Title: jspwiki fails with security manager in container
Date: 24-Jan-2007 23:56:47 EET
Bug criticality: BadBug
Browser version: firefox 1..07
Bug status: ClosedBug
PageProvider used: RCSFileProvider
Servlet Container: tomcat 5.5.20
Operating System: Fedora Core 5, 2.6.18-1.2239.fc5
Java version: Jdk 1.6.0

I have turned on the security manager in tomcat. Beyond the grants in the jspwiki.policy, I had to add:

grant signedBy "jspwiki" {
    permission java.util.PropertyPermission       "user.dir", "read,write";
    permission java.util.PropertyPermission       "java.io.tmpdir", "read,write";
};

Now, I get a page from tomcat with an exception dump (I'll try to attach). It seems that com.ecyrd.jspwiki.WikiSession.invalidate(WikiSession.java:551) adds to the JAAS subjects principal. I added

permission javax.security.auth.AuthPermission "modifyPrincipals";

but to no avail. My knowledge of Java access control is sorely lacking, but I guess that calls to AccessController.doPrivileged are missing.

JSPWiki doesn't run with a Java security manager just yet. We haven't fully enumerated all of the Java permissions JSPWiki needs. Stay tuned, but in the meantime you will need to run JSPWiki without a security manager.

--Andrew Jaquith, 29-Jan-2007

Assuming fixed since we now use a local security policy.

List of attachments

stack.txt (10.9 kB, version 1, modified 24-Jan-2007 23:57)
This page (revision-4) was last changed on 19-Feb-2008 14:30 by HarryMetske