FilePermission for custom framework

Post by Patrik » Thu Apr 15, 2021 1:15 pm

Hi,

I have a custom framework that needs to read and write files "somewhere" on the server.

My (kind of random) choice was a custom subfolder within tomcat\webapps that will be created automatically if it is missing.

I expected this to be no problem with the permissions due to the existing entry

grant codeBase "file:${oxygen.data.dir}/frameworks/-" {
    permission java.security.AllPermission;
};

But I got an error. So I tried to find (through a long sequence of trial and error) the most selective grant that solved this error and got this (very surprisingly):

grant codeBase "file:${catalina.base}/webapps/oxygen-xml-web-author/WEB-INF/-" {
  permission java.io.FilePermission "${catalina.base}/webapps/-", "read,write";
};

But I don't like this solution at all since
  • it is not very selective on the codeBase or the permission
  • it doesn't have any relation to my custom framework or custom folder

Could you guide me to a better grant or name me a better place for my files to be stored?

Thanks and regards,
Patrik

Post by mihai_coanda » Fri Apr 16, 2021 8:02 pm

Hello,

The webapps folder should not be tampered with, as it should only store web applications, not dynamic data.

You should use the oxygen data directory that is passed as the oxygen.data.dir system property to the java code of your framework.
This folder holds the configuration of the Web Author like frameworks, plugins, options, etc.

Regards,
Michael
http://www.oxygenxml.com

Post by Patrik » Mon Apr 19, 2021 10:44 am

Hi Michael,

thanks a lot. Changing the folder as you suggested works without any modifications to the policies - perfect! :)

Regards,
Patrik

Post by Patrik » Wed Apr 21, 2021 6:42 pm

Hi again,

it turned out that using the folder <oxygen.data.dir> does not always work. When applying an XSLT transformation to a file in that folder I get an error with missing privileges:

java.security.AccessControlException: Access denied : C:\Program Files\oXygen XML Web Author 23.1\tomcat\work\Catalina\localhost\oxygen-xml-web-author\TgicServiceCatalog\Deploy-ITU\TgicServiceCatalog.xml
	at ro.sync.servlet.plugin.SecurityAwareFileURLStreamHandler.openConnection(SecurityAwareFileURLStreamHandler.java:87) ~[classes/:?]
	at java.net.URL.openConnection(Unknown Source) ~[?:1.8.0_202]
	at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(XMLEntityManager.java:1037) ~[oxygen-patched-xerces.jar:2.12.1-xml-schema-1.1]
	at org.apache.xerces.impl.XMLVersionDetector.determineDocVersion(Unknown Source) ~[oxygen-patched-xerces.jar:2.12.1-xml-schema-1.1]
	at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) ~[oxygen-patched-xerces.jar:?]
	at org.ditang.relaxng.defaults.RelaxDefaultsParserConfiguration.parse(Unknown Source) ~[oxygen.jar:?]
	at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) ~[oxygen-patched-xerces.jar:?]
	at org.apache.xerces.parsers.XMLParser.parse(Unknown Source) ~[oxygen-patched-xerces.jar:?]
	at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source) ~[oxygen-patched-xerces.jar:?]
	at ro.sync.xml.parser.CatalogEnabledXMLReader$1$1.run(Unknown Source) ~[oxygen.jar:?]
	at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_202]
	at ro.sync.security.Sandbox.runWithAllPerms(Sandbox.java:223) ~[oxygen-sandbox.jar:?]
	at ro.sync.xml.parser.CatalogEnabledXMLReader$1.run(Unknown Source) ~[oxygen.jar:?]
	at ro.sync.security.SandboxCore.runWithConfirmation(SandboxCore.java:258) ~[oxygen-sandbox.jar:?]
	at ro.sync.security.ConnectionsSandbox.runWithConnectConfirmation(ConnectionsSandbox.java:263) ~[oxygen-sandbox.jar:?]
	at ro.sync.security.Sandbox.runWithConnectConfirmation(Sandbox.java:355) ~[oxygen-sandbox.jar:?]
	at ro.sync.xml.parser.CatalogEnabledXMLReader.parse(Unknown Source) ~[oxygen.jar:?]
	at net.sf.saxon.event.Sender.sendSAXSource(Sender.java:435) ~[oxygen-patched-saxon-9he.jar:?]
	at net.sf.saxon.event.Sender.send(Sender.java:141) ~[oxygen-patched-saxon-9he.jar:?]
	at net.sf.saxon.Controller.makeSourceTree(Controller.java:1360) ~[oxygen-patched-saxon-9he.jar:?]
	at net.sf.saxon.s9api.XsltTransformer.transform(XsltTransformer.java:335) ~[oxygen-patched-saxon-9he.jar:?]
	at net.sf.saxon.jaxp.TransformerImpl.transform(TransformerImpl.java:71) ~[oxygen-patched-saxon-9he.jar:?]
	at com.gdvdl.TgicServiceCatalog.operations.DeployDiff.compare(DeployDiff.java:104) ~[?:?]
	at com.gdvdl.TgicServiceCatalog.operations.DeployDiff.doOperation(DeployDiff.java:58) ~[?:?]
	at ro.sync.ecss.webapp.actions.g.doOperation(Unknown Source) ~[oxygen.jar:?]
	at ro.sync.ecss.extensions.o.f(Unknown Source) ~[oxygen.jar:?]
	[...]

And in this case even granting all privileges doesn't help:

grant {
    permission java.security.AllPermission;
};

Any ideas what to do to make this work?

Thanks and regards,
Patrik

Post by cristi_talau » Thu Apr 22, 2021 4:23 pm

Hello,

Indeed, for files that are accessed via "file://" URLs we have another layer of security that restricts access only to reading and only to:
- <oxygen.data.dir>/frameworks/
- <oxygen.data.dir>/plugins/

In your case, the catalog file was accessed via a "file://" URL and not directly using new File(...). A quick solution would be to add it inside a framework or plugin.

Best,
Cristian

Post by Patrik » Mon Apr 26, 2021 10:25 am

Thanks for the hint. I just used a subfolder within frameworks and it works so far.
(I didn't use the framework folder itself since I expect it to be deleted when updating the framework.)

Best regards
Patrik
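
The layout this thread settles on, as an added example that is not code from any poster or from Oxygen: data lives in its own subfolder of <oxygen.data.dir>/frameworks/, resolved from the oxygen.data.dir system property, with a check that the resolved path cannot leave frameworks/. The class name, folder name and file name are hypothetical, and the temp-directory fallback exists only so the example runs outside Web Author.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Hypothetical helper: keeps framework data under <oxygen.data.dir>/frameworks/. */
public class FrameworkDataDir {

    /** Returns <oxygen.data.dir>/frameworks/<folderName>, creating it if missing. */
    static Path resolve(String folderName) throws IOException {
        String dataDir = System.getProperty("oxygen.data.dir");
        if (dataDir == null) {
            throw new IllegalStateException("oxygen.data.dir is not set");
        }
        Path frameworks = Paths.get(dataDir, "frameworks").toAbsolutePath().normalize();
        Path target = frameworks.resolve(folderName).normalize();
        // Reject names such as "../webapps" (or absolute paths) that leave frameworks/.
        if (!target.startsWith(frameworks) || target.equals(frameworks)) {
            throw new IllegalArgumentException("Folder escapes frameworks/: " + folderName);
        }
        return Files.createDirectories(target);
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in: inside Web Author the server sets this property itself.
        if (System.getProperty("oxygen.data.dir") == null) {
            System.setProperty("oxygen.data.dir",
                    Files.createTempDirectory("oxygen-data").toString());
        }
        Path dir = resolve("my-framework-data");   // hypothetical folder name
        Path file = dir.resolve("catalog.xml");    // hypothetical file name
        Files.write(file, "<catalog/>".getBytes(StandardCharsets.UTF_8));
        // This file: URL is the form an XML parser or XSLT processor is handed;
        // it points below frameworks/, one of the two locations named above.
        System.out.println(file.toUri());
        try {
            resolve("../../webapps/custom");       // constructed bad input
        } catch (IllegalArgumentException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```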