Tomcat permissions and class loading
Florent Georges
lists at fgeorges.org
Thu Jul 15 21:31:09 UTC 2010
  Hi,

  I have a webapp deployed in tomcat6 (6.0.20-2ubuntu2), which
needs to dynamically instantiate an object from a class name.  In
order to do so, it needs to get the class object from that class
name; it uses:

    clazz = Class.forName(className);

  If the class is not found by this class loader, it maintains a
list of JAR files to use to look up the class.  Thus it uses
a URLClassLoader instantiated like this:

    URL[] urls = ...;
    ClassLoader parent = ConfigHelper92.class.getClassLoader();
    ClassLoader loader = new URLClassLoader(urls, parent);
    clazz = Class.forName(className, true, loader);

  Given the Ubuntu security policies defined by the Ubuntu
package, this results in a ClassNotFoundException in the latter
case (when the class must be searched in the JAR files maintained
by the webapp).  If I add the following permission in the file
/etc/tomcat6/policy.d/50local.policy, everything's fine:

    grant codeBase "file:${catalina.base}/webapps/mywebapp/-" {
      permission java.security.AllPermission;
    };

  I would of course prefer to add only the needed permissions,
but I could not find them in the documentation, nor by googling.
Any clue?

Regards,
--
Florent Georges
http://fgeorges.org/
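
Added example, not part of the original message and not code from the poster or from Tomcat: a probe that asks the installed SecurityManager which of the permissions normally involved in building a URLClassLoader over local JAR files are denied to the calling code. The class name, the candidate permission set and the sample JAR path are assumptions; code loaded from the JARs may need further permissions of its own.

```java
import java.io.File;
import java.io.FilePermission;
import java.security.Permission;
import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical helper: deploy it inside the webapp and call it from the code
 * that builds the URLClassLoader. The loader uses the access-control context
 * captured at construction, so that code's domain is what the policy must cover.
 */
public final class LoaderPermissionProbe {

    /** Candidate permissions for a loader over local JAR files (assumed set). */
    static List<Permission> candidates(List<File> jars) {
        List<Permission> needed = new ArrayList<Permission>();
        // Checked by the ClassLoader constructor when a manager is installed.
        needed.add(new RuntimePermission("createClassLoader"));
        // Needed to open each JAR referenced through a file: URL.
        for (File jar : jars) {
            needed.add(new FilePermission(jar.getPath(), "read"));
        }
        return needed;
    }

    /** Returns the candidates that the current call stack is denied. */
    public static List<Permission> missing(List<File> jars) {
        List<Permission> denied = new ArrayList<Permission>();
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) return denied; // no manager installed: nothing enforced
        for (Permission p : candidates(jars)) {
            try {
                sm.checkPermission(p);
            } catch (SecurityException e) {
                denied.add(p);
            }
        }
        return denied;
    }

    public static void main(String[] args) {
        // Constructed sample path; substitute the JARs the webapp maintains.
        List<File> jars = new ArrayList<File>();
        jars.add(new File("/opt/example/ext/sample.jar"));
        for (Permission p : missing(jars)) {
            System.out.println(p);
        }
    }
}
```

Each permission it reports can be granted individually in the codeBase block in place of AllPermission. Starting the JVM with -Djava.security.debug=access,failure logs every permission check that fails, which shows any requirement the candidate set does not cover.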