Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > linux.debian.maint.java > #12493

tomcat9 access denied /var/lib/tomcat9/conf/web.xml

From Alban Espié-Guillon <alban.espie-guillon@ow2.org>
Newsgroups linux.debian.maint.java
Subject tomcat9 access denied /var/lib/tomcat9/conf/web.xml
Date 2022-12-22 11:40 +0100
Message-ID <FFr9v-cnRl-3@gated-at.bofh.it> (permalink)
Organization linux.* mail to news gateway

Show all headers | View raw

[Multipart message — attachments visible in raw view] - view raw

Hello,

I'm very new to tomcat, forgive me if I did not found my answer 
elsewhere, i'm currently out of of ideas.

I'm trying to setup a standalone tomcat9 (9.0.31-1~deb10u7) on Debian 
11, with security manager enabled.

I'm seeing in catalina logs the following stacktrace (full stacktrace 
provided in attachment):

37 21-Dec-2022 16:12:04.587 SEVERE [main] 
org.apache.tomcat.util.descriptor.web.WebXmlParser.parseWebXml Parse 
error in application web.xml file at [file:/var/lib/tomcat9/conf/web.xml]
38     java.security.AccessControlException: access denied 
("java.lang.RuntimePermission" 
"accessClassInPackage.org.apache.tomcat.util.buf")

Disabling the security manager makes it disappear, but I don't 
understand why tomcat has an issue reading 
/var/lib/tomcat9/conf/web.xml, which is a simlink to 
/etc/tomcat9/web.xml, and I did not edit the file as you see:

# ll /etc/tomcat9/web.xml
-rw-r----- 1 root tomcat 169K Feb  5  2020 /etc/tomcat9/web.xml

I tried to add the following policy in case of it could help:

grant codeBase "file:/var/lib/tomcat9/conf/web.xml" {
         permission java.security.AllPermission;
};

But the error was still logged.

I tried to report the issue to users@tomcat.apache.org and I got the 
following answser:

 >The security manager is deprecated in newer versions of Java. If you 
are new to Tomcat, whatever problem using the security manager is 
intended to solve, I'd strongly encourage you to find an alternative 
solution.

 >The codebase refers to the JAR trying to read the file, not the file 
the JAR is trying to read.

 >I suspect the Debian distribution hasn't updated the catalina.policy 
file to take account of the way Debian redistributes the Tomcat files 
around the file system. If you really do want to use the security 
manager, you'll need to take that up with the Debian folks.

 >Mark

-- 
Alban Espié-Guillon
OW2 System Administrator

Back to linux.debian.maint.java | Previous | NextNext in thread | Find similar

Thread

tomcat9 access denied /var/lib/tomcat9/conf/web.xml Alban Espié-Guillon <alban.espie-guillon@ow2.org> - 2022-12-22 11:40 +0100
  Re: tomcat9 access denied /var/lib/tomcat9/conf/web.xml Emmanuel Bourg <ebourg@apache.org> - 2022-12-27 22:30 +0100
    Re: tomcat9 access denied /var/lib/tomcat9/conf/web.xml alban.espie-guillon@ow2.org - 2022-12-29 12:00 +0100

csiph-web