run jease with tomcat security


mohammad ghasemy

Jun 5, 2011, 8:36:03 PM
to je...@googlegroups.com
Hi Maik
I tested Jease with Tomcat security, but my Jease site and CMS do not work!
My guess was about the db4o directory, so I added an access grant to the catalina.policy file, but it still does not work!
What is the main problem?

--
GNU-LINUX IS THE BEST O.S.

Maik Jablonski

Jun 6, 2011, 4:37:38 AM
to je...@googlegroups.com
Hi,

> I tested Jease with Tomcat security, but my Jease site and CMS do not work!
> My guess was about the db4o directory, so I added an access grant to the
> catalina.policy file, but it still does not work!
> What is the main problem?

There might be several issues with Tomcat's default security policies
that come to mind:

- File access (outside of webapp)
- Reflection
- Access to Java-Compiler
- ...

I've only a little experience with Tomcat security, so please note that
I'm not a big expert in this area...

To debug this I would recommend to start Tomcat the following way:

export CATALINA_OPTS="-Djava.security.debug=access,failure"
bin/catalina.sh run -security 2>security.log

Now you can access the "security.log" and see where security violations
are thrown... The first one I encountered was:

access: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)
java.lang.Exception: Stack trace
at java.lang.Thread.dumpStack(Thread.java:1223)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:383)
at java.security.AccessController.checkPermission(AccessController.java:553)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:125)
at jfix.util.Reflections.init(Reflections.java:212)
at jease.Names.<clinit>(Names.java:24)
at jease.cmf.web.servlet.JeaseServletListener.contextInitialized(JeaseServletListener.java:33)

So this one is about using Reflection to initialize the
jease.Names-class. But I'm sure there are more to come.

If you get to a working catalina.policy, please let us know and post it.

Cheers, Maik
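
The log-reading step described in the reply above, as an added example that is not part of the original thread and not Jease or Tomcat code: it collects each distinct "access denied" entry from security.log, notes the first non-JDK stack frame that triggered it, and prints candidate grant lines scoped to one webapp for manual review. The function names, the webapps/jease codeBase and the second log entry are assumptions made for illustration.

```python
import re
from collections import OrderedDict

# Handles the unquoted form shown in the thread and the quoted form that
# newer JDKs print: access denied ("Class" "name" "actions").
# Limitation: permission names containing spaces are not handled.
DENIED = re.compile(r'access: access denied \((.+)\)\s*$')
FRAME = re.compile(r'^\s*at ([\w.$<>]+)\(')
JDK_PREFIXES = ("java.", "javax.", "sun.", "jdk.")

def parse_denials(lines):
    """Map (class, name, actions) -> first non-JDK frame, in log order."""
    denials, current = OrderedDict(), None
    for line in lines:
        m = DENIED.search(line)
        if m:
            parts = [p.strip('"') for p in m.group(1).split()]
            current = tuple((parts + ["", ""])[:3])
            denials.setdefault(current, None)
            continue
        f = FRAME.match(line)
        if f and current and denials[current] is None:
            if not f.group(1).startswith(JDK_PREFIXES):
                denials[current] = f.group(1)
    return denials

def to_policy(denials, code_base):
    """Render candidate grants for review; scoped to code_base, not global."""
    out = ['grant codeBase "%s" {' % code_base]
    for (cls, name, actions), frame in denials.items():
        out.append("    // requested by: %s" % (frame or "unknown"))
        perm = "    permission %s" % cls
        if name:
            perm += ' "%s"' % name
        if actions:
            perm += ', "%s"' % actions
        out.append(perm + ";")
    out.append("};")
    return "\n".join(out)

# First entry is taken from the thread (shortened); the second is constructed.
SAMPLE_LOG = """\
access: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)
java.lang.Exception: Stack trace
at java.lang.Thread.dumpStack(Thread.java:1223)
at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:125)
at jfix.util.Reflections.init(Reflections.java:212)
access: access denied ("java.io.FilePermission" "/opt/example/db4o/jease.db4o" "read")
    at java.io.File.exists(File.java:0)
    at example.Storage.open(Storage.java:0)
"""

if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG.splitlines())
    print(to_policy(found, "file:${catalina.base}/webapps/jease/-"))
```

Each printed permission is a candidate to check against the frame that requested it before it goes into catalina.policy.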

mohammad ghasemy

Jun 6, 2011, 6:53:46 AM
to je...@googlegroups.com
On Mon, Jun 6, 2011 at 1:07 PM, Maik Jablonski <maik.ja...@jease.org> wrote:
> Hi,
>
> > I tested Jease with Tomcat security, but my Jease site and CMS do not work!
> > My guess was about the db4o directory, so I added an access grant to the
> > catalina.policy file, but it still does not work!
> > What is the main problem?
>
> There might be several issues with Tomcat's default security policies
> that come to mind:
>
> - File access (outside of webapp)
> - Reflection
> - Access to Java-Compiler
> - ...
>
> I've only a little experience with Tomcat security, so please note that
> I'm not a big expert in this area...
>
> To debug this I would recommend to start Tomcat the following way:
>
> export CATALINA_OPTS="-Djava.security.debug=access,failure"
> bin/catalina.sh run -security 2>security.log
>
> Now you can access the "security.log" and see where security violations
> are thrown... The first one I encountered was:

Thanks a lot, I didn't think about this way.
Yes, this is the best way to find the main cause of this problem.

> access: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)
> java.lang.Exception: Stack trace
>        at java.lang.Thread.dumpStack(Thread.java:1223)
>        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:383)
>        at java.security.AccessController.checkPermission(AccessController.java:553)
>        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
>        at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:125)
>        at jfix.util.Reflections.init(Reflections.java:212)
>        at jease.Names.<clinit>(Names.java:24)
>        at jease.cmf.web.servlet.JeaseServletListener.contextInitialized(JeaseServletListener.java:33)
>
> So this one is about using Reflection to initialize the
> jease.Names-class. But I'm sure there are more to come.
>
> If you get to a working catalina.policy, please let us know and post it.

Of course, I will report everything that can be useful for others.

> Cheers, Maik

Thanks
Regards
Mohammad