Titlejava.io.FilePermission access denied for tomcat catalina.policy
Date26-Oct-2006 06:28:00 EEST
Bug criticalityLightBug
Browser versionFirefox
Bug statusClosedBug
PageProvider used
Servlet ContainerTomcat 4.1.30
Operating SystemMac OSX
Java version1.4.2

I normally run Tomcat with the SecurityManager and strict security policies implemented in catalina.policy. I followed the instructions for merging the jspwiki.policy entries into catalina.policy and moved the jspwiki.jks keystore.

While researching this I was running Tomcat with security debug enabled by using -Djava.security.debug=access,failure

No matter what changes I made to catalina.policy (except granting everything AllPermissions) caused a java.io.FilePermission when com.ecyrd.jspwiki.auth.PolicyLoader used f.exists() for catalina.polic in the PolicyLoader.isSecurityPolicyConfigured() method.

From reviewing this method it is really only there to provide debug information and isn't critical to running JSPWiki with JAAS.

To overcome this problem I wrapped the methods which were triggering the java.io.FilePermission access denied exceptions with a try/catch for a SecurityPermission. Then logged the security exception as a warning.

Once I applied the above patch using the security debug output I was able to quickly tune the permission in my catalina.policy to get JSPWiki working with Container Manager Security and JAAS.

The patch for PolicyLoader.java is attached.

Adding name of bug submitter.

--Glenn Nielsen, 01-Nov-2006

There is nothing attached ?!
Is this bug still occuring after 2.5.26:
2007-02-24  Andrew Jaquith <andrew AT freshcookies DOT org>

       * 2.5.26
       * Major enhancement: replaced JSPWiki's dependency on the global,
       JVM-wide security policy with a "local policy" that is always 
       read from WEB-INF/jspwiki.policy. If you have a JVM-wide policy,
       the local policy will supplement it. The practical upshot of this
       change is that the most common configuration challenge that most
       first-time admins face (why won't any pages display?) is gone,
       and gone forever. No more fiddling with the java.security.policy
       property! The syntax for the local policy is exactly the same
       as what it's always been; but now it Just Works instead of
       Mostly Works.

Or is this a duplicate of BugJspwiki.policyIgnoredWhenUsingSecurityManager ?

--HarryMetske, 21-Mar-2007

Harry, this issue still exists, and was not closed by the 2.5 revisions. But it is indeed a duplicate of the other bug, so we should close it.

--Andrew Jaquith, 28-Mar-2007

Bug closed, duplicate...


Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-6) was last changed on 29-Mar-2007 22:20 by HarryMetske