Tomcat permissions and class loading

Florent Georges lists at
Thu Jul 15 21:31:09 UTC 2010


  I have a webapp deployed in tomcat6 (6.0.20-2ubuntu2), which
needs to dynamically instantiate an object from a class name.  In
order to do so, it needs to get the class object from that class
name; it uses:

    clazz = Class.forName(className);

  If the class is not found by this class loader, it maintains a
list of JAR files to use to look up for the class.  Thus it uses
a URLClassLoader instantiated like this:

    URL[] urls = ...;
    ClassLoader parent = ConfigHelper92.class.getClassLoader();
    ClassLoader loader = new URLClassLoader(urls, parent);
    clazz = Class.forName(className, true, loader);

  Given the Ubuntu security policies defined by the Ubuntu
package, this result in a ClassNotFoundException in the later
case (when the class must be searched in the JAR files maintained
by the webapp).  If I add the following permission in the file
/etc/tomcat6/policy.d/50local.policy, everything's fine:

    grant codeBase "file:${catalina.base}/webapps/mywebapp/-" {

  I would of course prefer to add only the needed permissions,
but I could not find them in the documentation, nor by googling.
Any clue?


Florent Georges


More information about the Ubuntu-devel-discuss mailing list