You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by "Craig R. McClanahan" <Cr...@eng.sun.com> on 2001/01/19 23:00:22 UTC
[PROPOSAL] Tomcat 4.0-beta API Change: Security Manager Facades
BACKGROUND:
One of the unique (AFAIK) features of Tomcat 3.2 as a servlet container is the
fact that you can choose to run Tomcat under a Java SecurityManager (when
running under a Java2 JDK), with corresponding fine-grained control over the
resources that a particular web application can access. In addition, the
security manager can be used to constrain an application from accessing Tomcat
internals (for example, by trying to cast the HttpServletRequest it receives
back to the Tomcat internal implementation class).
This feature has long been on the wish list for 4.0, and recently Glenn Nielsen
<gl...@voyager.apg.more.net> has volunteered to complete it. Those involved in
3.2 will recall that Glenn was also the primary "mover and shaker" in
implementing the security manager feature there.
Currently, as a stopgap security measure, Tomcat 4.0's web application
classloader implements some specific restrictions on access to particular Java
packages -- for example, an application level class is not allowed to load any
class in the org.apache.catalina.* hierarchy. While this does indeed protect
the internal implementation classes, it becomes redundant once running under a
security manager is installed -- the checkPackageAccess() method serves this
purpose in a much more powerful and controlled approach.
THE CURRENT SITUATION:
Currently, the internal object that implements the Java Servlet API objects
exposed to application components implement the corresponding API interfaces
directly. For example:
public class StandardSession
implements HttpSession, Session, Serializable {
...
}
so that, when an application calls request.getSession, an instance of this class
(suitably cast to HttpSession) is returned. The application cannot cast the
returned object to an org.apache.catalina.session.StandardSession, because of
the customized restrictions implemented in the web application class loader.
Switching to the security manager for protection requires a change in this
approach, because the security permissions of a StandardSession are based on
where *that* class was loaded from, and not from the interfaces it implements.
THE PROPOSAL:
For each Servlet API interface that represents an internal Catalina object
exposed to an application object, create a new
org.apache.catalina.facade.XxxxxFacade class according to the following basic
pattern:
* Pass the internal object to the constructor (the facade
will be a wrapper around it).
* Implement the appropriate servlet API interface (so the
facade object can be passed to application components)
* For each public method in the interface, implement a doPrivileged
block that calls the corresponding method on the underlying
internal Catalina object.
For example, the session facade object would look something like this:
package org.apache.catalina.facade;
import javax.servlet.http.HttpSession;
import org.apache.catalina.Session;
public class SessionFacade implements HttpSession {
protected Session session = null;
public SessionFacade(Session session) {
super();
this.session = session;
}
public String getId() {
AccessController.doPrivileged(
new PrivilegedAction()
{
public Object run() {
return (session.getId());
}
}
);
}
... same pattern for all other public methods ...
}
Additionally, the logic that implements request.getSession() would be modified
to look up and return the facade object associated with the current session,
instead of the actual StandardSession object itself.
RECOMMENDATION:
Implementing the remainder of the security manager logic in Tomcat 4.0 was part
of the agreed-upon original release plan, and Glenn has volunteered to undertake
the other changes necessary to Catalina and Jasper to make this happen (and
there are lots of them -- thanks Glenn!). It seems that adding the facade
classes, according to the pattern described above, will be necessary to complete
this work.
Therefore, I feel we should implement this change in Tomcat 4.0, and create a
new beta to allow testing of the results. This can be done in the same beta
release with the changes for the Valve API if that is also agreed upon.
However, I'm currently committed on other activities. In order to achieve these
changes in a timely manner, I'm looking for a volunteer to implement these
changes, if the proposal is accepted.
Comments?
Craig
Re: [PROPOSAL] Tomcat 4.0-beta API Change: Security Manager Facades
Posted by Jason Brittain <ja...@olliance.com>.
Remy Maucherat wrote:
> Quoting "Craig R. McClanahan" <Cr...@eng.sun.com>:
>
>> org.apache.catalina.facade.XxxxxFacade
>
>
> Nice package name. I wonder where you got it :)
>
:)
Unless I understand wrong, isn't a "facade" already a well known feature
that allows Tomcat 3.x to use more than one different version of the
Servlet API? Am I wrong and it does more than just that?
If I'm right, that means you're proposing to use the name "facade"
in the Tomcat 4 codebase to have a completely different meaning,
right? If this is the case, could we instead use a different name? I'm
not sure what name I would use.. "sandbox" maybe?
--
Jason Brittain
Software Engineer, Olliance Inc. http://www.Olliance.com
Current Maintainer, Locomotive Project http://www.Locomotive.org
welcome-file
Posted by Jayesh <ja...@yahoo.com>.
I tried configuring welcome-file attribute like below.
<welcome-file-list>
<welcome-file>
HomePage.jsp
</welcome-file>
</welcome-file-list>
It doesn't work.
Please help.
Jayesh
_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com
Re: sendRedirect, include and forward don't work with mod_jk and non
standard ssl port
Posted by Hans Bergsten <ha...@gefionsoftware.com>.
Filip Hanik wrote:
>
> Even in Ajp13 there is still a bug.
>
> In the API docs for javax.servlet.ServletRequest.getRequestDispatcher it
> says
> "The pathname specified may be relative, although it cannot extend outside
> the current servlet context. If the path begins with a "/" it is interpreted
> as relative to the current context root. This method returns null if the
> servlet container cannot return a RequestDispatcher."
>
> but it turns out that I can't say
> getRequestDispatcher("myhtml.html"); because it throws an array index out of
> bounds exception.
>
> java.lang.StringIndexOutOfBoundsException: String index out of range: -1
> at java.lang.String.substring(String.java:1503)
> at org.apache.tomcat.util.FileUtil.catPath(FileUtil.java:109)
> [...]
> getRequestDispatcher("/myhtml.html"); works fine however.
>
> should I file the bug report, if so where?
Yes, at this URL: <http://jakarta.apache.org/site/bugs.html>
Hans
--
Hans Bergsten hans@gefionsoftware.com
Gefion Software http://www.gefionsoftware.com
Author of JavaServer Pages (O'Reilly), http://TheJSPBook.com
Re: sendRedirect, include and forward don't work with mod_jk and non standard ssl port
Posted by Filip Hanik <fi...@filip.net>.
Even in Ajp13 there is still a bug.
In the API docs for javax.servlet.ServletRequest.getRequestDispatcher it
says
"The pathname specified may be relative, although it cannot extend outside
the current servlet context. If the path begins with a "/" it is interpreted
as relative to the current context root. This method returns null if the
servlet container cannot return a RequestDispatcher."
but it turns out that I can't say
getRequestDispatcher("myhtml.html"); because it throws an array index out of
bounds exception.
java.lang.StringIndexOutOfBoundsException: String index out of range: -1
at java.lang.String.substring(String.java:1503)
at org.apache.tomcat.util.FileUtil.catPath(FileUtil.java:109)
at
org.apache.tomcat.facade.HttpServletRequestFacade.getRequestDispatcher(HttpS
ervletRequestFacade.java:322)
at com.ratexchange.presentation.FilipTest.doGet(FilipTest.java:37)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at
org.apache.tomcat.core.ServletWrapper.doService(ServletWrapper.java:404)
at org.apache.tomcat.core.Handler.service(Handler.java:286)
at
org.apache.tomcat.core.ServletWrapper.service(ServletWrapper.java:372
getRequestDispatcher("/myhtml.html"); works fine however.
should I file the bug report, if so where?
Filip
~
Namaste - I bow to the divine in you.
~
Filip Hanik
Technical Architect
filip@filip.net
----- Original Message -----
From: "Filip Hanik" <fi...@filip.net>
To: <to...@jakarta.apache.org>; <da...@shore.net>
Sent: Friday, January 19, 2001 4:58 PM
Subject: Re: sendRedirect, include and forward don't work with mod_jk and
non standard ssl port
Good catch,
it works fine with the Ajp13 protocol.
so now we know where the problem is. thanks a lot for your help
Filip
~
Namaste - I bow to the divine in you.
~
Filip Hanik
Technical Architect
filip@filip.net
----- Original Message -----
From: "Dan Milstein" <da...@shore.net>
To: <to...@jakarta.apache.org>
Sent: Friday, January 19, 2001 4:46 PM
Subject: Re: sendRedirect, include and forward don't work with mod_jk and
non standard ssl port
I don't know if that will fix the problem, but if you could try that (i.e.
using ajp13 and seeing if you still have this problem), that would
definitely help me narrow this down (and since there seem to be some basic
redirect problems in TC 3.2 / mod_jk, that would be very, very helpful).
Thanks.
-Dan
p.s. What browser are you using?
Filip Hanik wrote:
>
> ajp12
>
> should I try ajp13?
>
> Filip
>
> ~
> Namaste - I bow to the divine in you.
> ~
> Filip Hanik
> Technical Architect
> filip@filip.net
>
> ----- Original Message -----
> From: "Dan Milstein" <da...@shore.net>
> To: <to...@jakarta.apache.org>
> Sent: Friday, January 19, 2001 4:18 PM
> Subject: Re: sendRedirect, include and forward don't work with mod_jk and
> non standard ssl port
>
> Filip,
>
> Which connection protocol are you using? ajp12? ajp13? jserv?
>
> -Dan
>
--
Dan Milstein // danmil@shore.net
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, email: tomcat-dev-help@jakarta.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, email: tomcat-dev-help@jakarta.apache.org
Re: sendRedirect, include and forward don't work with mod_jk and non standard ssl port
Posted by Filip Hanik <fi...@filip.net>.
Good catch,
it works fine with the Ajp13 protocol.
so now we know where the problem is. thanks a lot for your help
Filip
~
Namaste - I bow to the divine in you.
~
Filip Hanik
Technical Architect
filip@filip.net
----- Original Message -----
From: "Dan Milstein" <da...@shore.net>
To: <to...@jakarta.apache.org>
Sent: Friday, January 19, 2001 4:46 PM
Subject: Re: sendRedirect, include and forward don't work with mod_jk and
non standard ssl port
I don't know if that will fix the problem, but if you could try that (i.e.
using ajp13 and seeing if you still have this problem), that would
definitely help me narrow this down (and since there seem to be some basic
redirect problems in TC 3.2 / mod_jk, that would be very, very helpful).
Thanks.
-Dan
p.s. What browser are you using?
Filip Hanik wrote:
>
> ajp12
>
> should I try ajp13?
>
> Filip
>
> ~
> Namaste - I bow to the divine in you.
> ~
> Filip Hanik
> Technical Architect
> filip@filip.net
>
> ----- Original Message -----
> From: "Dan Milstein" <da...@shore.net>
> To: <to...@jakarta.apache.org>
> Sent: Friday, January 19, 2001 4:18 PM
> Subject: Re: sendRedirect, include and forward don't work with mod_jk and
> non standard ssl port
>
> Filip,
>
> Which connection protocol are you using? ajp12? ajp13? jserv?
>
> -Dan
>
--
Dan Milstein // danmil@shore.net
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, email: tomcat-dev-help@jakarta.apache.org
Re: sendRedirect, include and forward don't work with mod_jk and non
standard ssl port
Posted by Dan Milstein <da...@shore.net>.
I don't know if that will fix the problem, but if you could try that (i.e. using ajp13 and seeing if you still have this problem), that would definitely help me narrow this down (and since there seem to be some basic redirect problems in TC 3.2 / mod_jk, that would be very, very helpful).
Thanks.
-Dan
p.s. What browser are you using?
Filip Hanik wrote:
>
> ajp12
>
> should I try ajp13?
>
> Filip
>
> ~
> Namaste - I bow to the divine in you.
> ~
> Filip Hanik
> Technical Architect
> filip@filip.net
>
> ----- Original Message -----
> From: "Dan Milstein" <da...@shore.net>
> To: <to...@jakarta.apache.org>
> Sent: Friday, January 19, 2001 4:18 PM
> Subject: Re: sendRedirect, include and forward don't work with mod_jk and
> non standard ssl port
>
> Filip,
>
> Which connection protocol are you using? ajp12? ajp13? jserv?
>
> -Dan
>
--
Dan Milstein // danmil@shore.net
Re: sendRedirect, include and forward don't work with mod_jk and non standard ssl port
Posted by Filip Hanik <fi...@filip.net>.
ajp12
should I try ajp13?
Filip
~
Namaste - I bow to the divine in you.
~
Filip Hanik
Technical Architect
filip@filip.net
----- Original Message -----
From: "Dan Milstein" <da...@shore.net>
To: <to...@jakarta.apache.org>
Sent: Friday, January 19, 2001 4:18 PM
Subject: Re: sendRedirect, include and forward don't work with mod_jk and
non standard ssl port
Filip,
Which connection protocol are you using? ajp12? ajp13? jserv?
-Dan
Filip Hanik wrote:
>
> neither of the above functions work properly when I am using a non
standard
> port for https (ex: 445 instead of 443)
>
> Apache 1.3.14
> Tomcat 3.2.1 + mod_jk.so
> Open SSL 0.9.6
> mod_ssl 2.7.?-1.3.14
>
> any idea why this is happening?
>
> Filip
> ~
> Namaste - I bow to the divine in you.
> ~
> Filip Hanik
> Technical Architect
> filip@filip.net
--
Dan Milstein // danmil@shore.net
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, email: tomcat-dev-help@jakarta.apache.org
Re: sendRedirect, include and forward don't work with mod_jk and non standard ssl port
Posted by Filip Hanik <fi...@filip.net>.
this is what happens, the sendRedirect or include or forward switches the
url from saying https to say http even though the port is http
/Filip
Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
Hint: https://rpit.ratexchange.net:9701/
----------------------------------------------------------------------------
----
Apache/1.3.14 Server at rpit.ratexchange.net Port 9701
~
Namaste - I bow to the divine in you.
~
Filip Hanik
Technical Architect
filip@filip.net
----- Original Message -----
From: "Dan Milstein" <da...@shore.net>
To: <to...@jakarta.apache.org>
Sent: Friday, January 19, 2001 4:18 PM
Subject: Re: sendRedirect, include and forward don't work with mod_jk and
non standard ssl port
Filip,
Which connection protocol are you using? ajp12? ajp13? jserv?
-Dan
Filip Hanik wrote:
>
> neither of the above functions work properly when I am using a non
standard
> port for https (ex: 445 instead of 443)
>
> Apache 1.3.14
> Tomcat 3.2.1 + mod_jk.so
> Open SSL 0.9.6
> mod_ssl 2.7.?-1.3.14
>
> any idea why this is happening?
>
> Filip
> ~
> Namaste - I bow to the divine in you.
> ~
> Filip Hanik
> Technical Architect
> filip@filip.net
--
Dan Milstein // danmil@shore.net
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, email: tomcat-dev-help@jakarta.apache.org
Re: sendRedirect, include and forward don't work with mod_jk and non
standard ssl port
Posted by Dan Milstein <da...@shore.net>.
Filip,
Which connection protocol are you using? ajp12? ajp13? jserv?
-Dan
Filip Hanik wrote:
>
> neither of the above functions work properly when I am using a non standard
> port for https (ex: 445 instead of 443)
>
> Apache 1.3.14
> Tomcat 3.2.1 + mod_jk.so
> Open SSL 0.9.6
> mod_ssl 2.7.?-1.3.14
>
> any idea why this is happening?
>
> Filip
> ~
> Namaste - I bow to the divine in you.
> ~
> Filip Hanik
> Technical Architect
> filip@filip.net
--
Dan Milstein // danmil@shore.net
sendRedirect, include and forward don't work with mod_jk and non standard ssl port
Posted by Filip Hanik <fi...@filip.net>.
neither of the above functions work properly when I am using a non standard
port for https (ex: 445 instead of 443)
Apache 1.3.14
Tomcat 3.2.1 + mod_jk.so
Open SSL 0.9.6
mod_ssl 2.7.?-1.3.14
any idea why this is happening?
Filip
~
Namaste - I bow to the divine in you.
~
Filip Hanik
Technical Architect
filip@filip.net
----- Original Message -----
From: "Remy Maucherat" <re...@betaversion.org>
To: <to...@jakarta.apache.org>
Sent: Friday, January 19, 2001 3:25 PM
Subject: Re: [PROPOSAL] Tomcat 4.0-beta API Change: Security Manager Facades
Quoting "Craig R. McClanahan" <Cr...@eng.sun.com>:
> Kurt Schrader wrote:
>
> > So what do we need a 4.1 branch for then?
>
> If we take the action Remy recommends, we won't. I'm +1 for this (it
> will certainly
> reduce the effort of double-committing all the changes), if we're
> willing to accept
> the fact that it will increase the time before a 4.0 production quality
> release is
> ready.
Given the delay caused by the security manager support inclusion and the
Valve
modifications, it won't probably cause any additional delay.
> The 4.1 branch was originally created because of a "feature freeze" on
> 4.0. The
> various proposals today are effectively to "unfreeze" the 4.0 branch, so
> that some
> new functionality (already committed on the 4.1 branch) can get moved
> into 4.0
> instead, along with the other proposed changes that would otherwise need
> to be posted
> to both.
>
> We can recreate the 4.1 branch at some future point when 4.0 is
> refrozen.
Agreed.
It that case, I suggest that the 4.1 branch be merged back ASAP. Having a
non-
beta quality web connector in a beta wasn't a good thing anyway, IMO.
I wrongly interpreted the proposal on the security manager, as I was
answering
an email dealing with i18n at the same time (so I'm +1 now).
As Kief suggested, I think that no wrapping should occur if no security
manager
is present (common sense).
There is also a code change needed to provide proper i18n support. Instead
of
putting in a hack in 4.0 to get around one half of the issue, I suggest
instead
that some code is moved from the connector.http package to the connector
package (some buffers, as well as some code which needs to be merged into
HttpRequestBase).
Remy
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, email: tomcat-dev-help@jakarta.apache.org
Re: [PROPOSAL] Tomcat 4.0-beta API Change: Security Manager Facades
Posted by Remy Maucherat <re...@betaversion.org>.
Quoting "Craig R. McClanahan" <Cr...@eng.sun.com>:
> Kurt Schrader wrote:
>
> > So what do we need a 4.1 branch for then?
>
> If we take the action Remy recommends, we won't. I'm +1 for this (it
> will certainly
> reduce the effort of double-committing all the changes), if we're
> willing to accept
> the fact that it will increase the time before a 4.0 production quality
> release is
> ready.
Given the delay caused by the security manager support inclusion and the Valve
modifications, it won't probably cause any additional delay.
> The 4.1 branch was originally created because of a "feature freeze" on
> 4.0. The
> various proposals today are effectively to "unfreeze" the 4.0 branch, so
> that some
> new functionality (already committed on the 4.1 branch) can get moved
> into 4.0
> instead, along with the other proposed changes that would otherwise need
> to be posted
> to both.
>
> We can recreate the 4.1 branch at some future point when 4.0 is
> refrozen.
Agreed.
It that case, I suggest that the 4.1 branch be merged back ASAP. Having a non-
beta quality web connector in a beta wasn't a good thing anyway, IMO.
I wrongly interpreted the proposal on the security manager, as I was answering
an email dealing with i18n at the same time (so I'm +1 now).
As Kief suggested, I think that no wrapping should occur if no security manager
is present (common sense).
There is also a code change needed to provide proper i18n support. Instead of
putting in a hack in 4.0 to get around one half of the issue, I suggest instead
that some code is moved from the connector.http package to the connector
package (some buffers, as well as some code which needs to be merged into
HttpRequestBase).
Remy
RE: [PROPOSAL] Tomcat 4.0-beta API Change: Security ManagerFacades
Posted by Marc Saegesser <ma...@apropos.com>.
> From: Craig R. McClanahan [mailto:Craig.McClanahan@eng.sun.com]
> How about if we create a branch of 4.0, and I check in these
> changes on that
> branch? If things work out well, we can merge back to the main branch --
> otherwise, wel'll have learned what needs to be done to add this
> functionality
> into 4.1.
+1
Re: [PROPOSAL] Tomcat 4.0-beta API Change: Security
ManagerFacades
Posted by Kief Morris <ki...@bitbull.com>.
Craig R. McClanahan typed the following on 10:09 PM 1/19/2001 -0800
>How about if we create a branch of 4.0, and I check in these changes on that
>branch? If things work out well, we can merge back to the main branch --
>otherwise, wel'll have learned what needs to be done to add this functionality
>into 4.1.
+1 This sounds like the right way to do it.
Kief
Re: [PROPOSAL] Tomcat 4.0-beta API Change: Security ManagerFacades
Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Kief Morris wrote:
> Craig R. McClanahan typed the following on 02:59 PM 1/19/2001 -0800
> >> So what do we need a 4.1 branch for then?
> >
> >If we take the action Remy recommends, we won't. I'm +1 for this
>
> OK, I understand the motivations for this. When/how do you think the
> PersistentManager code I submitted last week should be integrated?
> I hate to put more untried code into 4.0, but I'd really like to see it
> committed somewhere where people can try it and I can build onto
> it. I have a number of things I'd like discuss doing with the session
> classes, like refactoring StandardSession into an abstract class and
> implementing the locking/request completion stuff we've discussed
> here.
>
This one has been troubling me too.
I've been looking through the code and like most of what I see so far, and agree
that we need to be able to experiment with it, but not destabilize the base
release. In 4.1, this would have been entirely appropriate -- but not really if
we unfreeze 4.0.
How about if we create a branch of 4.0, and I check in these changes on that
branch? If things work out well, we can merge back to the main branch --
otherwise, wel'll have learned what needs to be done to add this functionality
into 4.1.
> Kief
>
Craig
Re: [PROPOSAL] Tomcat 4.0-beta API Change: Security Manager
Facades
Posted by Kief Morris <ki...@bitbull.com>.
Craig R. McClanahan typed the following on 02:59 PM 1/19/2001 -0800
>> So what do we need a 4.1 branch for then?
>
>If we take the action Remy recommends, we won't. I'm +1 for this
OK, I understand the motivations for this. When/how do you think the
PersistentManager code I submitted last week should be integrated?
I hate to put more untried code into 4.0, but I'd really like to see it
committed somewhere where people can try it and I can build onto
it. I have a number of things I'd like discuss doing with the session
classes, like refactoring StandardSession into an abstract class and
implementing the locking/request completion stuff we've discussed
here.
Kief
Re: [PROPOSAL] Tomcat 4.0-beta API Change: Security Manager Facades
Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Kurt Schrader wrote:
> On Fri, 19 Jan 2001, Remy Maucherat wrote:
>
> > Since it's the API changes day, may I then suggest that we just merge back all
> > the changes done so far in 4.1, which deal with replacing the resources package
> > with JNDI context. It works, and it's solid. I don't feel like we should leave
> > a whole deprecated package in there, that we'll have to support anyway.
>
> So what do we need a 4.1 branch for then?
>
>
If we take the action Remy recommends, we won't. I'm +1 for this (it will certainly
reduce the effort of double-committing all the changes), if we're willing to accept
the fact that it will increase the time before a 4.0 production quality release is
ready.
The 4.1 branch was originally created because of a "feature freeze" on 4.0. The
various proposals today are effectively to "unfreeze" the 4.0 branch, so that some
new functionality (already committed on the 4.1 branch) can get moved into 4.0
instead, along with the other proposed changes that would otherwise need to be posted
to both.
We can recreate the 4.1 branch at some future point when 4.0 is refrozen.
Craig
Re: [PROPOSAL] Tomcat 4.0-beta API Change: Security Manager Facades
Posted by Kurt Schrader <ks...@engin.umich.edu>.
On Fri, 19 Jan 2001, Remy Maucherat wrote:
> Since it's the API changes day, may I then suggest that we just merge back all
> the changes done so far in 4.1, which deal with replacing the resources package
> with JNDI context. It works, and it's solid. I don't feel like we should leave
> a whole deprecated package in there, that we'll have to support anyway.
So what do we need a 4.1 branch for then?
Re: [PROPOSAL] Tomcat 4.0-beta API Change: Security Manager Facades
Posted by Remy Maucherat <re...@betaversion.org>.
Quoting "Craig R. McClanahan" <Cr...@eng.sun.com>:
> org.apache.catalina.facade.XxxxxFacade
Nice package name. I wonder where you got it :)
>* Pass the internal object to the constructor (the facade
> will be a wrapper around it).
>
>* Implement the appropriate servlet API interface (so the
> facade object can be passed to application components)
>
>* For each public method in the interface, implement a doPrivileged
> block that calls the corresponding method on the underlying
> internal Catalina object.
+0.
I would wrap the request and response using the facades at the last moment,
just before going into the filter pipeline.
That way, we only need to implement the standard servlet API functions in the
facade.
Would that work ?
> RECOMMENDATION:
>
> Therefore, I feel we should implement this change in Tomcat 4.0, and
> create a
> new beta to allow testing of the results. This can be done in the same
> beta
> release with the changes for the Valve API if that is also agreed upon.
Since it's the API changes day, may I then suggest that we just merge back all
the changes done so far in 4.1, which deal with replacing the resources package
with JNDI context. It works, and it's solid. I don't feel like we should leave
a whole deprecated package in there, that we'll have to support anyway.
> However, I'm currently committed on other activities. In order to
> achieve these
> changes in a timely manner, I'm looking for a volunteer to implement
> these
> changes, if the proposal is accepted.
>
> Comments?
Remy
Re: [PROPOSAL] Tomcat 4.0-beta API Change: Security Manager Facades
Posted by Glenn Nielsen <gl...@voyager.apg.more.net>.
Looks like there are enough +1's and no -1's to implement the architecture
change required for the SecurityManager.
I was hoping someone more familiar with the Tomcat 4 architecture would step
up to do this. But since one else has, I'll take a stab at it since I am
implementing the SecurityManager.
Regards,
Glenn
"Craig R. McClanahan" wrote:
>
> BACKGROUND:
>
> One of the unique (AFAIK) features of Tomcat 3.2 as a servlet container is the
> fact that you can choose to run Tomcat under a Java SecurityManager (when
> running under a Java2 JDK), with corresponding fine-grained control over the
> resources that a particular web application can access. In addition, the
> security manager can be used to constrain an application from accessing Tomcat
> internals (for example, by trying to cast the HttpServletRequest it receives
> back to the Tomcat internal implementation class).
>
> This feature has long been on the wish list for 4.0, and recently Glenn Nielsen
> <gl...@voyager.apg.more.net> has volunteered to complete it. Those involved in
> 3.2 will recall that Glenn was also the primary "mover and shaker" in
> implementing the security manager feature there.
>
> Currently, as a stopgap security measure, Tomcat 4.0's web application
> classloader implements some specific restrictions on access to particular Java
> packages -- for example, an application level class is not allowed to load any
> class in the org.apache.catalina.* hierarchy. While this does indeed protect
> the internal implementation classes, it becomes redundant once running under a
> security manager is installed -- the checkPackageAccess() method serves this
> purpose in a much more powerful and controlled approach.
>
> THE CURRENT SITUATION:
>
> Currently, the internal object that implements the Java Servlet API objects
> exposed to application components implement the corresponding API interfaces
> directly. For example:
>
> public class StandardSession
> implements HttpSession, Session, Serializable {
>
> ...
>
> }
>
> so that, when an application calls request.getSession, an instance of this class
> (suitably cast to HttpSession) is returned. The application cannot cast the
> returned object to an org.apache.catalina.session.StandardSession, because of
> the customized restrictions implemented in the web application class loader.
>
> Switching to the security manager for protection requires a change in this
> approach, because the security permissions of a StandardSession are based on
> where *that* class was loaded from, and not from the interfaces it implements.
>
> THE PROPOSAL:
>
> For each Servlet API interface that represents an internal Catalina object
> exposed to an application object, create a new
> org.apache.catalina.facade.XxxxxFacade class according to the following basic
> pattern:
>
> * Pass the internal object to the constructor (the facade
> will be a wrapper around it).
>
> * Implement the appropriate servlet API interface (so the
> facade object can be passed to application components)
>
> * For each public method in the interface, implement a doPrivileged
> block that calls the corresponding method on the underlying
> internal Catalina object.
>
> For example, the session facade object would look something like this:
>
> package org.apache.catalina.facade;
>
> import javax.servlet.http.HttpSession;
> import org.apache.catalina.Session;
>
> public class SessionFacade implements HttpSession {
>
> protected Session session = null;
>
> public SessionFacade(Session session) {
> super();
> this.session = session;
> }
>
> public String getId() {
> AccessController.doPrivileged(
> new PrivilegedAction()
> {
> public Object run() {
> return (session.getId());
> }
> }
> );
> }
>
> ... same pattern for all other public methods ...
>
> }
>
> Additionally, the logic that implements request.getSession() would be modified
> to look up and return the facade object associated with the current session,
> instead of the actual StandardSession object itself.
>
> RECOMMENDATION:
>
> Implementing the remainder of the security manager logic in Tomcat 4.0 was part
> of the agreed-upon original release plan, and Glenn has volunteered to undertake
> the other changes necessary to Catalina and Jasper to make this happen (and
> there are lots of them -- thanks Glenn!). It seems that adding the facade
> classes, according to the pattern described above, will be necessary to complete
> this work.
>
> Therefore, I feel we should implement this change in Tomcat 4.0, and create a
> new beta to allow testing of the results. This can be done in the same beta
> release with the changes for the Valve API if that is also agreed upon.
>
> However, I'm currently committed on other activities. In order to achieve these
> changes in a timely manner, I'm looking for a volunteer to implement these
> changes, if the proposal is accepted.
>
> Comments?
>
> Craig
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, email: tomcat-dev-help@jakarta.apache.org
--
----------------------------------------------------------------------
Glenn Nielsen glenn@more.net | /* Spelin donut madder |
MOREnet System Programming | * if iz ina coment. |
Missouri Research and Education Network | */ |
----------------------------------------------------------------------
Re: [PROPOSAL] Tomcat 4.0-beta API Change: Security Manager
Facades
Posted by Kief Morris <ki...@bitbull.com>.
Craig R. McClanahan typed the following on 02:00 PM 1/19/2001 -0800
>THE PROPOSAL:
>
>For each Servlet API interface that represents an internal Catalina object
>exposed to an application object, create a new
>org.apache.catalina.facade.XxxxxFacade class according to the following basic
>pattern:
>
>* Pass the internal object to the constructor (the facade
> will be a wrapper around it).
>
>* Implement the appropriate servlet API interface (so the
> facade object can be passed to application components)
>
>* For each public method in the interface, implement a doPrivileged
> block that calls the corresponding method on the underlying
> internal Catalina object.
Sounds cool. If the application doesn't use the security manager,
will the object simply continue "raw" without being wrapped by
the facade to avoid the added overhead? e.g:
// Raw session
Session mySession = whatever;
if (security_enabled) {
mySession = new SessionFacade (mySession);
}
// Raw or facade session, doesn't really matter
mySession.doStuff();
Kief