Thanks for your help. With the debugging tip you gave me, I was able to
figure it out.
It turns out that the problem was Class B trying to reference class A?
grant codeBase "file:Z:/CDAILY/WEB-INF/classes/-" {
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.RuntimePermission
"accessClassInPackage.com.MHSoftware.db.*";
};
Now all I have to figure out is how to handle the grant to the codebase when
I have a hundred jars...
George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
> -----Original Message-----
> From: Larry Isaacs [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 20, 2006 4:37 PM
> To: Tomcat Users List
> Subject: RE: ClassLoader/Security Manager Question
>
> For reasons that are difficult to predict or calculate,
> some other protection domain (i.e. codeBase) for somebody
> in the stack may be missing this permission. I've given
> up trying to figure these out after the obvious doesn't
> fix it.
>
> Try adding:
>
> -Djava.security.debug=access,failure
>
> to your Tomcat startup arguments. Hopefully you can capture
> the output around the point of failure. There will be a lot
> of output.
>
> Look for "access denied". That will give you the missing
> permission. Not to far below that you can find the domain
> that failed, which will give you the codeBase missing the
> permission. It is not unusual to see something unexpected.
> Somewhere below that you can see the permissions that this
> domain does currently have. This is where you might find that
> a permission you tried to grant has a typo, so it doesn't serve
> its purpose. Give it a try and see if anything turns up.
>
> Cheers,
> Larry
>
> > -----Original Message-----
> > From: George Sexton [mailto:[EMAIL PROTECTED]
> > Sent: Friday, January 20, 2006 3:46 PM
> > To: 'Tomcat Users List'
> > Subject: ClassLoader/Security Manager Question
> >
> > I'm trying to get my app to run under the security manager
> > and I'm hitting some problems.
> >
> > I have class B, derived from class A, in Jar B in the
> > WEB-INF/lib directory
> >
> > Class A is in Jar A in the shared/lib directory.
> >
> > I created an entry in the catalina.policy file:
> >
> > grant codeBase "file:${catalina.base}/shared/-" {
> > permission java.lang.RuntimePermission
> > "accessClassInPackage.*";
> > permission java.security.AllPermission; };
> >
> > When a method defined in Class A uses reflection to get the
> > constructors for Class B, the following error message happens:
> >
> > 01/20/2006 13:24:36 java.security.AccessControlException:
> > access denied (java.lang.RuntimePermission
> > accessDeclaredMembers) at
> > java.security.AccessControlContext.checkPermission(AccessContr
> > olContext.java
> > :264)
> > at
> > java.security.AccessController.checkPermission(AccessControlle
> > r.java:427)
> > at
> java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> > at
> >
> java.lang.SecurityManager.checkMemberAccess(SecurityManager.java:1662)
> > at java.lang.Class.checkMemberAccess(Class.java:2125)
> > at java.lang.Class.getDeclaredConstructor(Class.java:1952)
> >
> > I've done some research and it seems like what I'm trying to
> > do should work if I specify accessClassInPackage. I've tried
> > explicitly setting the class A package in the
> > accessClassInPackage statement but I'm not making any headway.
> >
> > I would rather not put Jar A in WEB-INF/lib because I have
> > something like 100 contexts that all use that jar and I'm
> > already hitting issues with PermGenSpace. I also can't put
> > Jar B in shared/lib because of design (or lack thereof).
> >
> > Does anyone have any ideas (other than the obvious one of
> > putting Jar A in WEB-INF/lib)?
> >
> > George Sexton
> > MH Software, Inc.
> > http://www.mhsoftware.com/
> > Voice: 303 438 9585
> >
> >
> >
> >
> ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
