Mark,
On 9.2.2014 2:36, Ognjen Blagojevic wrote:
I also tried to test my production webapps, which also use DBCP2.
However I get a lot of AccessControlExceptions, which I resolved one by
one. Now I am stuck on a particularly stubborn FilePermission problem.
If I resolve that one and any exceptions that follow, I will report the
results of testing here.
I got one of my production webapps working (for the most part) with
security manager in 8.0.1 and 8.0.3.
In 8.0.1, I needed to add the following configuration to catalina.policy
(sensitive parts removed):
// Permissions granted to one web application when Tomcat runs under the
// Java security manager. The trailing "/-" in the codeBase matches every
// file below the context directory, recursively, so each permission here
// applies to all classes and JARs the webapp ships, not to one library.
// NOTE(review): where only one bundled JAR needs a permission, a separate
// grant with that JAR's codeBase keeps the rest of the webapp narrower.
grant codeBase "file:${catalina.base}/webapps/(context)/-" {
// Thread and class-loader access. These let webapp code modify threads
// and replace a thread's context class loader.
permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "setContextClassLoader";
// Read-only access to individual system properties; presumably looked up
// by the JSF implementation bundled with the webapp (verify).
permission java.util.PropertyPermission
"com.sun.faces.SerializationProvider", "read";
permission java.lang.RuntimePermission "getClassLoader";
permission java.util.PropertyPermission
"com.sun.faces.InjectionProvider", "read";
// Read-only; the trailing "-" makes the match recursive below META-INF.
// The path was redacted by the author.
permission java.io.FilePermission
"file:(...)\\WEB-INF\\lib\\(...)!\\META-INF\\-", "read";
// Reflection over declared (including non-public) members of classes.
permission java.lang.RuntimePermission "accessDeclaredMembers";
// accessClassInPackage.* opens packages that are otherwise closed to
// webapp code by the package.access security property; these two expose
// Tomcat-internal packages to the application.
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.catalina.util";
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.jasper.compiler";
// The JDK documentation describes createClassLoader as extremely
// dangerous: code that can instantiate its own class loader can define
// classes in any protection domain, which weakens the sandbox this
// policy is meant to enforce.
// NOTE(review): confirm which library requires it before keeping it.
permission java.lang.RuntimePermission "createClassLoader";
// Property reads, presumably by the OpenJPA and JavaMail libraries (verify).
permission java.util.PropertyPermission "openjpa.properties", "read";
permission java.util.PropertyPermission
"javax.persistence.properties", "read";
permission java.util.PropertyPermission "openjpa.slice.properties",
"read";
permission java.util.PropertyPermission
"javax.mail.Session.Factory", "read";
// Outbound network access is limited to a named host and port: name
// resolution for the mail server, then connect to one port only.
permission java.net.SocketPermission "(mailserver)", "resolve";
permission java.net.SocketPermission "(mailserver):(port)",
"connect,resolve";
// Access to Tomcat's repackaged DBCP2/pool2 classes. The message reports
// these were needed on 8.0.1 and could be dropped on 8.0.3.
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.tomcat.dbcp.dbcp2";
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.tomcat.dbcp.pool2";
// Same host-and-port scoping as above, for the database server.
permission java.net.SocketPermission "(dbserver)", "resolve";
permission java.net.SocketPermission "(dbserver):(port)",
"connect,resolve";
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.tomcat.dbcp.pool2.impl";
// JMX: create an MBean server and register the connection pool's MBean.
// The MBeanPermission target is scoped to one class, one object name and
// the single action "registerMBean". Both entries are also reported as
// removable on 8.0.3.
permission javax.management.MBeanServerPermission "createMBeanServer";
permission javax.management.MBeanPermission
"org.apache.tomcat.dbcp.pool2.impl.GenericObjectPool#-[Catalina:class=javax.sql.DataSource,context=/(context),host=localhost,name=\"(jndiname)\",pool=connections,type=DataSource]",
"registerMBean";
};
In 8.0.3, I was able to remove the following permissions from the above list:
// permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.tomcat.dbcp.dbcp2";
// permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.tomcat.dbcp.pool2";
// permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.tomcat.dbcp.pool2.impl";
// permission javax.management.MBeanPermission
"org.apache.tomcat.dbcp.pool2.impl.GenericObjectPool#-[Catalina:class=javax.sql.DataSource,context=/(context),host=localhost,name=\"(jndiname)\",pool=connections,type=DataSource]",
"registerMBean";
// permission javax.management.MBeanServerPermission "createMBeanServer";
HTH,
Ognjen