2018-03-23 1:32 GMT+03:00 Christopher Schultz <ch...@christopherschultz.net>:
> Konstantin,
>
> Thanks for the reply.
>
> On 3/22/18 6:12 PM, Konstantin Kolinko wrote:
>> 2018-03-23 0:39 GMT+03:00 Christopher Schultz
>> <ch...@christopherschultz.net>:
>>> All,
>>>
>>> I'm working on getting my application working under a
>>> SecurityManager. It's actually been a little less painful than I
>>> thought it would be.
>>>
>>> I'm using Solr for some index searching. I'm using SolrJ for the
>>> library to communicate via HTTP to a localhost Solr server. When
>>> using this grant:
>>>
>>> grant {
>>>   permission "java.util.PropertyPermission" "solr.httpclient.builder.factory", "read";
>>>   permission "java.net.SocketPermission", "localhost:8983", "resolve,connect";
>>> }
>>>
>>> My application can contact Solr without any errors.
>>>
>>> If I change the "grant" to include a codeBase to restrict those
>>> connections to the Solr library, I get an AccessControlException:
>>> access denied to the system property. Here is the modified
>>> grant:
>>>
>>> grant codeBase "file:${catalina.base}${file.separator}webapps${file.separator}myapp${file.separator}WEB-INF${file.separator}lib${file.separator}solr-solrj-7.2.1.jar" {
>>>   permission "java.util.PropertyPermission" "solr.httpclient.builder.factory", "read";
>>>   permission "java.net.SocketPermission" "localhost:8983", "resolve,connect";
>>> };
>>>
>>> I have verified that the file exists under the path specified
>>> above. I tried both ${file.separator} and '/' as the file
>>> separator. I also tried "jar:/path/to/jar!/-" as the codeBase. No
>>> luck.
>>
>> 1) The "grant" clause uses an URL, with '/'.
>>
>> ${file.separator} is used in file paths for a file system: in
>> java.io.FilePermission
>
> Thanks for pointing that out. I tried both ways and it did not make a
> difference.
>
>>> These grants are added to the end of the stock catalina.policy
>>> file that ships with Tomcat.
>>>
>>> What am I missing, here?
>>
>> 2) Tomcat version=? ;)
>
> 8.5.29, but this is a JVM security policy problem and should not be
> affected by the Tomcat version.
>
>> See "Troubleshooting" recipe here:
>>
>> http://tomcat.apache.org/tomcat-8.5-doc/security-manager-howto.html#Troubleshooting
>>
>> You need to know the actual permission that failed.
>
> It's java.util.PropertyPermission to "read" the system property
> "solr.httpclient.builder.factory". Specifying no codeBase allows the
> code to execute.
>
>> You need to know java.security.CodeSource.getLocation() for all
>> classes in stacktrace up to the failing point (starting from the
>> nearest AccessController.doPrivileged()).
>
> Umm... how in the world do I determine that?
>
>> All those CodeSources should have that permission. If you missed
>> one, you will fail.
>
> So I'm going to assume that there are no doPrivileged() calls anywhere
> in the call stack. Does that mean that I have two options:
>
> 1. Grant the privilege to the whole JVM (as I have confirmed does work)
>
> 2. Add a doPrivileged() call somewhere that eventually attempts to
> read this system property?

Reads of a system property are usually wrapped in doPrivileged().
E.g. see java.io.PrintWriter constructor in Java 8u162:

    lineSeparator = java.security.AccessController.doPrivileged(
        new sun.security.action.GetPropertyAction("line.separator"));

The code above assumes that sun.* classes cannot be accessed by
untrusted code. (In case of Tomcat this is true thanks to
"package.access" setting in catalina.properties.)

> I also attempted to give the permission to my web application as a
> whole like this:
>
> grant codeBase
> "file:${catalina.base}/webapps/mywebapp/WEB-INF/classes/-" {
> // same privileges
> };

The above grants permission to "WEB-INF/classes" directory.
The libraries are in "lib". There are also JSPs.

Example in catalina.policy:

// The permissions granted to the context root directory apply to JSP pages.
// grant codeBase "file:${catalina.base}/webapps/examples/-" {
//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };

Best regards,
Konstantin Kolinko
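
Added example (not part of the original thread, and not Tomcat, Solr or SolrJ code): one way to list CodeSource.getLocation() for every class on a failing stack, as the reply asks for, together with a narrow doPrivileged() read of the property from the thread. The class CodeSourceDump and its method names are hypothetical, and the Throwable in main() is constructed demo input.

```java
import java.net.URL;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.PrivilegedAction;
import java.util.LinkedHashMap;
import java.util.Map;

/** Hypothetical diagnostic helper; not part of Tomcat, Solr or SolrJ. */
public final class CodeSourceDump {

    /** Maps every class on the stack trace of t to its CodeSource location. */
    public static Map<String, String> locations(Throwable t, ClassLoader loader) {
        Map<String, String> out = new LinkedHashMap<>();
        for (StackTraceElement frame : t.getStackTrace()) {
            out.computeIfAbsent(frame.getClassName(), n -> locate(n, loader));
        }
        return out;
    }

    private static String locate(String className, ClassLoader loader) {
        try {
            Class<?> c = Class.forName(className, false, loader);
            // Under a SecurityManager this call itself needs
            // RuntimePermission "getProtectionDomain".
            CodeSource cs = c.getProtectionDomain().getCodeSource();
            URL url = (cs == null) ? null : cs.getLocation();
            return (url == null) ? "(no CodeSource: JRE/bootstrap class)" : url.toString();
        } catch (ClassNotFoundException | LinkageError e) {
            return "(not visible to this class loader)";
        }
    }

    /** Fixed key on purpose: a caller-supplied key would lend this class's grant to any caller. */
    public static String solrBuilderFactory() {
        return AccessController.doPrivileged((PrivilegedAction<String>)
                () -> System.getProperty("solr.httpclient.builder.factory"));
    }

    public static void main(String[] args) {
        // Constructed demo input: in the webapp, pass the caught
        // AccessControlException and the webapp class loader instead.
        Throwable sample = new Throwable();
        locations(sample, CodeSourceDump.class.getClassLoader())
                .forEach((cls, loc) -> System.out.println(loc + "  <-  " + cls));
        System.out.println("factory = " + solrBuilderFactory());
    }
}
```

Each distinct URL printed is a code source that must be covered by a grant, unless a doPrivileged() frame sits between it and the permission check; with the wrapper above, only the code source containing the wrapper needs the PropertyPermission.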