This change doesn't seem to work with the Tomcat in SL5.5, so it won't be done.

In EGEE, trustmanager and util-java are set up so that the version of the trustmanager used by Tomcat itself can differ from the one used in each webapp.

That has been achieved by putting trustmanager and util-java into Tomcat's server/lib directory along with the bcprov and log4j jars, while each webapp has its own set of these jars in its lib directory. This way each webapp has its own independent versions of these jars, Tomcat has its own, and version updates can be done per service, avoiding having to test and certify all services when one of these libraries changes.

Here is the class loader diagram of Tomcat.

        bootstrap
             | 
         common
             |
          shared
          /      \
     server     webapp

When Tomcat is a stand-alone installation, the trustmanager in server/lib is run first and it adds the BouncyCastle cryptography provider to the provider list for the whole VM. When the webapps run, they see the BouncyCastle provider and use it without problems.

When Tomcat is run behind an Apache HTTP server front end, Apache handles the SSL handshake and Tomcat's SSL is not even configured; a JK connector is used instead. In this case the EGEE library setup causes problems. As the trustmanager in server/lib is not run, it doesn't add the BouncyCastle provider. Thus the first webapp that runs notices that the provider is not set and sets it up itself. All is fine for that webapp. But the other webapps see that the provider is set, and when they try to use it they fail, because the BouncyCastle instance added to the providers list comes from the first webapp and its class loader, and there is strong isolation between webapps. Thus the provider the other webapps try to use is inaccessible to them.

The way to solve the class loader problem is to move the BouncyCastle bcprov library to Tomcat's common/lib and remove it from all the webapp library directories. That way the BouncyCastle provider set up by the first webapp comes from the common class loader and is therefore accessible to all webapps.
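The following start-up check makes the class loader condition described above visible from inside a webapp. It is an added illustration, not code from this page nor from trustmanager or util-java: the class name BcProviderCheck, the State enum and its method names are hypothetical, and it assumes bcprov (org.bouncycastle.jce.provider.BouncyCastleProvider) is on the calling webapp's classpath. It registers the "BC" provider when none exists, and otherwise compares the Class object of the already registered provider with the one this webapp sees: they are identical only when both were loaded by a loader the webapps share (common/lib in the diagram), which is exactly what moving bcprov out of the webapp lib directories achieves.

```java
import java.security.Provider;
import java.security.Security;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

/**
 * Hypothetical start-up helper (added example, not part of the wiki page or
 * of trustmanager/util-java). Tells a webapp whether the "BC" provider that
 * is registered in the JVM is usable from its own class loader.
 */
public final class BcProviderCheck {

    /** Outcome of the check, so a caller can log it or fail fast. */
    public enum State {
        /** No "BC" provider was registered yet; this webapp registered it. */
        REGISTERED_HERE,
        /** "BC" is registered and is the same Class we see: shared loader, usable. */
        SHARED_OK,
        /** "BC" is registered but comes from another webapp's loader: not usable here. */
        FOREIGN_LOADER
    }

    private BcProviderCheck() {}

    /** Registers BC if absent, otherwise reports whether the existing one is reachable. */
    public static State ensureUsableProvider() {
        // BouncyCastleProvider.PROVIDER_NAME is the literal "BC".
        Provider existing = Security.getProvider(BouncyCastleProvider.PROVIDER_NAME);
        if (existing == null) {
            // Same path the server/lib trustmanager (or the first webapp) takes:
            // the provider is added for the whole VM.
            Security.addProvider(new BouncyCastleProvider());
            return State.REGISTERED_HERE;
        }
        // Two Class objects with the same name are equal only if the same
        // class loader (or a shared parent such as common) loaded them.
        if (existing.getClass() == BouncyCastleProvider.class) {
            return State.SHARED_OK;
        }
        return State.FOREIGN_LOADER;
    }

    /** One log line naming the loaders involved, useful when diagnosing the JK setup. */
    public static String describe(State state) {
        Provider existing = Security.getProvider(BouncyCastleProvider.PROVIDER_NAME);
        String registeredBy = existing == null
                ? "none"
                : String.valueOf(existing.getClass().getClassLoader());
        String ours = String.valueOf(BouncyCastleProvider.class.getClassLoader());
        return state + " (registered provider loader: " + registeredBy
                + ", this webapp's loader: " + ours + ")";
    }

    public static void main(String[] args) {
        System.out.println(describe(ensureUsableProvider()));
    }
}
```

Called from each webapp's initialisation, the check reports SHARED_OK when bcprov lives in common/lib and FOREIGN_LOADER in the problematic configuration where every webapp ships its own copy and Tomcat's SSL (and thus the server/lib trustmanager) is not in use; the webapp cannot repair the latter itself, since it has no way to replace a provider owned by another webapp's loader, so the log line is the cue to apply the library move described above.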

-- JoniHahkala - 04 Sep 2008

Topic revision: r3 - 2011-04-26 - JoniHahkala