Page 1 of 1
FilePermission for custom framework
Posted: Thu Apr 15, 2021 1:15 pm
by Patrik
Hi,
I have a custom framework that needs to read and write files "somewhere" on the server.
My (kind of random) choice was a custom subfolder within tomcat\webapps that will be created automatically if it is missing.
I expected this to be no problem with the permissions due to the existing entry
Code: Select all
grant codeBase "file:${oxygen.data.dir}/frameworks/-" {
permission java.security.AllPermission;
};
But I got an error. So I tried to find (with a long sequence of try&error) the most selective grant that solved this error and got this (very surprisingly):
Code: Select all
grant codeBase "file:${catalina.base}/webapps/oxygen-xml-web-author/WEB-INF/-" {
permission java.io.FilePermission "${catalina.base}/webapps/-", "read,write";
};
But I don't like this solution at all since
- it is not very selective on the codeBase or the permission
- it doesn't have any relation to my custom framework or custom folder
Could you guide me to a better grant or name me a better place for my files to be stored?
Thanks and regards,
Patrik
Re: FilePermission for custom framework
Posted: Fri Apr 16, 2021 8:02 pm
by mihai_coanda
Hello,
The webapps folder should not be tempered as it should only store web applications, not dynamic data.
You should use the oxygen data directory that is passed as the oxygen.data.dir system property to the java code of your framework.
This folder holds the configuration of the Web Author like frameworks, plugins, options, etc.
Regards,
Michael
Re: FilePermission for custom framework
Posted: Mon Apr 19, 2021 10:44 am
by Patrik
Hi Michael,
thanks a lot. Changing the folder as you suggested works without any modifications to the policies - perfect! :)
Regards,
Patrik
Re: FilePermission for custom framework
Posted: Wed Apr 21, 2021 6:42 pm
by Patrik
Hi again,
it turned out that using the folder <oxygen.data.dir> does
not always work. When applying an XSLT transformation to a file in that folder I get an error with missing priviliges:
Code: Select all
java.security.AccessControlException: Access denied : C:\Program Files\oXygen XML Web Author 23.1\tomcat\work\Catalina\localhost\oxygen-xml-web-author\TgicServiceCatalog\Deploy-ITU\TgicServiceCatalog.xml
at ro.sync.servlet.plugin.SecurityAwareFileURLStreamHandler.openConnection(SecurityAwareFileURLStreamHandler.java:87) ~[classes/:?]
at java.net.URL.openConnection(Unknown Source) ~[?:1.8.0_202]
at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(XMLEntityManager.java:1037) ~[oxygen-patched-xerces.jar:2.12.1-xml-schema-1.1]
at org.apache.xerces.impl.XMLVersionDetector.determineDocVersion(Unknown Source) ~[oxygen-patched-xerces.jar:2.12.1-xml-schema-1.1]
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) ~[oxygen-patched-xerces.jar:?]
at org.ditang.relaxng.defaults.RelaxDefaultsParserConfiguration.parse(Unknown Source) ~[oxygen.jar:?]
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) ~[oxygen-patched-xerces.jar:?]
at org.apache.xerces.parsers.XMLParser.parse(Unknown Source) ~[oxygen-patched-xerces.jar:?]
at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source) ~[oxygen-patched-xerces.jar:?]
at ro.sync.xml.parser.CatalogEnabledXMLReader$1$1.run(Unknown Source) ~[oxygen.jar:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_202]
at ro.sync.security.Sandbox.runWithAllPerms(Sandbox.java:223) ~[oxygen-sandbox.jar:?]
at ro.sync.xml.parser.CatalogEnabledXMLReader$1.run(Unknown Source) ~[oxygen.jar:?]
at ro.sync.security.SandboxCore.runWithConfirmation(SandboxCore.java:258) ~[oxygen-sandbox.jar:?]
at ro.sync.security.ConnectionsSandbox.runWithConnectConfirmation(ConnectionsSandbox.java:263) ~[oxygen-sandbox.jar:?]
at ro.sync.security.Sandbox.runWithConnectConfirmation(Sandbox.java:355) ~[oxygen-sandbox.jar:?]
at ro.sync.xml.parser.CatalogEnabledXMLReader.parse(Unknown Source) ~[oxygen.jar:?]
at net.sf.saxon.event.Sender.sendSAXSource(Sender.java:435) ~[oxygen-patched-saxon-9he.jar:?]
at net.sf.saxon.event.Sender.send(Sender.java:141) ~[oxygen-patched-saxon-9he.jar:?]
at net.sf.saxon.Controller.makeSourceTree(Controller.java:1360) ~[oxygen-patched-saxon-9he.jar:?]
at net.sf.saxon.s9api.XsltTransformer.transform(XsltTransformer.java:335) ~[oxygen-patched-saxon-9he.jar:?]
at net.sf.saxon.jaxp.TransformerImpl.transform(TransformerImpl.java:71) ~[oxygen-patched-saxon-9he.jar:?]
at com.gdvdl.TgicServiceCatalog.operations.DeployDiff.compare(DeployDiff.java:104) ~[?:?]
at com.gdvdl.TgicServiceCatalog.operations.DeployDiff.doOperation(DeployDiff.java:58) ~[?:?]
at ro.sync.ecss.webapp.actions.g.doOperation(Unknown Source) ~[oxygen.jar:?]
at ro.sync.ecss.extensions.o.f(Unknown Source) ~[oxygen.jar:?]
[...]
And in this case even granting all priviliges doesn't help:
Code: Select all
grant {
permission java.security.AllPermission;
};
Any ideas what to do to make this work?
Thanks and regards,
Patrik
Re: FilePermission for custom framework
Posted: Thu Apr 22, 2021 4:23 pm
by cristi_talau
Hello,
Indeed, for files that are accessed via "file://" URLs we have another layer of security that restricts access only to reading and only to:
- <oxygen.data.dir>/frameworks/
- <oxygen.data.dir>/plugins/
In your case, the catalog file was accessed via a "file://" URL and not directly using new File(...) . A quick solution would be to add it inside a framework or plugin.
Best,
Cristian
Re: FilePermission for custom framework
Posted: Mon Apr 26, 2021 10:25 am
by Patrik
Thanks for the hint. I just used a subfolder within frameworks and it works so far.
(I didn't use the framework folder itself since I expect it to be deleted when updating the framework.)
Best regards
Patrik