I've written a Servlet that uses the library ganymed-ssh2-build210.jar (it uses these classes: import ch.ethz.ssh2.Connection; import ch.ethz.ssh2.Session; import ch.ethz.ssh2.StreamGobbler;) to run commands over an SSH connection (for test purposes it connects to my local machine). When I run my class as a standalone app it works, but when I deploy it into Tomcat and Tomcat starts it up as a Servlet, I get this exception (I've cut off the end, as I figured it probably wasn't relevant, but I can include it all if that would help):

java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:22 connect,resolve)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
    at java.security.AccessController.checkPermission(AccessController.java:546)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
    at java.lang.SecurityManager.checkConnect(SecurityManager.java:1034)
    at java.net.Socket.connect(Socket.java:513)
    at ch.ethz.ssh2.transport.TransportManager.establishConnection(TransportManager.java:340)
    at ch.ethz.ssh2.transport.TransportManager.initialize(TransportManager.java:448)
    at ch.ethz.ssh2.Connection.connect(Connection.java:643)
    ...

Is this perhaps something to do with security policies? If so, do you know how I change them?

I'm using Java 1.6 and Tomcat 6.

A: 

It looks like Java is getting access denied on port 22 - are you sure you're trying to connect as a client, and not spawn a server? If it was trying to bind a listener to port 22, you're likely to get an error unless you're running as a superuser.

zigdon
Definitely connects as a client, it runs fine as a standalone app.
Sam Illingworth
A: 

Are you running Tomcat with the -security argument turned on? If so, you need to edit $CATALINA_BASE/conf/catalina.policy and allow ch.ethz.ssh2.transport access to java.net.Socket.

Andy Gherna
Sorry to sound like a noob, but what would that entry look like? I've just tried the following (I copied the jar example from local.policy), but to no avail:

    grant codeBase "jar:file:${catalina.base}/webapps/GetSpinData/WEB-INF/lib/ganymed-ssh2-build210.jar!/-" {
        permission java.net.SocketPermission "127.0.0.1:22", "connect";
    };
Sam Illingworth
I added the following to catch everything:

    grant codeBase "jar:file:${catalina.base}/webapps/GetSpinData/WEB-INF/lib/ganymed-ssh2-build210.jar!/-" {
        permission java.security.AllPermission;
    };
    grant codeBase "file:${catalina.base}/webapps/GetSpinData/WEB-INF/lib/-" {
        permission java.security.AllPermission;
    };
    grant codeBase "file:${catalina.base}/webapps/GetSpinData/WEB-INF/classes/-" {
        permission java.security.AllPermission;
    };

It works, thanks! :D How would I narrow it down to just the permissions I need? And is that the right file, or should it be in local.policy?
Sam Illingworth
Keep it in catalina.policy, don't change local.policy. I believe the startup scripts/batch files pass the path to this file in to the security manager when Tomcat starts up. I'm not really sure how to narrow this down to the specific permissions you need. I hate to dish you off to a link, but if you look at http://java.sun.com/j2se/1.4.2/docs/guide/security/permissions.html, this will give you (probably more than enough) information you need to nail down the exact permissions. My guess is you will want to look at the NetPermission and SocketPermission. Hope this helps.
Andy Gherna
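
A narrowed replacement for the three AllPermission grants above, as an added example that is not part of the original thread. It grants only the SocketPermission named in the exception, and grants it to both the Ganymed jar and the servlet's own classes, because the security manager checks every protection domain on the call stack and the servlet is the caller of Connection.connect(). It assumes the same codeBase paths quoted in the thread and that no further permission is required; the library may need more (for example file or property access), which the debug flag in the note below will reveal.

```conf
// Added example for $CATALINA_BASE/conf/catalina.policy
// (Tomcat started with the -security argument).
// codeBase values are copied from the thread; adjust them to your deployment.

// SSH client library: allow only the outbound connection that was denied.
grant codeBase "jar:file:${catalina.base}/webapps/GetSpinData/WEB-INF/lib/ganymed-ssh2-build210.jar!/-" {
    // Matches: java.net.SocketPermission 127.0.0.1:22 connect,resolve
    permission java.net.SocketPermission "127.0.0.1:22", "connect,resolve";
};

// The webapp's own classes are on the stack when the socket is opened,
// so they need the same permission or the check still fails.
grant codeBase "file:${catalina.base}/webapps/GetSpinData/WEB-INF/classes/-" {
    permission java.net.SocketPermission "127.0.0.1:22", "connect,resolve";
};

// Assumption: nothing else is required. If another AccessControlException
// appears, add that single permission to the codeBase it names instead of
// falling back to java.security.AllPermission.
```

To find any remaining denials one at a time, start Tomcat with -Djava.security.debug=access,failure (for example via CATALINA_OPTS); each failed check is logged with the permission requested and the protection domain that lacked it.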