Run the iGrafx Platform under Tomcat with a SecurityManager
In some instances and within some corporate environments, Tomcat is only allowed to run with the Java SecurityManager enabled (see https://tomcat.apache.org/tomcat-7.0-doc/security-howto.html#Security_manager and https://tomcat.apache.org/tomcat-7.0-doc/security-manager-howto.html). If this is the case, additional configuration is required to allow the iGrafx Platform to run, as the default security policies restrict access to almost all file, property and reflection features.
When enabling the Security Manager in Tomcat 7, the Tomcat version needs to be at least 7.0.69.
Step-by-step guide
The following steps are required to enable the security manager under Tomcat and add the respective permissions for the iGrafx Platform.
- Enable the security manager for your Tomcat instance
- Add the following Java system property to your Tomcat JAVA_OPTS:

    -Dlog4j2.disable.jmx=true
- Add the following to your catalina.policy file for the Tomcat instance you are using. Adjust the codeBase path to wherever the web application is running from, and add all SocketPermission entries required to connect to remote databases or LDAP servers, with at least the connect and resolve actions. "eightcore:1433" is a sample entry and can be omitted.

    grant codeBase "file:C:/iGrafxPlatform/apache-tomcat-8.0.36/igrafx/iGrafxWebApp/-" {
        permission java.util.PropertyPermission "*", "read,write";
        permission java.lang.RuntimePermission "shutdownHooks";
        permission java.lang.RuntimePermission "getClassLoader";
        permission java.lang.RuntimePermission "modifyThread";
        permission java.lang.RuntimePermission "createClassLoader";
        permission java.lang.RuntimePermission "defineClassInPackage.*";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.*";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.coyote.*";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
        permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
        permission java.lang.RuntimePermission "accessClassInPackage.sun.util.calendar";
        permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect.generics.repository";
        permission java.lang.RuntimePermission "accessDeclaredMembers";
        permission java.lang.RuntimePermission "getProtectionDomain";
        permission java.lang.RuntimePermission "reflectionFactoryAccess";
        permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
        permission java.io.FilePermission "${igrafx.basedirectory}", "read,write,execute";
        permission java.io.FilePermission "${igrafx.basedirectory}/-", "read,write,delete,execute";
        permission java.io.FilePermission "${java.io.tmpdir}", "read";
        permission java.io.FilePermission "${java.home}/lib/rt.jar", "read";
        permission java.net.SocketPermission "eightcore:1433", "connect,resolve";
    };

  Several of these entries (createClassLoader, suppressAccessChecks and the wildcard PropertyPermission) are documented by the JDK as powerful enough to defeat most of the sandbox, so keep them scoped to this codeBase rather than copying them into a global grant block.
- Restart your Tomcat server
- If you continue to see access denied errors in the log files, each error message already contains the permission in nearly the right format, for example access denied ("java.io.FilePermission" "<path>" "read"). Copy the permission class, target and actions into the grant block above and adjust the formatting to match the existing entries.
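As an added example (not iGrafx or Tomcat code), the following Python script turns the access denied lines from a Tomcat log into policy entries in the format used above, removes duplicates, and flags entries that would widen the sandbox rather than just satisfy one check. The log excerpt is constructed, and the codeBase path is the sample one from the grant block; substitute your own.

```python
"""Turn SecurityManager 'access denied' log lines into catalina.policy entries.

Added example, not iGrafx or Tomcat code. The log excerpt below is constructed
to mirror the AccessControlException message format the JDK prints.
"""
import re

# Constructed sample of what Tomcat logs when the SecurityManager refuses an action.
SAMPLE_LOG = """\
16-Jun-2020 10:12:01.123 SEVERE [main] org.apache.catalina.core.StandardContext.startInternal java.security.AccessControlException: access denied ("java.io.FilePermission" "C:\\iGrafxPlatform\\data\\cache" "write")
16-Jun-2020 10:12:01.130 SEVERE [main] ... access denied ("java.net.SocketPermission" "ldap.example.internal:636" "connect,resolve")
16-Jun-2020 10:12:01.140 SEVERE [main] ... access denied ("java.io.FilePermission" "C:\\iGrafxPlatform\\data\\cache" "write")
16-Jun-2020 10:12:02.001 SEVERE [main] ... access denied ("java.lang.RuntimePermission" "getenv.PATH")
16-Jun-2020 10:12:02.010 INFO  [main] org.apache.catalina.startup.Catalina.start Server startup in 4213 ms
"""

# The JDK prints: access denied ("<class>" "<target>" "<actions>"); actions are optional.
DENIED_RE = re.compile(
    r'access denied \("(?P<cls>[\w.]+)" "(?P<target>[^"]*)"(?: "(?P<actions>[^"]*)")?\)'
)

# Permissions that hand the code a way out of the sandbox; review before granting.
BROAD = {
    ("java.lang.RuntimePermission", "createClassLoader"),
    ("java.lang.RuntimePermission", "setSecurityManager"),
    ("java.lang.reflect.ReflectPermission", "suppressAccessChecks"),
}


def parse_access_denied(log_text):
    """Return unique (class, target, actions) triples in first-seen order."""
    seen = []
    for m in DENIED_RE.finditer(log_text):
        triple = (m.group("cls"), m.group("target"), m.group("actions") or "")
        if triple not in seen:
            seen.append(triple)
    return seen


def format_permission(cls, target, actions):
    """Render one triple as a policy-file line in the style of the grant block."""
    # Policy files treat backslash as an escape character, so write Windows
    # paths with forward slashes, as the grant block in the guide already does.
    target = target.replace("\\", "/")
    entry = f'permission {cls} "{target}"'
    if actions:
        entry += f', "{actions}"'
    return entry + ";"


def review_permission(cls, target, actions):
    """Return a reason string if the entry is broader than a single check, else None."""
    if cls == "java.security.AllPermission" or (cls, target) in BROAD:
        return "sandbox-escaping capability"
    if target in ("*", "<<ALL FILES>>"):
        return "wildcard target"
    return None


def build_grant(code_base, triples):
    """Wrap the rendered entries in a grant block scoped to one codeBase."""
    lines = [f'grant codeBase "{code_base}" {{']
    for cls, target, actions in triples:
        lines.append("    " + format_permission(cls, target, actions))
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    triples = parse_access_denied(SAMPLE_LOG)
    for t in triples:
        reason = review_permission(*t)
        if reason:
            print(f"REVIEW: {format_permission(*t)}  ({reason})")
    # Sample codeBase from the guide; replace with the path of your own deployment.
    print(build_grant("file:C:/iGrafxPlatform/apache-tomcat-8.0.36/igrafx/iGrafxWebApp/-", triples))
```

Run it against a copy of catalina.out (or paste the relevant lines into SAMPLE_LOG); the duplicate write denial collapses to one entry, the RuntimePermission line is rendered without an actions field, and anything in the BROAD set or with a wildcard target is printed for review instead of being silently accepted.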
Settings for predeployed version of iGrafx Platform
To enable the security manager in the predeployed version of the iGrafx Platform, run the manage_service.bat file to configure your Tomcat service. In the Java tab, add the following (the double equal sign is important and not a mistake: with "==" the JVM uses this file as the only policy instead of adding it to the default policy files):

    -Djava.security.manager
    -Djava.security.policy=="c:\iGrafxPlatform\apache-tomcat-8.0.36\conf\catalina.policy"
    -Dlog4j2.disable.jmx=true
In addition to the general policy settings mentioned above (step 3 of the "Step-by-step guide"), the following permission needs to be granted in the policy file so that the application can read the log4j configuration file. Add it to the grant block for the web application's codeBase:

    grant codeBase "file:C:/iGrafxPlatform/apache-tomcat-8.0.36/igrafx/iGrafxWebApp/-" {
        permission java.io.FilePermission "${catalina.base}/conf/log4j2.xml", "read";
    };
The logger permissions (this grant block already exists in the default catalina.policy file) need to be extended with the following entries:

    grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
        permission java.util.PropertyPermission "igrafx.basedirectory", "read";
        permission java.io.FilePermission "${igrafx.basedirectory}/logs", "read,write,execute";
        permission java.io.FilePermission "${igrafx.basedirectory}/logs/-", "read,write,delete,execute";
    };
If you want to print to PDF, you will need to add several more entries to the catalina.policy file. Replace {service user} with the Windows account the Tomcat service runs as:

    grant codeBase "file:C:/iGrafxPlatform/apache-tomcat-8.0.36/igrafx/iGrafxWebApp/-" {
        permission java.io.FilePermission "${catalina.base}/bin/.", "read";
        permission java.io.FilePermission "C:/Users/{service user}", "read";
        permission java.io.FilePermission "C:/Users/{service user}/.fop", "read,write";
        permission java.io.FilePermission "C:/Users/{service user}/.fop/fop-fonts.cache", "read,write";
    };