|Title|java.io.FilePermission access denied for tomcat catalina.policy
|Date|26-Oct-2006 06:28:00 EEST
|[Bug criticality]|LightBug
|Browser version|Firefox
|[Bug status]|ClosedBug
|[PageProvider] used|
|Servlet Container|Tomcat 4.1.30
|Operating System|Mac OSX
|Java version|1.4.2

I normally run Tomcat with the SecurityManager and strict security policies
implemented in catalina.policy. I followed the instructions for merging the
jspwiki.policy entries into catalina.policy and moved the jspwiki.jks keystore.

While researching this I was running Tomcat with security debug enabled
by using -Djava.security.debug=access,failure

No matter what changes I made to catalina.policy (except granting everything
AllPermissions) caused a java.io.FilePermission when com.ecyrd.jspwiki.auth.PolicyLoader used f.exists() for catalina.polic in
the PolicyLoader.isSecurityPolicyConfigured() method.

From reviewing this method it is really only there to provide debug
information and isn't critical to running JSPWiki with JAAS.

To overcome this problem I wrapped the methods which were triggering
the java.io.FilePermission access denied exceptions with a try/catch
for a SecurityPermission. Then logged the security exception as a warning.

Once I applied the above patch using the security debug output I was
able to quickly tune the permission in my catalina.policy to get JSPWiki
working with Container Manager Security and JAAS.

The patch for PolicyLoader.java is attached.


Adding name of bug submitter.

--Glenn Nielsen, 01-Nov-2006
There is nothing attached ?!
\\Is this bug still occuring after 2.5.26:
2007-02-24  Andrew Jaquith <andrew AT freshcookies DOT org>

       * 2.5.26
       * Major enhancement: replaced JSPWiki's dependency on the global,
       JVM-wide security policy with a "local policy" that is always 
       read from WEB-INF/jspwiki.policy. If you have a JVM-wide policy,
       the local policy will supplement it. The practical upshot of this
       change is that the most common configuration challenge that most
       first-time admins face (why won't any pages display?) is gone,
       and gone forever. No more fiddling with the java.security.policy
       property! The syntax for the local policy is exactly the same
       as what it's always been; but now it Just Works instead of
       Mostly Works.


Or is this a duplicate of [BugJspwiki.policyIgnoredWhenUsingSecurityManager] ?

--HarryMetske, 21-Mar-2007


Harry, this issue still exists, and was not closed by the 2.5 revisions. But it is indeed a duplicate of the other bug, so we should close it.

--Andrew Jaquith, 28-Mar-2007

Bug closed, duplicate...