For our Kunagi Java web application we have a signed kunagi.jar
file which contains our classes together with classes from embedded Tomcat 6. This runs perfectly when calling java -jar kunagi.jar
.
But when starting it with Java WebStart, I get an exception while embedded Tomcat is starting:
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.deploy)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:393)
at java.security.AccessController.checkPermission(AccessController.java:553)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1529)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:291)
at java.lang.ClassLoader.loadClass(ClassLoader.java:266)
at net.sourceforge.jnlp.runtime.JNLPClassLoader.loadClass(JNLPClassLoader.java:1018)
at java.lang.Class.getDeclaredMethods0(Native Method)
at java.lang.Class.privateGetDeclaredMethods(Class.java:2444)
at java.lang.Class.getMethod0(Class.java:2687)
at java.lang.Class.getMethod(Class.java:1620)
at org.apache.catalina.startup.SetPublicIdRule.begin(WebRuleSet.java:639)
at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1276)
... 33 more
Of course kunagi.jar
is signed, otherwise it wouldn't even start. It seams Java WebStart enables Java Security globally, which somehow embedded Tomcat "inherits" and fails to initialize.
Here is the JNLP file:
<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="http://kunagi.org/webstart" href="kunagi.jnlp">
<information>
<title>Kunagi</title>
<vendor>Kunagi Team</vendor>
<homepage href="http://kunagi.org"/>
<description>SCRUM Tool</description>
<description kind="short">SCRUM Tool</description>
<offline-allowed/>
</information>
<security>
<all-permissions/>
</security>
<resources>
<j2se version="1.6+" href="http://java.sun.com/products/autodl/j2se"/>
<jar href="kunagi.jar" main="true" />
</resources>
<application-desc name="Kunagi" main-class="katokorbo.Katokorbo"/>
<update check="always"/>
</jnlp>
Is there a way to disable security checks for Tomcat inside of Java WebStart? Or how can I configure embedded Tomcat to permit access to org.apache.catalina...
?
@Witek: Tomcat doesn't turn the SecurityManager on: the JVM must be started with a SecurityManager enabled and a policy file in place. Tomcat launches long after the SecurityManager is in place.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With