| Title | jspwiki fails with security manager in container |
| Date | 24-Jan-2007 23:56:47 EET |
| Version | 2.4.87 |
| Submitter | 82.136.101.83 |
| Bug criticality | BadBug |
| Browser version | firefox 1..07 |
| Bug status | ClosedBug |
| PageProvider used | RCSFileProvider |
| Servlet Container | tomcat 5.5.20 |
| Operating System | Fedora Core 5, 2.6.18-1.2239.fc5 |
| URL | http://localhost/mini/Wiki.jsp?page=Main |
| Java version | Jdk 1.6.0 |
I have turned on the security manager in tomcat. Beyond the grants in the jspwiki.policy, I had to add:
grant signedBy "jspwiki" {
permission java.util.PropertyPermission "user.dir", "read,write";
permission java.util.PropertyPermission "java.io.tmpdir", "read,write";
};
Now, I get a page from tomcat with an exception dump (I'll try to attach). It seems that com.ecyrd.jspwiki.WikiSession.invalidate(WikiSession.java:551) adds to the JAAS subjects principal. I added
permission javax.security.auth.AuthPermission "modifyPrincipals";
but to no avail. My knowledge with Java access control is sorely lacking, but I guess that calls to AccessController.doPriviledged are missing.
JSPWiki doesn't run with a Java security manager just yet. We haven't fully enumerated all of the Java permissions JSPWiki needs. Stay tuned, but in the meantime you will need to run JSPWiki without a security manager.
--Andrew Jaquith, 29-Jan-2007
Assuming fixed since we now use a local security policy .
Add new attachment
Only authorized users are allowed to upload new attachments.
List of attachments
JSPWiki
- Features
- Download
- Documentation
- Templates
- Plugins
- Provider
- Filters
- Support
- FAQ
- Irc Channel
- Mailing List
- Weblog
- Applications
- Getting Involved
- JSPWIKI Testers
Development
Internet Search