Tip: Running IT Mill Toolkit Applications in Tomcat with Security Manager

I did not find any info about running an IT Mill Toolkit application in Tomcat when the security manager is turned on. I spent some time figuring out all the required permissions, so I am posting them here.

Turning on the Tomcat Security Manager makes all IT Mill Toolkit applications fail to start by default. You need to add at least the following to catalina.policy:


grant codeBase "file:${catalina.home}/webapps/<YOUR_WAR_NAME_HERE>/WEB-INF/lib/-" {

        // Properties read permissions required to start the IT Mill Toolkit service
        permission java.util.PropertyPermission "com.itmill.toolkit.terminal.gwt.server.Debug", "read";
        permission java.util.PropertyPermission "com.itmill.toolkit.terminal.gwt.server.debug", "read";
        permission java.util.PropertyPermission "com.itmill.toolkit.terminal.gwt.server.testingToolsActive", "read";
        permission java.util.PropertyPermission "com.itmill.toolkit.terminal.gwt.server.testingtoolsactive", "read";
        permission java.util.PropertyPermission "com.itmill.toolkit.terminal.gwt.server.ClassLoader", "read";
        permission java.util.PropertyPermission "com.itmill.toolkit.terminal.gwt.server.classloader", "read";
        permission java.util.PropertyPermission "com.itmill.toolkit.terminal.gwt.server.Resources", "read";
        permission java.util.PropertyPermission "com.itmill.toolkit.terminal.gwt.server.resources", "read";
        permission java.util.PropertyPermission "catalina.home", "read";
        permission java.util.PropertyPermission "user.language", "write";
};

With Apache Tomcat/6.0.18 there still seemed to be some permissions missing at the first application request(!) after server boot.

I did not find a solution for this, but as this affected only the first request/visitor, a simple workaround would be to visit and test the application right after booting the Tomcat server.

You will probably need to add many other permissions for your application to be really useful (to access a db, file, network, etc.), but these should help you get started.

Update: Some more permissions needed if using 5.3.0 RC 5 (or newer):

        permission java.util.PropertyPermission "com.itmill.toolkit.terminal.gwt.server.productionMode", "read";
        permission java.util.PropertyPermission "com.itmill.toolkit.terminal.gwt.server.productionmode", "read";

Maybe the “debug” property permission could be left out now, but I didn’t test that…

It turned out this was exactly the case. I tried turning off the Tomcat security manager (in /etc/init.d/tomcat55) and now it works OK. I don’t need the security manager… yet, so I’ll leave that switched off.
Big thanks for sharing the way to solve it!

I had the same problem with eatj.com hosting, where a Vaadin app can be hosted for free in a trial account. The Vaadin app didn't run there until I added the following lines to catalina.policy through eatj FTP access.

grant codeBase "file:${catalina.home}/webapps/helloworld/WEB-INF/lib/-" {

    // Properties read permissions required to start the IT Mill Toolkit service
    permission java.util.PropertyPermission "com.vaadin.terminal.gwt.server.Debug", "read";
    permission java.util.PropertyPermission "com.vaadin.terminal.gwt.server.debug", "read";
    permission java.util.PropertyPermission "com.vaadin.terminal.gwt.server.testingToolsActive", "read";
    permission java.util.PropertyPermission "com.vaadin.terminal.gwt.server.testingtoolsactive", "read";
    permission java.util.PropertyPermission "com.vaadin.terminal.gwt.server.ClassLoader", "read";
    permission java.util.PropertyPermission "com.vaadin.terminal.gwt.server.classloader", "read";
    permission java.util.PropertyPermission "com.vaadin.terminal.gwt.server.Resources", "read";
    permission java.util.PropertyPermission "com.vaadin.terminal.gwt.server.resources", "read";
    permission java.util.PropertyPermission "com.vaadin.terminal.gwt.server.disable-xsrf-protection", "read";
    permission java.util.PropertyPermission "com.vaadin.terminal.gwt.server.resourceCacheTime", "read";
    permission java.util.PropertyPermission "com.vaadin.terminal.gwt.server.resourcecachetime", "read";
    permission java.util.PropertyPermission "com.vaadin.terminal.gwt.server.widgetset", "read";
    permission java.util.PropertyPermission "catalina.home", "read";
    permission java.util.PropertyPermission "user.language", "write";

};

Hope this will be useful for someone trying Vaadin on eatj.
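
An added example, not part of the posts above: one way to build such a grant block is to collect the "access denied" messages Tomcat logs while the security manager is on, then turn each unique denial into a permission line and flag anything that is not a plain property read for review. The sample log lines are constructed, and the function names are hypothetical; unquoted targets containing spaces (such as some file paths) are not handled.

```python
import re

# Two message styles seen in AccessControlException text: older JVMs print
# (class target actions) unquoted, newer ones quote each field.
QUOTED = re.compile(r'access denied \("([^"]+)" "([^"]*)"(?: "([^"]*)")?\)')
PLAIN = re.compile(r'access denied \((\S+) (\S+?)(?: ([\w,]+))?\)')

def parse_denials(log_text):
    """Return unique (permission class, target, actions) tuples, first-seen order."""
    seen = []
    for line in log_text.splitlines():
        m = QUOTED.search(line) or PLAIN.search(line)
        if m:
            entry = (m.group(1), m.group(2), m.group(3) or "")
            if entry not in seen:
                seen.append(entry)
    return seen

def needs_review(entry):
    """Anything beyond a plain property read should be justified, not pasted."""
    cls, _target, actions = entry
    return not (cls == "java.util.PropertyPermission" and actions == "read")

def render_grant(code_base, entries):
    """Render a catalina.policy grant block scoped to one codeBase."""
    lines = ['grant codeBase "%s" {' % code_base]
    for cls, target, actions in entries:
        perm = '    permission %s "%s"' % (cls, target)
        if actions:
            perm += ', "%s"' % actions
        perm += ";"
        if needs_review((cls, target, actions)):
            perm += "  // REVIEW: not a property read"
        lines.append(perm)
    lines.append("};")
    return "\n".join(lines)

# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = """\
SEVERE: Servlet.init() threw exception
java.security.AccessControlException: access denied (java.util.PropertyPermission com.vaadin.terminal.gwt.server.widgetset read)
java.security.AccessControlException: access denied (java.util.PropertyPermission com.vaadin.terminal.gwt.server.widgetset read)
java.security.AccessControlException: access denied ("java.util.PropertyPermission" "user.language" "write")
java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)
"""

if __name__ == "__main__":
    print(render_grant("file:${catalina.home}/webapps/helloworld/WEB-INF/lib/-",
                       parse_denials(SAMPLE_LOG)))
```

Keeping the grant scoped to the application's own codeBase, as both posts do, means the flagged lines apply only to that webapp's libraries rather than to everything Tomcat loads.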