Vadim's Notes

Running Cocoon Under SecurityManager

Here are few tips on how it's possible to run Apache Cocoon under the SecurityManager. I'm assuming here that Cocoon is deployed into the Apache Tomcat 5 application server which is started with:

  catalina start -security

So, in order to make Cocoon run in this environment, follow these steps:

• Make sure your Cocoon is compiled from SVN revision 159598 or later. This means Cocoon 2.1.8 release or later.
• Make sure excalibur URLSource class is SVN revision 159586 or later.
• Edit WEB-INF/cocoon.xconf file to replace EHCache with default store implementation:

  <store logger="core.store"
         class="org.apache.cocoon.components.store.impl.DefaultStore">
    <parameter name="maxobjects" value="1000"/>
    <parameter name="use-persistent-cache" value="false"/>
  </store>
  

  (EHCache tries to set java.tmp.dir - that shouldn't be allowed.)
• Edit WEB-INF/logkit.xconf and point to directory with write access (I'll use in this example Cocoon working directory):

  <filename>${work-directory}/logs/cocoon.log</filename>
  

• And finally, edit $CATALINA_HOME/conf/catalina.policy. Add following entries to the last grant block:

  // File Encoding Property
  permission java.util.PropertyPermission "file.property", "read";
  
  // XML SAX and DOM Parsers Configuration Properties
  permission java.util.PropertyPermission "org.xml.sax.driver", "read";
  permission java.util.PropertyPermission "org.apache.cocoon.components.parser.Parser", "read";
  permission java.util.PropertyPermission "org.apache.excalibur.xml.sax.SAXParser", "read";
  permission java.util.PropertyPermission "javax.xml.parsers.SAXParserFactory", "read";
  permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory", "read";
  
  // XML Catalog Properties
  permission java.util.PropertyPermission "xml.catalog.ignoreMissing", "read";
  permission java.util.PropertyPermission "xml.catalog.files", "read";
  permission java.util.PropertyPermission "xml.catalog.staticCatalog", "read";
  permission java.util.PropertyPermission "xml.catalog.className", "read";
  permission java.util.PropertyPermission "xml.catalog.prefer", "read";
  permission java.util.PropertyPermission "user.dir", "read";
  
  // Cocoon ClassLoader
  permission java.lang.RuntimePermission "createClassLoader";
  

With the above config, you get nicely working Cocoon core with one caveat: there is some class loading issue with flow, even if you give it all permissions it needs. Weird. If you have luck with it, let me know.