For our Kunagi Java web application, we have a signed kunagi.jar file that contains our classes along with classes from the built-in Tomcat 6. This works fine when run with java -jar kunagi.jar.
But when starting from Java WebStart, I get an exception while the built-in Tomcat starts up:
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.deploy)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:393)
    at java.security.AccessController.checkPermission(AccessController.java:553)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1529)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:291)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:266)
    at net.sourceforge.jnlp.runtime.JNLPClassLoader.loadClass(JNLPClassLoader.java:1018)
    at java.lang.Class.getDeclaredMethods0(Native Method)
    at java.lang.Class.privateGetDeclaredMethods(Class.java:2444)
    at java.lang.Class.getMethod0(Class.java:2687)
    at java.lang.Class.getMethod(Class.java:1620)
    at org.apache.catalina.startup.SetPublicIdRule.begin(WebRuleSet.java:639)
    at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1276)
    ... 33 more
Of course kunagi.jar is signed, otherwise it would not even start. It seems Java WebStart allows Java Security globally, which the embedded Tomcat somehow "inherits" and cannot be initialized.
Here is the JNLP file:
<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="http://kunagi.org/webstart" href="kunagi.jnlp">
    <information>
        <title>Kunagi</title>
        <vendor>Kunagi Team</vendor>
        <homepage href="http://kunagi.org"/>
        <description>SCRUM Tool</description>
        <description kind="short">SCRUM Tool</description>
        <offline-allowed/>
    </information>
    <security>
        <all-permissions/>
    </security>
    <resources>
        <j2se version="1.6+" href="http://java.sun.com/products/autodl/j2se"/>
        <jar href="kunagi.jar" main="true" />
    </resources>
    <application-desc name="Kunagi" main-class="katokorbo.Katokorbo"/>
    <update check="always"/>
</jnlp>
Is there a way to disable security checks for Tomcat inside Java WebStart? Or how can I configure embedded Tomcat to allow access to org.apache.catalina... ?
Witek
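
A diagnostic for the failure in the question, added here and not part of the original post or of Kunagi or Tomcat: the trace shows the denial coming from SecurityManager.checkPackageAccess, which consults the JDK's package.access security property and only runs when a SecurityManager is installed. The class name PackageAccessProbe and the helper restrictingPrefix are hypothetical; running it once with java -jar and once from the JNLP launch shows what differs between the two environments.

```java
import java.security.Security;

// Added diagnostic, not Kunagi or Tomcat code. Class and method names are hypothetical.
public class PackageAccessProbe {

    // Returns the entry of the "package.access" security property that
    // restricts pkg, or null if no entry covers it.
    static String restrictingPrefix(String pkg, String packageAccess) {
        if (packageAccess == null) return null;
        for (String entry : packageAccess.split(",")) {
            String prefix = entry.trim();
            if (prefix.length() == 0) continue;
            // Same rule the JDK applies: the package name starts with the
            // entry, or equals the entry once its trailing dot is ignored.
            if (pkg.startsWith(prefix) || prefix.equals(pkg + ".")) return prefix;
        }
        return null;
    }

    public static void main(String[] args) {
        // Default is the package named in the AccessControlException above.
        String pkg = args.length > 0 ? args[0] : "org.apache.catalina.deploy";
        SecurityManager sm = System.getSecurityManager();
        String restricted = Security.getProperty("package.access");

        System.out.println("SecurityManager: "
                + (sm == null ? "none" : sm.getClass().getName()));
        System.out.println("package.access : " + restricted);
        System.out.println("entry covering " + pkg + ": "
                + restrictingPrefix(pkg, restricted));

        if (sm == null) {
            System.out.println("No SecurityManager installed, so package access is never checked.");
            return;
        }
        try {
            // Throws if the package is restricted and some frame on this
            // call stack lacks RuntimePermission accessClassInPackage.<pkg>.
            sm.checkPackageAccess(pkg);
            System.out.println("checkPackageAccess passed for this call stack.");
        } catch (SecurityException e) {
            System.out.println("checkPackageAccess denied: " + e.getMessage());
        }
    }
}
```

The value of package.access can be changed at run time, so the output reflects the moment the probe runs; calling the same checks just before the embedded Tomcat is started gives the state that the failing class load sees.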