I'm trying to setup a tomcat6 server, and I'm trying to match another setup someone else established. However, my deployment (default Ubuntu install) uses a policy.d/
directory structure, and the established server just uses a catalina.policy
file. I've tried setting every entry in policy.d to match the given catalina.policy, but I still get the following stacktrace on boot (from localhost log).
I have two questions, then. First, how do I get tomcat to use a single poilcy file, rather than the directory structure presented by policy.d/
? Secondly, why, when I specify all files to use the same policy, do I still get the stack trace below?
Stack trace:
SEVERE: Servlet /myapp threw load() exception
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.jasper)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:342)
at java.security.AccessController.checkPermission(AccessController.java:553)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1529)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:291)
at java.lang.ClassLoader.loadClass(ClassLoader.java:264)
at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1314)
at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1245)
at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:332)
at org.apache.jasper.servlet.JspServlet.init(JspServlet.java:100)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:244)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:537)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:276)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:162)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:115)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1166)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:992)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4058)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:4367)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:123)
at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:769)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:525)
at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:978)
at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:941)
at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:499)
at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1201)
at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:318)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
at org.apache.catalina.core.StandardService.start(StandardService.java:516)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
at org.apache.catalina.startup.Catalina.start(Catalina.java:578)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:616)
at org.apache.commons.daemon.support.DaemonLoader.start(DaemonLoader.java:177)
Policy.d
grant codeBase "file:${java.home}/lib/-" {
permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/-" {
permission java.security.AllPermission;
};
// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/../lib/-" {
permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions when
// ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/lib/ext/-" {
permission java.security.AllPermission;
};
// ========== CATALINA CODE PERMISSIONS =======================================
// These permissions apply to the daemon code
grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
permission java.security.AllPermission;
};
// These permissions apply to the logging API
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
permission java.util.PropertyPermission "java.util.logging.config.class", "read";
permission java.util.PropertyPermission "java.util.logging.config.file", "read";
permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
permission java.lang.RuntimePermission "shutdownHooks";
permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
permission java.util.PropertyPermission "catalina.base", "read";
permission java.util.logging.LoggingPermission "control";
permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
permission java.lang.RuntimePermission "getClassLoader";
// To enable per context logging configuration, permit read access to the appropriate file.
// Be sure that the logging configuration is secure before enabling such access
// eg for the examples web application:
// permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
};
// These permissions apply to the server startup code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
permission java.security.AllPermission;
};
// These permissions apply to the servlet API classes
// and those that are shared across all class loaders
// located in the "lib" directory
grant codeBase "file:${catalina.home}/lib/-" {
permission java.security.AllPermission;
};
// ========== WEB APPLICATION PERMISSIONS =====================================
// These permissions are granted by default to all web applications
// In addition, a web application will be given a read FilePermission
// and JndiPermission for all files and directories in its document root.
grant {
// Required for JNDI lookup of named JDBC DataSource's and
// javamail named MimePart DataSource used to send mail
permission java.util.PropertyPermission "java.home", "read";
permission java.util.PropertyPermission "java.naming.*", "read";
permission java.util.PropertyPermission "javax.sql.*", "read";
// OS Specific properties to allow read access
permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.version", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";
// JVM properties to allow read access
permission java.util.PropertyPermission "java.version", "read";
permission java.util.PropertyPermission "java.vendor", "read";
permission java.util.PropertyPermission "java.vendor.url", "read";
permission java.util.PropertyPermission "java.class.version", "read";
permission java.util.PropertyPermission "java.specification.version", "read";
permission java.util.PropertyPermission "java.specification.vendor", "read";
permission java.util.PropertyPermission "java.specification.name", "read";
permission java.util.PropertyPermission "java.vm.specification.version", "read";
permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
permission java.util.PropertyPermission "java.vm.specification.name", "read";
permission java.util.PropertyPermission "java.vm.version", "read";
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";
// Required for OpenJMX
permission java.lang.RuntimePermission "getAttribute";
// Allow read of JAXP compliant XML parser debug
permission java.util.PropertyPermission "jaxp.debug", "read";
// Precompiled JSPs need access to this package.
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
// Precompiled JSPs need access to this system property.
permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
};
Ok first thing: Do you really need to use a Java Security Policy? The simplest solution by far is to disable this in tomcat's startup script:
in /etc/init.d/tomcat6 replace
with
Assuming you must use the security manager, and you must match an existing installation, I would suggest un-installing tomcat6, downloading it from the web, and running the whole directory out of /opt or /usr/local. This will mean you have to track security updates yourself, but at least all the files are in same place and it will be easier to get help with configuration.
OK, now lets try to work with what you have. If you have a custom policy file, this should be the ONLY file in policy.d, or at least add your permissions to "50local.policy" which is intended to override all the other files. Alternatively you can change the the path in to the security policy in /etc/init.d/tomcat6
You should also add "-Djava.security.debug=failure" to the security section like so:
This will give you much more helpful error messages, often telling you exactly what permissions to add to the policy to avoid the error.
Note: If using TOMCAT with Eclipse, double click on TOMCAT in the server tab and un-check 'Use Security'
I have never liked how Ubuntu scatters the Tomcat files all over the place. Rather, I prefer to download the Tomcat binary distribution and set up a custom configuration, which I believe is simpler, more flexible and easier to maintain. I've explained how to do this in a couple of blog entries on my site at http://www.brianshowalter.com.
I would also question whether it's really necessary to use the Java security policy. In certain cases, yes, it provides valuable additional security for applications that handle sensitive data, but I suspect that in many cases the additional complexity and need to get the configuration just right isn't worth the extra time and effort.