8 Replies Latest reply on Oct 16, 2007 3:41 AM by jogregoire

    java.policy : crash after some hours

    jogregoire

      Hello,

      I use a java.policy file and my web app (Struts and Hibernate) runs without problems, but an exception is caught when I attempt to reconnect after some hours. I would like to know if it is due to socket connections. So could you have a look at my policy file and correct me?

      // The Java2 security serveur.policy
      // Install with -Djava.security.policy==serveur.policy
      // The double "==" makes this file the only policy in effect: the policy
      // files listed in the JRE's java.security configuration are not consulted.

      // Trusted core Java code
      // A codeBase with a trailing "-" matches every class and JAR file below the
      // directory, recursively; a trailing "*" matches only the directory's direct contents.
      grant codeBase "file:${java.home}/lib/ext/-" {
      permission java.security.AllPermission;
      };
      grant codeBase "file:${java.home}/lib/*" {
      permission java.security.AllPermission;
      };
      // For java.home pointing to the JDK jre directory
      grant codeBase "file:${java.home}/../lib/*" {
      permission java.security.AllPermission;
      };

      // Trusted core Jboss code
      // NOTE(review): ${jboss.home.dir2} and ${jboss.server.home.dir2} are not defined
      // anywhere in this file. A grant entry whose property cannot be expanded is
      // ignored, so confirm both are set on the JVM that loads this policy.
      grant codeBase "file:${jboss.home.dir2}/bin/-" {
      permission java.security.AllPermission;
      };
      grant codeBase "file:${jboss.home.dir2}/lib/-" {
      permission java.security.AllPermission;
      };
      grant codeBase "file:${jboss.server.home.dir2}/lib/-" {
      permission java.security.AllPermission;
      };
      // Every deployment listed below runs with AllPermission, i.e. outside the sandbox.
      // NOTE(review): anything among them that is reachable over the network (the JMX
      // console and the HTTP invoker, going by their names) then relies entirely on its
      // own authentication - confirm that is configured, or undeploy what is not used.
      grant codeBase "file:${jboss.server.home.dir2}/deploy/jmx-console.war/-"{
      permission java.security.AllPermission;
      };
      grant codeBase "file:${jboss.server.home.dir2}/deploy/jbossws14.sar/-"{
      permission java.security.AllPermission;
      };
      grant codeBase "file:${jboss.server.home.dir2}/deploy/jbossweb-tomcat55.sar/-"{
      permission java.security.AllPermission;
      };
      grant codeBase "file:${jboss.server.home.dir2}/deploy/jboss-aop.deployer/-"{
      permission java.security.AllPermission;
      };
      grant codeBase "file:${jboss.server.home.dir2}/deploy/http-invoker.sar/-"{
      permission java.security.AllPermission;
      };
      grant codeBase "file:${jboss.server.home.dir2}/deploy/jboss-bean.deployer/-"{
      permission java.security.AllPermission;
      };
      grant codeBase "file:${jboss.server.home.dir2}/deploy/jms/-"{
      permission java.security.AllPermission;
      };
      grant codeBase "file:${jboss.server.home.dir2}/deploy/uuid-key-generator.sar/-"{
      permission java.security.AllPermission;
      };
      // Restricted grant for code loaded from the server's tmp/ directory
      // (presumably where JBoss unpacks the deployed web application - confirm).
      grant codeBase "file:${jboss.server.home.dir2}/tmp/-" {
      // Read, write and delete everything below the server tmp directory (trailing "-" is recursive).
      permission java.io.FilePermission "C:\\JBOSS\\jboss-4.0.5.GA\\server\\default\\tmp\\-", "read";
      permission java.io.FilePermission "C:\\JBOSS\\jboss-4.0.5.GA\\server\\default\\tmp\\-", "write";
      permission java.io.FilePermission "C:\\JBOSS\\jboss-4.0.5.GA\\server\\default\\tmp\\-", "delete";
      // NOTE(review): read covers the whole LOCALS~1 tree of this user profile, while
      // write/delete are limited to its Temp subfolder; narrowing read to Temp as well
      // would match the apparent intent - confirm what the application actually reads.
      permission java.io.FilePermission "C:\\DOCUME~1\\JEANOL~1\\LOCALS~1\\-", "read";
      permission java.io.FilePermission "C:\\DOCUME~1\\JEANOL~1\\LOCALS~1\\Temp\\-", "write";
      permission java.io.FilePermission "C:\\DOCUME~1\\JEANOL~1\\LOCALS~1\\Temp\\-", "delete";
      // NOTE(review): accessDeclaredMembers, suppressAccessChecks and createClassLoader
      // together let this code bypass Java-language access checks and define classes of
      // its own. The JDK documentation treats them as permissions for trusted code only,
      // so this entry confines tmp/ code far less than the absence of AllPermission suggests.
      permission java.lang.RuntimePermission "accessDeclaredMembers";
      permission java.lang.RuntimePermission "shutdownHooks";
      permission java.lang.RuntimePermission "getProtectionDomain";
      permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
      permission java.lang.RuntimePermission "createClassLoader";
      permission java.lang.RuntimePermission "getClassLoader";
      permission java.security.SecurityPermission "getPolicy";
      };
      // NOTE(review): exact duplicate of the grant entry above. Permissions are additive,
      // so repeating the entry grants nothing new; it can be removed.
      grant codeBase "file:${jboss.server.home.dir2}/tmp/-" {
      permission java.io.FilePermission "C:\\JBOSS\\jboss-4.0.5.GA\\server\\default\\tmp\\-", "read";
      permission java.io.FilePermission "C:\\JBOSS\\jboss-4.0.5.GA\\server\\default\\tmp\\-", "write";
      permission java.io.FilePermission "C:\\JBOSS\\jboss-4.0.5.GA\\server\\default\\tmp\\-", "delete";
      permission java.io.FilePermission "C:\\DOCUME~1\\JEANOL~1\\LOCALS~1\\-", "read";
      permission java.io.FilePermission "C:\\DOCUME~1\\JEANOL~1\\LOCALS~1\\Temp\\-", "write";
      permission java.io.FilePermission "C:\\DOCUME~1\\JEANOL~1\\LOCALS~1\\Temp\\-", "delete";
      permission java.lang.RuntimePermission "accessDeclaredMembers";
      permission java.lang.RuntimePermission "shutdownHooks";
      permission java.lang.RuntimePermission "getProtectionDomain";
      permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
      permission java.lang.RuntimePermission "createClassLoader";
      permission java.lang.RuntimePermission "getClassLoader";
      permission java.security.SecurityPermission "getPolicy";
      };
      // NOTE(review): second exact duplicate of the same grant entry; can be removed.
      grant codeBase "file:${jboss.server.home.dir2}/tmp/-" {
      permission java.io.FilePermission "C:\\JBOSS\\jboss-4.0.5.GA\\server\\default\\tmp\\-", "read";
      permission java.io.FilePermission "C:\\JBOSS\\jboss-4.0.5.GA\\server\\default\\tmp\\-", "write";
      permission java.io.FilePermission "C:\\JBOSS\\jboss-4.0.5.GA\\server\\default\\tmp\\-", "delete";
      permission java.io.FilePermission "C:\\DOCUME~1\\JEANOL~1\\LOCALS~1\\-", "read";
      permission java.io.FilePermission "C:\\DOCUME~1\\JEANOL~1\\LOCALS~1\\Temp\\-", "write";
      permission java.io.FilePermission "C:\\DOCUME~1\\JEANOL~1\\LOCALS~1\\Temp\\-", "delete";
      permission java.lang.RuntimePermission "accessDeclaredMembers";
      permission java.lang.RuntimePermission "shutdownHooks";
      permission java.lang.RuntimePermission "getProtectionDomain";
      permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
      permission java.lang.RuntimePermission "createClassLoader";
      permission java.lang.RuntimePermission "getClassLoader";
      permission java.security.SecurityPermission "getPolicy";
      };

      // Default grant: an entry with no codeBase applies to all code, whatever its origin.
      grant {
      // Every system property is readable by any code.
      permission java.util.PropertyPermission "*", "read";
      permission java.lang.RuntimePermission "queuePrintJob";
      // Local endpoints on ports 5432 and 8009 (presumably the database and the
      // AJP connector - confirm against the server configuration).
      permission java.net.SocketPermission "localhost:5432", "accept, connect, listen";
      permission java.net.SocketPermission "localhost:8009", "accept, connect, listen";
      // NOTE(review): "*" is any host, and the action list includes accept and listen
      // as well as connect. If the application only opens outbound connections on
      // ports 80, 110 and 25, "connect" alone is the narrower grant.
      permission java.net.SocketPermission "*:80", "accept, connect, listen";
      permission java.net.SocketPermission "*:110", "accept, connect, listen";
      permission java.net.SocketPermission "*:25", "accept, connect, listen";
      // NOTE(review): the trailing wildcard opens every package that the security
      // manager otherwise restricts, for all code; list the specific packages instead.
      permission java.lang.RuntimePermission "accessClassInPackage.*";
      // JBoss-specific permission target, granted here to all code.
      permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.getSubject";
      permission javax.management.MBeanServerPermission "findMBeanServer";
      // All actions ("*") on the XMBean registered as the MBean registry.
      permission javax.management.MBeanPermission "org.jboss.mx.modelmbean.XMBean#*[JMImplementation:type=MBeanRegistry]", "*";
      permission javax.security.auth.AuthPermission "createLoginContext.*";
      };

        • 1. Re: java.policy : crash after some hours
          jogregoire

          I've got this error in the log file

          2007-10-08 10:36:27,753 DEBUG [org.jboss.web.tomcat.security.SecurityFlushSessionListener] Obtaining SecurityManagerService failed::
          java.lang.ClassCastException: org.jboss.security.plugins.JaasSecurityManager
          at org.jboss.web.tomcat.security.SecurityFlushSessionListener.getSecurityManagerService(SecurityFlushSessionListener.java:193)
          at org.jboss.web.tomcat.security.SecurityFlushSessionListener.getSubjectAndSecurityDomain(SecurityFlushSessionListener.java:160)
          at org.jboss.web.tomcat.security.SecurityFlushSessionListener.sessionDestroyed(SecurityFlushSessionListener.java:79)
          at org.apache.catalina.session.StandardSession.expire(StandardSession.java:687)
          at org.apache.catalina.session.StandardSession.isValid(StandardSession.java:579)
          at org.apache.catalina.session.ManagerBase.processExpires(ManagerBase.java:678)
          at org.apache.catalina.session.ManagerBase.backgroundProcess(ManagerBase.java:663)
          at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1284)
          at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1569)
          at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1578)
          at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1578)
          at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1558)
          at java.lang.Thread.run(Unknown Source)

          • 2. Re: java.policy : crash after some hours
            anil.saldhana

            That error is not the cause of your crash. Most probably it is the heap settings or such. The server may be crashing with out of memory errors or something.

            * Get the latest version of JBoss.
            * Follow:
            http://wiki.jboss.org/wiki/Wiki.jsp?page=JBossASTuningSliming
            * Look for tuning the JVM etc at
            http://wiki.jboss.org/wiki/Wiki.jsp?page=MonitoringManagementAndProfilingTools

            • 3. Re: java.policy : crash after some hours
              jogregoire

              The server is still working but my website isn't accessible. This error comes from the java policy configuration, because when this file is not used the error doesn't happen.

              So I would like to see a java.policy for Hibernate and Struts applications.

              • 4. Re: java.policy : crash after some hours
                jogregoire

                Jsp are accessible but servlet not

                • 5. Re: java.policy : crash after some hours
                  jogregoire

                  I think that I've solved the problem. I've added the following lines at the end of the file:
                  // JBoss-specific SecurityAssociation permission targets.
                  // NOTE(review): if these lines go into the codeBase-less "grant { ... }" entry at
                  // the end of the file, every class in the JVM receives them, including the setters
                  // (setPrincipalInfo, setRunAsRole, setServer). Presumably a codeBase-scoped grant
                  // for the code that needs them is enough - confirm.
                  permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.setPrincipalInfo";
                  permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.getPrincipalInfo";
                  permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.setRunAsRole";
                  permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.setServer";
                  permission javax.security.auth.AuthPermission "createLoginContext.*";

                  I'll post a message if the web app doesn't crash during the next days.




                  I am also posting the Debian version of the script. I've got a problem with this script: I must give read rights to the "/" directory (the Hibernate cache system has to do Tmp.list()). If somebody knows how to solve this security problem ...


                  // Trusted core Java code
                  // A codeBase with a trailing "-" matches every class and JAR file below the
                  // directory, recursively; a trailing "*" matches only the directory's direct contents.
                  grant codeBase "file:/home/logiciel/java/sources/jre1.5.0_12/lib/ext/-" {
                  permission java.security.AllPermission;
                  };
                  grant codeBase "file:/home/logiciel/java/sources/jre1.5.0_12/lib/*" {
                  permission java.security.AllPermission;
                  };
                  // Trusted core Jboss code
                  // Everything below runs with AllPermission, i.e. outside the sandbox.
                  grant codeBase "file:/home/logiciel/jboss/jboss-4.0.5.GA/bin/-" {
                  permission java.security.AllPermission;
                  };

                  grant codeBase "file:/home/logiciel/jboss/jboss-4.0.5.GA/lib/-" {
                  permission java.security.AllPermission;
                  };
                  grant codeBase "file:/home/logiciel/jboss/jboss-4.0.5.GA/server/default/lib/-" {
                  permission java.security.AllPermission;
                  };
                  grant codeBase "file:/home/logiciel/jboss/jboss-4.0.5.GA/server/default/deploy/jmx-console.war/-"{
                  permission java.security.AllPermission;
                  };
                  grant codeBase "file:/home/logiciel/jboss/jboss-4.0.5.GA/server/default/deploy/jbossws14.sar/-"{
                  permission java.security.AllPermission;
                  };
                  grant codeBase "file:/home/logiciel/jboss/jboss-4.0.5.GA/server/default/deploy/jbossweb-tomcat55.sar/-"{
                  permission java.security.AllPermission;
                  };
                  grant codeBase "file:/home/logiciel/jboss/jboss-4.0.5.GA/server/default/deploy/jboss-aop.deployer/-"{
                  permission java.security.AllPermission;
                  };
                  grant codeBase "file:/home/logiciel/jboss/jboss-4.0.5.GA/server/default/deploy/http-invoker.sar/-"{
                  permission java.security.AllPermission;
                  };
                  grant codeBase "file:/home/logiciel/jboss/jboss-4.0.5.GA/server/default/deploy/jboss-bean.deployer/-"{
                  permission java.security.AllPermission;
                  };
                  grant codeBase "file:/home/logiciel/jboss/jboss-4.0.5.GA/server/default/deploy/jms/-"{
                  permission java.security.AllPermission;
                  // NOTE(review): the closing "};" of the jms entry is missing here, so the next
                  // "grant" starts inside an entry that is still open. The policy parser is expected
                  // to reject this; check the deployed file (this may only be a paste error), because
                  // a policy that fails to load does not behave like the one written here.
                  grant codeBase "file:/home/logiciel/jboss/jboss-4.0.5.GA/server/default/deploy/uuid-key-generator.sar/-"{
                  permission java.security.AllPermission;
                  };
                  // Restricted grant for code loaded from the server's tmp/ directory
                  // (presumably where JBoss unpacks the deployed web application - confirm).
                  grant codeBase "file:/home/logiciel/jboss/jboss-4.0.5.GA/server/default/tmp/-" {
                  permission java.io.FilePermission "/home/logiciel/jboss/jboss-4.0.5.GA/server/default/tmp/-", "read";
                  permission java.io.FilePermission "/home/logiciel/jboss/jboss-4.0.5.GA/server/default/tmp/-", "write";
                  permission java.io.FilePermission "/home/logiciel/jboss/jboss-4.0.5.GA/server/default/tmp/-", "delete";
                  // NOTE(review): bin/autorized lies under .../bin/-, a codeBase that another entry of
                  // this file grants AllPermission. A location this restricted code can write to
                  // should not sit inside a fully trusted codeBase; move it outside bin/.
                  permission java.io.FilePermission "/home/logiciel/jboss/jboss-4.0.5.GA/bin/autorized/-", "read";
                  permission java.io.FilePermission "/home/logiciel/jboss/jboss-4.0.5.GA/bin/autorized/-", "write";
                  permission java.io.FilePermission "/home/logiciel/jboss/jboss-4.0.5.GA/bin/autorized/-", "delete";
                  // NOTE(review): "/-" with "read" makes the entire filesystem readable. A path ending
                  // in "/-" covers what is below a directory but not the directory itself, and listing
                  // a directory checks read on the directory path. If the failing call is a list() of
                  // the temp directory, read on "/tmp" itself plus "/tmp/-" is presumably enough -
                  // confirm against the AccessControlException message.
                  permission java.io.FilePermission "/-", "read";
                  permission java.io.FilePermission "/tmp/-", "write";
                  permission java.io.FilePermission "/tmp/-", "delete";
                  // NOTE(review): accessDeclaredMembers, suppressAccessChecks and createClassLoader
                  // together let this code bypass Java-language access checks and define classes of
                  // its own. The JDK documentation treats them as permissions for trusted code only.
                  permission java.lang.RuntimePermission "accessDeclaredMembers";
                  permission java.lang.RuntimePermission "shutdownHooks";
                  permission java.lang.RuntimePermission "getProtectionDomain";
                  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
                  permission java.lang.RuntimePermission "createClassLoader";
                  permission java.lang.RuntimePermission "getClassLoader";
                  permission java.security.SecurityPermission "getPolicy";
                  };
                  // NOTE(review): exact duplicate of the grant entry above. Permissions are additive,
                  // so repeating the entry grants nothing new; it can be removed.
                  grant codeBase "file:/home/logiciel/jboss/jboss-4.0.5.GA/server/default/tmp/-" {
                  permission java.io.FilePermission "/home/logiciel/jboss/jboss-4.0.5.GA/server/default/tmp/-", "read";
                  permission java.io.FilePermission "/home/logiciel/jboss/jboss-4.0.5.GA/server/default/tmp/-", "write";
                  permission java.io.FilePermission "/home/logiciel/jboss/jboss-4.0.5.GA/server/default/tmp/-", "delete";
                  permission java.io.FilePermission "/home/logiciel/jboss/jboss-4.0.5.GA/bin/autorized/-", "read";
                  permission java.io.FilePermission "/home/logiciel/jboss/jboss-4.0.5.GA/bin/autorized/-", "write";
                  permission java.io.FilePermission "/home/logiciel/jboss/jboss-4.0.5.GA/bin/autorized/-", "delete";
                  permission java.io.FilePermission "/-", "read";
                  permission java.io.FilePermission "/tmp/-", "write";
                  permission java.io.FilePermission "/tmp/-", "delete";
                  permission java.lang.RuntimePermission "accessDeclaredMembers";
                  permission java.lang.RuntimePermission "shutdownHooks";
                  permission java.lang.RuntimePermission "getProtectionDomain";
                  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
                  permission java.lang.RuntimePermission "createClassLoader";
                  permission java.lang.RuntimePermission "getClassLoader";
                  permission java.security.SecurityPermission "getPolicy";
                  };
                  // NOTE(review): second exact duplicate of the same grant entry; can be removed.
                  grant codeBase "file:/home/logiciel/jboss/jboss-4.0.5.GA/server/default/tmp/-" {
                  permission java.io.FilePermission "/home/logiciel/jboss/jboss-4.0.5.GA/server/default/tmp/-", "read";
                  permission java.io.FilePermission "/home/logiciel/jboss/jboss-4.0.5.GA/server/default/tmp/-", "write";
                  permission java.io.FilePermission "/home/logiciel/jboss/jboss-4.0.5.GA/server/default/tmp/-", "delete";
                  permission java.io.FilePermission "/home/logiciel/jboss/jboss-4.0.5.GA/bin/autorized/-", "read";
                  permission java.io.FilePermission "/home/logiciel/jboss/jboss-4.0.5.GA/bin/autorized/-", "write";
                  permission java.io.FilePermission "/home/logiciel/jboss/jboss-4.0.5.GA/bin/autorized/-", "delete";
                  permission java.io.FilePermission "/-", "read";
                  permission java.io.FilePermission "/tmp/-", "write";
                  permission java.io.FilePermission "/tmp/-", "delete";
                  permission java.lang.RuntimePermission "accessDeclaredMembers";
                  permission java.lang.RuntimePermission "shutdownHooks";
                  permission java.lang.RuntimePermission "getProtectionDomain";
                  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
                  permission java.lang.RuntimePermission "createClassLoader";
                  permission java.lang.RuntimePermission "getClassLoader";
                  permission java.security.SecurityPermission "getPolicy";
                  };

                  // Default grant: an entry with no codeBase applies to all code, whatever its origin.
                  grant {
                  // Every system property is readable by any code.
                  permission java.util.PropertyPermission "*", "read";
                  permission java.lang.RuntimePermission "queuePrintJob";
                  // Local endpoints on ports 5432 and 8009 (presumably the database and the
                  // AJP connector - confirm against the server configuration).
                  permission java.net.SocketPermission "localhost:5432", "accept, connect, listen";
                  permission java.net.SocketPermission "localhost:8009", "accept, connect, listen";
                  // NOTE(review): "*" is any host, and the action list includes accept and listen
                  // as well as connect. If the application only opens outbound connections on
                  // ports 80, 110 and 25, "connect" alone is the narrower grant.
                  permission java.net.SocketPermission "*:80", "accept, connect, listen";
                  permission java.net.SocketPermission "*:110", "accept, connect, listen";
                  permission java.net.SocketPermission "*:25", "accept, connect, listen";
                  // NOTE(review): the trailing wildcard opens every package that the security
                  // manager otherwise restricts, for all code; list the specific packages instead.
                  permission java.lang.RuntimePermission "accessClassInPackage.*";
                  permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.getSubject";
                  permission javax.management.MBeanServerPermission "findMBeanServer";
                  // All actions ("*") on the XMBean registered as the MBean registry.
                  permission javax.management.MBeanPermission "org.jboss.mx.modelmbean.XMBean#*[JMImplementation:type=MBeanRegistry]", "*";
                  // NOTE(review): because this entry has no codeBase, every class in the JVM receives
                  // the SecurityAssociation setters below, including code loaded from tmp/.
                  // Presumably a codeBase-scoped grant for the code that needs them is enough - confirm.
                  permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.setPrincipalInfo";
                  permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.getPrincipalInfo";
                  permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.setRunAsRole";
                  permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.setServer";
                  permission javax.security.auth.AuthPermission "createLoginContext.*";


                  }
                  ;



                  • 6. Re: java.policy : crash after some hours
                    jogregoire

                    The web app isn't accessible; the changes made in the file aren't useful. I'm fed up, I'll grant AllPermission.

                    • 7. Re: java.policy : crash after some hours
                      jogregoire

                      runtime org.jboss.*

                      • 8. Re: java.policy : crash after some hours
                        jogregoire

                        I will try to take the FlushSessionListener out of the web.xml. I would like to change the code of this class but I don't know the name of the jar (I've seen a solution based on a servlet filter).