http://issues.apache.org/bugzilla/show_bug.cgi?id=43983

           Summary: codeBase of a webapp changes if antiResourceLocking is
                    active - Security policy fails
           Product: Tomcat 6
           Version: 6.0.14
          Platform: Sun
        OS/Version: Windows Vista
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]

I'm using Tomcat 6.0.14 with the "security" option in order to assign different permissions to several webapps running within the Tomcat security sandbox. However, I've encountered the following effect when I activate the antiResourceLocking flag in the context.xml file of my webapp:

As this flag causes the server to copy all the files of my webapp to the temp directory at runtime, the codeBase for the webapp also changes - but the SecurityManager doesn't recognise that it has changed. Consequently, the permissions for the specific webapp that I defined in catalina.policy actually don't apply and I get an "access denied" exception.

I have searched the web, the security FAQ and newsgroups for a hint or a workaround, but with no success. The Tomcat Users Mailing List could not help either.

With the help of the java.security.debug=all option I came to the workaround to simply set the codeBase in the catalina.policy file to the new location within the temp directory:

    grant codeBase "file:${catalina.home}/temp/1-foo/-" {
        /* list of assigned permissions */
    };

With this workaround everything works fine. However, the numeric prefix (e.g. "1-") of the webapp copied to the temp folder eventually changes, for instance when I redeploy the webapp or when I clear the temp directory. As a result, I always have to keep the catalina.policy file up-to-date with the current prefix of the webapp, otherwise the permissions fail.

I ask myself if there is a more elegant way to fix this problem, maybe by an internal mapping of the original codeBase of the webapp in ${catalina.home}/webapps/ to the ${catalina.home}/temp/ directory which then would be transparent for the SecurityManager?

If there's no easy way to fix it, at least a hint should be placed in the Tomcat Security FAQ that if antiResourceLocking is active, the codeBase of the webapp has to be adapted within the catalina.policy file.
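
Added example, not part of the original report and not Tomcat code: a Python check that flags catalina.policy grants pointing at a temp copy whose numeric prefix no longer exists, so the drift is caught before the webapp hits "access denied". It assumes the "<number>-<webapp>" directory naming and the codeBase form quoted in the report; the function names and sample data are hypothetical.

```python
import re

# Assumed grant form, as quoted in the report:
#   grant codeBase "file:${catalina.home}/temp/1-foo/-" {
GRANT_RE = re.compile(
    r'grant\s+codeBase\s+"file:\$\{catalina\.home\}/temp/(\d+)-([^/"]+)/-?"')
TEMP_DIR_RE = re.compile(r'^(\d+)-(.+)$')


def strip_comments(policy_text):
    """Drop /* */ blocks and whole-line // comments (commented-out grants)."""
    text = re.sub(r'/\*.*?\*/', '', policy_text, flags=re.S)
    return re.sub(r'(?m)^\s*//.*$', '', text)


def check_temp_grants(policy_text, temp_dir_names):
    """Return (matched, stale); stale items are (granted_dir, live_dirs)."""
    current = {}
    for name in temp_dir_names:
        m = TEMP_DIR_RE.match(name)
        if m:
            current.setdefault(m.group(2), []).append(name)
    matched, stale = [], []
    for prefix, webapp in GRANT_RE.findall(strip_comments(policy_text)):
        granted = f"{prefix}-{webapp}"
        live = sorted(current.get(webapp, []))
        if granted in live:
            matched.append(granted)
        else:
            stale.append((granted, live))
    return matched, stale


# Constructed sample input: the policy was written when the copy was
# temp/1-foo; the temp/ listing is from after a redeploy moved it to 3-foo.
SAMPLE_POLICY = '''
// grant codeBase "file:${catalina.home}/temp/0-old/-" { };
grant codeBase "file:${catalina.home}/temp/1-foo/-" {
    permission java.util.PropertyPermission "user.dir", "read";
};
grant codeBase "file:${catalina.home}/temp/2-bar/-" { };
'''
SAMPLE_TEMP = ["3-foo", "2-bar", "other.tmp"]

if __name__ == "__main__":
    ok, stale = check_temp_grants(SAMPLE_POLICY, SAMPLE_TEMP)
    for granted, live in stale:
        print(f"stale grant temp/{granted}; current copy: {live or 'none'}")
```

In real use, pass the contents of catalina.policy and os.listdir() of ${catalina.home}/temp instead of the constructed samples.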