http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15352

Security violation while accessing web application with servlets

           Summary: Security violation while accessing web application with servlets
           Product: Tomcat 4
           Version: 4.0.6 Final
          Platform: PC
        OS/Version: Windows NT/2K
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Catalina
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]

I found this bug while using Tomcat 4.0.6 LE JDK 1.4 on Windows 2000 and Solaris Sparc with JDK 1.4.1_01.

I am getting the following security violation when I try to access my web application that has a servlet that accesses HttpServletRequest.getParameter("currentPage"), and this is what is throwing the exception.

java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:272)
    at java.security.AccessController.checkPermission(AccessController.java:399)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:545)
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1501)
    at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:1056)
    at org.apache.catalina.loader.StandardClassLoader.loadClass(StandardClassLoader.java:992)
    at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:313)
    at org.apache.catalina.connector.HttpRequestBase.parseParameters(HttpRequestBase.java:615)
    at org.apache.catalina.connector.HttpRequestBase.getParameter(HttpRequestBase.java:691)
    at org.apache.catalina.connector.RequestFacade.getParameter(RequestFacade.java:160)
    at com.clickndone.billerdirect.BDRouter.doPost(BDRouter.java:141)
    at com.clickndone.billerdirect.BDRouter.doGet(BDRouter.java:106)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:247)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:98)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:176)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:172)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:243)
    at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:190)
    at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
    at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2347)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:180)
    at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
    at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:170)
    at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:170)
    at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:468)
    at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:564)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174)
    at org.apache.catalina.core.StandardPipeline.invokeNext(StandardPipeline.java:566)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:472)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:943)
    at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java:1027)
    at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:1125)
    at java.lang.Thread.run(Thread.java:484)

I have granted the following extra permissions:

grant {
    permission java.net.SocketPermission "LDP2KSEN0066:1024-65535", "connect, resolve";
    permission java.util.PropertyPermission "https.proxyHost", "write";
    permission java.util.PropertyPermission "https.proxyPort", "write";
    permission java.util.PropertyPermission "java.security.policy", "write";
    permission java.util.PropertyPermission "propertiesDirectory", "read";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.io.FilePermission "C:\\Program Files\\Click-n-DoneServerSuite\\common\\properties\\-", "read, write";
    permission java.io.FilePermission "C:\\Program Files\\Click-n-DoneServerSuite\\WebApplications\\BillerListWebApp\\CNDBillerList.txt", "read, write";
    permission java.io.FilePermission "C:\\Program Files\\Click-n-DoneServerSuite\\logs\\-", "read, write";
    permission java.io.FilePermission "C:\\Tomcat_JDK1.3.1\\-", "read";
};

If I access another web application (which has only JSPs), there is no problem. Also, if I access the first web-app after that, there is no problem. I also have no problem if I use Tomcat 4.0.2 LE JDK 1.4.

Solution:

I received help from Jeanfrancois Arcand [[EMAIL PROTECTED]]. I added the following permissions to catalina.policy in the section that grants permissions to all web applications.

    // Required for servlets and JSPs
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util.*";
    permission java.lang.RuntimePermission "defineClassInPackage.org.apache.catalina.util";
    permission java.lang.RuntimePermission "defineClassInPackage.org.apache.catalina.util.*";

This solved the problem.