Problem
After upgrading to Tomcat version 5.5.25, it starts hitting a lot of security policy errors:
Caused by: java.security.AccessControlException: access denied (java.io.FilePermission /usr/share/tomcat5.5-webapps/jsp-examples/WEB-INF/classes/logging.properties read)
Solution
The error above is caused by Tomcat’s policy file; Tomcat 5.5.25 made a lot of modifications to the policy file. To fix it, you need to make some changes in the policy file (03catalina.policy)…
Open 03catalina.policy in vi; the file is usually located in the policy.d folder:
mkyong@mkyong-desktop:/etc/tomcat5.5/policy.d$ vi 03catalina.policy
Find the following pattern:
File : 03catalina.policy
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
permission java.util.PropertyPermission "java.util.logging.config.class", "read";
permission java.util.PropertyPermission "java.util.logging.config.file", "read";
//...omitted for readability
};
Change it to this, which grants all permissions to tomcat-juli.jar:
File : 03catalina.policy
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
permission java.security.AllPermission;
};
Done, restart Tomcat.
Alternatively…
You can grant read permission for the logging.properties file under your web app path explicitly, instead of granting AllPermission.
permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}YOUR_PATH_HERE${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
The full entry is:
File : 03catalina.policy
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
permission java.util.PropertyPermission "java.util.logging.config.class", "read";
permission java.util.PropertyPermission "java.util.logging.config.file", "read";
//...omitted for readability
permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}YOUR_PATH_HERE${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
};
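An added example, not part of the original post or of Tomcat: a Python script that turns AccessControlException lines like the one above into the narrow permission lines used in the alternative fix, and lists the grant blocks in a policy file that still contain java.security.AllPermission. The sample log, the sample policy and the example.jar codeBase are constructed; the generated lines still have to be placed in the grant block of the code that was denied (tomcat-juli.jar in this post).

```python
import re

# Unquoted message format, as in the error shown on this page:
#   access denied (<permission class> <target> [<actions>])
DENIED = re.compile(
    r"access denied \((?P<cls>[\w.$]+) (?P<target>.+?)(?: (?P<actions>[\w,]+))?\)")
# grant blocks with an optional codeBase (signedBy/principal clauses not handled)
GRANT = re.compile(
    r'grant(?:\s+codeBase\s+"(?P<codebase>[^"]*)")?\s*\{(?P<body>.*?)\}\s*;', re.S)

def narrow_permissions(log_text):
    """Return one policy 'permission' line per distinct denial in the log."""
    lines = []
    for m in DENIED.finditer(log_text):
        line = 'permission %s "%s"' % (m["cls"], m["target"])
        if m["actions"]:
            line += ', "%s"' % m["actions"]
        line += ";"
        if line not in lines:
            lines.append(line)
    return lines

def all_permission_grants(policy_text):
    """Return the codeBase of every grant block that contains AllPermission."""
    # Drop // comment lines so commented-out grants are not reported.
    text = "\n".join(l for l in policy_text.splitlines()
                     if not l.strip().startswith("//"))
    return [m["codebase"] or "<all code>" for m in GRANT.finditer(text)
            if re.search(r"permission\s+java\.security\.AllPermission\b", m["body"])]

# Constructed sample input, modelled on the log and policy excerpts above.
SAMPLE_LOG = """\
Caused by: java.security.AccessControlException: access denied (java.io.FilePermission /usr/share/tomcat5.5-webapps/jsp-examples/WEB-INF/classes/logging.properties read)
java.security.AccessControlException: access denied (java.io.FilePermission /usr/share/tomcat5.5-webapps/jsp-examples/WEB-INF/classes/logging.properties read)
"""
SAMPLE_POLICY = """\
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
    permission java.security.AllPermission;
};
grant codeBase "file:${catalina.home}/bin/example.jar" {
    permission java.util.PropertyPermission "java.util.logging.config.file", "read";
};
"""

if __name__ == "__main__":
    print("\n".join(narrow_permissions(SAMPLE_LOG)))
    print(all_permission_grants(SAMPLE_POLICY))
```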
Hi everybody,
Here: https://tomcat.apache.org/tomcat-7.0-doc/security-manager-howto.html
it is written:
java.security.AllPermission <=> Allows access to all permissions, just as if you were running Tomcat without a SecurityManager.
So I think we should avoid java.security.AllPermission,
no?
You can disable security if your Tomcat won’t host third-party WARs: set the TOMCAT5_SECURITY variable to false in /etc/default/tomcat5.5.
Thanks for the tricks.
That’s what I did, but my problem stays the same. It’s impossible to launch the Admin and Manager Tomcat apps, and at the same time it’s impossible to run the cmsc application http://www.cmscontainer.org
Here is my new environment:
Using CATALINA_BASE: /usr/share/tomcat6
Using CATALINA_HOME: /usr/share/tomcat6
Using CATALINA_TMPDIR: /usr/share/tomcat6/temp
Using JRE_HOME: /usr/lib/jvm/java6
Server version: Apache Tomcat/6.0.20
Server built: Aug 8 2009 10:43:00
Server number: 6.0.0.0
OS Name: Linux
OS Version: 2.6.20.1-1-686
Architecture: i386
JVM Version: 1.6.0_14-b08
JVM Vendor: Sun Microsystems Inc.
Any suggestion will be appreciated.
Thanks
I’m not really sure of the root cause. Try sending your question to the Tomcat mailing list and see whether anyone has faced the same problem before.
http://tomcat.apache.org/lists.html
I’ll do the upgrade to Tomcat 6. Will I need to make the same modifications in the policy files?
Thanks Mkyong.
No, Tomcat 6 is more stable and easy to use.
Hello Mkyong,
Thanks for this really helpful blog. Could you please help with this…
I have the same problem you solved earlier. I followed the proposed solution but I still have the same errors!
I made the change in 03catalina.policy.
Here is what Tomcat’s version.sh shows:
Using CATALINA_BASE: /usr/share/tomcat5.5
Using CATALINA_HOME: /usr/share/tomcat5.5
Using CATALINA_TMPDIR: /usr/share/tomcat5.5/temp
Using JRE_HOME: /usr/lib/jvm/java5
Server version: Apache Tomcat/5.5
Server built: Oct 15 2008 12:57:44
Server number: 5.5.26.0
OS Name: Linux
OS Version: 2.6.20.1-1-686
Architecture: i386
JVM Version: 1.5.0_17-b04
JVM Vendor: Sun Microsystems Inc.
And here is my error log:
SEVERE: Error unregistering mbean
java.security.AccessControlException: access denied (java.io.FilePermission /WEB-INF/classes/logging.properties read)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
at java.security.AccessController.checkPermission(AccessController.java:427)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
at java.io.File.exists(File.java:700)
at org.apache.naming.resources.FileDirContext.file(FileDirContext.java:828)
at org.apache.naming.resources.FileDirContext.lookup(FileDirContext.java:211)
Thanks for any suggestions.
How about this?
set permission java.security.AllPermission; in your Tomcat policy file?
If possible please upgrade to Tomcat 6.
Thank you.
Oh… I’ve met the same problem. And it really drove me crazy for a whole afternoon.
Thank you! Good job.
Hmm… I still suggest upgrading to Tomcat version 6 if possible.
🙂 Thank you!
Great, it seems to work for you; however, I suggest upgrading Tomcat to version 5.5.26 or version 6, because Tomcat 5.5.25 really has a lot of bugs.