axis and tomcat security manager



I'm trying to run a web service using Tomcat with its security manager enabled. I have it running fine, except now I wish to add a call to an executable in the web service. Normally I would give the axis webapp read and execute permissions in the catalina.policy file to the executable in question. However, this is not working correctly and is still throwing a security exception.

I have been running with the JVM arg -Djava.security.debug=access to give me some more information, but it's not being too helpful.

If I grant all permissions to every class then all is fine (as expected), for example:
grant{
permission java.security.AllPermission;
};

The following statements do not work and throw the same security exception:
grant codeBase "file:/usr/local/jakarta-tomcat-5.5.4/webapps/axis/WEB-INF/lib/axis.jar"{
permission java.security.AllPermission;
};

grant codeBase "file:/usr/local/jakarta-tomcat-5.5.4/webapps/axis/-"{
permission java.security.AllPermission;
};
and even
grant codeBase "file:/-"{
permission java.security.AllPermission;
};



Any help/ideas would be great.

Thanks in advance.

Tim

The thrown exception is shown below:

java.security.AccessControlException: access denied (java.io.FilePermission /usr/bin/quota execute)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
at java.security.AccessController.checkPermission(AccessController.java:427)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkExec(SecurityManager.java:779)
at java.lang.ProcessBuilder.start(ProcessBuilder.java:447)
at java.lang.Runtime.exec(Runtime.java:591)
at java.lang.Runtime.exec(Runtime.java:429)
at java.lang.Runtime.exec(Runtime.java:326)
at Quota.getUsage(Quota.java:12) <!-- my class in axis webapp
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:397)
at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:186)
at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:323)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:453)
at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:327)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:239)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:271)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:157)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:50)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:140)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:136)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:825)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:731)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:526)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
at java.lang.Thread.run(Thread.java:595)
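
Added example, not part of the original post: a small Java program that uses the JDK's own CodeSource.implies, the comparison behind codeBase matching, to show which of the four grant entries above apply to code loaded from a given location. The class name CodeBaseMatch, the helper names and the sample locations are constructed for illustration; only the codeBase strings come from the post.

```java
import java.net.URI;
import java.security.CodeSource;
import java.security.cert.Certificate;

public class CodeBaseMatch {
    // A CodeSource with the given location and no signers; null means "no location".
    static CodeSource cs(String url) throws Exception {
        return new CodeSource(url == null ? null : URI.create(url).toURL(),
                              (Certificate[]) null);
    }

    // True when a grant entry with this codeBase applies to code loaded from 'location'.
    static boolean applies(String codeBase, String location) throws Exception {
        return cs(codeBase).implies(cs(location));
    }

    public static void main(String[] args) throws Exception {
        String axis = "file:/usr/local/jakarta-tomcat-5.5.4/webapps/axis/";
        String[] grants = {              // the four entries from the post
            null,                        // grant { ... } with no codeBase
            axis + "WEB-INF/lib/axis.jar",
            axis + "-",                  // everything below axis/, recursively
            "file:/-",                   // every file: location
        };
        String[] locations = {           // constructed sample locations
            axis + "WEB-INF/lib/axis.jar",
            axis + "WEB-INF/classes/",
            "file:/opt/example/other.jar",
            null,                        // class defined with no location at all
        };
        for (String loc : locations) {
            System.out.println("code from " + loc + ":");
            for (String g : grants) {
                String label = (g == null) ? "grant with no codeBase" : g;
                System.out.println("  " + (applies(g, loc) ? "applies  " : "skipped  ") + label);
            }
        }
    }
}
```

A permission check succeeds only when every protection domain on the calling stack, up to the nearest doPrivileged frame, holds the permission, so each class in the trace above needs a matching entry. A CodeSource whose location is null is matched only by the grant with no codeBase, not by "file:/-".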