After upgrading to Tomcat version 5.5.25, it hit a lot of errors related to the security policy, for example:
Caused by: java.security.AccessControlException: access denied (java.io.FilePermission /usr/share/tomcat5.5-webapps/jsp-examples/WEB-INF/classes/logging.properties read)
The error above is caused by the policy file. Tomcat 5.5.25 made a lot of changes to the policy file, so we need to modify the policy file (03catalina.policy) to fix it.
Open 03catalina.policy with vi; it is usually located in the policy.d folder:
mkyong@mkyong-desktop:/etc/tomcat5.5/policy.d$ vi 03catalina.policy
Find the block below:
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
permission java.util.PropertyPermission "java.util.logging.config.class", "read";
permission java.util.PropertyPermission "java.util.logging.config.file", "read";
permission java.lang.RuntimePermission "shutdownHooks";
permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
permission java.util.PropertyPermission "catalina.base", "read";
permission java.util.logging.LoggingPermission "control";
permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
permission java.lang.RuntimePermission "getClassLoader";
// To enable per context logging configuration, permit read access to the appropriate file.
// Be sure that the logging configuration is secure before enabling such access
// eg for the examples web application:
//permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
};
Change it to the block below to allow all permissions, as before:
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
permission java.security.AllPermission;
};
Or grant the read permission explicitly for your web app's path:
permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}YOUR_PATH_HERE${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
The full grant block is:
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
permission java.util.PropertyPermission "java.util.logging.config.class", "read";
permission java.util.PropertyPermission "java.util.logging.config.file", "read";
permission java.lang.RuntimePermission "shutdownHooks";
permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
permission java.util.PropertyPermission "catalina.base", "read";
permission java.util.logging.LoggingPermission "control";
permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
permission java.lang.RuntimePermission "getClassLoader";
// To enable per context logging configuration, permit read access to the appropriate file.
// Be sure that the logging configuration is secure before enabling such access
// eg for the examples web application:
permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}YOUR_PATH_HERE${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
};
Done. Restart Tomcat.
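The three variants of the tomcat-juli.jar grant can be compared with the JDK's own permission classes: the stock grant does not cover the per-webapp logging.properties, the explicit line adds only that one read, and AllPermission also implies permissions unrelated to logging. This is an added example, not code from the original post; the CATALINA_BASE value /usr/share/tomcat5.5, the jsp-examples webapp name, and the class and method names are assumptions for illustration.

```java
import java.io.FilePermission;
import java.security.AllPermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;

public class JuliGrantCheck {
    // Assumed values for illustration: CATALINA_BASE and the webapp directory name.
    static final String BASE = "/usr/share/tomcat5.5";
    static final String APP_LOGGING =
        BASE + "/webapps/jsp-examples/WEB-INF/classes/logging.properties";

    // File permissions of the stock tomcat-juli.jar grant, with ${catalina.base} expanded.
    static Permissions stockGrant() {
        Permissions p = new Permissions();
        p.add(new FilePermission(BASE + "/conf/logging.properties", "read"));
        p.add(new FilePermission(BASE + "/logs", "read, write"));
        p.add(new FilePermission(BASE + "/logs/*", "read, write"));
        return p;
    }

    // Stock grant plus the single per-webapp read permission.
    static Permissions explicitGrant() {
        Permissions p = stockGrant();
        p.add(new FilePermission(APP_LOGGING, "read"));
        return p;
    }

    // The AllPermission variant of the grant.
    static Permissions allGrant() {
        Permissions p = new Permissions();
        p.add(new AllPermission());
        return p;
    }

    // Print which of three sample permissions the given grant implies.
    static void report(String name, PermissionCollection grant) {
        Permission readAppConfig = new FilePermission(APP_LOGGING, "read");
        Permission writeServerXml = new FilePermission(BASE + "/conf/server.xml", "write");
        Permission swapSecurityManager = new RuntimePermission("setSecurityManager");
        System.out.printf("%-9s readAppLogging=%b writeServerXml=%b setSecurityManager=%b%n",
            name, grant.implies(readAppConfig), grant.implies(writeServerXml),
            grant.implies(swapSecurityManager));
    }

    public static void main(String[] args) {
        report("stock", stockGrant());
        report("explicit", explicitGrant());
        report("all", allGrant());
    }
}
```

No security manager needs to be enabled to run it, since it only calls implies() on permission collections.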


You can disable security if your Tomcat won’t host third-party WARs: you can set the TOMCAT5_SECURITY variable to false in /etc/default/tomcat5.5
Thanks for the tricks
That’s what I did, but my problem stays the same. It’s impossible to launch the Admin and Manager Tomcat apps, and at the same time it’s impossible to run the cmsc application http://www.cmscontainer.org
Here is my new environment:
Using CATALINA_BASE: /usr/share/tomcat6
Using CATALINA_HOME: /usr/share/tomcat6
Using CATALINA_TMPDIR: /usr/share/tomcat6/temp
Using JRE_HOME: /usr/lib/jvm/java6
Server version: Apache Tomcat/6.0.20
Server built: Aug 8 2009 10:43:00
Server number: 6.0.0.0
OS Name: Linux
OS Version: 2.6.20.1-1-686
Architecture: i386
JVM Version: 1.6.0_14-b08
JVM Vendor: Sun Microsystems Inc.
Any suggestion will be appreciated.
Thanks
Not really sure of the root cause of it; try sending your question to the Tomcat mailing list and see whether anyone has faced the same problem before.
http://tomcat.apache.org/lists.html
I’ll do the upgrade to Tomcat 6. Will I do the same modifications in the policy files?
Thanks Mkyong.
No, Tomcat 6 is more stable and easy to use.
Hello Mkyong,
Thanks for this really helpful blog. Could you please help with this…
I have the same problem you solved earlier. I followed the proposed solution but I still have the same errors!
I made the change in 03catalina.policy
Here is what Tomcat's version.sh shows:
Using CATALINA_BASE: /usr/share/tomcat5.5
Using CATALINA_HOME: /usr/share/tomcat5.5
Using CATALINA_TMPDIR: /usr/share/tomcat5.5/temp
Using JRE_HOME: /usr/lib/jvm/java5
Server version: Apache Tomcat/5.5
Server built: Oct 15 2008 12:57:44
Server number: 5.5.26.0
OS Name: Linux
OS Version: 2.6.20.1-1-686
Architecture: i386
JVM Version: 1.5.0_17-b04
JVM Vendor: Sun Microsystems Inc.
and here is my error log
SEVERE: Error unregistering mbean
java.security.AccessControlException: access denied (java.io.FilePermission /WEB-INF/classes/logging.properties read)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
at java.security.AccessController.checkPermission(AccessController.java:427)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
at java.io.File.exists(File.java:700)
at org.apache.naming.resources.FileDirContext.file(FileDirContext.java:828)
at org.apache.naming.resources.FileDirContext.lookup(FileDirContext.java:211)
Thanks for any suggestions.
How about this?
Set permission java.security.AllPermission; in your Tomcat policy file?
If possible please upgrade to Tomcat 6.
Thank you.
Oh… I’ve met the same problem. And it really drove me crazy for a whole afternoon.
Thank you! Good job.
Hmm… I still suggest upgrading to Tomcat version 6 if possible.
Great, it seems to work for you; however, I suggest upgrading Tomcat to version 5.5.26 or version 6, because Tomcat 5.5.25 really has a lot of bugs.