Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Who is not granted???

1 view
Skip to first unread message

EdUarDo

unread,
Mar 18, 2004, 7:46:03 AM3/18/04
to
Hi,
How could I know which class has access denied to some permission when I get an access denied exception?

Christophe Vanfleteren

unread,
Mar 18, 2004, 8:00:47 AM3/18/04
to
EdUarDo wrote:

What are you trying to, and in what environment (applets, java
webstart, ...).

Do you have a policy file, is the applet signed, is a securitymanager
running, ...?

In other words, give more information.

--
Kind regards,
Christophe Vanfleteren

Andrew Thompson

unread,
Mar 18, 2004, 8:06:27 AM3/18/04
to
On Thu, 18 Mar 2004 13:46:03 +0100, EdUarDo wrote:

> How could I know which class has access denied
> to some permission when I get an access denied exception?

The Stacktrace is usually helpful in that regard

Exception.printStackTrace()* is your friend

* inherets it from
Throwable.printStackTrace()

--
Andrew Thompson
* http://www.PhySci.org/ Open-source software suite
* http://www.PhySci.org/codes/ Web & IT Help
* http://www.1point1C.org/ Science & Technology

EdUarDo

unread,
Mar 18, 2004, 10:42:44 AM3/18/04
to
Christophe Vanfleteren wrote:
> EdUarDo wrote:
>
>
>>Hi,
>>How could I know which class has access denied to some permission when I
>>get an access denied exception?
>
>
> What are you trying to, and in what environment (applets, java
> webstart, ...).
>
> Do you have a policy file, is the applet signed, is a securitymanager
> running, ...?
>
> In other words, give more information.
>

Sorry, It's a web application, using Tomcat 5.0.18, J2SDK1.4.2_02. I have
a policy file where I think I've granted permission to whole application,
but I get a permission exception anyway.

Of course, there is a SecutityManager because I've start Tomcat with -security
parameter at command line.

EdUarDo

unread,
Mar 18, 2004, 10:48:53 AM3/18/04
to
Andrew Thompson wrote:
> On Thu, 18 Mar 2004 13:46:03 +0100, EdUarDo wrote:
>
>
>>How could I know which class has access denied
>>to some permission when I get an access denied exception?
>
>
> The Stacktrace is usually helpful in that regard
>
> Exception.printStackTrace()* is your friend
>
> * inherets it from
> Throwable.printStackTrace()
>

The stack trace is:


java.security.AccessControlException: access denied (java.io.FilePermission
/home/eduardoyp/Aplicaciones/jakarta-tomcat-5.0.18/webapps/smulti/WEB-INF/classes/net/sf/cglib/MethodProxy$Generator.class
read)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
at java.security.AccessController.checkPermission(AccessController.java:401)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
at java.lang.SecurityManager.checkRead(SecurityManager.java:863)
at java.io.File.exists(File.java:678)
at org.apache.naming.resources.FileDirContext.file(FileDirContext.java:873)
at org.apache.naming.resources.FileDirContext.lookup(FileDirContext.java:255)
at org.apache.naming.resources.ProxyDirContext.lookup(ProxyDirContext.java:334)
at org.apache.catalina.loader.WebappClassLoader.findResourceInternal(WebappClassLoader.java:1750)
at org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappClassLoader.java:1618)
at org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:900)
at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1350)
at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1230)
at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:302)
at net.sf.cglib.MetaClass.addMembers(MetaClass.java:119)
at net.sf.cglib.MetaClass.<init>(MetaClass.java:104)
at es.bancoval.bfci18n.support.database.TgrDescriptionMetaClass13.<init>(<generated>)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:274)
at net.sf.cglib.MetaClass.getInstance(MetaClass.java:259)
at net.sf.hibernate.util.ReflectHelper.getMetaClass(ReflectHelper.java:319)
at net.sf.hibernate.persister.AbstractEntityPersister.<init>(AbstractEntityPersister.java:589)
at net.sf.hibernate.persister.EntityPersister.<init>(EntityPersister.java:665)
at net.sf.hibernate.persister.PersisterFactory.create(PersisterFactory.java:29)
at net.sf.hibernate.impl.SessionFactoryImpl.<init>(SessionFactoryImpl.java:207)
at net.sf.hibernate.cfg.Configuration.buildSessionFactory(Configuration.java:627)
at es.bancoval.bfci18n.support.database.DBBasicManager.<init>(DBBasicManager.java:23)
at es.bancoval.bfci18n.support.commands.GetProjects.execute(GetProjects.java:19)
at es.bancoval.bfci18n.support.controller.Helper.getProjects(Helper.java:455)
at es.bancoval.bfci18n.support.controller.MultiController.service(MultiController.java:74)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
at sun.reflect.GeneratedMethodAccessor64.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:284)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:500)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:306)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:200)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:278)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:97)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:183)
at es.bfc.base.filter.AuthenticateFilter.doFilter(AuthenticateFilter.java:115)
at es.bfc.base.filter.AbstractFilter.doFilter(AbstractFilter.java:71)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:284)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:500)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:306)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:256)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:97)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:183)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:257)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:245)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:199)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:195)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:156)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:972)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:206)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:700)
at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:584)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
at java.lang.Thread.run(Thread.java:534)

The problem is that I've granted with java.security.AllPermission several libraries like
hibernate, es.bancoval.*, es.bfc.*, org.apache.*, etc... Thus I'd like to know which is the class
which is not granted...

Andrew Thompson

unread,
Mar 18, 2004, 11:33:30 AM3/18/04
to
On Thu, 18 Mar 2004 16:48:53 +0100, EdUarDo wrote:
> Andrew Thompson wrote:
>> On Thu, 18 Mar 2004 13:46:03 +0100, EdUarDo wrote:
..
>>>How could I know which class has access denied..?
..

>> The Stacktrace is usually helpful in that regard
..

> java.security.AccessControlException: access denied (java.io.FilePermission
> /home/eduardoyp/Aplicaciones/jakarta-tomcat-5.0.18/webapps/smulti/WEB-INF/classes/net/sf/cglib/MethodProxy$Generator.class
> read)

If I am reading this correctly (I have made mistakes)

net.sf.cglib.MethodProxy$Generator

..cannot be read

> The problem is that I've granted with java.security.AllPermission several libraries like
> hibernate, es.bancoval.*, es.bfc.*, org.apache.*, etc... Thus I'd like to know which is the class
> which is not granted...

See above.

Michael Amling

unread,
Mar 18, 2004, 11:39:30 AM3/18/04
to
EdUarDo wrote:
> The stack trace is:
>
> java.security.AccessControlException: access denied
> (java.io.FilePermission
> /home/eduardoyp/Aplicaciones/jakarta-tomcat-5.0.18/webapps/smulti/WEB-INF/classes/net/sf/cglib/MethodProxy$Generator.class
> read)
> at
> java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
>
> at
> java.security.AccessController.checkPermission(AccessController.java:401)
> at
> java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
> at java.lang.SecurityManager.checkRead(SecurityManager.java:863)
> at java.io.File.exists(File.java:678)
> at
> org.apache.naming.resources.FileDirContext.file(FileDirContext.java:873)
> ...

It looks like org.apache.naming.resources.FileDirContext.file issues
the call to File.exists, and File.exists calls the SecurityManager, and
the SecurityManager throws an AccessControlException rather than returns.

>
> The problem is that I've granted with java.security.AllPermission
> several libraries like
> hibernate, es.bancoval.*, es.bfc.*, org.apache.*, etc... Thus I'd like
> to know which is the class
> which is not granted...

--Mike Amling

EdUarDo

unread,
Mar 18, 2004, 11:57:33 AM3/18/04
to
Andrew Thompson wrote:
> On Thu, 18 Mar 2004 16:48:53 +0100, EdUarDo wrote:
>
>>Andrew Thompson wrote:
>>
>>>On Thu, 18 Mar 2004 13:46:03 +0100, EdUarDo wrote:
>
> ..
>
>>>>How could I know which class has access denied..?
>
> ..
>
>>>The Stacktrace is usually helpful in that regard
>
> ..
>
>>java.security.AccessControlException: access denied (java.io.FilePermission
>>/home/eduardoyp/Aplicaciones/jakarta-tomcat-5.0.18/webapps/smulti/WEB-INF/classes/net/sf/cglib/MethodProxy$Generator.class
>>read)
>
>
> If I am reading this correctly (I have made mistakes)
>
> net.sf.cglib.MethodProxy$Generator
>
> ..cannot be read

yes, I know read stack traces, but in my policy file I've granted java.security.AllPermission to
any application running in my Tomcat... so why I got this Exception?

EdUarDo

unread,
Mar 18, 2004, 12:01:39 PM3/18/04
to
Michael Amling wrote:
> EdUarDo wrote:
>
>> The stack trace is:
>>
>> java.security.AccessControlException: access denied
>> (java.io.FilePermission
>> /home/eduardoyp/Aplicaciones/jakarta-tomcat-5.0.18/webapps/smulti/WEB-INF/classes/net/sf/cglib/MethodProxy$Generator.class
>> read)
>> at
>> java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
>>
>> at
>> java.security.AccessController.checkPermission(AccessController.java:401)
>> at
>> java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
>> at java.lang.SecurityManager.checkRead(SecurityManager.java:863)
>> at java.io.File.exists(File.java:678)
>> at
>> org.apache.naming.resources.FileDirContext.file(FileDirContext.java:873)
>
> > ...
>
> It looks like org.apache.naming.resources.FileDirContext.file issues
> the call to File.exists, and File.exists calls the SecurityManager, and
> the SecurityManager throws an AccessControlException rather than returns.

I thought so, but in my policy file I have:

grant codeBase "file:${catalina.home}/common/-" {
permission java.security.AllPermission;
};

and at .....common/lib is the naming-resources.jar, so it might work, or I'm in a mistake?

EdUarDo

unread,
Mar 18, 2004, 12:03:02 PM3/18/04
to
I'm sorry if I'm expressing a bit hard, but I'm not speak english very well...

EdUarDo

unread,
Mar 18, 2004, 12:12:27 PM3/18/04
to
> I thought so, but in my policy file I have:
>
> grant codeBase "file:${catalina.home}/common/-" {
> permission java.security.AllPermission;
> };
>
> and at .....common/lib is the naming-resources.jar, so it might work, or
> I'm in a mistake?

well, instead of codeBase "file:${catalina.home}/common/-"...
I'm specified codeBase "file:${catalina.home}/common/lib/naming-resources.jar"
and it has worked!. Why it doesn't work with first statement???

EdUarDo

unread,
Mar 18, 2004, 12:26:17 PM3/18/04
to

I'm sorry again. I tested it without -security argument for Tomcat...

Andrew Thompson

unread,
Mar 18, 2004, 1:38:15 PM3/18/04
to
On Thu, 18 Mar 2004 18:03:02 +0100, EdUarDo wrote:

> I'm sorry if I'm expressing a bit hard, but I'm not speak english very well...

You speak English enough, but you leave
out important details.

No mention at first of policy files.

[ I read your English OK,
I not read your mind! ;-) ]

William Brogden

unread,
Mar 18, 2004, 5:14:37 PM3/18/04
to

"EdUarDo" <edu...@pesima.com> wrote in message
news:c3ckdt$26fh5i$1...@ID-202343.news.uni-berlin.de...

I just went through this trying to get a JavaSpaces connection working. It
turned out
that
1. Tomcat 5.0.19 did NOT handle policy correctly when on port 80 even though
it worked with port 8080 !!
2. Reverting back to Tomcat 4.1.30 worked whn my policy file specified the
application path.
grant codeBase "file:${catalina.home}/webapps/javaspace/WEB-INF/classes/-" {
permission java.security.AllPermission;
};


----== Posted via Newsfeed.Com - Unlimited-Uncensored-Secure Usenet News==----
http://www.newsfeed.com The #1 Newsgroup Service in the World! >100,000 Newsgroups
---= 19 East/West-Coast Specialized Servers - Total Privacy via Encryption =---

EdUarDo

unread,
Mar 22, 2004, 5:04:11 AM3/22/04
to
> I just went through this trying to get a JavaSpaces connection working. It
> turned out
> that
> 1. Tomcat 5.0.19 did NOT handle policy correctly when on port 80 even though
> it worked with port 8080 !!
> 2. Reverting back to Tomcat 4.1.30 worked whn my policy file specified the
> application path.
> grant codeBase "file:${catalina.home}/webapps/javaspace/WEB-INF/classes/-" {
> permission java.security.AllPermission;
> };

Hi again :), I've managed to get my security working... I've tried the same configuration
on Tomcat 4.1.30 and it works fine!!, moreover it has pointed that there were some security
exceptions that Tomcat 5 don't told me.

0 new messages