https://issues.apache.org/bugzilla/show_bug.cgi?id=52460
Bug #: 52460
Summary: Unable to run signed .war files with security manager
Product: Tomcat 7
Version: 7.0.23
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Servlet & JSP API
AssignedTo: dev@tomcat.apache.org
ReportedBy: thomas.t...@oenb.at
Classification: Unclassified

Hi,

I stumbled upon an issue when trying to run Tomcat 7.0.23 (presumably all Tomcat versions) with a security manager. I managed without any problems to create a servlet, pack it into a .war containing a signed .jar file and run it with a security manager.

According to the final Java Servlet Specification (November 2009), in the application directory structure of a .war, the /WEB-INF/classes/ directory shall contain the application's .class files. /WEB-INF/lib/*.jar shall contain servlets, beans, static resources as well as other resources that are useful to the Web application.

So in my understanding the .war shall contain my application code under /WEB-INF/classes/ while utility code shall be placed under /WEB-INF/lib/.

Here is the problem: If I use this recommended way of file placement, it is impossible to run the application with a security manager properly. As the .class files reside under /WEB-INF/classes I can only sign the .war file. But this signature is not reflected in the security manager. Although the .war file (and also the .class files) is signed, the security manager is not provided with this information, making it impossible to create custom policies in catalina.policy.

Is using signed jars the only way of running servlets with a security manager? Is this a JVM or a Tomcat bug?

Thomas
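
The two catalina.policy grant forms that the report contrasts, as an added example that is not part of the original report: a signer-based grant for a signed JAR under /WEB-INF/lib/, and a location-based grant for /WEB-INF/classes/, which matches on codeBase alone and so does not depend on signer information reaching the security manager. The webapp name, JAR name, keystore path, alias and the permissions granted are assumed placeholders.

```conf
// Added example for catalina.policy (constructed; not from the bug report).
// Assumed names: webapp "myapp", JAR "util.jar", keystore alias "appsigner",
// keystore file ${catalina.base}/conf/signers.jks.

// Keystore used to resolve the signedBy alias below.
keystore "file:${catalina.base}/conf/signers.jks", "JKS";

// Signed JAR under WEB-INF/lib: the grant applies only to classes whose
// JAR signature verifies against the certificate stored as "appsigner".
grant signedBy "appsigner",
      codeBase "jar:file:${catalina.base}/webapps/myapp/WEB-INF/lib/util.jar!/-" {
    permission java.util.PropertyPermission "myapp.*", "read";
};

// Classes under WEB-INF/classes: matched by location only, no signer check.
// Keep each grant to the minimum the code at that location needs.
grant codeBase "file:${catalina.base}/webapps/myapp/WEB-INF/classes/-" {
    permission java.io.FilePermission "${catalina.base}/temp/myapp/-", "read,write";
};
```

A location-based grant trusts whatever is deployed at that path, so write access to the webapp directory has to be restricted to the deploying account.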