Konstantin,
Thanks for the reply.

On 3/22/18 6:12 PM, Konstantin Kolinko wrote:
> 2018-03-23 0:39 GMT+03:00 Christopher Schultz
> <ch...@christopherschultz.net>:
>> All,
>>
>> I'm working on getting my application working under a
>> SecurityManager. It's actually been a little less painful than I
>> thought it would be.
>>
>> I'm using Solr for some index searching. I'm using SolrJ for the
>> library to communicate via HTTP to a localhost Solr server. When
>> using this grant:
>>
>> grant {
>>     permission java.util.PropertyPermission "solr.httpclient.builder.factory", "read";
>>     permission java.net.SocketPermission "localhost:8983", "resolve,connect";
>> };
>>
>> My application can contact Solr without any errors.
>>
>> If I change the "grant" to include a codeBase to restrict those
>> connections to the Solr library, I get an AccessControlException:
>> access denied to the system property. Here is the modified grant:
>>
>> grant codeBase "file:${catalina.base}${file.separator}webapps${file.separator}myapp${file.separator}WEB-INF${file.separator}lib${file.separator}solr-solrj-7.2.1.jar" {
>>     permission java.util.PropertyPermission "solr.httpclient.builder.factory", "read";
>>     permission java.net.SocketPermission "localhost:8983", "resolve,connect";
>> };
>>
>> I have verified that the file exists under the path specified
>> above. I tried both ${file.separator} and '/' as the file
>> separator. I also tried "jar:/path/to/jar!/-" as the codeBase. No
>> luck.
>
> 1) The "grant" clause uses a URL, with '/'.
>
> ${file.separator} is used in file paths for a file system: in
> java.io.FilePermission

Thanks for pointing that out. I tried both ways and it did not make a
difference.

>> These grants are added to the end of the stock catalina.policy
>> file that ships with Tomcat.
>>
>> What am I missing, here?
>
> 2) Tomcat version=? ;)

8.5.29, but this is a JVM security policy problem and should not be
affected by the Tomcat version.
> See "Troubleshooting" recipe here:
>
> http://tomcat.apache.org/tomcat-8.5-doc/security-manager-howto.html#Troubleshooting
>
> You need to know the actual permission that failed.

It's java.util.PropertyPermission to "read" the system property
"solr.httpclient.builder.factory". Specifying no codeBase allows the
code to execute.

> You need to know java.security.CodeSource.getLocation() for all
> classes in stacktrace up to the failing point (starting from the
> nearest AccessController.doPrivileged()).

Umm... how in the world do I determine that?

> All those CodeSources should have that permission. If you missed
> one, you will fail.

So I'm going to assume that there are no doPrivileged() calls anywhere
in the call stack. Does that mean that I have two options:

1. Grant the privilege to the whole JVM (as I have confirmed does work)

2. Add a doPrivileged() call somewhere that eventually attempts to
   read this system property?

I also attempted to give the permission to my web application as a
whole like this:

grant codeBase "file:${catalina.base}/webapps/mywebapp/WEB-INF/classes/-" {
    // same privileges
};

And this does not work, either.

Do I have to put everything in doPrivileged() calls in order to
actually access the permissions I'm trying to grant using the "grant
codeBase" in my policy?

THAT is going to be ... inconvenient.
:(

-chris
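Added example, not code from this thread and not part of SolrJ or Tomcat: a hypothetical webapp-side helper that performs the property read inside AccessController.doPrivileged(), which is option 2 above. It shows why a codeBase-scoped grant fails without a privileged frame (every ProtectionDomain on the stack back to the thread's origin is checked) and what changes once one is present (only the domains from the privileged frame upward are checked). The class name SolrPropertyAccess, the method names and the policy path in the comment are assumptions for illustration.

```java
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.PropertyPermission;

/*
 * Hypothetical helper (assumed to live in the webapp, e.g. WEB-INF/classes).
 *
 * Without doPrivileged(), AccessController.checkPermission() walks every frame
 * from the System.getProperty() call back to the thread's origin and requires
 * EVERY ProtectionDomain on the way to imply the PropertyPermission. A grant
 * scoped to solr-solrj-7.2.1.jar alone therefore fails as soon as any other
 * domain (servlet classes, another WEB-INF/lib jar, ...) is on the stack.
 *
 * With doPrivileged(), the walk stops at this frame. The grants needed are:
 *   - the CodeSource of this class (it holds the doPrivileged() call), and
 *   - every CodeSource reached from inside run(), e.g. the SolrJ jar if the
 *     read actually happens inside SolrJ.
 * Frames below this one no longer need the permission. Example policy entry
 * (assumed path):
 *
 *   grant codeBase "file:${catalina.base}/webapps/myapp/WEB-INF/classes/-" {
 *       permission java.util.PropertyPermission "solr.httpclient.builder.factory", "read";
 *   };
 */
public final class SolrPropertyAccess {

    // Fixed name on purpose: a privileged block that took the property name
    // from its caller would let any unprivileged code read any property.
    private static final String FACTORY_PROPERTY = "solr.httpclient.builder.factory";

    private SolrPropertyAccess() {}

    /** Reads the builder-factory property inside a privileged block. */
    public static String readBuilderFactory() {
        return AccessController.doPrivileged(new PrivilegedAction<String>() {
            @Override
            public String run() {
                // Only this frame and what it calls are checked from here on.
                return System.getProperty(FACTORY_PROPERTY);
            }
        });
    }

    /**
     * Probe for troubleshooting: true if the CURRENT, unprivileged stack is
     * allowed to read the property. Calling this from a servlet shows whether
     * the denial comes from a domain below the point where the read happens.
     */
    public static boolean callerMayRead() {
        if (System.getSecurityManager() == null) {
            return true; // no SecurityManager installed, nothing is ever denied
        }
        try {
            AccessController.checkPermission(
                    new PropertyPermission(FACTORY_PROPERTY, "read"));
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("SecurityManager installed: " + (System.getSecurityManager() != null));
        System.out.println("unprivileged read allowed: " + callerMayRead());
        System.out.println(FACTORY_PROPERTY + " = " + readBuilderFactory());
    }
}
```

Run it stand-alone once without a SecurityManager and once with `-Djava.security.manager -Djava.security.policy=<your.policy>`; in the second run `readBuilderFactory()` still throws if the policy does not grant the permission to this class's own CodeSource, because the privileged frame itself is always checked. To answer the "which CodeSource failed?" question from the quoted reply, add `-Djava.security.debug=access,failure` to the JVM options: the JDK then prints, for each denied check, the ProtectionDomain (with its CodeSource location) that did not imply the permission, which is exactly the list of codeBase entries the policy is missing. Note the caveat for SolrJ: if the property read is triggered inside the SolrJ jar (for example on the first client construction), the call that triggers it must be the one wrapped in doPrivileged(), and the SolrJ jar's codeBase must be granted the permission as well.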