|Title|jspwiki fails with security manager in container
|Date|24-Jan-2007 23:56:47 EET
|Version|2.4.87
|Submitter|82.136.101.83
|[Bug criticality]|BadBug
|Browser version|firefox 1..07
|[Bug status]|ClosedBug
|[PageProvider] used|RCSFileProvider
|Servlet Container|tomcat 5.5.20
|Operating System|Fedora Core 5, 2.6.18-1.2239.fc5
|URL|http://localhost/mini/Wiki.jsp?page=Main
|Java version|Jdk 1.6.0

I have turned on the security manager in tomcat.  Beyond the grants in the jspwiki.policy, I had to add:

{{{
grant signedBy "jspwiki" {
    permission java.util.PropertyPermission       "user.dir", "read,write";
    permission java.util.PropertyPermission       "java.io.tmpdir", "read,write";
};
}}}

Now, I get a page from tomcat with an exception dump (I'll try to attach).
It seems that com.ecyrd.jspwiki.WikiSession.invalidate(WikiSession.java:551) adds to the JAAS subject's principal.  I added

{{{
permission javax.security.auth.AuthPermission "modifyPrincipals";
}}}

but to no avail. My knowledge of Java access control is sorely lacking, but I guess that calls to AccessController.doPrivileged are missing.



----

JSPWiki doesn't run with a Java security manager just yet. We haven't fully enumerated all of the Java permissions JSPWiki needs. Stay tuned, but in the meantime you will need to run JSPWiki without a security manager.

--Andrew Jaquith, 29-Jan-2007

----
Assuming fixed since we now use a local security policy.