spring / log4j security permission

N

none

Hi, i'm trying to solve a security permission issue when running a
spring application in tomcat (v5.5.4) with the security manager turned
on. I'm not sure if the root cause is log4j or spring, and i'm also
confused why either would need such a permission.
Any ideas/help would be great.

I can solve the issue by with an addition to the policy as below for all
files in my web context as its needed for .jars and .jsp files:

permission java.lang.RuntimePermission "defineClassInPackage.java.lang";

Below is part of my security log.

Thanks,

Tim

access: access allowed (java.io.FilePermission
/usr/local/jakarta-tomcat-5.5.4/common/classes/org/apache/log4j/LayoutBeanInfo.class
read)
access: access allowed (java.io.FilePermission
/usr/local/jakarta-tomcat-5.5.4/server/classes/org/apache/log4j/LayoutBeanInfo.class
read)
access: access denied (java.lang.RuntimePermission
defineClassInPackage.java.lang)
java.lang.Exception: Stack trace
at java.lang.Thread.dumpStack(Thread.java:1206)
at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:313)
at
java.security.AccessController.checkPermission(AccessController.java:546)
at
java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at
java.lang.SecurityManager.checkPackageDefinition(SecurityManager.java:1580)
at
org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:834)
at
org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1299)
at
org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1181)
at java.beans.Introspector.instantiate(Introspector.java:1460)
at
java.beans.Introspector.findExplicitBeanInfo(Introspector.java:410)
at java.beans.Introspector.<init>(Introspector.java:359)
at java.beans.Introspector.getBeanInfo(Introspector.java:159)
at java.beans.Introspector.getBeanInfo(Introspector.java:220)
at java.beans.Introspector.<init>(Introspector.java:368)
at java.beans.Introspector.getBeanInfo(Introspector.java:159)
at java.beans.Introspector.getBeanInfo(Introspector.java:220)
at java.beans.Introspector.<init>(Introspector.java:368)
at java.beans.Introspector.getBeanInfo(Introspector.java:159)
at
org.apache.log4j.config.PropertySetter.introspect(PropertySetter.java:66)
at
org.apache.log4j.config.PropertySetter.getPropertyDescriptor(PropertySetter.java:234)
at
org.apache.log4j.config.PropertySetter.setProperty(PropertySetter.java:146)
at
org.apache.log4j.config.PropertySetter.setProperties(PropertySetter.java:120)
at
org.apache.log4j.config.PropertySetter.setProperties(PropertySetter.java:87)
at
org.apache.log4j.PropertyConfigurator.parseAppender(PropertyConfigurator.java:640)
at
org.apache.log4j.PropertyConfigurator.parseCategory(PropertyConfigurator.java:603)
at
org.apache.log4j.PropertyConfigurator.configureRootCategory(PropertyConfigurator.java:500)
at
org.apache.log4j.PropertyConfigurator.doConfigure(PropertyConfigurator.java:406)
at
org.apache.log4j.PropertyConfigurator.doConfigure(PropertyConfigurator.java:307)
at
org.apache.log4j.PropertyWatchdog.doOnChange(PropertyConfigurator.java:673)
at
org.apache.log4j.helpers.FileWatchdog.checkAndConfigure(FileWatchdog.java:80)
at
org.apache.log4j.helpers.FileWatchdog.<init>(FileWatchdog.java:49)
at
org.apache.log4j.PropertyWatchdog.<init>(PropertyConfigurator.java:665)
at
org.apache.log4j.PropertyConfigurator.configureAndWatch(PropertyConfigurator.java:373)
at
org.springframework.util.Log4jConfigurer.initLogging(Log4jConfigurer.java:64)
at
org.springframework.web.util.Log4jWebConfigurer.initLogging(Log4jWebConfigurer.java:97)
at
org.springframework.web.util.Log4jConfigListener.contextInitialized(Log4jConfigListener.java:44)
at
org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3631)
at
org.apache.catalina.core.StandardContext.start(StandardContext.java:4065)
at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:755)
at
org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:121)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)
at java.security.AccessController.doPrivileged(Native Method)
at
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:737)
at
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:525)
at
org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:590)
at
org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:535)
at
org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:470)
at
org.apache.catalina.startup.HostConfig.start(HostConfig.java:1079)
at
org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:310)
at
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
at
org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1011)
at
org.apache.catalina.core.StandardHost.start(StandardHost.java:718)
at
org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1003)
at
org.apache.catalina.core.StandardEngine.start(StandardEngine.java:437)
at
org.apache.catalina.core.StandardService.start(StandardService.java:450)
at
org.apache.catalina.core.StandardServer.start(StandardServer.java:2010)
at org.apache.catalina.startup.Catalina.start(Catalina.java:537)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:589)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:271)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:409)
access: access allowed (java.security.SecurityPermission getPolicy)
access: access allowed (java.io.FilePermission
/home/tim/temp/tempcontext/WEB-INF/lib/spring.jar read)
access: domain that failed ProtectionDomain
(file:/home/tim/temp/tempcontext/WEB-INF/lib/spring.jar <no signer
certificates>)
WebappClassLoader
delegate: false
repositories:
/WEB-INF/classes/
----------> Parent Classloader:
org.apache.catalina.loader.StandardClassLoader@145d068

<no principals>
java.security.Permissions@b8bef7 (
(java.net.SocketPermission localhost:3306 connect,resolve)
(java.net.SocketPermission *:25 connect,resolve)
(java.net.SocketPermission *:80 connect,resolve)
(java.net.SocketPermission localhost:3306 connect,resolve)
 
?

=?ISO-8859-1?Q?Arne_Vajh=F8j?=

none said:
Hi, i'm trying to solve a security permission issue when running a
spring application in tomcat (v5.5.4) with the security manager turned
on. I'm not sure if the root cause is log4j or spring, and i'm also
confused why either would need such a permission.
Any ideas/help would be great.

I can solve the issue by with an addition to the policy as below for all
files in my web context as its needed for .jars and .jsp files:

permission java.lang.RuntimePermission "defineClassInPackage.java.lang";

Below is part of my security log.
Click to expand...

http://java.sun.com/developer/JDCTechTips/2001/tt0130.html

has an explanation of what it means.

Arne
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Problem with Log4J and TomCat 0
Tomcat: Strange error 2
Tomcat - Error loading WebappClassLoader 0
MYFaces in tomcat 5.x 1
Tomcat 5 - Severe error UnsupportedClassVersionError 1
class loading problem 1
Security problem in Tomcat 5.5 0
Error: Jsp Servlet unavailable (Tomcat 4.1.3) 0

Members online

No members online now.
Total: 31 (members: 0, guests: 31)
Robots: 333

Forum statistics

Threads
473,755
Messages
2,569,536
Members
45,007
Latest member
obedient dusk

Latest Threads

Top