This article describes how to run Semarchy xDM under Tomcat using a Security Manager, which is a good practice to improve security with this application server.

The Tomcat Security Manager

The Security Manager is a Java component that aims at protecting the host operating system and segregating the different code bases running under Tomcat.

With the Security Manager, Contexts to be run within individual silos called sandboxes. Each sandbox can be configured with different privileges, providing more control over their access to system resources.

For detailed information about running Tomcat with SecurityManager, visit the official Tomcat documentation.

Enabling the Security Manager on Tomcat

  • Open the catalina.policy file under <tomcat_home>/conf
  • Add the following content at the end of the file:
grant codeBase ""file:${catalina.home}/webapps/semarchy/-"" {
 permission java.security.AllPermission;
 };
  • If other applications are running on the same Tomcat server, you may need to add additional permissions for them.
  • Run Tomcat with the -security parameter

Under Windows:

startup -security

Under Linux:

./startup.sh -security

Important note about Java 8

If Tomcat is running on Java 8, activating the Security Manager will trigger errors in the catalina.out file:

07-Oct-2020 11:01:29.991 INFO [Blueprint Extender: 1] org.apache.catalina.loader.WebappClassLoaderBase.loadClass Security violation, attempt to use restricted class [jdk.internal.dynalink.support.messages]
 java.security.AccessControlException: access denied (""java.lang.RuntimePermission"" ""accessClassInPackage.jdk.internal.dynalink.support"")
  at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
  at java.security.AccessController.checkPermission(AccessController.java:886)
  at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
  at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1564)
  at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1301)
  at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1188)

These errors are due to a bug in Tomcat and are not blocking xDM from executing properly. Meanwhile, to avoid these from happening, apply the following workaround:

  • Open the server.xml file under <tomcat_home>/conf
  • Add the following XML block after existing listeners:
<Listener className=""org.apache.catalina.core.JreMemoryLeakPreventionListener""
 classesToInitialize=""jdk.internal.dynalink.support.Guards"" />