var/lib/tomcat9/conf/web.xml, which is a simlink to
/etc/tomcat9/web.xml, and I did not edit the file as you see:
# ll /etc/tomcat9/web.xml
-rw-r----- 1 root tomcat 169K Feb 5 2020 /etc/tomcat9/web.xml
I tried to add the following policy in case of it could help:
grant codeBase "file:/var/lib/tomcat9/conf/web.xml" {
permission java.security.AllPermission;
};
But the error was still logged.
I tried to report the issue to us...@tomcat.apache.org and I got the
following answser:
>The security manager is deprecated in newer versions of Java. If you
are new to Tomcat, whatever problem using the security manager is
intended to solve, I'd strongly encourage you to find an alternative
solution.
>The codebase refers to the JAR trying to read the file, not the file
the JAR is trying to read.
>I suspect the Debian distribution hasn't updated the catalina.policy
file to take account of the way Debian redistributes the Tomcat files
around the file system. If you really do want to use the security
manager, you'll need to take that up with the Debian folks.
>Mark
