Wednesday, April 01, 2009

Tomcat security

One painful thing I'm learning is the restrictions Tomcat has when running under the -security option. Basically many things (e.g. jaxb, jax-ws, axis) can't run.
Locating the appropriate permissions is pretty daunting. Now http://www.onjava.com/pub/a/onjava/2007/01/03/discovering-java-security-requirements.html has a tool called ProfilingSecurityManager (which is just a custom SecurityManager class) which displays the permissions required (basically start catalina with -Djava.security.manager=secmgr.ProfilingSecurityManager). You then use a perl script
Another reference is http://www.petrovic.org/blog/2006/05/07/tomcat-security-option-and-catalinapolicy-file
Basically export CATALINA_OPTS=-Djava.security.debug=access,failure and then run catalina.sh run -security
Look in catalina.out for "denied". Then search for "domain that failed ProtectionDomain" to find the codebase or domain.
http://www.jchains.org/ also allows you to do the same for standard Java execution.
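
The catalina.out search described above can be scripted. The following Python is an added example, not from the original post or the linked articles: it pairs each "access denied" line with the next "domain that failed ProtectionDomain" line and renders candidate catalina.policy grant entries. The log lines are constructed samples; the function names, and the assumption that each denial is followed by its own domain line (no interleaving between threads), belong to this example.

```python
import re
from collections import defaultdict

DENIED = re.compile(r"access: access denied \((.*)\)\s*$")
DOMAIN = re.compile(r"access: domain that failed ProtectionDomain\s+\((\S+)")

# Constructed sample of -Djava.security.debug=access,failure output (quoted and unquoted forms).
SAMPLE_LOG = '''\
access: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
java.lang.Exception: Stack trace
\tat java.lang.Thread.dumpStack(Thread.java:1329)
access: domain that failed ProtectionDomain  (file:/opt/tomcat/webapps/demo/WEB-INF/lib/jaxb-impl.jar <no signer certificates>)
access: access denied (java.io.FilePermission /tmp/upload.tmp read)
access: domain that failed ProtectionDomain  (file:/opt/tomcat/webapps/demo/WEB-INF/classes/ <no signer certificates>)
access: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
access: domain that failed ProtectionDomain  (file:/opt/tomcat/webapps/demo/WEB-INF/lib/jaxb-impl.jar <no signer certificates>)
'''

def parse_permission(body):
    """Split the text inside 'access denied (...)' into (class, name, actions)."""
    parts = re.findall(r'"([^"]*)"', body) or body.split()  # unquoted form: split on spaces
    return (tuple(parts) + ("", "", ""))[:3]

def collect_denials(lines):
    """Map each failing codebase URL to the set of permissions it was denied."""
    grants, pending = defaultdict(set), None
    for line in lines:
        denied = DENIED.search(line)
        domain = DOMAIN.search(line)
        if denied:
            pending = parse_permission(denied.group(1))
        elif domain and pending:
            grants[domain.group(1)].add(pending)  # the set removes repeated denials
            pending = None
    return grants

def render_policy(grants):
    """Render the collected denials as catalina.policy grant blocks."""
    out = []
    for codebase in sorted(grants):
        out.append(f'grant codeBase "{codebase}" {{')
        for cls, name, actions in sorted(grants[codebase]):
            args = ", ".join(f'"{a}"' for a in (name, actions) if a)
            out.append(f"    permission {cls} {args}".rstrip() + ";")
        out.append("};")
    return "\n".join(out)

if __name__ == "__main__":
    print(render_policy(collect_denials(SAMPLE_LOG.splitlines())))
```

Review each generated entry before adding it to catalina.policy, since every grant widens what that codebase can do under -security.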
