Bug#697888: catalina.policy is enforced *after* symlink traversal

Sergio Gelato Sergio.Gelato at astro.su.se
Thu Jan 10 22:10:14 UTC 2013


Package: tomcat6-user
Version: 6.0.35-1+squeeze2

(This may affect the tomcat7 packages as well.)

While testing tomcat6 with a security manager I found that the default
catalina.policy in /usr/share/tomcat6/skel/conf/ resulted in an access
control failure trying to read the property
org.apache.tomcat.util.http.FastHttpDateFormat.CACHE_SIZE

Very similar symptoms have been reported on the tomcat-user mailing list; see
http://tomcat.10.n6.nabble.com/Server-starts-but-fails-to-get-any-reqs-td3697010.html

Upon investigation I discovered that my problem had to do with 
/usr/share/tomcat6/lib/tomcat-coyote.jar being a symbolic
link into another directory (/usr/share/java) that is not
granted any special permissions by the default catalina.policy.
Adding 
	grant codeBase "file:/usr/share/java/tomcat-coyote-6.0.35.jar" {
		permission java.security.AllPermission;
	};
was enough to get over this particular hurdle (and on to the next symlinked
jar that triggers an AccessControlException).
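
An added example, not part of the original report or of the tomcat6 package: a Python audit that resolves each jar symlink in a Tomcat lib directory and lists the jars whose resolved path no codeBase grant in the policy covers, which is the condition the report describes. The directory layout in demo() is constructed, and grant paths are compared as written (an assumption; only file: codeBase entries are handled).

```python
import os, re, tempfile

def load_codebases(policy_text, props):
    """Extract file: codeBase paths from policy text, expanding ${prop} references."""
    paths = re.findall(r'codeBase\s+"file:([^"]+)"', policy_text)
    expand = lambda m: props.get(m.group(1), m.group(0))
    return [re.sub(r'\$\{([^}]+)\}', expand, p) for p in paths]

def covered(path, codebase):
    """codeBase matching: trailing '/-' is recursive, '/*' is one directory, else exact."""
    if codebase.endswith('/-'):
        return path.startswith(codebase[:-1])
    if codebase.endswith('/*'):
        return os.path.dirname(path) + '/' == codebase[:-1]
    return path == codebase

def uncovered_jars(lib_dir, codebases):
    """Return (link, resolved) for each jar whose resolved path matches no codeBase."""
    missing = []
    for name in sorted(os.listdir(lib_dir)):
        link = os.path.join(lib_dir, name)
        real = os.path.realpath(link)  # follow symlinks, as in the behaviour reported
        if name.endswith('.jar') and not any(covered(real, cb) for cb in codebases):
            missing.append((link, real))
    return missing

def demo():
    """Constructed layout mirroring the report: a lib/ jar symlinked into a java/ directory."""
    root = os.path.realpath(tempfile.mkdtemp())
    home, java = os.path.join(root, 'tomcat6'), os.path.join(root, 'java')
    os.makedirs(os.path.join(home, 'lib')); os.makedirs(java)
    target = os.path.join(java, 'tomcat-coyote-6.0.35.jar')
    for f in (target, os.path.join(home, 'lib', 'catalina.jar')):
        open(f, 'w').close()
    os.symlink(target, os.path.join(home, 'lib', 'tomcat-coyote.jar'))
    policy = 'grant codeBase "file:${catalina.home}/lib/-" {\n permission java.security.AllPermission;\n};\n'
    props = {'catalina.home': home}
    before = uncovered_jars(os.path.join(home, 'lib'), load_codebases(policy, props))
    # Append a grant for the resolved target, in the same form as the one in the report.
    policy += 'grant codeBase "file:%s" {\n permission java.security.AllPermission;\n};\n' % target
    after = uncovered_jars(os.path.join(home, 'lib'), load_codebases(policy, props))
    return before, after

if __name__ == '__main__':
    before, after = demo()
    for link, real in before:
        print('not covered: %s -> %s' % (link, real))
    print('uncovered after adding the grant: %d' % len(after))
```

On a real installation, pass the contents of catalina.policy and the actual catalina.home value to load_codebases() and point uncovered_jars() at the lib directory.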


