I\'m using Tomcat 6.0.24, as packaged for Ubuntu Karmic. The default security policy of Ubuntu\'s Tomcat package is pretty stringent, but appears straightforward. In /va
Are you directly deploying to the ROOT directory ?
Usually when you put a war in the webapps folder, say 100myapp.war
, it unpacks to a folder named 100myapp
itself. Shouldn't the grants then be done on this new folder rather than the ROOT folder ?
It's possible that you have to grant file access permissions separately. Try changing the grant for your app to:
grant codeBase "file:${catalina.base}/webapps/ROOT.war" {
permission java.security.AllPermission;
permission java.io.FilePermission "file:${catalina.base}/webapps/ROOT/-", "read, write";
}
If that doesn't work, then it could be that some code outside of what your existing grants cover is accessing those property files (e.g. servlet or other library code).
As a workaround, and to confirm if this is the case, you could do a straight grant on the .properties that are causing you the problem:
grant {
permission java.io.FilePermission "file:${catalina.base}/webapps/ROOT/WEB-INF/classes/com/foo/some-file-here.txt", "read, write";
}
It seems in fact that the latter could be the case since the stack trace shows code in Tomcat's context loader. If the straight grant on the .properties works, you might want to lock the grant down to org.apache.naming.resources.FileDirContext.
Do you get any stack traces specific to your own code?
Are you using Ubuntu's package-managed version? We had a nightmare recently with security stuff with it, but found that by downloading Tomcat separately and using that, the security issues went away.
Corroboration:
http://www.howtogeek.com/howto/linux/installing-tomcat-6-on-ubuntu/
If you are running Ubuntu and want to use the Tomcat servlet container, you should not use the version from the repositories as it just doesn’t work correctly. Instead you’ll need to use the manual installation process that I’m outlining here.
Tomcat runs with its own tomcat user. The war files need to be visible to that user - probably worth checking that first?