Question
For our Kunagi Java web application we have a signed kunagi.jar file which contains our classes together with classes from embedded Tomcat 6. This runs perfectly when calling java -jar kunagi.jar.
But when starting it with Java WebStart, I get an exception while embedded Tomcat is starting:
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.deploy)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:393)
    at java.security.AccessController.checkPermission(AccessController.java:553)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1529)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:291)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:266)
    at net.sourceforge.jnlp.runtime.JNLPClassLoader.loadClass(JNLPClassLoader.java:1018)
    at java.lang.Class.getDeclaredMethods0(Native Method)
    at java.lang.Class.privateGetDeclaredMethods(Class.java:2444)
    at java.lang.Class.getMethod0(Class.java:2687)
    at java.lang.Class.getMethod(Class.java:1620)
    at org.apache.catalina.startup.SetPublicIdRule.begin(WebRuleSet.java:639)
    at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1276)
    ... 33 more
Of course kunagi.jar is signed, otherwise it wouldn't even start. It seems Java WebStart enables Java Security globally, which somehow embedded Tomcat "inherits" and fails to initialize.
Here is the JNLP file:
<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="http://kunagi.org/webstart" href="kunagi.jnlp">
  <information>
    <title>Kunagi</title>
    <vendor>Kunagi Team</vendor>
    <homepage href="http://kunagi.org"/>
    <description>SCRUM Tool</description>
    <description kind="short">SCRUM Tool</description>
    <offline-allowed/>
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <j2se version="1.6+" href="http://java.sun.com/products/autodl/j2se"/>
    <jar href="kunagi.jar" main="true" />
  </resources>
  <application-desc name="Kunagi" main-class="katokorbo.Katokorbo"/>
  <update check="always"/>
</jnlp>
Is there a way to disable security checks for Tomcat inside of Java WebStart? Or how can I configure embedded Tomcat to permit access to org.apache.catalina...?
Answer 1:
@Witek: Tomcat doesn't turn the SecurityManager on: the JVM must be started with a SecurityManager enabled and a policy file in place. Tomcat launches long after the SecurityManager is in place.
Answer 2:
Tomcat implements Security Manager access rules in various places. The associated policy definitions are found in tomcat/conf/catalina.policy.
It is not a bug in Tomcat if a) the Security Manager is turned on, and b) the required policy file is not applied.
Of course Tomcat contains code in various packages, and of course it would be normal for it to use classes from those packages.
UPDATE: I don't have a problem running your JNLP application in my sandbox. Tomcat starts up successfully, with some exceptions that are unrelated to the one you describe. I would try removing any previously downloaded files & try to clear any certs from your cache.
I'd also suggest an upgrade to a recent version of Tomcat 6.0.
Answer 3:
The solution would be to digitally sign the jars that ask for a permission that requires trust. Anything which is unsigned and requires no trust will need to be moved to an extension JNLP.
Answer 4:
Tomcat appears to have used its permissions to modify global state (here the package.access security property). Signed jars may be run in processes shared by untrusted code. You don't really want to mix the two more than necessary. So it doesn't look as if Tomcat, in the form it is being used here, is appropriate for WebStart.
(The Oracle JRE does have a security checking trace feature - -Djava.security.debug=all, IIRC).
Answer 5:
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.deploy)
Whenever you get an AccessControlException, the part in brackets is the permission that you need to grant in your .policy file, or, as you are using JWS, in the deployment descriptor.
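The check behind the exception discussed in Answers 4 and 5, as an added example that is not part of the original thread: it reads the package.access security property, tests whether the package from the stack trace is restricted, and prints the policy line for the permission named in brackets. The class name PackageAccessCheck and its helper methods are hypothetical; it assumes a JRE that still ships SecurityManager.

```java
import java.security.Security;

/** Added diagnostic (hypothetical class): explains accessClassInPackage denials. */
public class PackageAccessCheck {

    /** True if pkg falls under an entry of the package.access security property. */
    static boolean isRestricted(String pkg, String packageAccess) {
        if (packageAccess == null) return false;
        for (String entry : packageAccess.split(",")) {
            String prefix = entry.trim();
            // SecurityManager.checkPackageAccess treats each entry as a package-name prefix.
            if (prefix.length() > 0 && (pkg.startsWith(prefix) || prefix.equals(pkg + "."))) {
                return true;
            }
        }
        return false;
    }

    /** Policy-file line granting the permission named in the exception's brackets. */
    static String policyLine(String pkg) {
        return "permission java.lang.RuntimePermission \"accessClassInPackage." + pkg + "\";";
    }

    public static void main(String[] args) {
        // Default package is the one from the exception on this page; override with args[0].
        String pkg = args.length > 0 ? args[0] : "org.apache.catalina.deploy";
        String restricted = Security.getProperty("package.access");
        System.out.println("package.access = " + restricted);
        System.out.println(pkg + " restricted: " + isRestricted(pkg, restricted));

        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            System.out.println("No SecurityManager installed: package access is not checked.");
            return;
        }
        try {
            // The same call that appears in the stack trace above.
            sm.checkPackageAccess(pkg);
            System.out.println("Calling code may load classes from " + pkg);
        } catch (SecurityException e) {
            System.out.println("Denied: " + e.getMessage());
            System.out.println("Policy entry needed: " + policyLine(pkg));
        }
    }
}
```

Run it once at the start of main() and once after embedded Tomcat has initialized to see whether package.access changed in between.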
Answer 6:
To be fair, this seems like a bug in Tomcat, and you should probably report it. It shouldn't be trying to fetch the methods of a class in another package, since that will always fail under a security manager.
Until such time as the bug can be fixed, however, can't you avoid having the "WebRuleSet" thingie called? I don't know what it actually is, but it seems like something that would be called because of your Tomcat configuration. Is it not something that you can remove from the config?
Answer 7:
You can edit your policy file. For example, if you have a security issue when you deploy the admin war, you will have to edit catalina.policy, located in the Tomcat conf directory, to have an entry like the one below to solve this issue.
grant codeBase "file:${catalina.base}/webapps/admin/-" {
    permission java.security.AllPermission;
};
Answer 8:
I have solved my problem as follows:
Disable security manager after WebStart started my application. First line in my main() method:
System.setSecurityManager(null);
Tell Tomcat to use the default class loader:
context.setLoader(new WebappLoader(getClass().getClassLoader()));
Now Tomcat runs within WebStart :-D
Source: https://stackoverflow.com/questions/9831063/accesscontrolexception-when-starting-embedded-tomcat-from-java-webstart