Okay, using this blanket statement:

grant {
    permission java.net.SocketPermission "localhost", "resolve";
    permission java.net.SocketPermission "127.0.0.1:3306", "connect,resolve";
};

The webapp works when tomcat is started normally. This is acceptable while the machine is being used as a development server, but when it goes live, I'd like the grant statement to be appropriately strict. Anyone have suggestions for what to set as the codeBase? I have tried, with no success:

codeBase "file:${catalina.home}/webapps/-"
codeBase "file:${catalina.home}/webapps/ROOT/-"
codeBase "file:${catalina.home}/common/lib/-"
codeBase "file:${catalina.home}/common/lib/mysql-connector-blah.jar"
codeBase "jar:file:${catalina.home}/common/lib/mysql-connector-blah.jar!/-"

On 7/20/06, Cameron Currie <[EMAIL PROTECTED]> wrote:
I haven't gotten it working yet, but I think David may be on the right track. Here's what I did:

I changed my file at '/etc/tomcat5/policy.d/03catalina.policy' to properly point to my connector.jar and also changed the permissions to include:

permission java.net.SocketPermission "localhost", "connect,resolve";
permission java.net.SocketPermission "localhost:3306", "connect,resolve";

Alas, this did not work.

I googled for information on Tomcat's security manager and found this message (possibly from this very mailing list?):

http://marc2.theaimsgroup.com/?l=tomcat-user&m=109912397815989&w=2

I also read through the tomcat security manager documentation. I found a debug option to pass to tomcat (-Djava.security.debug=all). In order to use it I started tomcat with startup.sh (as opposed to the /etc/init.d/ script). I saw no debugging information. But our webapps worked! I assume starting tomcat this way does not start up the security manager.

Hopefully I can get the policy properly configured so that I don't have to manually start up tomcat!

On 7/20/06, David Smith <[EMAIL PROTECTED]> wrote:
> java.security.AccessControlException indicates you are running tomcat
> with the security manager. You'll need to edit your catalina.policy
> file to allow this connection. The policy file itself has a number of
> examples, here's just one modified to your situation below:
>
> grant codebase
> "jar:file:${catalina.home}/common/lib/mysql-connector-java-3.14.jar!/-" {
>     permission java.net.SocketPermission "127.0.0.1:3306", "connect" ;
> }
>
> --David
>
> Bob Hall wrote:
>
> >Cameron,
> >
> >You wrote:
> >
> >>I have a newly installed and configured Ubuntu server running
> >>Tomcat5.5 and Mysql 5.0. This server was created in an attempt to
> >>migrate from a Red Hat server in a similar configuration, running the
> >>exact same webapp. Most of the configuration/classpath differences
> >>between the two platforms have been ironed out.
> >>
> >>The Problem:
> >>
> >>When our webapp tries to connect to the database on
> >>localhost, an exception
> >>
> >>'java.security.AccessControlException: access denied
> >>(java.net.SocketPermission localhost resolve)'
> >>
> >>is generated.
> >
> >Looks like the OS is unable to resolve localhost.
> >Does the ubuntu server have the following in its
> >/etc/hosts file?
> >
> >127.0.0.1 localhost
> >
> >-Bob
> >
> >---------------------------------------------------------------------
> >To start a new topic, e-mail: users@tomcat.apache.org
> >To unsubscribe, e-mail: [EMAIL PROTECTED]
> >For additional commands, e-mail: [EMAIL PROTECTED]

--
Cameron Currie
[EMAIL PROTECTED]
--
Cameron Currie
[EMAIL PROTECTED]
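
An added example, not part of the thread and not Tomcat's own code: one way to find the value a codeBase has to match is to print the code source URL that each class involved in opening the connection was actually loaded from, since the policy compares codeBase against that URL and the permission check has to pass for every code source on the call stack. `CodeBaseProbe` and its methods are hypothetical names; the class names to inspect are supplied by the caller, and the probe is assumed to run with the security manager off (for instance from a servlet or JSP in a Tomcat started without it).

```java
import java.net.URL;
import java.security.CodeSource;
import java.security.ProtectionDomain;

/**
 * Added diagnostic (hypothetical helper, not from the thread): reports where
 * classes were loaded from, formatted as policy grant entries.
 * Under a security manager the caller would itself need
 * RuntimePermission "getProtectionDomain", so run it with the manager off.
 */
public class CodeBaseProbe {

    // Permission line taken from the blanket grant quoted in the thread.
    static final String PERMISSION =
        "permission java.net.SocketPermission \"127.0.0.1:3306\", \"connect,resolve\";";

    /** Code source location of a class, or null when it has none (bootstrap classes). */
    static URL locationOf(Class<?> c) {
        ProtectionDomain pd = c.getProtectionDomain();
        CodeSource cs = (pd == null) ? null : pd.getCodeSource();
        return (cs == null) ? null : cs.getLocation();
    }

    /** Grant entry scoped to exactly the code source the given class came from. */
    static String grantFor(Class<?> c) {
        URL loc = locationOf(c);
        if (loc == null) {
            return "// " + c.getName() + ": no code source (bootstrap class)";
        }
        return "// " + c.getName() + "\n"
             + "grant codeBase \"" + loc + "\" {\n"
             + "    " + PERMISSION + "\n"
             + "};";
    }

    public static void main(String[] args) throws ClassNotFoundException {
        // Arguments: fully qualified names of the classes on the call stack when
        // the connection is opened, e.g. the JDBC driver class and a webapp class.
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        for (String name : args) {
            // initialize=false: inspect the class without running its static initializers
            System.out.println(grantFor(Class.forName(name, false, cl)));
        }
    }
}
```

Inside a webapp, call `grantFor` from a servlet or JSP so the classes resolve through the same class loaders Tomcat uses; run from the command line, the URLs reflect that JVM's classpath instead.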