The ProtectionDomain class encloses a group of classes whose instances have the same permissions, public keys, and URI. A given class can belong to one and only one ProtectionDomain. For more information on ProtectionDomain, see the Java documentation.
Enabling the JVM Security Manager
Enabling the Security Manager restricts permissions at the application server level. By default, all permissions at that level are disallowed, so legitimate permissions must be added specifically. You must add permissions for JasperReports Server. Doing so does not interfere with server operations because JasperReports Server security restrictions occur on other levels.
Add the enabling code for the Security Manager in the file <apache-tomcat>/conf/catalina.policy. ProtectionDomains can be enabled as defined in the reportsProtectionDomainProvider bean in <js-webapp>/WEB-INF/applicationContext.xml.
To enable the Security Manager and give JasperReports Server full permissions there, add the following code fragment at the end of catalina.policy:
After enabling the manager, you should add the security parameter to your Tomcat startup command. For example:
<apache-tomcat>\bin\startup -security
If you did not add the permissions properly, you will receive errors like the following:
Restoring Disallowed Permissions
The file <js-webapp>/WEB-INF/applicationContext.xml defines the permissions that are allowed for java.security.Class. You might have to use the file to add permissions that enabling the Security Manager has disallowed. On the application level, only specified permissions are granted now, so any application-level permissions you were using have been disallowed. You must write code that restores them.
To help you restore necessary permissions, the following commented sample code is provided in the applicationContext.xml file. For instance, to add permission for read/write access to the /temp folder, you would uncomment the code for the bean class java.io.FilePermission:
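The following is an added example, not code from JasperReports Server or its applicationContext.xml. It builds a ProtectionDomain with a fixed permission set and checks what a java.io.FilePermission grant for the /temp folder actually covers: the target "/temp" matches only the directory entry, "/temp/*" matches files directly inside it, and "/temp/-" also matches everything in its subdirectories. The class name, helper names and sample paths are constructed for illustration.

```java
import java.io.FilePermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class ReportDomainCheck {

    // Build a domain with a fixed (static) permission set, as a restricted
    // domain for report code would have. With the two-argument constructor
    // only these permissions count; the installed Policy is not consulted.
    static ProtectionDomain domainWith(Permission... granted) {
        Permissions perms = new Permissions();
        for (Permission p : granted) {
            perms.add(p);
        }
        // Null location and no certificates: a constructed code source.
        CodeSource source = new CodeSource(null, (Certificate[]) null);
        return new ProtectionDomain(source, perms);
    }

    // Print whether the domain allows the given actions on the given path.
    static void show(ProtectionDomain pd, String path, String actions) {
        boolean ok = pd.implies(new FilePermission(path, actions));
        System.out.printf("  %-22s %-8s %s%n", path, actions, ok ? "granted" : "denied");
    }

    public static void main(String[] args) {
        // Three spellings of "the /temp folder" with different reach.
        String[] targets = { "/temp", "/temp/*", "/temp/-" };
        for (String target : targets) {
            ProtectionDomain pd = domainWith(new FilePermission(target, "read,write"));
            System.out.println("FilePermission \"" + target + "\", \"read,write\"");
            show(pd, "/temp", "read");                // the directory itself
            show(pd, "/temp/out.pdf", "write");       // file directly inside
            show(pd, "/temp/job1/out.pdf", "write");  // file in a subdirectory
            show(pd, "/temp/out.pdf", "delete");      // action never granted
            show(pd, "/etc/hosts", "read");           // outside the folder
        }
    }
}
```

The program runs without the Security Manager enabled, because it calls ProtectionDomain.implies directly, so a candidate grant can be checked before it is put into the configuration.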
Additional Customizations for Previous Versions of Tomcat
For Tomcat versions 6.0.20 and earlier, you also need to add permissions for Groovy scripts in the catalina.policy file and in the protection domain for reports.
In <apache-tomcat>/conf/catalina.policy, permissions to read the JasperReports Server classpath need to be granted to Groovy scripts (which use /groovy/script as their codebase). This change applies to calculated fields in Ad Hoc, which use Groovy to evaluate expressions:
In <js-webapp>/WEB-INF/applicationContext.xml, the same permissions need to be added to reportsProtectionDomainProvider. This change grants access to reports that use the Groovy language, plus reports that need to load additional classes from the JasperReports Server web application:
Also, because of a Tomcat bug found in 6.0.16 and fixed in 6.0.18, the following configuration change is required for JasperReports Server to start properly.
In <apache-tomcat>/conf/catalina.policy, find the section that starts with:
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
Add the following line in that section: