Re: Tomcat Security Permission Issue

Wed, 08 Aug 2012 16:05:42 -0700 

2012/8/9 bogdan ivascu <ivascu.bogdan...@gmail.com>:
> System: ubuntu server 11.10
>               tomcat6 ( installed from apt-get not downloaded ).
>
> Starting without -security enabled all works fine. Starting tomcat with
> -security enabled gives the following:
>
> SEVERE: Exception starting filter app
> org.apache.tapestry5.ioc.internal.OperationException: Error building
> service proxy for service 'RegistryStartup' (at
> org.apache.tapestry5.ioc.internal.services.RegistryStartup(Logger, List)
> (at RegistryStartup.java:36) via
> org.apache.tapestry5.ioc.services.TapestryIOCModule.bind(ServiceBinder) (at
> TapestryIOCModule.java:49)): Unable to locate class file for
> 'java.lang.Runnable' in class loader WebappClassLoader
>   context:
>   delegate: false
>   repositories:
>     /WEB-INF/classes/
> ----------> Parent Classloader:
> org.apache.catalina.loader.StandardClassLoader@4d911540
> .
>         at
> org.apache.tapestry5.ioc.internal.OperationTrackerImpl.logAndRethrow(OperationTrackerImpl.java:121)
>          ...
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
> Caused by: java.lang.RuntimeException: Error building service proxy for
> service 'RegistryStartup' (at
> org.apache.tapestry5.ioc.internal.services.RegistryStartup(Logger, List)
> (at RegistryStartup.java:36) via
> org.apache.tapestry5.ioc.services.TapestryIOCModule.bind(ServiceBinder) (at
> TapestryIOCModule.java:49)): Unable to locate class file for
> 'java.lang.Runnable' in class loader WebappClassLoader
>   context:
>   delegate: false
>   repositories:
>     /WEB-INF/classes/
> ----------> Parent Classloader:
> org.apache.catalina.loader.StandardClassLoader@4d911540
> .
>         at
> org.apache.tapestry5.ioc.internal.ModuleImpl$4.invoke(ModuleImpl.java:327)
>         at
> org.apache.tapestry5.ioc.internal.OperationTrackerImpl.invoke(OperationTrackerImpl.java:74)
>         ... 44 more
> Caused by: java.lang.RuntimeException: Unable to locate class file for
> 'java.lang.Runnable' in class loader WebappClassLoader
>   context:
>   delegate: false
>   repositories:
>     /WEB-INF/classes/
> ----------> Parent Classloader:
> org.apache.catalina.loader.StandardClassLoader@4d911540
> .
> ...
>         at
> org.apache.tapestry5.ioc.internal.ModuleImpl$4.invoke(ModuleImpl.java:311)
>         ... 45 more
>
> Below my webapp.policy file:
>
> grant {
>     // Required for JNDI lookup of named JDBC DataSource's and
>     // javamail named MimePart DataSource used to send mail
>     permission java.util.PropertyPermission "java.home", "read";
>     permission java.util.PropertyPermission "java.naming.*", "read";
>     permission java.util.PropertyPermission "javax.sql.*", "read";
>
>     // OS Specific properties to allow read access
>     permission java.util.PropertyPermission "os.name", "read";
>     permission java.util.PropertyPermission "os.version", "read";
>     permission java.util.PropertyPermission "os.arch", "read";
>     permission java.util.PropertyPermission "file.separator", "read";
>     permission java.util.PropertyPermission "path.separator", "read";
>     permission java.util.PropertyPermission "line.separator", "read";
>
>     // JVM properties to allow read access
>     permission java.util.PropertyPermission "java.version", "read";
>     permission java.util.PropertyPermission "java.vendor", "read";
>     permission java.util.PropertyPermission "java.vendor.url", "read";
>     permission java.util.PropertyPermission "java.class.version", "read";
>     permission java.util.PropertyPermission "java.specification.version",
> "read";
>     permission java.util.PropertyPermission "java.specification.vendor",
> "read";
>     permission java.util.PropertyPermission "java.specification.name",
> "read";
>
>     permission java.util.PropertyPermission
> "java.vm.specification.version", "read";
>     permission java.util.PropertyPermission "java.vm.specification.vendor",
> "read";
>     permission java.util.PropertyPermission "java.vm.specification.name",
> "read";
>     permission java.util.PropertyPermission "java.vm.version", "read";
>     permission java.util.PropertyPermission "java.vm.vendor", "read";
>     permission java.util.PropertyPermission "java.vm.name", "read";
>
>     // Required for OpenJMX
>     permission java.lang.RuntimePermission "getAttribute";
>
>     // Allow read of JAXP compliant XML parser debug
>     permission java.util.PropertyPermission "jaxp.debug", "read";
>
>     // Precompiled JSPs need access to this package.
>     permission java.lang.RuntimePermission
> "accessClassInPackage.org.apache.jasper.runtime";
>     permission java.lang.RuntimePermission
> "accessClassInPackage.org.apache.jasper.runtime.*";
>
>     // Example JSPs need those to work properly
>     permission java.lang.RuntimePermission
> "accessClassInPackage.org.apache.jasper.el";
>     permission java.lang.RuntimePermission "accessDeclaredMembers";
>
>     // Precompiled JSPs need access to this system property.
>     permission java.util.PropertyPermission
> "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
>
>     // java.io.tmpdir should be usable as a temporary file directory
>     permission java.util.PropertyPermission "java.io.tmpdir", "read";
>     permission java.io.FilePermission "${java.io.tmpdir}/-",
> "read,write,delete";
>
>    //TAPESTRY SPECIFIC PERMISSIONS
>    permission java.util.PropertyPermission "tapestry.*","read";
>   // permission java.io.FilePermission
> "/var/lib/tomcat6/webapps/ROOT/WEB-INF/lib/*", "read";
>    permission java.io.FilePermission
> "/var/lib/tomcat6/webapps/ROOT/WEB-INF/-", "read";
>    permission java.lang.RuntimePermission "getenv.*";
>    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
>    permission java.lang.RuntimePermission  "getClassLoader";
>    permission java.util.PropertyPermission "javassist-write-dir", "read";
>    permission java.lang.RuntimePermission "getProtectionDomain";
>    permission java.lang.RuntimePermission "createClassLoader";
>
>
>
> I cannot figure out what permission the system is missing.
>

1. This one: java.security.AllPermission ?

Even if it is a joke, you may try adding it to your configuration to
see whether it helps.

2. Nobody knows how old is your version of Tomcat 6.0.x from apt-get
is. You'd better try with one from tomcat.apache.org.

3. The error is likely not in the place when the exception happens,
but some place earlier.

You should look into your logs carefully.

Maybe enable fine logging and compare what differs between successful
and unsuccessful starts.

Maybe enable SecurityManager logging (as mentioned in Tomcat docs) to
look at what permission request was denied.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to