Hi Hugues,

The standard Tomcat 5.5 policy file includes:

grant codeBase "file:${catalina.home}/common/-" {
        permission java.security.AllPermission;
};

which grants permission to the common/endorsed jars.

It is possible for code to programmatically grant itself some
extra permissions, such as permission to use "getClassLoader",
and not impose this permission on any of the classes involved
in the calling of this code.  In the absence of this programmatic
handling of permissions, all callers must have the permission,
i.e. all classes in the stack above where the permission check
occurs must have the permission.  It is likely that you have a
servlet, filter, listener, or some other class in your webapp
that is involved in calling ojdbc.jar.  Since it wasn't
being granted the getClassLoader permission, it was causing
the exception once permission was granted to ojdbc.jar.

Cheers,
Larry

> -----Original Message-----
> From: Hugues Ferland [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, February 07, 2007 3:30 PM
> To: Tomcat Users List
> Subject: RE: Tomcat policy file, advice and clarification please
> 
> Hi Larry,
> 
> Thank you very much!
> 
> That was it. I'm not sure I understand well what the context 
> of a checkPermission is made of...  hum... Is it that it 
> uses the context from the web apps to "checkPermission"...? 
> But then why does checkPermission for my jar in common/endorsed 
> succeed for "getClassLoader" but fail for SocketPermission? I 
> did not find anything for that in Tomcat's policy files.
> 
> Thanks again for your help!
> 
> Hugues
> 
> 
> Larry Isaacs <[EMAIL PROTECTED]> wrote:
> 
> It is likely that some other class in your webapp is on the 
> stack when the permission check occurs and is causing the 
> check to fail.  You could try ".../WEB-INF/-" to expand the 
> grant to the entire webapp and see what happens.
> 
> To diagnose this kind of exception, you can add the following 
> system property to your Tomcat startup:
> 
>     -Djava.security.debug=access,failure
> 
> In the volumes of log output created, search for "access 
> denied".  A little beyond where you find this, look for 
> "domain that failed".  That will tell you what is missing the 
> required permission.  Note that some permission failures are 
> normal and won't cause a problem.
> 
> Cheers,
> Larry
> 
> > -----Original Message-----
> > From: Hugues Ferland [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, February 06, 2007 5:30 PM
> > To: users@tomcat.apache.org
> > Subject: Tomcat policy file, advice and clarification please
> > 
> > Hi,
> > 
> > I have a Tomcat 5.5 installation on Debian Linux with Java 1.6.
> > 
> > I have a web application that creates its own connection to an Oracle
> > database. The ojdbc14.jar is included in the WEB-INF/lib directory of
> > the web application.
> > 
> > Now with the default configuration with security enabled, a 
> > SecurityException "java.lang.RuntimePermission getClassLoader" is 
> > thrown.
> > 
> > I tried to apply a security policy to ojdbc14.jar with grant 
> > AllPermission, but without success. This is what I added to
> > /etc/tomcat5.5/policy.d/50user.policy:
> > 
> > grant codeBase "file:/
> > application>/WEB-INF/lib/ojdbc.jar" {
> >    permission java.security.AllPermission; }
> > 
> > This did not work. One particularity of the web application is that I
> > do not deploy it with a war file. I created it using a context xml
> > file in ${catalina.home}/conf/Catalina/localhost/.xml.
> > 
> > Also the docBase points outside the ${catalina.home}.
> > 
> > Of course, I'd like to know what I'm doing wrong... I looked on 
> > google, tomcat-docs, and other places without any luck...
> > Maybe somebody could point me in the right direction? Or better yet 
> > tell me what is wrong :)
> > 
> > Thanks,
> > 
> > Hugues
> > 
> 
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org To 
> unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
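
The log search described in the quoted advice above (find "access denied", then the next "domain that failed"), as an added Python example that is not part of the original thread. The sample log, the /srv/example-app path and the db.example.test host are constructed, and the exact line layout is an assumption modelled on the JDK's "access:" debug output.

```python
import re

# Constructed sample of -Djava.security.debug=access,failure output (not from
# the thread). The layout is an assumption modelled on the JDK's "access:" lines.
SAMPLE_LOG = """\
access: access allowed (java.util.PropertyPermission catalina.base read)
access: access denied (java.lang.RuntimePermission getClassLoader)
java.lang.Exception: Stack trace
access: domain that failed ProtectionDomain  (file:/srv/example-app/WEB-INF/classes/ <no signer certificates>)
access: access denied ("java.net.SocketPermission" "db.example.test:1521" "connect,resolve")
access: domain that failed ProtectionDomain  (file:/srv/example-app/WEB-INF/lib/ojdbc14.jar <no signer certificates>)
access: access denied (java.lang.RuntimePermission getClassLoader)
access: domain that failed ProtectionDomain  (file:/srv/example-app/WEB-INF/classes/ <no signer certificates>)
"""

DENIED = re.compile(r"access denied \((.*)\)\s*$")
FAILED = re.compile(r"domain that failed ProtectionDomain\s+\((\S+)")

def parse_permission(text):
    """Split a logged permission into (class, name, actions); quoted or bare form."""
    parts = re.findall(r'"([^"]*)"', text) or text.split(None, 2)
    return tuple(parts + [""] * (3 - len(parts)))[:3]

def failing_domains(log_text):
    """Map each failing code source to the set of permissions it was denied."""
    found, pending = {}, None
    for line in log_text.splitlines():
        denied = DENIED.search(line)
        failed = FAILED.search(line)
        if denied:
            pending = parse_permission(denied.group(1))
        elif failed and pending:
            found.setdefault(failed.group(1), set()).add(pending)
            pending = None
    return found

def candidate_grants(found):
    """Render policy-file grant blocks to review, one per failing code source."""
    blocks = []
    for code_source in sorted(found):
        perms = []
        for cls, name, actions in sorted(found[code_source]):
            args = f'"{name}"' + (f', "{actions}"' if actions else "")
            perms.append(f"    permission {cls} {args};")
        blocks.append(f'grant codeBase "{code_source}" {{\n' + "\n".join(perms) + "\n};")
    return "\n\n".join(blocks)

if __name__ == "__main__":
    print(candidate_grants(failing_domains(SAMPLE_LOG)))
```

The output names the code source that lacked the permission, which is often a webapp class on the stack and not the jar that was granted AllPermission. Some logged denials are normal, so each rendered line is a candidate to review, not a grant to paste in.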
