Posted to dev@tomcat.apache.org by Glenn Nielsen <gl...@voyager.apg.more.net> on 2000/04/20 05:33:01 UTC

Using SecurityManager to set JSP execution security policy

Hi,

I haven't installed Tomcat yet but I grepped through the code and found
that the AdaptiveClassLoader class uses the Security Manager.  Does that
mean that it is possible to implement a security policy for execution of
JSP in the JVM java.policy file?

Something like this?

grant codeBase "file:/some/path/to/tomcat/work/*" {
   // permissions
};

If very restrictive permissions were set, would that cause the servlet
which is generated from the JSP to generate a SecurityException when
it is run?  (I did a grep for Privileged and did not find anything)

If the JSP were able to run, then for any beans or tag libraries installed
on the server which used classes/methods that would generate a SecurityException
could have the code surrounded by beginPrivileged()/endPrivileged()?

We are very interested in pushing out to over 500 web publishers (non programmers)
the ability to publish dynamic content using JSP 1.1 by solely using beans
and/or tag libraries.  Not being able to implement Security for JSP is
a show stopper for us.

Regards,

Glenn

----------------------------------------------------------------------
Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------

Re: Using SecurityManager to set JSP execution security policy

Posted by co...@costin.dnt.ro.
> Both below and in the Tomcat README, JDK1.1 compatibility is mentioned.
> 
> The JDK1.2 SecurityManager is a great deal more flexible and extensible
> than JDK1.1.
> 
> You mention below using a java.policy file, wasn't that introduced in JDK1.2?
> 
> I would prefer implementing a JDK1.2 SecurityManager.  But how can this
> fit in with JDK1.1 compatibility?

JDK1.2 has much more "powerful" security mechanisms, and even if it may
be possible to implement security using JDK1.1 ( applets are working
fine), probably the best use of the time is to just use JDK1.2.

The security can be implemented as a component, without breaking
compatibility with JDK1.1 - we'll enable it only if JDK1.2 is detected and
use conditional compilation, etc. 

> Will the SecurityManager only be available when Tomcat is used with 1.2?
> Is that what you meant below when referring to using two different jar
> files for Tomcat?  The first jar contains Tomcat w/o Security, the second
> when installed adds and/or overwrites classes that implement security?

I think we should define a "basic tomcat" with only the core classes, and
various "plug-in" components - like Apache adapter, security, various
special modes like "non-file-system-based", deployment tools, etc.


> By TomcatPermissions you mean Tomcat objects that are currently private,
> but administrative servlets could if granted permission by the SecurityManager
> gain access to reading/setting private variables or calling internal Tomcat
> methods?

Yes. With standard permissions we can control file system and network
access, but we need a special Permission for accessing tomcat core ( a
servlet will see only the API interfaces and nothing more without this 
permission). Thanks to Facades it is possible to have only a single
"gate" between servlets and internal core, and keep everything outside
core in a different "codebase" with very restrictive permissions.



> Just trying to think through the design issues for a Tomcat SecurityManager.

The main problem is fixing the class loader to work with CodeBase and work
with the JDK1.2 mechanisms ( it needs to expose the code base for the
loaded servlets/jsp). 

After that we can play with various security policies and find the minimal
set of permissions a servlet needs, build it in a way that will allow us
to give only minimal permissions to the core ( file access to work dir RW  
and context docbase RO, bind on 8080, etc).

Then we should find an easy-to-configure way to add more permissions and
document everything. 

I think we should try to keep everything as simple as possible - security
is really hard and the only way to trust "un-trusted" servlets is to have
something that is well tested and really clear and well documented. 

Costin 


Re: Using SecurityManager to set JSP execution security policy

Posted by Glenn Nielsen <gl...@voyager.apg.more.net>.
Both below and in the Tomcat README, JDK1.1 compatibility is mentioned.

The JDK1.2 SecurityManager is a great deal more flexible and extensible
than JDK1.1.

You mention below using a java.policy file, wasn't that introduced in JDK1.2?

I would prefer implementing a JDK1.2 SecurityManager.  But how can this
fit in with JDK1.1 compatibility?

Will the SecurityManager only be available when Tomcat is used with 1.2?
Is that what you meant below when referring to using two different jar
files for Tomcat?  The first jar contains Tomcat w/o Security, the second
when installed adds and/or overwrites classes that implement security?

By TomcatPermissions you mean Tomcat objects that are currently private,
but administrative servlets could if granted permission by the SecurityManager
gain access to reading/setting private variables or calling internal Tomcat
methods?

Just trying to think through the design issues for a Tomcat SecurityManager.

Glenn

Costin Manolache wrote:
> 
> Great !
> 
> Right now there are 2 missing pieces:
> - adding code to the ClassLoader to report the code source. Probably you'll
> have to extend AdaptiveClassLoader and add the right method - in order
> to leave Adaptive compatible with  JDK1.1
> 
> - write a sample java.policy and document it.  As a bonus you can add a
> simple generator ( like apache.conf generator) that will create a "default"
> policy. ( super-super bonus - web based interface to add/remove rules,
> but I'm dreaming :-)
> 
> It isn't very hard - but it will take some time. Let me know if I can help.
> 
> One very interesting addition is to add TomcatPermission - that will allow
> apps to access tomcat internal objects, but we need a lot of work on the
> code to close the doors. Another very important experiment will be to
> separate tomcat build in 2 separate jar files - one containing code that
> requires the special permissions ( the network adapter ) and one with the
> rest of the code.
> 
> You need to give read permission for each webapp to its own directory,
> write permission to its temp dir - and nothing else.  If the webapp
> is accessing a database - probably the admin will have to allow this.
> 
> It will be fun!
> 
> Costin
> 


Re: Using SecurityManager to set JSP execution security policy

Posted by Glenn Nielsen <gl...@voyager.apg.more.net>.
Thanks for replying with information on how Security should be implemented.

I'll use the 3.1 final release as a starting point.

This _will_ be fun!

But the fun will have to wait, I will be on vacation next week. :-)

Regards,

Glenn

Costin Manolache wrote:
> 
> Glenn Nielsen wrote:
> 
> > If you need a volunteer...
> >
> > I can put in some time writing the code to implement a SecurityManager.
> >
> 
> Great !
> 
> Right now there are 2 missing pieces:
> - adding code to the ClassLoader to report the code source. Probably you'll
> have to extend AdaptiveClassLoader and add the right method - in order
> to leave Adaptive compatible with  JDK1.1
> 
> - write a sample java.policy and document it.  As a bonus you can add a
> simple generator ( like apache.conf generator) that will create a "default"
> policy. ( super-super bonus - web based interface to add/remove rules,
> but I'm dreaming :-)
> 
> It isn't very hard - but it will take some time. Let me know if I can help.
> 
> One very interesting addition is to add TomcatPermission - that will allow
> apps to access tomcat internal objects, but we need a lot of work on the
> code to close the doors. Another very important experiment will be to
> separate tomcat build in 2 separate jar files - one containing code that
> requires the special permissions ( the network adapter ) and one with the
> rest of the code.
> 
> You need to give read permission for each webapp to its own directory,
> write permission to its temp dir - and nothing else.  If the webapp
> is accessing a database - probably the admin will have to allow this.
> 
> It will be fun!
> 
> Costin
> 


Re: Using SecurityManager to set JSP execution security policy

Posted by Costin Manolache <co...@costin.dnt.ro>.
Glenn Nielsen wrote:

> If you need a volunteer...
>
> I can put in some time writing the code to implement a SecurityManager.
>

Great !

Right now there are 2 missing pieces:
- adding code to the ClassLoader to report the code source. Probably you'll
have to extend AdaptiveClassLoader and add the right method - in order
to leave Adaptive compatible with  JDK1.1

- write a sample java.policy and document it.  As a bonus you can add a
simple generator ( like apache.conf generator) that will create a "default"
policy. ( super-super bonus - web based interface to add/remove rules,
but I'm dreaming :-)

It isn't very hard - but it will take some time. Let me know if I can help.

One very interesting addition is to add TomcatPermission - that will allow
apps to access tomcat internal objects, but we need a lot of work on the
code to close the doors. Another very important experiment will be to
separate tomcat build in 2 separate jar files - one containing code that
requires the special permissions ( the network adapter ) and one with the
rest of the code.

You need to give read permission for each webapp to its own directory,
write permission to its temp dir - and nothing else.  If the webapp
is accessing a database - probably the admin will have to allow this.

It will be fun!

Costin
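The two pieces Costin describes here and in his later reply (a class loader that reports a code source so a java.policy grant keyed on codeBase applies, and a per-webapp grant of read on its own directory plus read/write on its work dir), as an added illustration that is not part of this thread or of Tomcat's code: a hypothetical SecureClassLoader subclass that defines classes from one webapp's work directory under a CodeSource for that directory, with the matching policy grant in its header comment. The class name and all paths are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.net.MalformedURLException;
import java.nio.file.Files;
import java.security.CodeSource;
import java.security.SecureClassLoader;
import java.security.cert.Certificate;

/*
 * Hypothetical loader (not Tomcat's AdaptiveClassLoader). Every class it
 * defines carries a CodeSource for one webapp's work directory, so a grant
 * keyed on that codeBase in java.policy (paths assumed) governs it:
 *
 *   grant codeBase "file:/usr/local/tomcat/work/appA/-" {
 *     permission java.io.FilePermission "/usr/local/tomcat/webapps/appA/-", "read";
 *     permission java.io.FilePermission "/usr/local/tomcat/work/appA/-", "read,write";
 *   };
 *
 * With a SecurityManager installed, anything not granted (another webapp's
 * docbase, sockets, System.exit) fails with an AccessControlException.
 */
public class CodeSourceClassLoader extends SecureClassLoader {
    private final File workDir;      // e.g. /usr/local/tomcat/work/appA
    private final CodeSource source; // what Policy sees for classes from workDir

    public CodeSourceClassLoader(File workDir, ClassLoader parent)
            throws MalformedURLException {
        super(parent);
        this.workDir = workDir;
        // File.toURI() ends an existing directory with "/", which the "/-"
        // codeBase form matches; the null certificate array means unsigned code.
        this.source = new CodeSource(workDir.toURI().toURL(), (Certificate[]) null);
    }

    protected Class<?> findClass(String name) throws ClassNotFoundException {
        File f = new File(workDir, name.replace('.', File.separatorChar) + ".class");
        try {
            byte[] bytes = Files.readAllBytes(f.toPath());
            // Passing the CodeSource is the "missing piece" from the thread:
            // Policy.getPermissions / AccessController.checkPermission now
            // evaluate the codeBase grant for this class's ProtectionDomain.
            return defineClass(name, bytes, 0, bytes.length, source);
        } catch (IOException e) {
            throw new ClassNotFoundException(name, e);
        }
    }
}
```

Because AccessController checks every frame on the stack, the Tomcat core frames beneath the servlet need their own grant or an AccessController.doPrivileged block (the JDK 1.2 form of the beginPrivileged/endPrivileged pair asked about at the top of the thread) for the request to proceed. The SecurityManager is deprecated for removal since JDK 17, off by default from JDK 18 (-Djava.security.manager=allow re-enables it) and permanently disabled in JDK 24, so this runs as shown only on older JDKs.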


Re: Using SecurityManager to set JSP execution security policy

Posted by Glenn Nielsen <gl...@voyager.apg.more.net>.
If you need a volunteer...

I can put in some time writing the code to implement a SecurityManager.

Regards,

Glenn

Costin Manolache wrote:
> 
> Policy-based security doesn't work yet - there are some special changes that
> need to be done in the AdaptiveClassLoader ( to allow the JVM access to the code
> source ).
> 
> It is on the todo list, and I'll do it if nobody else has the time/will to implement
> it, but please don't expect too much - we'll need a lot of review, security can't be
> done in a few weeks.
> 
> Costin
> 
> Glenn Nielsen wrote:
> 
> > Hi,
> >
> > I haven't installed Tomcat yet but I grepped through the code and found
> > that the AdaptiveClassLoader class uses the Security Manager.  Does that
> > mean that it is possible to implement a security policy for execution of
> > JSP in the JVM java.policy file?
> >
> > Something like this?
> >
> > grant codeBase "file:/some/path/to/tomcat/work/*" {
> >    // permissions
> > };
> >
> > If very restrictive permissions were set, would that cause the servlet
> > which is generated from the JSP to generate a SecurityException when
> > it is run?  (I did a grep for Privileged and did not find anything)
> >
> > If the JSP were able to run, then for any beans or tag libraries installed
> > on the server which used classes/methods that would generate a SecurityException
> > could have the code surrounded by beginPrivileged()/endPrivileged()?
> >
> > We are very interested in pushing out to over 500 web publishers (non programmers)
> > the ability to publish dynamic content using JSP 1.1 by solely using beans
> > and/or tag libraries.  Not being able to implement Security for JSP is
> > a show stopper for us.
> >
> > Regards,
> >
> > Glenn
> >


Re: Using SecurityManager to set JSP execution security policy

Posted by Costin Manolache <co...@costin.dnt.ro>.
Policy-based security doesn't work yet - there are some special changes that
need to be done in the AdaptiveClassLoader ( to allow the JVM access to the code
source ).

It is on the todo list, and I'll do it if nobody else has the time/will to implement
it, but please don't expect too much - we'll need a lot of review, security can't be
done in a few weeks.

Costin


Glenn Nielsen wrote:

> Hi,
>
> I haven't installed Tomcat yet but I grepped through the code and found
> that the AdaptiveClassLoader class uses the Security Manager.  Does that
> mean that it is possible to implement a security policy for execution of
> JSP in the JVM java.policy file?
>
> Something like this?
>
> grant codeBase "file:/some/path/to/tomcat/work/*" {
>    // permissions
> };
>
> If very restrictive permissions were set, would that cause the servlet
> which is generated from the JSP to generate a SecurityException when
> it is run?  (I did a grep for Privileged and did not find anything)
>
> If the JSP were able to run, then for any beans or tag libraries installed
> on the server which used classes/methods that would generate a SecurityException
> could have the code surrounded by beginPrivileged()/endPrivileged()?
>
> We are very interested in pushing out to over 500 web publishers (non programmers)
> the ability to publish dynamic content using JSP 1.1 by solely using beans
> and/or tag libraries.  Not being able to implement Security for JSP is
> a show stopper for us.
>
> Regards,
>
> Glenn
>