Bug#697888: catalina.policy is enforced *after* symlink traversal
Sergio Gelato
Sergio.Gelato at astro.su.se
Thu Jan 10 22:10:14 UTC 2013
Package: tomcat6-user
Version: 6.0.35-1+squeeze2

(This may affect the tomcat7 packages as well.)

While testing tomcat6 with a security manager I found that the default
catalina.policy in /usr/share/tomcat6/skel/conf/ resulted in an access
control failure trying to read the property
org.apache.tomcat.util.http.FastHttpDateFormat.CACHE_SIZE

Very similar symptoms have been reported on the tomcat-user mailing list; see
http://tomcat.10.n6.nabble.com/Server-starts-but-fails-to-get-any-reqs-td3697010.html

Upon investigation I discovered that my problem had to do with
/usr/share/tomcat6/lib/tomcat-coyote.jar being a symbolic
link into another directory (/usr/share/java) that is not
granted any special permissions by the default catalina.policy.
Adding

    grant codeBase "file:/usr/share/java/tomcat-coyote-6.0.35.jar" {
        permission java.security.AllPermission;
    };

was enough to get over this particular hurdle (and on to the next symlinked
jar that triggers an AccessControlException).
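
The mismatch described in the report can be audited before starting Tomcat under a security manager. The following is an added example, not part of the original report or of the Debian or Tomcat packages: it resolves every jar in a lib directory and lists those whose real path no `grant codeBase` entry covers, assuming the JVM compares the symlink-resolved path as the report describes. The sample policy, the directory tree and all function names are constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed sample policy: one recursive grant on Tomcat's lib directory.
SAMPLE_POLICY = '''
grant codeBase "file:${catalina.home}/lib/-" {
    permission java.security.AllPermission;
};
'''

def granted_codebases(policy_text, props):
    """Return file: codeBase patterns from policy text, expanding ${name}."""
    expand = lambda m: props.get(m.group(1), m.group(0))
    return [re.sub(r"\$\{([^}]+)\}", expand, raw)
            for raw in re.findall(r'grant\s+codeBase\s+"file:([^"]+)"', policy_text)]

def covers(pattern, path):
    """Policy codeBase matching: 'dir/-' recursive, 'dir/*' one level, else exact."""
    if pattern.endswith("/-"):
        return path.startswith(pattern[:-1])
    if pattern.endswith("/*"):
        return os.path.dirname(path) + "/" == pattern[:-1]
    return path == pattern

def uncovered_jars(lib_dir, patterns):
    """List (link name, real path) for jars whose resolved path no pattern covers."""
    found = []
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        real = os.path.realpath(jar)
        if not any(covers(p, real) for p in patterns):
            found.append((jar.name, real))
    return found

def demo():
    """Build a constructed tree: lib/ holds one real jar and one symlinked jar."""
    root = os.path.realpath(tempfile.mkdtemp())
    home, shared = Path(root, "tomcat6"), Path(root, "java")
    (home / "lib").mkdir(parents=True)
    shared.mkdir()
    (home / "lib" / "local.jar").touch()
    (shared / "tomcat-coyote-6.0.35.jar").touch()
    os.symlink(shared / "tomcat-coyote-6.0.35.jar", home / "lib" / "tomcat-coyote.jar")
    patterns = granted_codebases(SAMPLE_POLICY, {"catalina.home": str(home)})
    return uncovered_jars(home / "lib", patterns)

if __name__ == "__main__":
    for name, real in demo():
        print(f'{name}: resolved path "file:{real}" is not covered by any grant')
```

Each reported path is one that the policy would have to name explicitly, or that the packaging would have to stop symlinking, for the lib-directory grant to apply as intended.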