
Run the iGrafx Platform under Tomcat with a SecurityManager

In some corporate environments Tomcat is only allowed to run with the Java SecurityManager enabled (see https://tomcat.apache.org/tomcat-7.0-doc/security-howto.html#Security_manager and https://tomcat.apache.org/tomcat-7.0-doc/security-manager-howto.html). If this is the case, additional configuration is required before the iGrafx Platform will run, because the default policy shipped with Tomcat denies web applications almost all file, system property and reflection access.

Warning: when enabling the Security Manager in Tomcat 7, the Tomcat version needs to be at least 7.0.69.

Step-by-step guide

The following steps enable the security manager under Tomcat and grant the permissions the iGrafx Platform requires.

  1. Enable the security manager for your Tomcat instance (for example by starting it with catalina.bat start -security or catalina.sh start -security, or with the -Djava.security.manager options shown below for the service version).
  2. Add the following Java system property to your Tomcat JAVA_OPTS: -Dlog4j2.disable.jmx=true
  3. Add the following to the catalina.policy file of the Tomcat instance you are using. Adjust the codeBase path to the directory the web application is deployed in (the trailing "/-" makes the grant cover every file below that directory), and add a SocketPermission entry with at least the connect and resolve actions for each remote database or LDAP server the platform must reach. "eightcore:1433" is a sample entry and can be omitted.

    CODE
    grant codeBase "file:C:/iGrafxPlatform/apache-tomcat-8.0.36/igrafx/iGrafxWebApp/-" {
        permission java.util.PropertyPermission "*", "read,write";
        permission java.lang.RuntimePermission "shutdownHooks";
        permission java.lang.RuntimePermission "getClassLoader";
        permission java.lang.RuntimePermission "modifyThread";
        permission java.lang.RuntimePermission "createClassLoader";
        permission java.lang.RuntimePermission "defineClassInPackage.*";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.*";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.coyote.*";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
        permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
        permission java.lang.RuntimePermission "accessClassInPackage.sun.util.calendar";
        permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect.generics.repository";
        permission java.lang.RuntimePermission "accessDeclaredMembers";
        permission java.lang.RuntimePermission "getProtectionDomain";
        permission java.lang.RuntimePermission "reflectionFactoryAccess";
        permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
        permission java.io.FilePermission "${igrafx.basedirectory}", "read,write,execute";
        permission java.io.FilePermission "${igrafx.basedirectory}/-", "read,write,delete,execute";
        permission java.io.FilePermission "${java.io.tmpdir}", "read";
        permission java.io.FilePermission "${java.home}/lib/rt.jar", "read";
        permission java.net.SocketPermission "eightcore:1433", "connect,resolve";
    };
  4. Restart your Tomcat server.
  5. If you still see access denied errors in the log files, the java.security.AccessControlException message names the missing permission in nearly policy-file form, for example access denied ("java.io.FilePermission" "C:\somewhere\file" "write"). Convert it into a permission line (permission java.io.FilePermission "C:/somewhere/file", "write";), add it to the grant block above, and restart. Use forward slashes in Windows paths, because a backslash is an escape character in policy files. Review each addition rather than pasting it in blindly: entries such as suppressAccessChecks, createClassLoader and a writable PropertyPermission "*" hand the web application most of what the security manager is meant to withhold, so the value of the sandbox then lies mainly in restricting other applications deployed on the same Tomcat.
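The conversion in step 5 is mechanical, so the following script does it for a whole log file: it collects every access denied line, merges the actions requested for the same target, rewrites Windows paths with forward slashes, optionally substitutes the ${igrafx.basedirectory} property used in the policy above, and flags grants that would effectively disable the sandbox. This is an added example and not iGrafx or Tomcat code; it assumes the AccessControlException message format used since Java 7, and the sample log lines, the base directory C:/iGrafxPlatform and the REVIEW marker are constructed for illustration.

```python
"""Turn Tomcat 'access denied' log lines into catalina.policy entries.

Added example (not part of the iGrafx documentation or product). Assumes the
java.security.AccessControlException message format used since Java 7:
    access denied ("java.io.FilePermission" "C:\\some\\file" "read")
    access denied ("java.lang.RuntimePermission" "getClassLoader")
"""
import re
from collections import OrderedDict

# Both the three-part (class, target, actions) and two-part (class, target) forms.
DENIED_RE = re.compile(
    r'access denied \("(?P<cls>[\w.$]+)" "(?P<name>[^"]*)"(?: "(?P<actions>[^"]*)")?\)'
)

# Permissions that let code escape the sandbox once granted; an operator should
# review these rather than paste them in because a log line asked for them.
SANDBOX_BREAKERS = {
    ("java.lang.reflect.ReflectPermission", "suppressAccessChecks"),
    ("java.lang.RuntimePermission", "createClassLoader"),
    ("java.lang.RuntimePermission", "setSecurityManager"),
    ("java.lang.RuntimePermission", "createSecurityManager"),
    ("java.security.SecurityPermission", "setPolicy"),
}

# Constructed sample log excerpt (not real iGrafx output).
LOG = """\
12-Jan-2020 10:00:00.000 SEVERE [main] java.security.AccessControlException: access denied ("java.io.FilePermission" "C:\\iGrafxPlatform\\data\\cache\\a.tmp" "write")
java.security.AccessControlException: access denied ("java.io.FilePermission" "C:\\iGrafxPlatform\\data\\cache\\a.tmp" "read")
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")
java.security.AccessControlException: access denied ("java.util.PropertyPermission" "user.home" "read")
java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
12-Jan-2020 10:00:01.000 INFO [main] Server startup in 1234 ms
"""


def parse_denials(lines):
    """Map (permission class, target) -> set of requested actions, in log order."""
    denied = OrderedDict()
    for line in lines:
        m = DENIED_RE.search(line)
        if not m:
            continue
        actions = denied.setdefault((m.group("cls"), m.group("name")), set())
        if m.group("actions"):
            actions.update(a.strip() for a in m.group("actions").split(","))
    return denied


def _policy_path(name, base_dir=None, base_property="igrafx.basedirectory"):
    """Backslash is an escape character in policy files, so emit forward slashes
    (Java accepts them on Windows). If base_dir is given, paths below it are
    expressed through the ${igrafx.basedirectory} property the policy already uses."""
    path = name.replace("\\", "/")
    if base_dir:
        base = base_dir.replace("\\", "/").rstrip("/")
        if path.lower() == base.lower() or path.lower().startswith(base.lower() + "/"):
            path = "${%s}%s" % (base_property, path[len(base):])
    return path


def is_sandbox_breaker(cls, name, actions):
    """True for grants that effectively disable the security manager."""
    if (cls, name) in SANDBOX_BREAKERS:
        return True
    # Writing arbitrary system properties lets code alter security-relevant settings.
    return cls == "java.util.PropertyPermission" and name == "*" and "write" in actions


def policy_entry(cls, name, actions, base_dir=None):
    """Render one 'permission ...;' line in catalina.policy syntax."""
    target = _policy_path(name, base_dir) if cls == "java.io.FilePermission" else name
    if actions:
        return 'permission %s "%s", "%s";' % (cls, target, ",".join(sorted(actions)))
    return 'permission %s "%s";' % (cls, target)


def build_grant(lines, code_base, base_dir=None):
    """Assemble a complete grant block for the given codeBase from log lines.
    Policy files accept // comments, used here for the REVIEW marker."""
    body = []
    for (cls, name), actions in parse_denials(lines).items():
        entry = policy_entry(cls, name, actions, base_dir)
        if is_sandbox_breaker(cls, name, actions):
            entry += "  // REVIEW: effectively disables the sandbox"
        body.append("    " + entry)
    return 'grant codeBase "%s" {\n%s\n};' % (code_base, "\n".join(body))


if __name__ == "__main__":
    print(build_grant(LOG.splitlines(),
                      "file:C:/iGrafxPlatform/apache-tomcat-8.0.36/igrafx/iGrafxWebApp/-",
                      base_dir="C:/iGrafxPlatform"))
```

Run it against catalina.out or the stdout log of the service and paste the block, after review, into catalina.policy; the merged read,write entry for the cache file shows why collecting a full startup log beats adding one line per restart.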

Settings for predeployed version of iGrafx Platform

To enable the security manager in the predeployed version of the iGrafx Platform, run the manage_service.bat file to configure your Tomcat service. In the Java tab, add the following to the Java Options (the double equals sign in -Djava.security.policy is intentional: with == the named file replaces the JRE's default java.policy instead of being added to it):

CODE
-Djava.security.manager
-Djava.security.policy=="c:\iGrafxPlatform\apache-tomcat-8.0.36\conf\catalina.policy"
-Dlog4j2.disable.jmx=true

In addition to the general policy settings mentioned above (step 3 of the "Step-by-step guide"), the following permission needs to be granted in the policy file so that the application can read the log4j configuration file:

In the grant block for codeBase "file:C:/iGrafxPlatform/apache-tomcat-8.0.36/igrafx/iGrafxWebApp/-":

CODE
permission java.io.FilePermission "${catalina.base}/conf/log4j2.xml", "read";

and the logger permissions (this block already exists in the default catalina.policy file) need to be extended:

In the existing grant block for codeBase "file:${catalina.home}/bin/tomcat-juli.jar":

CODE
permission java.util.PropertyPermission "igrafx.basedirectory", "read";
permission java.io.FilePermission "${igrafx.basedirectory}/logs", "read,write,execute";
permission java.io.FilePermission "${igrafx.basedirectory}/logs/-", "read,write,delete,execute";

If you want to print to PDF, you will need to add several more entries to the catalina.policy file. Replace {service user} with the Windows account the Tomcat service runs as; the .fop directory and font cache are created in that user's profile.

In the grant block for codeBase "file:C:/iGrafxPlatform/apache-tomcat-8.0.36/igrafx/iGrafxWebApp/-":

CODE
permission java.io.FilePermission "${catalina.base}/bin/.", "read";
permission java.io.FilePermission "C:/Users/{service user}", "read";
permission java.io.FilePermission "C:/Users/{service user}/.fop", "read,write";
permission java.io.FilePermission "C:/Users/{service user}/.fop/fop-fonts.cache", "read,write";
