FilePermission for custom framework
Hi,
I have a custom framework that needs to read and write files "somewhere" on the server.
My (kind of random) choice was a custom subfolder within tomcat\webapps that will be created automatically if it is missing.
I expected this to be no problem with the permissions due to the existing entry
Code:
grant codeBase "file:${oxygen.data.dir}/frameworks/-" {
    permission java.security.AllPermission;
};
But I got an error. So I tried to find (with a long sequence of trial and error) the most selective grant that solved this error and got this (very surprisingly):
Code:
grant codeBase "file:${catalina.base}/webapps/oxygen-xml-web-author/WEB-INF/-" {
    permission java.io.FilePermission "${catalina.base}/webapps/-", "read,write";
};
But I don't like this solution at all since
- it is not very selective on the codeBase or the permission
- it doesn't have any relation to my custom framework or custom folder
Thanks and regards,
Patrik
Re: FilePermission for custom framework
Post by mihai_coanda »
Hello,
The webapps folder should not be tampered with as it should only store web applications, not dynamic data.
You should use the oxygen data directory that is passed as the oxygen.data.dir system property to the java code of your framework.
This folder holds the configuration of the Web Author like frameworks, plugins, options, etc.
Regards,
Michael
https://www.oxygenxml.com
Re: FilePermission for custom framework
Hi Michael,
thanks a lot. Changing the folder as you suggested works without any modifications to the policies - perfect! :)
Regards,
Patrik
Re: FilePermission for custom framework
Hi again,
it turned out that using the folder <oxygen.data.dir> does not always work. When applying an XSLT transformation to a file in that folder I get an error with missing privileges:
Code:
java.security.AccessControlException: Access denied : C:\Program Files\oXygen XML Web Author 23.1\tomcat\work\Catalina\localhost\oxygen-xml-web-author\TgicServiceCatalog\Deploy-ITU\TgicServiceCatalog.xml
at ro.sync.servlet.plugin.SecurityAwareFileURLStreamHandler.openConnection(SecurityAwareFileURLStreamHandler.java:87) ~[classes/:?]
at java.net.URL.openConnection(Unknown Source) ~[?:1.8.0_202]
at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(XMLEntityManager.java:1037) ~[oxygen-patched-xerces.jar:2.12.1-xml-schema-1.1]
at org.apache.xerces.impl.XMLVersionDetector.determineDocVersion(Unknown Source) ~[oxygen-patched-xerces.jar:2.12.1-xml-schema-1.1]
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) ~[oxygen-patched-xerces.jar:?]
at org.ditang.relaxng.defaults.RelaxDefaultsParserConfiguration.parse(Unknown Source) ~[oxygen.jar:?]
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) ~[oxygen-patched-xerces.jar:?]
at org.apache.xerces.parsers.XMLParser.parse(Unknown Source) ~[oxygen-patched-xerces.jar:?]
at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source) ~[oxygen-patched-xerces.jar:?]
at ro.sync.xml.parser.CatalogEnabledXMLReader$1$1.run(Unknown Source) ~[oxygen.jar:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_202]
at ro.sync.security.Sandbox.runWithAllPerms(Sandbox.java:223) ~[oxygen-sandbox.jar:?]
at ro.sync.xml.parser.CatalogEnabledXMLReader$1.run(Unknown Source) ~[oxygen.jar:?]
at ro.sync.security.SandboxCore.runWithConfirmation(SandboxCore.java:258) ~[oxygen-sandbox.jar:?]
at ro.sync.security.ConnectionsSandbox.runWithConnectConfirmation(ConnectionsSandbox.java:263) ~[oxygen-sandbox.jar:?]
at ro.sync.security.Sandbox.runWithConnectConfirmation(Sandbox.java:355) ~[oxygen-sandbox.jar:?]
at ro.sync.xml.parser.CatalogEnabledXMLReader.parse(Unknown Source) ~[oxygen.jar:?]
at net.sf.saxon.event.Sender.sendSAXSource(Sender.java:435) ~[oxygen-patched-saxon-9he.jar:?]
at net.sf.saxon.event.Sender.send(Sender.java:141) ~[oxygen-patched-saxon-9he.jar:?]
at net.sf.saxon.Controller.makeSourceTree(Controller.java:1360) ~[oxygen-patched-saxon-9he.jar:?]
at net.sf.saxon.s9api.XsltTransformer.transform(XsltTransformer.java:335) ~[oxygen-patched-saxon-9he.jar:?]
at net.sf.saxon.jaxp.TransformerImpl.transform(TransformerImpl.java:71) ~[oxygen-patched-saxon-9he.jar:?]
at com.gdvdl.TgicServiceCatalog.operations.DeployDiff.compare(DeployDiff.java:104) ~[?:?]
at com.gdvdl.TgicServiceCatalog.operations.DeployDiff.doOperation(DeployDiff.java:58) ~[?:?]
at ro.sync.ecss.webapp.actions.g.doOperation(Unknown Source) ~[oxygen.jar:?]
at ro.sync.ecss.extensions.o.f(Unknown Source) ~[oxygen.jar:?]
[...]
And in this case even granting all privileges doesn't help:
Code:
grant {
    permission java.security.AllPermission;
};
Any ideas what to do to make this work?
Thanks and regards,
Patrik
Re: FilePermission for custom framework
Post by cristi_talau »
Hello,
Indeed, for files that are accessed via "file://" URLs we have another layer of security that restricts access only to reading and only to:
- <oxygen.data.dir>/frameworks/
- <oxygen.data.dir>/plugins/
In your case, the catalog file was accessed via a "file://" URL and not directly using new File(...). A quick solution would be to add it inside a framework or plugin.
Best,
Cristian
Re: FilePermission for custom framework
Thanks for the hint. I just used a subfolder within frameworks and it works so far.
(I didn't use the framework folder itself since I expect it to be deleted when updating the framework.)
Best regards
Patrik
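A sketch of the approach the thread ends on, as an added example that is not code from the posts above or from Oxygen: framework code derives its storage folder from the oxygen.data.dir system property, keeps it below frameworks/, and rejects any file name that would resolve outside it. The class name FrameworkDataStore, the subfolder my-framework-data and the file names are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Added example; class and folder names are hypothetical, not part of the Oxygen API. */
public class FrameworkDataStore {
    private final Path base;

    /** dataDir is the value of the oxygen.data.dir system property; subfolder is our own choice. */
    public FrameworkDataStore(String dataDir, String subfolder) throws IOException {
        if (dataDir == null) throw new IllegalStateException("oxygen.data.dir is not set");
        Path frameworks = Paths.get(dataDir, "frameworks").toAbsolutePath().normalize();
        Path candidate = frameworks.resolve(subfolder).normalize();
        // Must be strictly below frameworks/, the tree the thread says is readable via file:// URLs.
        if (candidate.equals(frameworks) || !candidate.startsWith(frameworks)) {
            throw new SecurityException("Storage folder escapes frameworks/: " + subfolder);
        }
        this.base = Files.createDirectories(candidate);
    }

    /** Resolves a relative name inside the storage folder (lexical check, symlinks are not resolved). */
    public Path resolve(String relativeName) {
        Path p = base.resolve(relativeName).normalize();
        if (!p.startsWith(base)) {
            throw new SecurityException("Path escapes storage folder: " + relativeName);
        }
        return p;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in so the demo runs outside Web Author, where the property is unset.
        String dataDir = System.getProperty("oxygen.data.dir");
        if (dataDir == null) dataDir = Files.createTempDirectory("oxygen-data").toString();
        FrameworkDataStore store = new FrameworkDataStore(dataDir, "my-framework-data");
        Path catalog = store.resolve("Deploy/catalog.xml");
        Files.createDirectories(catalog.getParent());
        Files.write(catalog, "<catalog/>".getBytes(StandardCharsets.UTF_8));
        // file: URL form of the stored file; it stays under frameworks/.
        System.out.println("stored at " + catalog.toUri());
        try {
            store.resolve("../../../webapps/out.xml"); // would land outside the storage folder
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```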