I have a very large web application that I would like to publish specifications on what permissions are needed to be granted for "Tomcat Security Manager" to work properly with the web application.
Is there any automatic way to run the web application and generate a list of all the permissions that are needed?
I've tried doing this manually by enabling Tomcat Security Manager and working my way through the security exceptions and adding the needed permissions. The problem with this, however, is that only one security exception is shown at a time and after every exception I need to update the catalina.policy, restart Tomcat and move to the next exception.
I have literally spent 2hrs doing this without any hint of being close to complete. There has to be a better way.
I have found the answer to this question.
Adding the following Java option to Tomcat will create an entry in stderr for every permission that is needed:
-Djava.security.debug=all
I'm not sure why I didn't find this before, but its documented in the Tomcat 6.0 manual.
http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html#Troubleshooting