Re: tomcat9 access denied /var/lib/tomcat9/conf/web.xml

To: Emmanuel Bourg <ebourg@apache.org>, debian-java@lists.debian.org
Subject: Re: tomcat9 access denied /var/lib/tomcat9/conf/web.xml
From: alban.espie-guillon@ow2.org
Date: Thu, 29 Dec 2022 11:37:34 +0100
Message-id: <[🔎] 8aba31de-d9de-9d3a-32bf-e68d8ed4109a@ow2.org>
In-reply-to: <[🔎] b89c4b03-299e-4ac0-5ed1-3d7eec2699f4@apache.org>
References: <[🔎] f66ceb71-ab42-cc98-673b-16b69759a638@ow2.org> <[🔎] b89c4b03-299e-4ac0-5ed1-3d7eec2699f4@apache.org>

Hi Emmanuel,

I added the rule and restarted tomcat but the error remains.

Regards,


On 12/27/22 10:21 PM, Emmanuel Bourg <ebourg@apache.org> wrote:

Hi Alban,

Did you try this rule:

grant codeBase "file:/etc/tomcat9/-" {
   permission java.security.AllPermission;
};

Emmanuel Bourg


Le 22/12/2022 à 11:05, Alban Espié-Guillon a écrit :
> Hello,
>
> I'm very new to tomcat, forgive me if I did not found my answer> elsewhere, i'm currently out of of ideas.
>
> I'm trying to setup a standalone tomcat9 (9.0.31-1~deb10u7) on Debian> 11, with security manager enabled.
>
> I'm seeing in catalina logs the following stacktrace (full stacktrace> provided in attachment):
>
> 37 21-Dec-2022 16:12:04.587 SEVERE [main]> org.apache.tomcat.util.descriptor.web.WebXmlParser.parseWebXml Parse> error in application web.xml file at [file:/var/lib/tomcat9/conf/web.xml]> 38 java.security.AccessControlException: access denied> ("java.lang.RuntimePermission"> "accessClassInPackage.org.apache.tomcat.util.buf")
>
> Disabling the security manager makes it disappear, but I don't> understand why tomcat has an issue reading> /var/lib/tomcat9/conf/web.xml, which is a simlink to> /etc/tomcat9/web.xml, and I did not edit the file as you see:
>
> # ll /etc/tomcat9/web.xml
> -rw-r----- 1 root tomcat 169K Feb  5  2020 /etc/tomcat9/web.xml
>
> I tried to add the following policy in case of it could help:
>
> grant codeBase "file:/var/lib/tomcat9/conf/web.xml" {
>          permission java.security.AllPermission;
> };
>
> But the error was still logged.
>
> I tried to report the issue to users@tomcat.apache.org and I got the> following answser:
>
> >The security manager is deprecated in newer versions of Java. If you> are new to Tomcat, whatever problem using the security manager is> intended to solve, I'd strongly encourage you to find an alternative> solution.
>
> >The codebase refers to the JAR trying to read the file, not the file> the JAR is trying to read.
>
> >I suspect the Debian distribution hasn't updated the catalina.policy> file to take account of the way Debian redistributes the Tomcat files> around the file system. If you really do want to use the security> manager, you'll need to take that up with the Debian folks.
>
>  >Mark
>

Reply to:

References:
- tomcat9 access denied /var/lib/tomcat9/conf/web.xml
  - From: Alban Espié-Guillon <alban.espie-guillon@ow2.org>
- Re: tomcat9 access denied /var/lib/tomcat9/conf/web.xml
  - From: Emmanuel Bourg <ebourg@apache.org>

Prev by Date: Re: tomcat9 access denied /var/lib/tomcat9/conf/web.xml
Previous by thread: Re: tomcat9 access denied /var/lib/tomcat9/conf/web.xml
Index(es):
- Date
- Thread