
Solving Pebble deployment issues on Tomcat 5.5 caused by Java Security Manager policies on Debian

When you install Tomcat 5.5 on a Debian 4 system (apt-get install tomcat5.5), the Tomcat installation is locked down so that it is quite secure: explicit permission must be given to webapps that need to write to the filesystem, especially if those webapps are not located in the default Tomcat webapps directory (for example, when you run an Engine with multiple Hosts that respond to different domain names (vhosts) on your development server).

When deploying Pebble (http://pebble.sourceforge.net/) to blog.devserver.local I was seeing this error message in my /var/lib/tomcat5.5/logs/catalina_yyyy-mm-dd.log file:

"java.security.AccessControlException: access denied (java.io.FilePermission pebble.log write)"

After a bit of digging around in /etc/tomcat5.5/policy.d I found a file called "04webapps.policy", which seems to be the place to modify security settings for webapps. I added the following rule:

grant codeBase "file:/var/www/vhosts/blog.devserver.local/data/-" {
    permission java.security.AllPermission;
};

Note the "/-" on the end of the path: it means anything in that directory (recursively). More about the specification of the path can be read in the FilePermission API docs, here: http://java.sun.com/j2se/1.4.2/docs/api/java/io/FilePermission.html

My pebble.properties was also configured to use this directory via this statement:

dataDirectory=/var/www/vhosts/blog.devserver.local/data/pebble

I also found that you can enable extra security-related debug logging by modifying /etc/rc.d/tomcat5.5 and adding this statement:

CATALINA_OPTS=-Djava.security.debug=all

(Note that in previous versions of Tomcat that environment variable used to be TOMCAT_OPTS, which threw me off for a while until I figured out it had been renamed; I found a note to that effect here (http://logging.apache.org/log4j/1.2/manual.html) when I was researching the next problem.)

So, after restarting Tomcat I thought Pebble should fire up, but no, there was something else to fix:

"java.security.AccessControlException: access denied (java.io.FilePermission /WEB-INF/classes/logging.properties read)"

What's happening here is that log4j is trying to read its properties file but is not allowed to. Adding this to 04webapps.policy fixes it (in a somewhat blanket, less secure way):

grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
    permission java.security.AllPermission;
};

Tightening it up is done by changing it as follows:

grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
//    permission java.security.AllPermission;
    permission java.io.FilePermission "/var/www/vhosts/blog.devserver.local/webApps/blog/WEB-INF/classes/logging.properties", "read";
};
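To make the difference between the blanket grant and the tightened one concrete, here is a small Python audit helper I have added (it is not part of Pebble, Tomcat or this post's original content). It parses the simple `grant codeBase "..." { permission ...; };` blocks used above, ignoring `//` comments the way the policy file does, flags every codeBase that receives java.security.AllPermission, and approximates FilePermission's "/-" (recursive) and "/*" (direct children) path matching so you can ask whether a given codeBase would be allowed a given action on a given path. The sample policy text embedded in it is constructed from the two grants on this page; the parser assumes the plain codeBase-only grant syntax and does not expand `${catalina.home}` or handle signedBy/principal clauses.

```python
"""Audit a Tomcat policy.d fragment for blanket AllPermission grants.

Added example, not Tomcat's or Pebble's code. Assumes the simple
`grant codeBase "..." { permission ...; };` syntax shown on the page;
signedBy/principal clauses and ${property} expansion are not handled.
"""
import re

# Constructed sample: the page's two grants, one blanket and one tightened.
SAMPLE_POLICY = '''
grant codeBase "file:/var/www/vhosts/blog.devserver.local/data/-" {
    permission java.security.AllPermission;
};

grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
//    permission java.security.AllPermission;
    permission java.io.FilePermission "/var/www/vhosts/blog.devserver.local/webApps/blog/WEB-INF/classes/logging.properties", "read";
};
'''

GRANT_RE = re.compile(r'grant\s+codeBase\s+"([^"]+)"\s*\{(.*?)\}\s*;', re.S)
# permission <class> ["target" [, "actions"]] ;
PERM_RE = re.compile(
    r'permission\s+([\w.]+)\s*(?:"([^"]*)"\s*(?:,\s*"([^"]*)")?)?\s*;')


def strip_comments(text):
    """Drop /* */ blocks and // line comments (naive: a URL codeBase with
    '//' would be clipped; the file: codeBases on this page are fine)."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'//[^\n]*', '', text)


def parse_policy(text):
    """Return [(codeBase, [(perm_class, target, actions), ...]), ...]."""
    grants = []
    for code_base, body in GRANT_RE.findall(strip_comments(text)):
        grants.append((code_base, PERM_RE.findall(body)))
    return grants


def file_permission_implies(target, actions, path, action):
    """Approximate java.io.FilePermission.implies() for absolute paths:
    "/dir/-" covers dir and everything below it, "/dir/*" only direct
    children of dir, anything else must match exactly."""
    if action not in {a.strip() for a in actions.split(',')}:
        return False
    if target.endswith('/-'):
        base = target[:-2]
        return path == base or path.startswith(base + '/')
    if target.endswith('/*'):
        base = target[:-2]
        return path.startswith(base + '/') and '/' not in path[len(base) + 1:]
    return path == target


def audit(text):
    """Flag every codeBase that is granted java.security.AllPermission."""
    findings = []
    for code_base, perms in parse_policy(text):
        for perm_class, _target, _actions in perms:
            if perm_class == 'java.security.AllPermission':
                findings.append((code_base, 'blanket AllPermission grant'))
    return findings


def check_access(text, code_base, path, action):
    """Would code loaded from code_base be allowed `action` on `path`?
    Only AllPermission and FilePermission grants are evaluated."""
    for cb, perms in parse_policy(text):
        if cb != code_base:
            continue
        for perm_class, target, actions in perms:
            if perm_class == 'java.security.AllPermission':
                return True
            if perm_class == 'java.io.FilePermission' and \
                    file_permission_implies(target, actions, path, action):
                return True
    return False


if __name__ == '__main__':
    for code_base, note in audit(SAMPLE_POLICY):
        print('WARNING', code_base, note)
    juli = 'file:${catalina.home}/bin/tomcat-juli.jar'
    props = ('/var/www/vhosts/blog.devserver.local/webApps/blog'
             '/WEB-INF/classes/logging.properties')
    print('tomcat-juli read logging.properties:',
          check_access(SAMPLE_POLICY, juli, props, 'read'))
    print('tomcat-juli write logging.properties:',
          check_access(SAMPLE_POLICY, juli, props, 'write'))
```

Run against the real files (for example by concatenating /etc/tomcat5.5/policy.d/*.policy into the text argument) it reports the data-directory grant above as the remaining blanket grant, while the tomcat-juli grant now allows exactly one read and nothing else. Note that the commented-out AllPermission line is ignored, which is the point of leaving it in the file as a record of what was loosened.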

After this I could finally deploy and start Pebble and I now feel confident about solving other Java Security Manager (http://java.sun.com/j2se/1.4.2/docs/api/java/lang/SecurityManager.html) related issues.
