You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by Glenn Nielsen <gl...@voyager.apg.more.net> on 2001/09/04 03:27:20 UTC

Re: Extending Server.xml configurability (foradditionalclasspaths)

Rick Mann wrote:
> 
> 
> > Comments:
> >
> > If you need to restrict access to an API for security reasons there are ways
> > to do that using the Java SecurityManager configuration and permissions
> > granted in the security policy file.
> 
> If you tell me how this is done, I'll let you know if that solves my
> problem. Chances are it does not, because I can't give access to a directory
> to the owner of some contexts, and say "put your common classes in here". I
> have to give access to the CATALINA_HOME/lib|classes dir to every owner of a
> context and I don't want to have to do that.
> 
> But I'm always open to suggestion.
> 

This solution only works in Tomcat 4 running with the Java SecurityManager,
the -security option.

Install the jar file for your API in $CATALINA_HOME/lib.
Edit $JAVA_HOME/jre/lib/security/java.security, add the packages
you wish to protect to the properties package.access and package.definition.
With the above java.security configuration a java class can only define
a class in your package or access a class in your package if it is granted
the correct RuntimePermission.  For example, if your package were com.foo.protect
the following permissions within a codebase grant in the catalina.policy file
would allow use of your protected package.

permission java.lang.RuntimePermission "defineClassInPackage.com.foo.protect";
permission java lang.RuntimePermission "accessClassInPackage.com.foo.protect";

Any codebase which did not have the above permissions would throw an
AccessControlException.

See the Tomcat 4 catalina.policy file and the tomcat-security.html doc
for more information.

Regards,

Glenn

----------------------------------------------------------------------
Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------