Hi Alban,
Did you try this rule:
grant codeBase "file:/etc/tomcat9/-" {
permission java.security.AllPermission;
};
Emmanuel Bourg
Le 22/12/2022 à 11:05, Alban Espié-Guillon a écrit :
> Hello,
>
> I'm very new to tomcat, forgive me if I did not found my answer
> elsewhere, i'm currently out of of ideas.
>
> I'm trying to setup a standalone tomcat9 (9.0.31-1~deb10u7) on Debian
> 11, with security manager enabled.
>
> I'm seeing in catalina logs the following stacktrace (full stacktrace
> provided in attachment):
>
> 37 21-Dec-2022 16:12:04.587 SEVERE [main]
> org.apache.tomcat.util.descriptor.web.WebXmlParser.parseWebXml Parse
> error in application web.xml file at [file:/var/lib/tomcat9/conf/web.xml]
> 38 java.security.AccessControlException: access denied
> ("java.lang.RuntimePermission"
> "accessClassInPackage.org.apache.tomcat.util.buf")
>
> Disabling the security manager makes it disappear, but I don't
> understand why tomcat has an issue reading
> /var/lib/tomcat9/conf/web.xml, which is a simlink to
> /etc/tomcat9/web.xml, and I did not edit the file as you see:
>
> # ll /etc/tomcat9/web.xml
> -rw-r----- 1 root tomcat 169K Feb 5 2020 /etc/tomcat9/web.xml
>
> I tried to add the following policy in case of it could help:
>
> grant codeBase "file:/var/lib/tomcat9/conf/web.xml" {
> permission java.security.AllPermission;
> };
>
> But the error was still logged.
>
> I tried to report the issue to users@tomcat.apache.org and I got the
> following answser:
>
> >The security manager is deprecated in newer versions of Java. If you
> are new to Tomcat, whatever problem using the security manager is
> intended to solve, I'd strongly encourage you to find an alternative
> solution.
>
> >The codebase refers to the JAR trying to read the file, not the file
> the JAR is trying to read.
>
> >I suspect the Debian distribution hasn't updated the catalina.policy
> file to take account of the way Debian redistributes the Tomcat files
> around the file system. If you really do want to use the security
> manager, you'll need to take that up with the Debian folks.
>
> >Mark
>