Error 'export failed' when a non-administrator user tries to export a web archive

Article ID: 201007

Products

Data Loss Prevention Enforce

Issue/Introduction

A non-administrator user attempts to export a Web Archive, but it fails with the following error:

In the manager logs at FINEST level you see the following messages:

06 Oct 2020 16:42:36,851- Thread: 125 FINEST [com.vontu.manager.security.VontuPolicy] PERMISSION
 CODE SOURCE: file:/C:/Program%20Files/Symantec/DataLossPrevention/EnforceServer/15.7/Protect/tomcat/webapps/ProtectManager/WEB-INF/lib/manager.jar
 CLASS:       java.io.FilePermission
 NAME:        C:\ArchiveFolder\t3\incident_list.html
 ACTIONS:     write
 AUTHORIZED:  false
06 Oct 2020 16:42:36,851- Thread: 125 FINEST [com.vontu.manager.security.VontuPolicy] PERMISSION
 CODE SOURCE: file:/C:/Program%20Files/Symantec/DataLossPrevention/EnforceServer/15.7/Protect/tomcat/webapps/ProtectManager/WEB-INF/lib/manager.jar
 CLASS:       java.io.FilePermission
 NAME:        C:\ArchiveFolder\t3\incident_list.html
 ACTIONS:     write
 AUTHORIZED:  false
06 Oct 2020 16:42:36,851- Thread: 125 FINEST [com.vontu.manager.security.VontuPolicy] PERMISSION
 CODE SOURCE: file:/C:/Program%20Files/Symantec/DataLossPrevention/EnforceServer/15.7/Protect/tomcat/webapps/ProtectManager/WEB-INF/lib/manager.jar
 CLASS:       java.io.FilePermission
 NAME:        C:\ArchiveFolder\t3\incident_list.html
 ACTIONS:     write
 AUTHORIZED:  true

Cause

  • You move the default Web Archival folder in Protect.properties from the default location of:
    web.archive.home = C:/ProgramData/Symantec/DataLossPrevention/EnforceServer/<ver>/archive

    to a directory that is not a subdirectory of the following path:
    C:/ProgramData/Symantec/DataLossPrevention/EnforceServer/<ver>

    for example:
    web.archive.home = C:/webarchive
  • You create/import a new DLP User
  • You grant the "Web Archive" privilege to a DLP Role and assign the new DLP User to this role

Resolution

As a workaround, add a permission line to manager.policy that covers the custom Web Archival directory (C:/webarchive in the example above; substitute the path set in web.archive.home).

  1. In C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<ver>\Protect\config\manager.policy, look for the block that begins with the following:

    grant codeBase "file:${catalina.home}/webapps/ProtectManager/WEB-INF/lib/-" 
  2. Within this block, add the following line:

    permission java.io.FilePermission "C:/webarchive${/}-", "read,write,delete";
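
Before restarting with the edited policy, you can check that the path in the new permission line covers the denials recorded in the manager log. The Python below is an added example, not vendor code: it parses PERMISSION entries in the format shown above and lists denied paths the proposed line would still not allow. The function names are hypothetical, the sample log is constructed, and the matching approximates the java.io.FilePermission rule that a trailing "-" covers everything below the directory recursively while "*" covers direct children only.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the format of the FINEST entries above (code source shortened).
SAMPLE_LOG = r"""06 Oct 2020 16:42:36,851- Thread: 125 FINEST [com.vontu.manager.security.VontuPolicy] PERMISSION
 CODE SOURCE: file:/C:/example/ProtectManager/WEB-INF/lib/manager.jar
 CLASS:       java.io.FilePermission
 NAME:        C:\ArchiveFolder\t3\incident_list.html
 ACTIONS:     write
 AUTHORIZED:  false
06 Oct 2020 16:42:37,102- Thread: 125 FINEST [com.vontu.manager.security.VontuPolicy] PERMISSION
 CODE SOURCE: file:/C:/example/ProtectManager/WEB-INF/lib/manager.jar
 CLASS:       java.io.FilePermission
 NAME:        C:\webarchive\t3\incident_list.html
 ACTIONS:     write
 AUTHORIZED:  false
"""

ENTRY = re.compile(
    r"PERMISSION\s*\n\s*CODE SOURCE:\s*(?P<source>.+)\n\s*CLASS:\s*(?P<cls>.+)\n"
    r"\s*NAME:\s*(?P<name>.+)\n\s*ACTIONS:\s*(?P<actions>.+)\n\s*AUTHORIZED:\s*(?P<ok>true|false)")

def denied_file_permissions(log_text):
    """Return (path, actions) for every denied java.io.FilePermission check."""
    return [(m["name"].strip(), m["actions"].strip()) for m in ENTRY.finditer(log_text)
            if m["cls"].strip() == "java.io.FilePermission" and m["ok"] == "false"]

def covers(pattern, granted, path, requested):
    """Approximate FilePermission matching: 'dir/-' is recursive, 'dir/*' is direct children."""
    have = {a.strip() for a in granted.split(",")}
    if not {a.strip() for a in requested.split(",")} <= have:
        return False
    pat = PureWindowsPath(pattern.replace("${/}", "\\"))  # ${/} expands to the file separator
    target = PureWindowsPath(path)
    if pat.name == "-":
        return pat.parent in target.parents
    if pat.name == "*":
        return target.parent == pat.parent
    return target == pat

def uncovered_denials(log_text, pattern, granted):
    """Denied paths from the log that the proposed permission line would still not allow."""
    return sorted({p for p, acts in denied_file_permissions(log_text)
                   if not covers(pattern, granted, p, acts)})

if __name__ == "__main__":
    print(uncovered_denials(SAMPLE_LOG, "C:/webarchive${/}-", "read,write,delete"))
```

An empty result means the proposed line covers every denied path in the log. Point the permission at the archive directory itself rather than a parent, since the line grants read, write and delete on everything beneath it.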