For our Kunagi Java web application we have a signed kunagi.jar file which contains our classes together with classes from embedded Tomcat 6. This runs perfectly when calling java -jar kunagi.jar.
But when starting it with Java WebStart, I get an exception while embedded Tomcat is starting:
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.deploy)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:393)
at java.security.AccessController.checkPermission(AccessController.java:553)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1529)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:291)
at java.lang.ClassLoader.loadClass(ClassLoader.java:266)
at net.sourceforge.jnlp.runtime.JNLPClassLoader.loadClass(JNLPClassLoader.java:1018)
at java.lang.Class.getDeclaredMethods0(Native Method)
at java.lang.Class.privateGetDeclaredMethods(Class.java:2444)
at java.lang.Class.getMethod0(Class.java:2687)
at java.lang.Class.getMethod(Class.java:1620)
at org.apache.catalina.startup.SetPublicIdRule.begin(WebRuleSet.java:639)
at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1276)
... 33 more
Of course kunagi.jar is signed, otherwise it wouldn't even start. It seems Java WebStart enables Java Security globally, which somehow embedded Tomcat "inherits" and fails to initialize.
Here is the JNLP file:
<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="http://kunagi.org/webstart" href="kunagi.jnlp">
    <information>
        <title>Kunagi</title>
        <vendor>Kunagi Team</vendor>
        <homepage href="http://kunagi.org"/>
        <description>SCRUM Tool</description>
        <description kind="short">SCRUM Tool</description>
        <offline-allowed/>
    </information>
    <security>
        <all-permissions/>
    </security>
    <resources>
        <j2se version="1.6+" href="http://java.sun.com/products/autodl/j2se"/>
        <jar href="kunagi.jar" main="true" />
    </resources>
    <application-desc name="Kunagi" main-class="katokorbo.Katokorbo"/>
    <update check="always"/>
</jnlp>
Is there a way to disable security checks for Tomcat inside of Java WebStart? Or how can I configure embedded Tomcat to permit access to org.apache.catalina...?
I have solved my problem as follows:
Disable security manager after WebStart started my application. First line in my main() method:
System.setSecurityManager(null);
Tell Tomcat to use the default class loader:
context.setLoader(new WebappLoader(getClass().getClassLoader()));
Now Tomcat runs within WebStart :-D
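A guarded form of the first step, as an added example that is not part of the original answer: `System.setSecurityManager(null)` removes the sandbox for the whole JVM, so this sketch does it only when the code really holds the `AllPermission` that `<all-permissions/>` requests, and reports the package check from the stack trace before and after. The class and method names are hypothetical, and it assumes the `SecurityManager` API as it existed in the Java 6 to 8 runtimes WebStart shipped with.

```java
import java.security.AllPermission;
import java.security.Security;

/** Added example; SandboxBootstrap and its methods are hypothetical names. */
public class SandboxBootstrap {

    /** True if the installed SecurityManager blocks class loading from pkg
     *  for the current call stack (the check that failed in the trace). */
    static boolean packageAccessDenied(String pkg) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) return false;          // no sandbox, nothing is denied
        try {
            sm.checkPackageAccess(pkg);        // consults the package.access property
            return false;
        } catch (SecurityException e) {
            return true;
        }
    }

    /** Removes the SecurityManager only if the caller was granted AllPermission.
     *  Returns false and leaves the sandbox in place otherwise. */
    static boolean dropSecurityManagerIfFullyTrusted() {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) return true;           // already running unsandboxed
        try {
            sm.checkPermission(new AllPermission());
            System.setSecurityManager(null);   // JVM-wide: affects every thread and library
            return true;
        } catch (SecurityException e) {
            return false;                      // unsigned or partially trusted launch
        }
    }

    public static void main(String[] args) {
        String pkg = "org.apache.catalina.deploy";   // package named in the exception
        System.out.println("denied before: " + packageAccessDenied(pkg));
        if (!dropSecurityManagerIfFullyTrusted()) {
            System.err.println("Not fully trusted; refusing to start without the sandbox decision.");
            return;
        }
        // Reading security properties is itself permission-checked, so do it after the drop.
        System.out.println("package.access = " + Security.getProperty("package.access"));
        System.out.println("denied after: " + packageAccessDenied(pkg));
        // Embedded Tomcat would be started here, with the loader set as in the answer.
    }
}
```

The package check is evaluated against the caller's stack, so it can pass here and still fail inside Tomcat when a less-trusted frame is on the stack.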