EAR deployment

Discussion:

EAR deployment

r***@e1b.org

2018-06-27 16:15:18 UTC

I seem unable to deploy EARs. I have set the catalina.policy to:
grant {
permission java.security.AllPermission;
};

I have set the work directory to "work" (and at deploy see the exploded
EAR there).

Also I have set deployOnStartup to false, autoDeploy to true, and
unpackWARs to true.

On deploy, at first matters look promising. It unpacks, initializes my
EJBs, then I get single AccessContorlException (RuntimePermistion),
followed by an infinitely repeating (every 5 seconds or so) access control
exception (FilePermission).

INFO: Created Ejb(deployment-id=CloseEventsBean, ejb-name=CloseEventsBean,
container=Default Singleton Container)
Jun 26, 2018 11:41:40 AM org.apache.openejb.assembler.classic.Assembler
startEjbs
INFO: Created Ejb(deployment-id=ManagerReminderBean,
ejb-name=ManagerReminderBean, container=Default Singleton Container)
Jun 26, 2018 11:41:40 AM sun.reflect.NativeMethodAccessorImpl invoke
SEVERE: Exception invoking periodic operation:
java.security.AccessControlException: access denied
("java.lang.RuntimePermission" "setContextClassLoader")
at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at
java.security.AccessController.checkPermission(AccessController.java:884)
at
java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.Thread.setContextClassLoader(Thread.java:1474)
at
org.apache.openejb.log.LoggerCreator$Get.exec(LoggerCreator.java:94)
at
org.apache.openejb.log.LoggerCreator$Get.exec(LoggerCreator.java:105)
at
org.apache.openejb.util.JuliLogStream.isWarnEnabled(JuliLogStream.java:61)
at
org.apache.openejb.util.Logger.isWarningEnabled(Logger.java:425)
at org.apache.openejb.util.Logger.warning(Logger.java:646)
at
org.apache.tomee.catalina.TomcatWebAppBuilder.checkHost(TomcatWebAppBuilder.java:2233)
at
org.apache.tomee.catalina.GlobalListenerSupport.lifecycleEvent(GlobalListenerSupport.java:141)
at
org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:94)
at
org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1164)
at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1388)
at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1392)
at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1360)
at java.lang.Thread.run(Thread.java:748)

Below is the repeating exception.

Jun 26, 2018 11:41:50 AM sun.reflect.NativeMethodAccessorImpl invoke
SEVERE: Exception invoking periodic operation:
java.security.AccessControlException: access denied
("java.io.FilePermission" "C:\IBM\liferay\tomee\webapps\ROOT.war" "read")
at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at
java.security.AccessController.checkPermission(AccessController.java:884)
at
java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
at java.io.File.exists(File.java:814)
at
org.apache.catalina.startup.HostConfig.checkResources(HostConfig.java:1296)
at
org.apache.catalina.startup.HostConfig.check(HostConfig.java:1623)
at
org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:314)
at
org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:94)
at
org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1164)
at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1388)
at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1392)
at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1360)
at java.lang.Thread.run(Thread.java:748)

What am I missing? I can see that the exception implies additional
permissions, but why doesn't my blanket grant of all permission in the
catalina policy file cover this?

Ross

Confidentiality Notice:
This electronic message and any attachments may contain confidential or
privileged information, and is intended only for the individual or entity
identified above as the addressee. If you are not the addressee (or the
employee or agent responsible to deliver it to the addressee), or if this
message has been addressed to you in error, you are hereby notified that
you may not copy, forward, disclose or use any part of this message or any
attachments. Please notify the sender immediately by return e-mail or
telephone and delete this message from your system.

Jonathan Gallimore

2018-06-27 16:22:43 UTC

Permalink

Hi

What version of TomEE are you running?

Are you deploying your EAR from webapps, or from apps with <Deployments
dir="apps" /> added in tomee.xml?

Regards

Jon

Post by r***@e1b.org
grant {
permission java.security.AllPermission;
};
I have set the work directory to "work" (and at deploy see the exploded
EAR there).
Also I have set deployOnStartup to false, autoDeploy to true, and
unpackWARs to true.
On deploy, at first matters look promising. It unpacks, initializes my
EJBs, then I get single AccessContorlException (RuntimePermistion),
followed by an infinitely repeating (every 5 seconds or so) access control
exception (FilePermission).
INFO: Created Ejb(deployment-id=CloseEventsBean,
ejb-name=CloseEventsBean,
container=Default Singleton Container)
Jun 26, 2018 11:41:40 AM org.apache.openejb.assembler.classic.Assembler
startEjbs
INFO: Created Ejb(deployment-id=ManagerReminderBean,
ejb-name=ManagerReminderBean, container=Default Singleton Container)
Jun 26, 2018 11:41:40 AM sun.reflect.NativeMethodAccessorImpl invoke
java.security.AccessControlException: access denied
("java.lang.RuntimePermission" "setContextClassLoader")
at
java.security.AccessControlContext.checkPermission(
AccessControlContext.java:472)
at
java.security.AccessController.checkPermission(AccessController.java:884)
at
java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.Thread.setContextClassLoader(Thread.java:1474)
at
org.apache.openejb.log.LoggerCreator$Get.exec(LoggerCreator.java:94)
at
org.apache.openejb.log.LoggerCreator$Get.exec(LoggerCreator.java:105)
at
org.apache.openejb.util.JuliLogStream.isWarnEnabled(JuliLogStream.java:61)
at
org.apache.openejb.util.Logger.isWarningEnabled(Logger.java:425)
at org.apache.openejb.util.Logger.warning(Logger.java:646)
at
org.apache.tomee.catalina.TomcatWebAppBuilder.checkHost(
TomcatWebAppBuilder.java:2233)
at
org.apache.tomee.catalina.GlobalListenerSupport.lifecycleEvent(
GlobalListenerSupport.java:141)
at
org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(
LifecycleBase.java:94)
at
org.apache.catalina.core.ContainerBase.backgroundProcess(
ContainerBase.java:1164)
at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.
processChildren(ContainerBase.java:1388)
at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.
processChildren(ContainerBase.java:1392)
at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.
run(ContainerBase.java:1360)
at java.lang.Thread.run(Thread.java:748)
Below is the repeating exception.
Jun 26, 2018 11:41:50 AM sun.reflect.NativeMethodAccessorImpl invoke
java.security.AccessControlException: access denied
("java.io.FilePermission" "C:\IBM\liferay\tomee\webapps\ROOT.war" "read")
at
java.security.AccessControlContext.checkPermission(
AccessControlContext.java:472)
at
java.security.AccessController.checkPermission(AccessController.java:884)
at
java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
at java.io.File.exists(File.java:814)
at
org.apache.catalina.startup.HostConfig.checkResources(
HostConfig.java:1296)
at
org.apache.catalina.startup.HostConfig.check(HostConfig.java:1623)
at
org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:314)
at
org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(
LifecycleBase.java:94)
at
org.apache.catalina.core.ContainerBase.backgroundProcess(
ContainerBase.java:1164)
at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.
processChildren(ContainerBase.java:1388)
at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.
processChildren(ContainerBase.java:1392)
at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.
run(ContainerBase.java:1360)
at java.lang.Thread.run(Thread.java:748)
What am I missing? I can see that the exception implies additional
permissions, but why doesn't my blanket grant of all permission in the
catalina policy file cover this?
Ross
This electronic message and any attachments may contain confidential or
privileged information, and is intended only for the individual or entity
identified above as the addressee. If you are not the addressee (or the
employee or agent responsible to deliver it to the addressee), or if this
message has been addressed to you in error, you are hereby notified that
you may not copy, forward, disclose or use any part of this message or any
attachments. Please notify the sender immediately by return e-mail or
telephone and delete this message from your system.

r***@e1b.org

2018-06-27 17:12:29 UTC

Permalink

I'm running 7.0.4. I have been deploying to webapps (<Deployments
dir="apps" /> remains commented).

Ross

From: "Jonathan Gallimore" <***@gmail.com>
To: ***@tomee.apache.org,
Date: 06/27/2018 12:22 PM
Subject: Re: EAR deployment

Hi

What version of TomEE are you running?

Are you deploying your EAR from webapps, or from apps with <Deployments
dir="apps" /> added in tomee.xml?

Regards

Jon

java.security.AccessController.checkPermission(AccessController.java:884)

Post by r***@e1b.org
at
java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.Thread.setContextClassLoader(Thread.java:1474)
at
org.apache.openejb.log.LoggerCreator$Get.exec(LoggerCreator.java:94)
at
org.apache.openejb.log.LoggerCreator$Get.exec(LoggerCreator.java:105)
at

org.apache.openejb.util.JuliLogStream.isWarnEnabled(JuliLogStream.java:61)

Post by r***@e1b.org
at
org.apache.openejb.util.Logger.isWarningEnabled(Logger.java:425)
at org.apache.openejb.util.Logger.warning(Logger.java:646)
at
org.apache.tomee.catalina.TomcatWebAppBuilder.checkHost(
TomcatWebAppBuilder.java:2233)
at
org.apache.tomee.catalina.GlobalListenerSupport.lifecycleEvent(
GlobalListenerSupport.java:141)
at
org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(
LifecycleBase.java:94)
at
org.apache.catalina.core.ContainerBase.backgroundProcess(
ContainerBase.java:1164)
at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.
processChildren(ContainerBase.java:1388)
at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.
processChildren(ContainerBase.java:1392)
at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.
run(ContainerBase.java:1360)
at java.lang.Thread.run(Thread.java:748)
Below is the repeating exception.
Jun 26, 2018 11:41:50 AM sun.reflect.NativeMethodAccessorImpl invoke
java.security.AccessControlException: access denied
("java.io.FilePermission" "C:\IBM\liferay\tomee\webapps\ROOT.war" "read")
at
java.security.AccessControlContext.checkPermission(
AccessControlContext.java:472)
at

java.security.AccessController.checkPermission(AccessController.java:884)

Post by r***@e1b.org
at
java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
at java.io.File.exists(File.java:814)
at
org.apache.catalina.startup.HostConfig.checkResources(
HostConfig.java:1296)
at
org.apache.catalina.startup.HostConfig.check(HostConfig.java:1623)
at

org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:314)

Post by r***@e1b.org
at
org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(
LifecycleBase.java:94)
at
org.apache.catalina.core.ContainerBase.backgroundProcess(
ContainerBase.java:1164)
at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.
processChildren(ContainerBase.java:1388)
at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.
processChildren(ContainerBase.java:1392)
at
org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.
run(ContainerBase.java:1360)
at java.lang.Thread.run(Thread.java:748)
What am I missing? I can see that the exception implies additional
permissions, but why doesn't my blanket grant of all permission in the
catalina policy file cover this?
Ross
This electronic message and any attachments may contain confidential or
privileged information, and is intended only for the individual or entity
identified above as the addressee. If you are not the addressee (or the
employee or agent responsible to deliver it to the addressee), or if this
message has been addressed to you in error, you are hereby notified that
you may not copy, forward, disclose or use any part of this message or any
attachments. Please notify the sender immediately by return e-mail or
telephone and delete this message from your system.

--
BEGIN-ANTISPAM-VOTING-LINKS
------------------------------------------------------

Teach CanIt if this mail (ID 01W3QmO1O) is spam:
Spam:
https://milton-web.wnyric.org/canit/b.php?c=s&i=01W3QmO1O&m=2bb7a21db8c9&t=20180627

Not spam:
https://milton-web.wnyric.org/canit/b.php?c=n&i=01W3QmO1O&m=2bb7a21db8c9&t=20180627

Forget vote:
https://milton-web.wnyric.org/canit/b.php?c=f&i=01W3QmO1O&m=2bb7a21db8c9&t=20180627

------------------------------------------------------
END-ANTISPAM-VOTING-LINKS

Confidentiality Notice:
This electronic message and any attachments may contain confidential or
privileged information, and is intended only for the individual or entity
identified above as the addressee. If you are not the addressee (or the
employee or agent responsible to deliver it to the addressee), or if this
message has been addressed to you in error, you are hereby notified that
you may not copy, forward, disclose or use any part of this message or any
attachments. Please notify the sender immediately by return e-mail or
telephone and delete this message from your system.

Romain Manni-Bucau

2018-06-27 20:54:33 UTC

Permalink

Hi

can you confirm it works without the security manager enabled?

Also can you check connecting on the JVM through JMX that the right policy
file is used and tomcat didn't override the one you thought using?

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> | Blog
<https://rmannibucau.metawerx.net/> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
<https://www.packtpub.com/application-development/java-ee-8-high-performance>

Post by r***@e1b.org
I'm running 7.0.4. I have been deploying to webapps (<Deployments
dir="apps" /> remains commented).
Ross
Date: 06/27/2018 12:22 PM
Subject: Re: EAR deployment
Hi
What version of TomEE are you running?
Are you deploying your EAR from webapps, or from apps with <Deployments
dir="apps" /> added in tomee.xml?
Regards
Jon

control

Post by r***@e1b.org
exception (FilePermission).
INFO: Created Ejb(deployment-id=CloseEventsBean,
ejb-name=CloseEventsBean,
container=Default Singleton Container)
Jun 26, 2018 11:41:40 AM org.apache.openejb.assembler.classic.Assembler
startEjbs
INFO: Created Ejb(deployment-id=ManagerReminderBean,
ejb-name=ManagerReminderBean, container=Default Singleton Container)
Jun 26, 2018 11:41:40 AM sun.reflect.NativeMethodAccessorImpl invoke
java.security.AccessControlException: access denied
("java.lang.RuntimePermission" "setContextClassLoader")
at
java.security.AccessControlContext.checkPermission(
AccessControlContext.java:472)
at

java.security.AccessController.checkPermission(AccessController.java:884)

org.apache.openejb.util.JuliLogStream.isWarnEnabled(JuliLogStream.java:61)

"read")

Post by r***@e1b.org
at
java.security.AccessControlContext.checkPermission(
AccessControlContext.java:472)
at

java.security.AccessController.checkPermission(AccessController.java:884)

org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:314)

entity

Post by r***@e1b.org
identified above as the addressee. If you are not the addressee (or the
employee or agent responsible to deliver it to the addressee), or if

this

Post by r***@e1b.org
message has been addressed to you in error, you are hereby notified that
you may not copy, forward, disclose or use any part of this message or

any

Post by r***@e1b.org
attachments. Please notify the sender immediately by return e-mail or
telephone and delete this message from your system.

--
BEGIN-ANTISPAM-VOTING-LINKS
------------------------------------------------------
https://milton-web.wnyric.org/canit/b.php?c=s&i=01W3QmO1O&m=2bb7a21db8c9&t=20180627
https://milton-web.wnyric.org/canit/b.php?c=n&i=01W3QmO1O&m=2bb7a21db8c9&t=20180627
https://milton-web.wnyric.org/canit/b.php?c=f&i=01W3QmO1O&m=2bb7a21db8c9&t=20180627
------------------------------------------------------
END-ANTISPAM-VOTING-LINKS
This electronic message and any attachments may contain confidential or
privileged information, and is intended only for the individual or entity
identified above as the addressee. If you are not the addressee (or the
employee or agent responsible to deliver it to the addressee), or if this
message has been addressed to you in error, you are hereby notified that
you may not copy, forward, disclose or use any part of this message or any
attachments. Please notify the sender immediately by return e-mail or
telephone and delete this message from your system.

r***@e1b.org

2018-06-28 15:19:06 UTC

Permalink

So:

1. With the security manager disabled, the ear deploys fine, ejb's
instantitiate, initialize, etc -- no errors at all!

2. I connected to the running jvm with jmx, and poked around for a while,
but could not find where it specified the policy file Tomcat was using.
Can I get a hint as to where this info is?

Thanks,
Ross

From: "Romain Manni-Bucau" <***@gmail.com>
To: ***@tomee.apache.org,
Date: 06/27/2018 04:54 PM
Subject: Re: EAR deployment

Hi

can you confirm it works without the security manager enabled?

Also can you check connecting on the JVM through JMX that the right policy
file is used and tomcat didn't override the one you thought using?

Romain Manni-Bucau
@rmannibucau <
https://milton-web.wnyric.org/canit/urlproxy.php?_q=aHR0cHM6Ly90d2l0dGVyLmNvbS9ybWFubmlidWNhdQ%3D%3D&_s=ZXJpZTE%3D&_c=7b6344b3

Post by Romain Manni-Bucau
| Blog

<
https://milton-web.wnyric.org/canit/urlproxy.php?_q=aHR0cHM6Ly9ybWFubmlidWNhdS5tZXRhd2VyeC5uZXQv&_s=ZXJpZTE%3D&_c=03b3f7d2

Post by Romain Manni-Bucau
| Old Blog

<
https://milton-web.wnyric.org/canit/urlproxy.php?_q=aHR0cDovL3JtYW5uaWJ1Y2F1LndvcmRwcmVzcy5jb20%3D&_s=ZXJpZTE%3D&_c=7ac52c4b

Post by Romain Manni-Bucau
| Github <

https://milton-web.wnyric.org/canit/urlproxy.php?_q=aHR0cHM6Ly9naXRodWIuY29tL3JtYW5uaWJ1Y2F1&_s=ZXJpZTE%3D&_c=d53ffcf9

Post by Romain Manni-Bucau
|

LinkedIn <
https://milton-web.wnyric.org/canit/urlproxy.php?_q=aHR0cHM6Ly93d3cubGlua2VkaW4uY29tL2luL3JtYW5uaWJ1Y2F1&_s=ZXJpZTE%3D&_c=aff046f7

Post by Romain Manni-Bucau
| Book

<
https://milton-web.wnyric.org/canit/urlproxy.php?_q=aHR0cHM6Ly93d3cucGFja3RwdWIuY29tL2FwcGxpY2F0aW9uLWRldmVsb3BtZW50L2phdmEtZWUtOC1oaWdoLXBlcmZvcm1hbmNl&_s=ZXJpZTE%3D&_c=5ede79c4

Post by Romain Manni-Bucau
I'm running 7.0.4. I have been deploying to webapps (<Deployments
dir="apps" /> remains commented).
Ross
Date: 06/27/2018 12:22 PM
Subject: Re: EAR deployment
Hi
What version of TomEE are you running?
Are you deploying your EAR from webapps, or from apps with <Deployments
dir="apps" /> added in tomee.xml?
Regards
Jon

control

Post by r***@e1b.org
exception (FilePermission).
INFO: Created Ejb(deployment-id=CloseEventsBean,
ejb-name=CloseEventsBean,
container=Default Singleton Container)
Jun 26, 2018 11:41:40 AM

org.apache.openejb.assembler.classic.Assembler