
I have deployed a web application (example.war) on Tomcat 6 with SSL enabled.

When I start Tomcat without the security manager and try to connect to the server with the URL "https://localhost:8443/example", it successfully connects and displays the contents of the index.jsp file (welcome-file).

But when I start Tomcat with the security manager, it shows the following error in the browser (Firefox) for the same URL.

Secure Connection Failed

An error occurred during a connection to localhost:8443.
Peer reports it experienced an internal error.
(Error code: ssl_error_internal_error_alert)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

Here are the permissions provided in catalina.policy:

grant {
    permission java.util.PropertyPermission "java.home", "read";
    permission java.util.PropertyPermission "java.naming.*", "read";
    permission java.util.PropertyPermission "javax.sql.*", "read";

    // OS Specific properties to allow read access
    permission java.util.PropertyPermission "os.name", "read";
    permission java.util.PropertyPermission "os.version", "read";
    permission java.util.PropertyPermission "os.arch", "read";
    permission java.util.PropertyPermission "file.separator", "read";
    permission java.util.PropertyPermission "path.separator", "read";
    permission java.util.PropertyPermission "line.separator", "read";

    // JVM properties to allow read access
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "java.vendor", "read";
    permission java.util.PropertyPermission "java.vendor.url", "read";
    permission java.util.PropertyPermission "java.class.version", "read";
    permission java.util.PropertyPermission "java.specification.version", "read";
    permission java.util.PropertyPermission "java.specification.vendor", "read";
    permission java.util.PropertyPermission "java.specification.name", "read";

    permission java.util.PropertyPermission "java.vm.specification.version", "read";
    permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
    permission java.util.PropertyPermission "java.vm.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.version", "read";
    permission java.util.PropertyPermission "java.vm.vendor", "read";
    permission java.util.PropertyPermission "java.vm.name", "read";

    // Required for OpenJMX
    permission java.lang.RuntimePermission "getAttribute";

    // Allow read of JAXP compliant XML parser debug
    permission java.util.PropertyPermission "jaxp.debug", "read";

    // Precompiled JSPs need access to these packages.
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
    permission java.lang.RuntimePermission "accessClassInPackage.sun.security.util";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";

    // Precompiled JSPs need access to these system properties.
    permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
    permission java.util.PropertyPermission "org.apache.el.parser.COERCE_TO_ZERO", "read";
};

grant codeBase "file:${catalina.base}/webapps/example/-" {
    permission java.security.AllPermission;
};

And it works fine when I provide all permissions, as below:

grant {
    permission java.security.AllPermission;
};

grant codeBase "file:${catalina.base}/webapps/example/-" {
    permission java.security.AllPermission;
};

I want to know which specific permissions I am supposed to add to make it work without granting AllPermission.

Prashant Kedia
  • You have several typos in your question example -> exmaple. Check your configuration files don't have the same issue. – Mark Thomas Nov 18 '13 at 11:49
  • Check the Tomcat logs for a SecurityException. That will tell you what went wrong where and from that you should be able to figure out what permission is missing or (the more likely case) where the configuration is wrong. – Mark Thomas Nov 18 '13 at 11:50
  • Thanks for the reply Mark. I have corrected the typos in the question but my configuration file does not have typo issue. Tomcat logs are clean (successfully loading all resources). – Prashant Kedia Nov 18 '13 at 20:05

1 Answer

Finally, the issue has been resolved. I started Tomcat with the environment variable "CATALINA_OPTS" set to "-Djava.security.debug=access", which logged details about the permission checks, and I found some AccessControlExceptions (access denied).

Adding the following permissions resolved the issue:

permission java.util.PropertyPermission "sun.security.pkcs11.allowSingleThreadedModules", "read";

permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
permission java.lang.RuntimePermission "accessClassInPackage.com.sun.xml.internal.bind.v2.runtime.reflect";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
permission java.lang.RuntimePermission "accessClassInPackage.sun.security.util";
permission java.lang.RuntimePermission "accessClassInPackage.sun.security.action";
permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
permission java.lang.RuntimePermission "loadLibrary.j2pkcs11";
permission java.lang.RuntimePermission "accessClassInPackage.sun.security.ec";
permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";
permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.interfaces";
permission java.lang.RuntimePermission "accessClassInPackage.sun.security.rsa";

permission java.security.SecurityPermission "putProviderProperty.SunJCE";
permission java.security.SecurityPermission "putProviderProperty.SunPKCS11-NSS";

permission java.io.FilePermission "/usr/lib/jvm/java-7-openjdk-i386/jre/lib/security/nss.cfg", "read";
permission java.io.FilePermission "/usr/lib/jvm/java-7-openjdk-common/jre/lib/ext/i386/libj2pkcs11.so", "read";
permission java.io.FilePermission "/usr/lib/jvm/java-7-openjdk-common/jre/lib/ext/libj2pkcs11.so", "read";

permission java.io.FilePermission "/usr/share/java/i386/libj2pkcs11.so", "read";
permission java.io.FilePermission "/usr/share/java/libj2pkcs11.so", "read";

permission java.io.FilePermission "/usr/lib/i386-linux-gnu/jni/i386/libj2pkcs11.so", "read";
permission java.io.FilePermission "/usr/lib/i386-linux-gnu/jni/libj2pkcs11.so", "read";

But I am not sure if adding file permissions with absolute paths to libraries is a good idea (last 7 entries). Any suggestions on this?

Prashant Kedia
  • Why do we need to add specific permissions in the grant { ... } section if we have granted java.security.AllPermission to the particular codebase? Say, if I want to allow one of my webapps, webapp.war, all permissions, why do we still need to add permissions in grant {...}? It should simply work without adding any permission in grant {...}. Isn't the grant a subset of grant {...}? The webapp should work with all privileges provided by AllPermission even if we have not added any permissions in grant {...}. – Pawan Nov 19 '13 at 05:52
  • Please look at this: http://stackoverflow.com/questions/26365646/console-log-not-goes-to-tomcat-logcatalina-start-security-tomcat-log. If you know the answer, help me improve it. – Hariprasath Oct 15 '14 at 05:58
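The answer's debugging loop (start with -Djava.security.debug=access, read the "access denied" lines, add one permission per line) and its closing question about absolute paths are both worth automating. The script below is an added example for this page, not code from the question, the answer or Tomcat: it parses the debug output into the distinct denied permissions and renders them as a grant block in catalina.policy syntax, rewriting FilePermission targets that live under a known directory into the ${java.home}-style form that policy files expand at load time (Tomcat's own catalina.policy already uses ${java.home} and ${catalina.base} this way, so the absolute paths in the answer can be written as ${java.home}/lib/security/nss.cfg and ${java.home}/lib/ext/...). The log lines inside the script are constructed to look like the JDK's "access: access denied (...)" output in both its quoted (Java 7 and later) and unquoted (Java 6) forms; that line format and the java.home value used in the sample are assumptions, not something taken from the page.

```python
"""Turn -Djava.security.debug=access output into a candidate policy grant.

Added example for this page, not code from the question, the answer or
Tomcat.  Assumptions: the JDK prints one "access: access denied (...)" line
per failed check, quoted as in Java 7+ or unquoted as in Java 6; the
java.home value used for the sample run is made up.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

Permission = Tuple[str, str, str]  # (permission class, target name, actions)

# Java 7 and later: access denied ("java.io.FilePermission" "/etc/hosts" "read")
_QUOTED = re.compile(
    r'access denied \("(?P<cls>[^"]+)"\s*(?:"(?P<name>[^"]*)")?\s*(?:"(?P<actions>[^"]*)")?\)'
)
# Java 6 and earlier: access denied (java.io.FilePermission /etc/hosts read)
# (a target containing spaces cannot be recovered from this unquoted form)
_BARE = re.compile(
    r"access denied \((?P<cls>\S+)(?:\s+(?P<name>\S+))?(?:\s+(?P<actions>\S+))?\)"
)

# Constructed sample, shaped like the debug output the answer describes.
SAMPLE_DEBUG_LOG = """\
access: access allowed ("java.util.PropertyPermission" "java.home" "read")
access: access denied ("java.util.PropertyPermission" "sun.security.pkcs11.allowSingleThreadedModules" "read")
access: access denied ("java.lang.RuntimePermission" "loadLibrary.j2pkcs11")
access: access denied ("java.io.FilePermission" "/usr/lib/jvm/java-7-openjdk-i386/jre/lib/security/nss.cfg" "read")
access: access denied ("java.io.FilePermission" "/usr/lib/jvm/java-7-openjdk-i386/jre/lib/security/nss.cfg" "read")
access: access denied (java.security.SecurityPermission putProviderProperty.SunJCE)
""".splitlines()


def parse_access_denied(lines: Iterable[str]) -> List[Permission]:
    """Return the distinct denied permissions, in first-seen order."""
    seen: Dict[Permission, None] = {}
    for line in lines:
        if "access denied" not in line:
            continue  # "access allowed" lines and stack traces are noise here
        match = _QUOTED.search(line) or _BARE.search(line)
        if match:
            perm = (match.group("cls"), match.group("name") or "", match.group("actions") or "")
            seen.setdefault(perm, None)
    return list(seen)


def generalize_path(target: str, properties: Dict[str, str]) -> str:
    """Replace a leading absolute directory by its ${property} form.

    Policy files expand ${java.home}, ${catalina.base} and the like when they
    are loaded, so the grant survives a JDK upgrade or a different install
    prefix.  The longest matching directory wins.
    """
    for prop, root in sorted(properties.items(), key=lambda kv: -len(kv[1])):
        root = root.rstrip("/")
        if target == root or target.startswith(root + "/"):
            return "${" + prop + "}" + target[len(root):]
    return target


def render_grant(perms: Iterable[Permission], properties: Optional[Dict[str, str]] = None,
                 code_base: Optional[str] = None) -> str:
    """Render permissions as one grant block in catalina.policy syntax."""
    properties = properties or {}
    out = [f'grant codeBase "{code_base}" {{' if code_base else "grant {"]
    for cls, name, actions in perms:
        if cls == "java.io.FilePermission":
            name = generalize_path(name, properties)
        stmt = f"    permission {cls}"
        if name:
            stmt += f' "{name}"'
            if actions:
                stmt += f', "{actions}"'
        out.append(stmt + ";")
    out.append("};")
    return "\n".join(out)


def denied_to_policy(lines: Iterable[str], properties: Optional[Dict[str, str]] = None,
                     code_base: Optional[str] = None) -> str:
    """Convenience wrapper: debug log lines in, grant block out."""
    return render_grant(parse_access_denied(lines), properties, code_base)


if __name__ == "__main__":
    # Run as:  python this_script.py - < catalina.out   to read a real log,
    # or with no argument to process the constructed sample above.
    import sys
    source = sys.stdin if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_DEBUG_LOG
    print(denied_to_policy(source, {"java.home": "/usr/lib/jvm/java-7-openjdk-i386/jre"}))
```

Two practical notes on using the output. First, the generated block is a starting point to review, not to paste blindly: the debug log lists every check that failed, including ones the application may not need if an alternative code path exists, and every permission kept widens what code under that grant can do. Second, put the grant where the stack says it belongs: AccessController.checkPermission succeeds only if every protection domain on the call stack holds the permission (unless a doPrivileged block cuts the walk short), so a denial raised inside JRE extension code or Tomcat's own classes is not cured by the webapp's codeBase grant, which is why the default grant { } block matters even when the webapp has AllPermission.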