Author Topic: TOMCAT5_SECURITY=yes, one issue left  (Read 7380 times)

Wessel

  • Newbie
  • *
  • Posts: 18
  • Karma: 2
    • View Profile
TOMCAT5_SECURITY=yes, one issue left
« on: June 11, 2008, 23:05:14 »
Hi,

I know I can switch of security, but wouldn't it be nice to have it working :-)

I've managed to get most of QM working with security tight enabled in tomcat5. I used the following security rules:

// QueueMetrics rules
 grant {
permission java.net.SocketPermission "localhost:3306", "connect,resolve";
permission java.io.FilePermission "/var/log/asterisk/queue_log", "read";
permission java.io.FilePermission "/var/lib/tomcat5.5/webapps/queuemetrics/WEB-INF/classes/logging.properties", "rea
d";
};

This will work for all the functions (as far as i tested it) but it breaks as soon as I request the license information with the error below, If anybody was able to work around this error, please let me know

Wessel

It forwards to the page: http://localhost:8180/queuemetrics/$WEBAPP/sys_errore.jsp
And in the log it bumps the following dump.
[F56D8F8D70E367938D4451F1DCC357E5] Tempo totale esecuzione verbo 'qm_start': 467 ms
[F56D8F8D70E367938D4451F1DCC357E5] [ERR] -- Inner Exception --
Exception: java.security.AccessControlException
Error:
access denied (java.util.PropertyPermission * read,write)Stack trace:
java.security.AccessControlException: access denied (java.util.PropertyPermission * read,write)
   at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
   at java.security.AccessController.checkPermission(AccessController.java:427)
   at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
   at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1252)
   at java.lang.System.getProperties(System.java:561)
   at it.loway.app.queuemetrics.autenticazione.caricaDatiPaginaLicenza.doRun(Unknown Source)
   at it.loway.tpf.transaction.servlets.LowayTransactionController.serveRequest(Unknown Source)
   at it.loway.tpf.transaction.servlets.LowayTransactionController.serveRequestWrapper(Unknown Source)
   at it.loway.tpf.transaction.servlets.LowayTransactionController.doPost(Unknown Source)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:585)
   at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:243)
   at java.security.AccessController.doPrivileged(Native Method)
   at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
   at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:275)
   at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:161)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:245)
   at org.apache.catalina.core.ApplicationFilterChain.access$0(ApplicationFilterChain.java:177)
   at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:156)
   at java.security.AccessController.doPrivileged(Native Method)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:152)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
   at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
   at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
   at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
   at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
   at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
   at java.lang.Thread.run(Thread.java:595)
-- End Inner Exception --

<code>
« Last Edit: June 11, 2008, 23:12:19 by Wessel »

silmaril

  • Newbie
  • *
  • Posts: 13
  • Karma: 0
    • View Profile
    • Email
Re: TOMCAT5_SECURITY=yes, one issue left
« Reply #1 on: June 13, 2008, 09:34:04 »

As of now, i have used the following line for this:
permission java.util.PropertyPermission "*", "read,write";

but i think we can cut it down to the 'read' part.

BTW there is another issue with the security manager:
http://forum.queuemetrics.com/index.php?topic=249.0

QueueMetrics

  • Loway
  • Hero Member
  • *
  • Posts: 2999
  • Karma: 39
    • View Profile
    • QueueMetrics
Re: TOMCAT5_SECURITY=yes, one issue left
« Reply #2 on: June 13, 2008, 09:37:21 »
We're tracking this issue as bug #365

QueueMetrics

  • Loway
  • Hero Member
  • *
  • Posts: 2999
  • Karma: 39
    • View Profile
    • QueueMetrics
Re: TOMCAT5_SECURITY=yes, one issue left
« Reply #3 on: June 16, 2008, 17:01:50 »
This should be it:

Code: [Select]
grant codeBase "file:/usr/local/queuemetrics/tomcat/webapps/queuemetrics/-" {
 permission java.net.SocketPermission "localhost:3306", "connect,resolve";
 permission java.io.FilePermission "/var/log/asterisk/queue_log", "read";
 permission java.util.PropertyPermission "*", "read,write";
 permission java.lang.RuntimePermission "createClassLoader";
 permission java.io.FilePermission "${java.io.tmpdir}/-", "read,write,delete";

 // if you use LIVE connection to Asterisk instances:
 permission java.net.SocketPermission "127.0.0.1:5038", "connect,resolve";
};

Of course you have to:
1. se t the correct path for your QM webapp
2. set the correct path to your database
3. set the cortrect path to your Asterisk server
4. if you use external XMl-RPC services, you should add "connect, resolve" grants for those as well.



Wessel

  • Newbie
  • *
  • Posts: 18
  • Karma: 2
    • View Profile
Re: TOMCAT5_SECURITY=yes, one issue left
« Reply #4 on: June 23, 2008, 00:44:35 »
Thanks!

I'll test it this week,

Wessel

QueueMetrics

  • Loway
  • Hero Member
  • *
  • Posts: 2999
  • Karma: 39
    • View Profile
    • QueueMetrics
Re: TOMCAT5_SECURITY=yes, one issue left
« Reply #5 on: June 23, 2008, 16:54:54 »
Pls let us know if you encounter any problems.

silmaril

  • Newbie
  • *
  • Posts: 13
  • Karma: 0
    • View Profile
    • Email
Re: TOMCAT5_SECURITY=yes, one issue left
« Reply #6 on: January 18, 2009, 19:38:36 »

If you are using call files, there is on permission missing from the previous set:
Code: [Select]
permission java.io.FilePermission "/var/spool/asterisk/outgoing/*", "write";

QueueMetrics

  • Loway
  • Hero Member
  • *
  • Posts: 2999
  • Karma: 39
    • View Profile
    • QueueMetrics
Re: TOMCAT5_SECURITY=yes, one issue left
« Reply #7 on: January 19, 2009, 10:50:46 »
Thanks for pointing that out. We advise for using direct TCP connection rather than call-files, if possible.