weiwei added a comment - 30/Mar/05 02:35 PM
I also have this problem. In order to execute my program, I need to install a SecurityManager on the Tomcat server. But when I started the Tomcat server with security and all permissions, jetspeed2 threw many exceptions. I can't understand this problem. Hope this problem can be solved soon.
I am revisiting the RdbmsPolicy and how policies get loaded in addition to the RdbmsPolicy. There are quite a few issues with the current implementation, including the recursive loop reported above.
David,
Another issue which needs to be addressed is that the current implementation is tied to the SUN JDK. DST and I encountered this problem when we worked on getting J2 running on WebSphere (which requires the IBM JDK). I didn't have enough time left to find a solution the last time I worked on that, but maybe DST has looked into it by now. I'll take a look into the problem when I have the time.
OTOH, I have a solution that works for me to "untie" the implementation from Sun's JDK. I'm attaching a patch for people to test before committing. It is very dirty, just for testing.
All,
I have been working on this issue and have a fix to solve both problems. I will commit Saturday morning.

As part of the changes I have been implementing, the Authorization provider is now configurable to specify whether J2 should enforce additional J2SE policies configured on top of the RdbmsPolicy. If this setting is set to true, the AuthorizationProvider will load a SecurityPolicies singleton that will provide a list of all Policies configured. I am still debating whether this is really needed and comments on this are welcome. See authorization provider configuration below:

    <!-- Security: Authorization Provider -->
    <bean id="org.apache.jetspeed.security.AuthorizationProvider"
          class="org.apache.jetspeed.security.impl.AuthorizationProviderImpl">
      <constructor-arg index="0"><ref bean="org.apache.jetspeed.security.impl.RdbmsPolicy"/></constructor-arg>
      <!-- Does not use the default policy as a default behavior -->
      <constructor-arg index="1"><value>false</value></constructor-arg>
    </bean>

The RdbmsPolicy code has been changed quite a bit. Checking whether a resource is authorized is now done in the implies method. The getPermissions method should not return permissions from the database configuration as those map to principals, not codesources. getPermissions will return the permission configured for the J2SE policies if configured to do so through the AuthorizationProvider.

This code fixes the StackOverFlow issue with Tomcat -security enabled. It also removes the hard-coded dependency on Sun PolicyFile.

On another note, there are some differences in folder constraints checking when running with -security or not. For instance, admin can see the Administrative pages when running Tomcat in normal mode but cannot with the security mode. This may need to be reported as a separate issue.

Regards,
David Le Strat.

Committing changes described above, also updated the docs.
This should take care of this issue, please validate.
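
The split between implies and getPermissions described in the comments above, as an added sketch that is not Jetspeed's RdbmsPolicy code. The class name PrincipalPolicy, the in-memory map standing in for the database, the useDefault flag and the sample permission names are all assumptions made for illustration.

```java
import java.security.*;
import java.util.*;

// Hypothetical sketch: PrincipalPolicy and its in-memory map are assumptions
// that stand in for a database-backed policy; this is not Jetspeed code.
public class PrincipalPolicy extends Policy {
    private final Map<String, List<Permission>> byPrincipal; // constructed sample grants
    private final Policy j2sePolicy;  // previously installed J2SE policy, may be null
    private final boolean useDefault; // whether J2SE policy grants are honoured too

    public PrincipalPolicy(Map<String, List<Permission>> byPrincipal,
                           Policy j2sePolicy, boolean useDefault) {
        this.byPrincipal = byPrincipal;
        this.j2sePolicy = j2sePolicy;
        this.useDefault = useDefault;
    }

    // Authorization decision: principal-based grants are evaluated here.
    @Override
    public boolean implies(ProtectionDomain domain, Permission permission) {
        for (Principal p : domain.getPrincipals()) {
            List<Permission> grants =
                byPrincipal.getOrDefault(p.getName(), Collections.<Permission>emptyList());
            for (Permission granted : grants) {
                if (granted.implies(permission)) return true;
            }
        }
        // Code-source grants come only from the J2SE policy, and only if enabled.
        return useDefault && j2sePolicy != null && j2sePolicy.implies(domain, permission);
    }

    // Code-source view: a CodeSource carries no principals, so principal
    // grants are never returned from here.
    @Override
    public PermissionCollection getPermissions(CodeSource codesource) {
        return (useDefault && j2sePolicy != null)
            ? j2sePolicy.getPermissions(codesource) : new Permissions();
    }

    public static void main(String[] args) {
        Map<String, List<Permission>> grants = new HashMap<>();
        grants.put("admin", Collections.<Permission>singletonList(
            new RuntimePermission("constructed.admin.*")));
        Policy policy = new PrincipalPolicy(grants, null, false);
        Principal admin = new Principal() { public String getName() { return "admin"; } };
        ProtectionDomain pd =
            new ProtectionDomain(null, null, null, new Principal[] { admin });
        System.out.println(policy.implies(pd, new RuntimePermission("constructed.admin.pages")));
        System.out.println(policy.getPermissions((CodeSource) null).elements().hasMoreElements());
    }
}
```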