dev@glassfish.java.net

Re: Unable to migrate a Tomcat 5.5 webapp to Glassfish

From: Felipe Gaúcho <fgaucho_at_gmail.com>
Date: Mon, 19 Dec 2005 16:50:19 -0300

ok, it seems the security manager is enabled by default in the Glassfish...

my code was running well under Tomcat because Tomcat doesn't activate the
security manager unless you specify it through the startup line command..

The strategy of my code:

on the JAAS Filter, I'm setting some security parameters on the init(...)
method:

    public void init(FilterConfig arg0) throws ServletException {
        ServletContext context = arg0.getServletContext();
        System.setProperty("java.security.manager", "");
        System.setProperty(JAVA_SECURITY_POLICY, context
                .getRealPath("WEB-INF/jaas/default.policy"));
        System.setProperty(JAVA_SECURITY_AUTH_POLICY, context
                .getRealPath("WEB-INF/jaas/app.policy"));
        System.setProperty(JAVA_SECURITY_AUTH_LOGIN_CONFIG, context
                .getRealPath("WEB-INF/jaas/jaas.config"));
    }

the first command activates the security manager in the Tomcat container..
and I figured out the following problem trying to do the same under
Glassfish:

Glassfish has security activated by default. That's why the code fails to
startup - the lines of my init() method are not authorized by the security
manager, i.e., the code itself predicts an unsafe server on the startup.

I think I need to review this strategy under Glassfish. I will try your
suggestion later at home.

thank you very much,

     Felipe Gaúcho






On 12/19/05, ronald monzillo <Ronald.Monzillo_at_sun.com> wrote:
>
> Felipe,
>
> your application needs some pretty serious permissions, which may
> confirm that you are running without a security manager on the other
> deployment platforms you have tried.
>
> If you would like to run the glassfish containers with a security
> manager, you will have to grant your app at least the following
> permissions.
>
> grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/cejug-classifieds/-" {
>     permission java.util.PropertyPermission "java.security.manager", "write";
>     permission java.util.PropertyPermission "java.security.policy", "write";
>     permission java.util.PropertyPermission "java.security.auth.policy", "write";
> };
>
> you can add the above grants to the server.policy file, or the
> application specific policy file (although the former is likely
> simpler and more resilient, as the latter will be recreated
> each time you redeploy your app).
>
> after updating the policy file, you should restart the server,
> or redeploy the app.
>
> Ron
>
> you can also consult the appserver admin guide for instructions how
> to disable the security manager.
>
> http://docs.sun.com/source/819-0076/jvm.html#wp1031405
>
> Felipe Gaúcho wrote On 12/19/05 12:14,:
> > ok, I copied a ZIP file containing all files required to deploy the
> > application:
>
> >
> > This is a snapshot of our under-development project - without any
> > revision or tests... It is just for our early tests. I included the
> > source code to allow you to inspect the project design.
> >
> > into the zip you have:
> >
> > - the war file, ready for deployment
> > - the SQL folder containing the MySql scripts used to create the
> > database ...
> > - the MySql driver we commonly copy to the common/lib folder on the
> > Tomcat server
> >
> > I hope it serves for your evaluation. Any other issue, we are here to
> > help you.
> >
> > Thank you very much for your friendly attention,
> >
> > Felipe Gaúcho
> > Cejug-Classifieds owner
> >
> >
> >
> >
> >
> > On 12/19/05, ronald monzillo <Ronald.Monzillo_at_sun.com> wrote:
> >
> > Dear Felipe,
> > I see you have cc'ed dev_at_cejug-classifieds.dev.java.net in your
> > response, so I will wait to see if someone can provide me with the
> > application (ready to deploy).
> >
> > Ron
> >
> >
> > Felipe Gaúcho wrote On 12/19/05 11:11,:
> > > Dear Ronald,
> > >
> > > unfortunately, our maven file is obsolete... The easy way to compile and
> > > run the project is through the Web Tools for Eclipse. After download and
> > > unzip the WTP, you can refer to the video on:
> > >
> > > https://cejug-classifieds.dev.java.net/files/documents/2638/25871/wtp_install.htm
> > >
> > > We are trying to fix old issues about our automated compile/deploy
> > > scripts, but for now it is more interesting to use WTP....
> > >
> > > please send a copy of all your mail to our developers list in order to
> > > allow other developers to respond to your questions:
> > > dev_at_cejug-classifieds.dev.java.net
> > >
> > > best regards,
> > >
> > > Felipe Gaúcho
> > > Cejug-Classifieds owner
> > >
> > >
> > >
> > > On 12/19/05, ronald monzillo <Ronald.Monzillo_at_sun.com> wrote:
> > >
> > > Felipe,
> > >
> > > I think that at least part of the difference may be that the
> > > SecurityManager is enabled in the failing environment, and
> > > disabled where the app succeeds.
> > >
> > > I tried to checkout and build the app by doing
> > >
> > > cvs co cejug-classifieds
> > > maven build
> > >
> > > but I caught the following flack from the build.
> > >
> > > If you can assist me in completing the build, I will
> > > give it another try. Alternatively, if you could send
> > > me the application (ready to deploy) I will try that.
> > >
> > > Ron
> > >
> > > ----------
> > >
> > > The build cannot continue because of the following unsatisfied
> > > dependencies:
> > >
> > > activation-.jar; path override doesn't exist:
> > > /space/monzillo/sandbox/cejug-classifieds/web-app/WEB-INF/lib/activation.jar
> > > informa-.jar; path override doesn't exist:
> > > /space/monzillo/sandbox/cejug-classifieds/web-app/WEB-INF/lib/informa.jar
> > > mail-.jar; path override doesn't exist:
> > > /space/monzillo/sandbox/cejug-classifieds/web-app/WEB-INF/lib/mail.jar
> > > c-.tld; path override doesn't exist:
> > > /space/monzillo/sandbox/cejug-classifieds/web-app/WEB-INF/tld/c.tld
> > > c-rt-.tld; path override doesn't exist:
> > > /space/monzillo/sandbox/cejug-classifieds/web-app/WEB-INF/tld/c-rt.tld
> > > fmt-.tld; path override doesn't exist:
> > > /space/monzillo/sandbox/cejug-classifieds/web-app/WEB-INF/tld/fmt.tld
> > > fmt-rt-.tld; path override doesn't exist:
> > > /space/monzillo/sandbox/cejug-classifieds/web-app/WEB-INF/tld/fmt-rt.tld
> > > job-.tld; path override doesn't exist:
> > > /space/monzillo/sandbox/cejug-classifieds/web-app/WEB-INF/tld/job.tld
> > > rss-.tld; path override doesn't exist:
> > > /space/monzillo/sandbox/cejug-classifieds/web-app/WEB-INF/tld/rss.tld
> > > sql-.tld; path override doesn't exist:
> > > /space/monzillo/sandbox/cejug-classifieds/web-app/WEB-INF/tld/sql.tld
> > > sql-rt-.tld; path override doesn't exist:
> > > /space/monzillo/sandbox/cejug-classifieds/web-app/WEB-INF/tld/sql-rt.tld
> > > x-.tld; path override doesn't exist:
> > > /space/monzillo/sandbox/cejug-classifieds/web-app/WEB-INF/tld/x.tld
> > > x-rt-.tld; path override doesn't exist:
> > > /space/monzillo/sandbox/cejug-classifieds/web-app/WEB-INF/tld/x-rt.tld
> > >
> > > Total time: 3 seconds
> > > Finished at: Mon Dec 19 10:49:37 EST 2005
> > >
> > > paddler 545 =>find . -name x-rt.tld
> > > ./web-app/WebContent/WEB-INF/tld/x-rt.tld
> > > paddler 546 =>ant usage
> > > Buildfile: build.xml
> > >
> > > BUILD FAILED
> > > /space/monzillo/sandbox/cejug-classifieds/build.xml:195: The string "--"
> > > is not permitted within comments.
> > >
> > > Total time: 0 seconds
> > > paddler 547 =>
> > >
> > > result of the
> > > SecurityManager being enabled in the
> > >
> > > Jeanfrancois Arcand wrote On 12/17/05 18:42,:
> > > > > Just read that on the forum. Can someone from the security team follow
> > > > > up. We should try to support such simple apps in GlassFish.
> > > >
> > > > Thanks
> > > >
> > > > -- Jeanfrancois
> > > >
> > > >
> > > >> migrating a web-application Tomcat 5.5 --> Glassfish
> > > >>Posted: Dec 17, 2005 12:13 PM
> > > >>
> > > >>Dear friends,
> > > >>
> > > >>I have a web-application that runs well in the Tomcat 5.5 and also in the Websphere 6.1.
> > > >>
> > > >>I downloaded the latest promoted build of Glassfish, followed the QuickStartGuide and everything was ok until I tried to deploy my war file.
> > > >>
> > > >>Using the admin page, I got a successful deploy but the web-application didn't start up. The application page opened, but any path I tried returned a blank page.
> > > >>
> > > >>How to proceed?
> > > >>
> > > >>vbkraemer
> > > >>
> > > >>Posts: 10
> > > >>
> > > >>Re: migrating a web-application Tomcat 5.5 --> Glassfish
> > > >>Posted: Dec 17, 2005 1:21 PM
> > > >>
> > > >>Have you looked in the server's error log file?
> > > >>
> > > >>The name of the file is server.log... it should be in <install-dir>/domains/domain1/logs/server.log.
> > > >>
> > > >>That may have some help information.
> > > >>
> > > >>To get much more help via this forum, you may need to describe your app, etc. in a bit more detail.
> > > >>
> > > >>vbk
> > > >>
> > > >>felipegaucho
> > > >>
> > > >>Posts: 10
> > > >>
> > > >>Re: migrating a web-application Tomcat 5.5 --> Glassfish
> > > >>Posted: Dec 17, 2005 2:38 PM
> > > >>
> > > >>The project is the Cejug-Classifieds: https://cejug-classifieds.dev.java.net/
> > > >>
> > > >>all code available through CVS - Check out source code with a CVS client. For example:
> > > >>
> > > >>cvs -d :pserver:guest_at_cvs.dev.java.net:/cvs login
> > > >>
> > > >>followed by
> > > >>
> > > >>cvs -d :pserver:guest_at_cvs.dev.java.net:/cvs checkout cejug-classifieds
> > > >>
> > > >>
> > > >>The cejug-classifieds is a web-app that includes JAAS features, and the problem seems related to the security issues:
> > > >>
> > >
> > > >>[#|2005-12-17T16:16:32.671-0200|INFO|sun-appserver-pe9.0|javax.enterprise.system.core.security|_ThreadID=14;_ThreadName=Thread-31;|JACC Policy Provider: PolicyWrapper.implies, context(null)- permission((java.util.PropertyPermission java.security.manager write)) domain that failed(ProtectionDomain (file:/E:/glassfish/domains/domain1/applications/j2ee-modules/cejug-classifieds/WEB-INF/classes/net/java/dev/cejug/classifieds/filter/JaasFilter.class <no signer certificates>;)
> > > >>WebappClassLoader
> > > >>delegate: true
> > > >>repositories:
> > > >>/WEB-INF/classes/
> > > >>----------> Parent Classloader:
> > > >>EJBClassLoader :
> > > >>urlSet = []
> > > >>doneCalled = false
> > > >>Parent -> java.net.URLClassLoader_at_1724a9d
> > > >>
> > > >>
> > > >><no principals>
> > > >>java.security.Permissions_at_1ba49d (
> > > >>(javax.security.auth.PrivateCredentialPermission
> > > javax.resource.spi.security.PasswordCredential * "*" read)
> > > >>(org.apache.naming.JndiPermission
> > > >
> > > >
> > >
>
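
The permission failure discussed in this thread can be checked before the filter tries to write the properties. The following is an added example, not code from the thread or from the Cejug-Classifieds project: the class name `PolicyPreflight` is hypothetical, the fourth property name is an assumption about what `JAVA_SECURITY_AUTH_LOGIN_CONFIG` holds, and it needs a JDK that still supports the `SecurityManager` API.

```java
import java.security.Permission;
import java.util.ArrayList;
import java.util.List;
import java.util.PropertyPermission;

/** Added example: pre-flight check for the property writes done in the filter's init(). */
public class PolicyPreflight {

    // The first three names appear in the grant quoted in this thread. The fourth is
    // the standard JAAS login-config property, ASSUMED to be the value of the
    // JAVA_SECURITY_AUTH_LOGIN_CONFIG constant used in init().
    static final String[] KEYS = {
        "java.security.manager",
        "java.security.policy",
        "java.security.auth.policy",
        "java.security.auth.login.config"
    };

    /** Returns the PropertyPermission "write" grants the calling code still lacks. */
    static List<Permission> missingWriteGrants(String... keys) {
        List<Permission> missing = new ArrayList<>();
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            return missing; // no security manager installed: nothing is checked
        }
        for (String key : keys) {
            Permission p = new PropertyPermission(key, "write");
            try {
                sm.checkPermission(p); // the same check System.setProperty triggers
            } catch (SecurityException denied) {
                missing.add(p);
            }
        }
        return missing;
    }

    public static void main(String[] args) {
        List<Permission> missing = missingWriteGrants(KEYS);
        if (missing.isEmpty()) {
            System.out.println("All property writes are permitted.");
            return;
        }
        // Print policy-file lines to place inside the application's grant block.
        for (Permission p : missing) {
            System.out.printf("permission %s \"%s\", \"%s\";%n",
                    p.getClass().getName(), p.getName(), p.getActions());
        }
    }
}
```

Called from the web application's own classes, the check is evaluated against that application's protection domain, so the printed lines are the grants its `codeBase` entry is missing.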