The workaround with turning off the security manager via command line options or by granting all privileges to all code bases (mentioned by Heikki) seems to work. Still, since the /manager dies with a specific security exception I tried adding a policy file for the manager only. Unfortunately the app goes down with the same exception. My manager policy file looks like that:
//location of the webapp
grant codeBase "file:/usr/share/tomcat6-admin/manager/-" {
    permission java.security.AllPermission;
};

and to be sure (since the org.apache.catalina.ManagerServlet is located in the catalina.jar and is not a part of the webapp):

//location of the library
grant codeBase "file:/usr/share/tomcat6/lib/catalina.jar" {
    permission java.security.AllPermission;
};

The latter should not even be necessary since 03catalina.policy already contains:

grant codeBase "file:${catalina.home}/lib/-" {
    permission java.security.AllPermission;
};

which should enable all privileges for the manager app (it's part of the core catalina codebase). Unless I'm missing something it looks like the "codeBase" parameter does not get evaluated properly (that would somehow explain why our own webapps suddenly stopped working even though they had full privileges enabled (AllPermissions)).

I have enabled java security debugging (add -Djava.security.debug=all to JAVA_OPTS in /etc/defaults/tomcat6) to see if I can get more information. After that gazillions of entries get logged to /var/log/daemon.log, there are many failures (during startup) like:

policy: evaluate codesources:#012#011 Policy CodeSource: (file:/usr/lib/jvm/java-6-openjdk/ext/* <no signer certificates>)#012#011Active CodeSource: (file:/usr/share/maven-repo/javax/servlet/servlet-api/2.5/servlet-api-2.5.jar <no signer certificates>)
Sep 10 13:10:07 ohiolink2 jsvc.exec[9163]: policy: evaluation (codesource) failed

What's interesting is that it seems to be using the servlet-api from maven-repo and not the one from /usr/share/java/servlet-api-2.5.jar.

After the request to the /manager I get (only very tiny part shown):

2policy: evaluation (codesource/principals) passed#012access: access denied (java.util.PropertyPermission catalina.base read)#012java.lang.Exception: Stack trace#012#011at java.lang.Thread.dumpStack(Thread.java:1223)#012#011at java.security.AccessControlContext.checkPermission(AccessControlContext.java:332)#012#011at java.security.AccessController.checkPermission(AccessController.java:553)#012#011at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)#012#011at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1302)#012#011at java.lang.System.getProperty(System.java:669)#012#011at org.apache.catalina.manager.ManagerServlet.init(ManagerServlet.java:487)#012#011at org.apache.catalina.manager.HTMLManagerServlet.init(HTMLManagerServlet.java:646)#012#011at javax.servlet.GenericServlet.init(GenericServlet.java:212)#012#011at
Sep 10 13:10:07 ohiolink2 jsvc.exec[9163]: sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)#012#011at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)#012#011at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)#012#011at java.lang.reflect.Method.invoke(Method.java:616)#012#011at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:269)#012#011at java.security.AccessController.doPrivileged(Native Method)#012#011at javax.security.auth.Subject.doAsPrivileged(Subject.java:537)#012#011at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:301)#012#011at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:162)#012#011at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:115)#012#011at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1167)#012#011at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:809)#012#011at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:129)#012#011at org.apache.catalina.core.StandardCon
Sep 10 13:10:07 ohiolink2 jsvc.exec[9163]: textValve.invoke(StandardContextValve.java:191)#012#011at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:525)#012#011at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)#012#011at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)#012#011at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)#012#011at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)#012#011at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)#012#011at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)#012#011at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)#012#011at java.lang.Thread.run(Thread.java:636)#012policy: getPermissions:#012#011PD CodeSource: (file:/usr/share/maven-repo/javax/servlet/servlet-api/2.5/servlet-api-2.5.jar <no signer certificates>)#012#011PD ClassLoader: org.apache.catalina.loader.standardclassloa...@3f77b3cd#012#011pd Principals: <no principals>

The start/request manager/stop log is about 150 megs. I can send it over if that's any help.

--
Cheers,
Jakub
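
Added example, not part of the original message and not Tomcat or Debian code: a small triage script for a java.security.debug log of this size. It rejoins the split syslog records, undoes the #012/#011 escaping, and lists the denied permissions together with the CodeSource locations that none of the quoted AllPermission grants cover. The sample records are constructed from the excerpts above, ${catalina.home} is assumed to be /usr/share/tomcat6, and all function names are hypothetical.

```python
import re

# Constructed sample, shortened from the daemon.log excerpts quoted in the message.
# syslog writes newline as #012 and tab as #011, and splits long messages into
# several records, sometimes in the middle of a word.
SAMPLE = [
    "Sep 10 13:10:07 ohiolink2 jsvc.exec[9163]: access: access denied "
    "(java.util.PropertyPermission catalina.base read)#012java.lang.Exception: "
    "Stack trace#012#011at org.apache.catalina.manager.ManagerServlet.init(ManagerServ",
    "Sep 10 13:10:07 ohiolink2 jsvc.exec[9163]: let.java:487)#012policy: getPermissions:"
    "#012#011PD CodeSource: (file:/usr/share/maven-repo/javax/servlet/servlet-api/2.5/"
    "servlet-api-2.5.jar <no signer certificates>)#012#011PD CodeSource: "
    "(file:/usr/share/tomcat6/lib/catalina.jar <no signer certificates>)",
]
# codeBase values of the AllPermission grants quoted in the message;
# ${catalina.home} is assumed to expand to /usr/share/tomcat6.
GRANTS = [
    "file:/usr/share/tomcat6-admin/manager/-",
    "file:/usr/share/tomcat6/lib/catalina.jar",
    "file:/usr/share/tomcat6/lib/-",
]
PREFIX = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ \S+\[\d+\]: ")
DENIED = re.compile(r"access denied \((.+?)\)")
SOURCE = re.compile(r"(?:PD|Active) CodeSource: \((\S+)")

def unescape(records):
    """Strip the syslog prefix, rejoin split records, undo #012/#011 escaping."""
    body = "".join(PREFIX.sub("", r) for r in records)
    return body.replace("#012", "\n").replace("#011", "\t")

def codebase_implies(pattern, location):
    """Location rules of a policy codeBase (scheme/host comparison omitted)."""
    if pattern.endswith("/-"):   # directory and everything below it
        return location.startswith(pattern[:-1])
    if pattern.endswith("/*"):   # files directly in the directory only
        return location[:location.rfind("/") + 1] == pattern[:-1]
    return location in (pattern, pattern + "/")   # exact match

def triage(records, grants):
    """Return (denied permissions, code sources that no grant covers)."""
    text = unescape(records)
    seen = sorted(set(SOURCE.findall(text)))
    uncovered = [s for s in seen if not any(codebase_implies(g, s) for g in grants)]
    return DENIED.findall(text), uncovered

if __name__ == "__main__":
    denied, uncovered = triage(SAMPLE, GRANTS)
    print("denied:", denied)
    print("not covered by any grant:", uncovered)
```
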