|Title|jspwiki fails with security manager in container
|Date|24-Jan-2007 23:56:47 EET
|[Bug criticality]|BadBug
|Browser version|firefox 1..07
|[Bug status]|ClosedBug
|[PageProvider] used|RCSFileProvider
|Servlet Container|tomcat 5.5.20
|Operating System|Fedora Core 5, 2.6.18-1.2239.fc5
|Java version|Jdk 1.6.0

I have turned on the security manager in tomcat.  Beyond the grants in the jspwiki.policy, I had to add:

grant signedBy "jspwiki" {
    permission java.util.PropertyPermission       "user.dir", "read,write";
    permission java.util.PropertyPermission       "java.io.tmpdir", "read,write";
};

Now, I get a page from tomcat with an exception dump (I'll try to attach).
It seems that com.ecyrd.jspwiki.WikiSession.invalidate(WikiSession.java:551) adds to the JAAS subject's principals.  I added

permission javax.security.auth.AuthPermission "modifyPrincipals";

but to no avail. My knowledge of Java access control is sorely lacking, but I guess that calls to AccessController.doPrivileged are missing.


JSPWiki doesn't run with a Java security manager just yet. We haven't fully enumerated all of the Java permissions JSPWiki needs. Stay tuned, but in the meantime you will need to run JSPWiki without a security manager.

--Andrew Jaquith, 29-Jan-2007

Assuming fixed since we now use a local security policy.
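
The report turns on two mechanics: a `signedBy` grant applies only to classes that carry that signer, and a permission check walks every protection domain on the call stack unless `AccessController.doPrivileged` cuts it short. The diagnostic below is an added example, not code from JSPWiki or from the posts above, that reports both for the three permissions named in the report. It assumes a JVM that still supports the security manager (as the JDK 1.6 in this report does) and that the probe's own code source is granted `RuntimePermission "getProtectionDomain"`; the class name `PolicyProbe` is hypothetical.

```java
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;
import javax.security.auth.AuthPermission;

// Hypothetical diagnostic class; call it from code running inside the webapp.
public class PolicyProbe {
    // The three permissions named in the report.
    static final Permission[] WANTED = {
        new PropertyPermission("user.dir", "read,write"),
        new PropertyPermission("java.io.tmpdir", "read,write"),
        new AuthPermission("modifyPrincipals"),
    };

    /** What the active policy grants to the code source that c was loaded from. */
    public static String describe(Class<?> c) {
        ProtectionDomain pd = c.getProtectionDomain();
        CodeSource cs = pd.getCodeSource();
        StringBuilder out = new StringBuilder(c.getName()).append(" from ")
            .append(cs == null ? "<no code source>" : String.valueOf(cs.getLocation()));
        // A 'signedBy' grant only matches classes that actually carry signers.
        out.append(c.getSigners() == null ? " (unsigned)\n" : " (signed)\n");
        for (Permission p : WANTED) {
            out.append(pd.implies(p) ? "  granted " : "  MISSING ").append(p).append('\n');
        }
        return out.toString();
    }

    /** Checks p against every domain on the call stack, then with the stack cut at this class. */
    public static String stackVsPrivileged(final Permission p) {
        String full = check(p);
        String cut = AccessController.doPrivileged(new PrivilegedAction<String>() {
            public String run() { return check(p); }
        });
        return p.getName() + ": full stack " + full + ", inside doPrivileged " + cut;
    }

    private static String check(Permission p) {
        try {
            AccessController.checkPermission(p);
            return "ok";
        } catch (AccessControlException e) {
            return "denied";
        }
    }
}
```

A result of "denied" for the full stack and "ok" inside `doPrivileged` means the probe's own domain holds the permission while a caller further up the stack does not.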