安全连接在启用安全管理器的情况下使用tomcat时失败

时间:2013-11-18 11:41:57

标签: security tomcat ssl securitymanager

我已在启用了SSL的tomcat 6上部署了一个Web应用程序(example.war)。

当我在没有安全管理器的情况下启动tomcat并尝试使用url:"https://localhost:8443/example"连接到服务器时,它成功连接并且 并显示index.jsp文件(welcome-file)的内容。

但是当我使用安全管理器启动tomcat时,它会在浏览器(firefox)上显示相同网址的错误。

Secure Connection Failed

An error occurred during a connection to localhost:8443.
Peer reports it experienced an internal error.
(Error code: ssl_error_internal_error_alert)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

以下是catalina.policy

中提供的权限 
grant {
    permission java.util.PropertyPermission "java.home", "read";
    permission java.util.PropertyPermission "java.naming.*", "read";
    permission java.util.PropertyPermission "javax.sql.*", "read";

    // OS Specific properties to allow read access
    permission java.util.PropertyPermission "os.name", "read";
    permission java.util.PropertyPermission "os.version", "read";
    permission java.util.PropertyPermission "os.arch", "read";
    permission java.util.PropertyPermission "file.separator", "read";
    permission java.util.PropertyPermission "path.separator", "read";
    permission java.util.PropertyPermission "line.separator", "read";

    // JVM properties to allow read access
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "java.vendor", "read";
    permission java.util.PropertyPermission "java.vendor.url", "read";
    permission java.util.PropertyPermission "java.class.version", "read";
    permission java.util.PropertyPermission "java.specification.version", "read";
    permission java.util.PropertyPermission "java.specification.vendor", "read";
    permission java.util.PropertyPermission "java.specification.name", "read";

    permission java.util.PropertyPermission "java.vm.specification.version", "read";
    permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
    permission java.util.PropertyPermission "java.vm.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.version", "read";
    permission java.util.PropertyPermission "java.vm.vendor", "read";
    permission java.util.PropertyPermission "java.vm.name", "read";

    // Required for OpenJMX
    permission java.lang.RuntimePermission "getAttribute";

    // Allow read of JAXP compliant XML parser debug
    permission java.util.PropertyPermission "jaxp.debug", "read";

    // Precompiled JSPs need access to these packages.
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
    permission java.lang.RuntimePermission "accessClassInPackage.sun.security.util";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";

    // Precompiled JSPs need access to these system properties.
    permission java.util.PropertyPermission
     "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
    permission java.util.PropertyPermission "org.apache.el.parser.COERCE_TO_ZERO", "read";
};

grant codeBase "file:${catalina.base}/webapps/example/-" {
    permission java.security.AllPermission;
};

当我提供以下所有权限时,它工作正常:

grant {
    permission java.security.AllPermission;
};

grant codeBase "file:${catalina.base}/webapps/example/-" {
    permission java.security.AllPermission;
};

我想知道我应该添加哪些特定权限,以便在不提供AllPermission的情况下使其工作?

1 个答案:

答案 0 :(得分:1)

最后问题已经解决。我启动了tomcat,环境变量“CATALINA_OPTS”设置为值“-Djava.security.debug = access”,其中记录了有关的详细信息 访问权限,我发现了一些AccessControlExceptions - 访问被拒绝。

添加以下权限解决了问题:

permission java.util.PropertyPermission "sun.security.pkcs11.allowSingleThreadedModules", "read";

permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
permission java.lang.RuntimePermission "accessClassInPackage.com.sun.xml.internal.bind.v2.runtime.reflect";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
permission java.lang.RuntimePermission "accessClassInPackage.sun.security.util";
permission java.lang.RuntimePermission "accessClassInPackage.sun.security.action";
permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
permission java.lang.RuntimePermission "loadLibrary.j2pkcs11";
permission java.lang.RuntimePermission "accessClassInPackage.sun.security.ec";
permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.interfaces";
permission java.lang.RuntimePermission "accessClassInPackage.sun.security.rsa";

permission java.security.SecurityPermission "putProviderProperty.SunJCE";
permission java.security.SecurityPermission "putProviderProperty.SunPKCS11-NSS";

permission java.io.FilePermission "/usr/lib/jvm/java-7-openjdk-i386/jre/lib/security/nss.cfg", "read";
permission java.io.FilePermission "/usr/lib/jvm/java-7-openjdk-common/jre/lib/ext/i386/libj2pkcs11.so", "read";
permission  java.io.FilePermission "/usr/lib/jvm/java-7-openjdk-common/jre/lib/ext/libj2pkcs11.so", "read";

permission java.io.FilePermission "/usr/share/java/i386/libj2pkcs11.so", "read";
permission java.io.FilePermission "/usr/share/java/libj2pkcs11.so", "read";

permission java.io.FilePermission "/usr/lib/i386-linux-gnu/jni/i386/libj2pkcs11.so", "read";
permission java.io.FilePermission "/usr/lib/i386-linux-gnu/jni/libj2pkcs11.so", "read";

但我不确定是否添加带库的绝对路径的文件权限是一个好主意(最后7个条目)。有什么建议吗?

相关问题
最新问题