Title | jspwiki fails with security manager in container |
Date | 24-Jan-2007 23:56:47 EET |
Version | 2.4.87 |
Submitter | 82.136.101.83 |
Bug criticality | BadBug |
Browser version | firefox 1..07 |
Bug status | ClosedBug |
PageProvider used | RCSFileProvider |
Servlet Container | tomcat 5.5.20 |
Operating System | Fedora Core 5, 2.6.18-1.2239.fc5 |
URL | http://localhost/mini/Wiki.jsp?page=Main |
Java version | Jdk 1.6.0 |
I have turned on the security manager in tomcat. Beyond the grants in the jspwiki.policy, I had to add:
grant signedBy "jspwiki" {
    permission java.util.PropertyPermission "user.dir", "read,write";
    permission java.util.PropertyPermission "java.io.tmpdir", "read,write";
};
Now, I get a page from tomcat with an exception dump (I'll try to attach). It seems that com.ecyrd.jspwiki.WikiSession.invalidate(WikiSession.java:551) adds to the JAAS subject's principals. I added
permission javax.security.auth.AuthPermission "modifyPrincipals";
but to no avail. My knowledge of Java access control is sorely lacking, but I guess that calls to AccessController.doPrivileged are missing.
JSPWiki doesn't run with a Java security manager just yet. We haven't fully enumerated all of the Java permissions JSPWiki needs. Stay tuned, but in the meantime you will need to run JSPWiki without a security manager.
--Andrew Jaquith, 29-Jan-2007
Assuming fixed since we now use a local security policy.
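The pattern the submitter guesses at, as an added example that is not JSPWiki code and not taken from this report: a principal is added to a JAAS Subject inside AccessController.doPrivileged, so the AuthPermission "modifyPrincipals" check stops at the helper's own protection domain. The class and method names are hypothetical, and the page does not confirm that this was the cause of the reported failure.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

// Hypothetical helper for illustration only; names are assumptions.
public final class PrivilegedSubjectUpdate {

    /** Minimal Principal used only by this demonstration. */
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public String toString() { return "NamedPrincipal[" + name + "]"; }
    }

    /*
     * Under a security manager, Subject.getPrincipals().add(...) checks
     * javax.security.auth.AuthPermission "modifyPrincipals" against every
     * protection domain on the call stack. A grant such as
     *     grant signedBy "jspwiki" { ... }
     * covers only classes loaded from a jar signed under that keystore alias,
     * so callers from other code sources (for example container-compiled JSP
     * classes) would still fail the check. doPrivileged truncates the stack
     * walk at this class, so only this class's domain needs the permission.
     *
     * Kept package-private and narrow on purpose: a public method that runs
     * caller-chosen work with these permissions would hand them to any caller.
     */
    static boolean addPrincipal(final Subject subject, final Principal principal) {
        return AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
            public Boolean run() {
                return subject.getPrincipals().add(principal);
            }
        });
    }

    public static void main(String[] args) {
        Subject subject = new Subject();
        // Constructed sample principal name, not a value from the report.
        boolean added = addPrincipal(subject, new NamedPrincipal("constructed-user"));
        System.out.println("added=" + added + " principals=" + subject.getPrincipals());
    }
}
```

Without a security manager installed, the call behaves like a plain method call, which is why the missing wrapper only shows up once the container enables one.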