Path: csiph.com!aioe.org!bofh.it!news.nic.it!robomod From: Emmanuel Bourg Newsgroups: linux.debian.maint.java Subject: Re: tomcat9 access denied /var/lib/tomcat9/conf/web.xml Date: Tue, 27 Dec 2022 22:30:01 +0100 Message-ID: References: X-Original-To: =?UTF-8?Q?Alban_Espi=c3=a9-Guillon?= , debian-java@lists.debian.org X-Mailbox-Line: From debian-java-request@lists.debian.org Tue Dec 27 21:21:34 2022 Old-Return-Path: X-Amavis-Spam-Status: No, score=-11.649 tagged_above=-10000 required=5.3 tests=[BAYES_00=-2, BODY_8BITS=1.5, LDO_WHITELIST=-5, NICE_REPLY_A=-1.148, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001] autolearn=ham autolearn_force=no X-Policyd-Weight: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 CL_IP_EQ_HELO_IP=-2 (check from: .apache. - helo: .mxout1-ec2-va.apache. - helo-domain: .apache.) FROM/MX_MATCHES_HELO(DOMAIN)=-2; rate: -5.5 Authentication-Results: apache.org; auth=none MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.6.0 Content-Language: fr, en-US Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Mailing-List: archive/latest/23138 List-ID: List-URL: List-Archive: https://lists.debian.org/msgid-search/b89c4b03-299e-4ac0-5ed1-3d7eec2699f4@apache.org Approved: robomod@news.nic.it Lines: 64 Organization: linux.* mail to news gateway Sender: robomod@news.nic.it X-Original-Date: Tue, 27 Dec 2022 22:21:07 +0100 X-Original-Message-ID: X-Original-References: Xref: csiph.com linux.debian.maint.java:12495 Hi Alban, Did you try this rule: grant codeBase "file:/etc/tomcat9/-" { permission java.security.AllPermission; }; Emmanuel Bourg Le 22/12/2022 à 11:05, Alban Espié-Guillon a écrit : > Hello, > > I'm very new to tomcat, forgive me if I did not found my answer > elsewhere, i'm currently out of of ideas. > > I'm trying to setup a standalone tomcat9 (9.0.31-1~deb10u7) on Debian > 11, with security manager enabled. > > I'm seeing in catalina logs the following stacktrace (full stacktrace > provided in attachment): > > 37 21-Dec-2022 16:12:04.587 SEVERE [main] > org.apache.tomcat.util.descriptor.web.WebXmlParser.parseWebXml Parse > error in application web.xml file at [file:/var/lib/tomcat9/conf/web.xml] > 38     java.security.AccessControlException: access denied > ("java.lang.RuntimePermission" > "accessClassInPackage.org.apache.tomcat.util.buf") > > Disabling the security manager makes it disappear, but I don't > understand why tomcat has an issue reading > /var/lib/tomcat9/conf/web.xml, which is a simlink to > /etc/tomcat9/web.xml, and I did not edit the file as you see: > > # ll /etc/tomcat9/web.xml > -rw-r----- 1 root tomcat 169K Feb  5  2020 /etc/tomcat9/web.xml > > I tried to add the following policy in case of it could help: > > grant codeBase "file:/var/lib/tomcat9/conf/web.xml" { >         permission java.security.AllPermission; > }; > > But the error was still logged. > > I tried to report the issue to users@tomcat.apache.org and I got the > following answser: > > >The security manager is deprecated in newer versions of Java. If you > are new to Tomcat, whatever problem using the security manager is > intended to solve, I'd strongly encourage you to find an alternative > solution. > > >The codebase refers to the JAR trying to read the file, not the file > the JAR is trying to read. > > >I suspect the Debian distribution hasn't updated the catalina.policy > file to take account of the way Debian redistributes the Tomcat files > around the file system. If you really do want to use the security > manager, you'll need to take that up with the Debian folks. > > >Mark >