AccessControlException when starting embedded Tomcat from Java Webstart

Question

For our Kunagi Java web application we have a signed kunagi.jar file which contains our classes together with classes from embedded Tomcat 6. This runs perfectly when calling java -jar kunagi.jar.

But when starting it with Java WebStart, I get an exception while embedded Tomcat is starting:

java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.deploy)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:393)
    at java.security.AccessController.checkPermission(AccessController.java:553)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1529)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:291)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:266)
    at net.sourceforge.jnlp.runtime.JNLPClassLoader.loadClass(JNLPClassLoader.java:1018)
    at java.lang.Class.getDeclaredMethods0(Native Method)
    at java.lang.Class.privateGetDeclaredMethods(Class.java:2444)
    at java.lang.Class.getMethod0(Class.java:2687)
    at java.lang.Class.getMethod(Class.java:1620)
    at org.apache.catalina.startup.SetPublicIdRule.begin(WebRuleSet.java:639)
    at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1276)
    ... 33 more

Of course kunagi.jar is signed, otherwise it wouldn't even start. It seams Java WebStart enables Java Security globally, which somehow embedded Tomcat "inherits" and fails to initialize.

Here is the JNLP file:

<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="http://kunagi.org/webstart" href="kunagi.jnlp">
    <information>
        <title>Kunagi</title>
        <vendor>Kunagi Team</vendor>
        <homepage href="http://kunagi.org"/>
        <description>SCRUM Tool</description>
        <description kind="short">SCRUM Tool</description>
        <offline-allowed/>
    </information>
    <security>
        <all-permissions/>
    </security>
    <resources>
        <j2se version="1.6+" href="http://java.sun.com/products/autodl/j2se"/>
        <jar href="kunagi.jar" main="true" />
    </resources>
    <application-desc name="Kunagi" main-class="katokorbo.Katokorbo"/>
    <update check="always"/>
</jnlp>

Is there a way to disable security checks for Tomcat inside of Java WebStart? Or how can I configure embedded Tomcat to permit access to org.apache.catalina...?

Answer 1

@Witek: Tomcat doesn't turn the SecurityManager on: the JVM must be started with a SecurityManager enabled and a policy file in place. Tomcat launches long after the SecurityManager is in place.