https://issues.apache.org/bugzilla/show_bug.cgi?id=50854
Summary: Additional catalina.policy entries for when Security
Manager enabled, for session display functionality
Product: Tomcat 7
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Manager
AssignedTo: dev@tomcat.apache.org
ReportedBy: ne...@metawerx.net
When running under a security manager, in 7.0.x (and also around 6.0.29+), the
Sessions List options in the Tomcat Manager may display an error under certain
conditions.
CONDITION 1:
APR enabled, catalina.base == catalina.home:
- Encountered exception org.apache.jasper.JasperException:
javax.servlet.ServletException: java.lang.NoClassDefFoundError:
org/apache/catalina/ha/session/DeltaSession
This permission is required:
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.catalina.ha.*";
CONDITION 2:
Regardless of APR, if catalina.base != catalina.home and catalina.home is the
location of the webapps/manager application, this error displays:
FAIL - Encountered exception org.apache.jasper.JasperException: An exception
occurred processing JSP page /WEB-INF/jsp/sessionsList.jsp at line 99
96: <tbody>
97: <% Iterator iter = activeSessions.iterator();
98: while (iter.hasNext()) {
99: Session currentSession = (Session) iter.next();
100: String currentSessionId =
JspHelper.escapeXml(currentSession.getId());
101: %>
102: <tr>
This is because the policy file assumes there is a per-instance webapps/manager
application in catalina.base, as opposed to a shared one in catalina.home.
Suggested fix, in catalina.policy, replace ...
// The Manager application needs access to the following packages to support
the
// session display functionality
grant codeBase "file:${catalina.base}/webapps/manager/-" {
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.catalina";
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.catalina.manager";
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.catalina.manager.util";
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.catalina.ha.*";
};
... with ...
// The Manager application needs access to the following packages to support
the
// session display functionality
grant codeBase "file:${catalina.home}/webapps/manager/-" {
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.catalina";
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.catalina.manager";
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.catalina.manager.util";
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.catalina.ha.*";
};
// If using a per instance webapps directory, i.e. ${catalina.base}/webapps,
// then the following permission will need to be uncommented
// grant codeBase "file:${catalina.base}/webapps/manager/-" {
// permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.catalina";
// permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.catalina.manager";
// permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.catalina.manager.util";
// permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.catalina.ha.*";
// };
* In the above, I've used the same commented-out approach as the one for the
"file:${catalina.base}/lib/-" permissions for consistency, but the
catalina.base permissions could also be left uncommented if most installations
copy the default webapps folder into each instance and use it from there, to
make larger deployments easier.
Best Regards,
Neale Rudd
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
