From: alban.espie-guillon@ow2.org
Newsgroups: linux.debian.maint.java
Subject: Re: tomcat9 access denied /var/lib/tomcat9/conf/web.xml
Date: Thu, 29 Dec 2022 12:00:01 +0100
X-Original-To: Emmanuel Bourg, debian-java@lists.debian.org
X-Original-Date: Thu, 29 Dec 2022 11:37:34 +0100
List-Archive: https://lists.debian.org/msgid-search/8aba31de-d9de-9d3a-32bf-e68d8ed4109a@ow2.org

Hi Emmanuel,

I added the rule and restarted tomcat but the error remains.

Regards,

On 12/27/22 10:21 PM, Emmanuel Bourg wrote:
> Hi Alban,
>
> Did you try this rule:
>
> grant codeBase "file:/etc/tomcat9/-" {
>   permission java.security.AllPermission;
> };
>
> Emmanuel Bourg
>
>
> On 22/12/2022 at 11:05, Alban Espié-Guillon wrote:
> > Hello,
> >
> > I'm very new to tomcat, forgive me if I did not find my answer
> > elsewhere, I'm currently out of ideas.
> >
> > I'm trying to setup a standalone tomcat9 (9.0.31-1~deb10u7) on Debian
> > 11, with security manager enabled.
> >
> > I'm seeing in catalina logs the following stacktrace (full stacktrace
> > provided in attachment):
> >
> > 37 21-Dec-2022 16:12:04.587 SEVERE [main]
> > org.apache.tomcat.util.descriptor.web.WebXmlParser.parseWebXml Parse
> > error in application web.xml file at [file:/var/lib/tomcat9/conf/web.xml]
> > 38     java.security.AccessControlException: access denied
> > ("java.lang.RuntimePermission"
> > "accessClassInPackage.org.apache.tomcat.util.buf")
> >
> > Disabling the security manager makes it disappear, but I don't
> > understand why tomcat has an issue reading
> > /var/lib/tomcat9/conf/web.xml, which is a symlink to
> > /etc/tomcat9/web.xml, and I did not edit the file as you see:
> >
> > # ll /etc/tomcat9/web.xml
> > -rw-r----- 1 root tomcat 169K Feb  5  2020 /etc/tomcat9/web.xml
> >
> > I tried to add the following policy in case it could help:
> >
> > grant codeBase "file:/var/lib/tomcat9/conf/web.xml" {
> >          permission java.security.AllPermission;
> > };
> >
> > But the error was still logged.
> >
> > I tried to report the issue to users@tomcat.apache.org and I got the
> > following answer:
> >
> > > The security manager is deprecated in newer versions of Java. If you
> > > are new to Tomcat, whatever problem using the security manager is
> > > intended to solve, I'd strongly encourage you to find an alternative
> > > solution.
> > >
> > > The codebase refers to the JAR trying to read the file, not the file
> > > the JAR is trying to read.
> > >
> > > I suspect the Debian distribution hasn't updated the catalina.policy
> > > file to take account of the way Debian redistributes the Tomcat files
> > > around the file system. If you really do want to use the security
> > > manager, you'll need to take that up with the Debian folks.
> > >
> > > Mark
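
An added example, not part of the thread and not code from Tomcat or Debian: a small Python helper that turns the `access denied (...)` entries of a catalina log into a draft grant listing only the denied permissions, instead of `AllPermission`. Following Mark's point in the quoted reply, the codeBase is left as a placeholder for the location of the code making the call; the sample log, `PLACEHOLDER_CODEBASE` and the function names are constructed for illustration.

```python
import re

# Matches the message of a java.security.AccessControlException as logged:
#   access denied ("<permission class>" "<target>" ["<actions>"])
DENIAL = re.compile(
    r'access denied \(\s*"(?P<cls>[\w.$]+)"\s+"(?P<target>[^"]*)"'
    r'(?:\s+"(?P<actions>[^"]*)")?\s*\)'
)

def extract_denials(log_text):
    """Return unique (class, target, actions) tuples in first-seen order."""
    # Mail clients and log viewers wrap long lines; collapse whitespace first
    # so a denial split across lines (as in the post) still matches.
    flat = re.sub(r"\s+", " ", log_text)
    seen = {}
    for m in DENIAL.finditer(flat):
        seen[(m["cls"], m["target"], m["actions"])] = None
    return list(seen)

def render_grant(code_base, denials):
    """Render one grant block; code_base is where the *calling code* lives."""
    lines = ['grant codeBase "%s" {' % code_base]
    for cls, target, actions in denials:
        if cls == "java.security.AllPermission":
            continue  # keep the draft narrow: skip blanket grants
        entry = '    permission %s "%s"' % (cls, target)
        if actions:
            entry += ', "%s"' % actions
        lines.append(entry + ";")
    lines.append("};")
    return "\n".join(lines)

# Constructed sample: the denial quoted in the post (line-wrapped), plus a
# made-up FilePermission denial and a duplicate to show actions and dedup.
SAMPLE_LOG = """\
SEVERE [main] Parse error in application web.xml file
    java.security.AccessControlException: access denied
("java.lang.RuntimePermission"
"accessClassInPackage.org.apache.tomcat.util.buf")
java.security.AccessControlException: access denied ("java.io.FilePermission" "/example/app.properties" "read")
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.tomcat.util.buf")
"""

# Placeholder (assumption): replace with the JAR/class location that failed the check.
PLACEHOLDER_CODEBASE = "file:/PATH/TO/CALLING/CODE/-"

if __name__ == "__main__":
    print(render_grant(PLACEHOLDER_CODEBASE, extract_denials(SAMPLE_LOG)))
```

Each generated line records what was requested, not what should be granted, so review the draft before it goes into a policy file.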