Posted to commits@tomee.apache.org by rz...@apache.org on 2022/02/17 07:47:35 UTC

[tomee] 02/03: TOMEE-3840 - Adds TomEE specific policies to catalina.policy config file to allow startup with enabled security

This is an automated email from the ASF dual-hosted git repository.

rzo1 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomee.git

commit 4b009f18bd2adb61053ee55d2411ba1b84e089b1
Author: Richard Zowalla <rz...@apache.org>
AuthorDate: Thu Feb 17 08:43:31 2022 +0100

    TOMEE-3840 - Adds TomEE specific policies to catalina.policy config file to allow startup with enabled security
    
    Reverted the previous fix for TOMEE-3840 in favour of this Installer-based approach, so we do not need to update a standalone config file in TomEE for every Tomcat update.
---
 .../src/main/resources/tomee/conf/catalina.policy  |  5 +++
 .../src/main/resources/tomee/conf/catalina.policy  |  5 +++
 .../src/main/resources/tomee/conf/catalina.policy  |  5 +++
 .../src/main/resources/tomee/conf/catalina.policy  |  5 +++
 .../java/org/apache/tomee/installer/Installer.java | 38 ++++++++++++++++++++++
 .../java/org/apache/tomee/installer/Paths.java     |  9 +++++
 .../org/apache/tomee/installer/PathsInterface.java |  2 ++
 7 files changed, 69 insertions(+)

diff --git a/boms/tomee-microprofile/src/main/resources/tomee/conf/catalina.policy b/boms/tomee-microprofile/src/main/resources/tomee/conf/catalina.policy
index 7aab95d..748ba1c 100644
--- a/boms/tomee-microprofile/src/main/resources/tomee/conf/catalina.policy
+++ b/boms/tomee-microprofile/src/main/resources/tomee/conf/catalina.policy
@@ -94,6 +94,11 @@ grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
         permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read";
         permission java.util.PropertyPermission "catalina.base", "read";
 
+        // TOMEE-3840
+        permission java.util.PropertyPermission "tomee.skip-tomcat-log", "read";
+        permission java.lang.RuntimePermission "accessDeclaredMembers";
+
+
         // Note: To enable per context logging configuration, permit read access to
         // the appropriate file. Be sure that the logging configuration is
         // secure before enabling such access.
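Review bot: The new grant at the `// TOMEE-3840` line records only the ticket number, and `java.lang.RuntimePermission "accessDeclaredMembers"` is a reflection permission whose purpose inside the tomcat-juli codeBase block is not stated, so nobody merging the next upstream Tomcat policy can tell whether it is still needed; suggest `// TOMEE-3840: required for TomEE startup under the SecurityManager (logging integration) - revisit when tomcat-juli changes`, with the logging link confirmed before committing to it, since it is only inferred from the commit title and the codeBase. The two consecutive blank lines after the grant can be collapsed to one. The same hunk appears verbatim in the tomee-plume, tomee-plus and tomee-webprofile catalina.policy files below, and in the string that Installer.java now splices into an installed Tomcat's policy.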
diff --git a/boms/tomee-plume/src/main/resources/tomee/conf/catalina.policy b/boms/tomee-plume/src/main/resources/tomee/conf/catalina.policy
index 7aab95d..748ba1c 100644
--- a/boms/tomee-plume/src/main/resources/tomee/conf/catalina.policy
+++ b/boms/tomee-plume/src/main/resources/tomee/conf/catalina.policy
@@ -94,6 +94,11 @@ grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
         permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read";
         permission java.util.PropertyPermission "catalina.base", "read";
 
+        // TOMEE-3840
+        permission java.util.PropertyPermission "tomee.skip-tomcat-log", "read";
+        permission java.lang.RuntimePermission "accessDeclaredMembers";
+
+
         // Note: To enable per context logging configuration, permit read access to
         // the appropriate file. Be sure that the logging configuration is
         // secure before enabling such access.
diff --git a/boms/tomee-plus/src/main/resources/tomee/conf/catalina.policy b/boms/tomee-plus/src/main/resources/tomee/conf/catalina.policy
index 7aab95d..748ba1c 100644
--- a/boms/tomee-plus/src/main/resources/tomee/conf/catalina.policy
+++ b/boms/tomee-plus/src/main/resources/tomee/conf/catalina.policy
@@ -94,6 +94,11 @@ grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
         permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read";
         permission java.util.PropertyPermission "catalina.base", "read";
 
+        // TOMEE-3840
+        permission java.util.PropertyPermission "tomee.skip-tomcat-log", "read";
+        permission java.lang.RuntimePermission "accessDeclaredMembers";
+
+
         // Note: To enable per context logging configuration, permit read access to
         // the appropriate file. Be sure that the logging configuration is
         // secure before enabling such access.
diff --git a/boms/tomee-webprofile/src/main/resources/tomee/conf/catalina.policy b/boms/tomee-webprofile/src/main/resources/tomee/conf/catalina.policy
index 7aab95d..748ba1c 100644
--- a/boms/tomee-webprofile/src/main/resources/tomee/conf/catalina.policy
+++ b/boms/tomee-webprofile/src/main/resources/tomee/conf/catalina.policy
@@ -94,6 +94,11 @@ grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
         permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read";
         permission java.util.PropertyPermission "catalina.base", "read";
 
+        // TOMEE-3840
+        permission java.util.PropertyPermission "tomee.skip-tomcat-log", "read";
+        permission java.lang.RuntimePermission "accessDeclaredMembers";
+
+
         // Note: To enable per context logging configuration, permit read access to
         // the appropriate file. Be sure that the logging configuration is
         // secure before enabling such access.
diff --git a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
index a5e2a60..c56f7bf 100644
--- a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
+++ b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java
@@ -957,6 +957,44 @@ public class Installer implements InstallerInterface {
         } catch (final IOException e) {
             // no-op
         }
+
+        //
+        // conf/catalina.policy
+        //
+
+        // if we can't backup the file, do not modify it
+        if (!Installers.backup(paths.getCatalinaPolicy() , alerts)) {
+            return;
+        }
+
+        String catalinaPolicy = Installers.readAll(paths.getCatalinaPolicy(), alerts);
+
+        // catalina.policy will be null if we couldn't read the file
+        if (catalinaPolicy == null) {
+            return;
+        }
+
+        //Add TomEE-specific policies (see TOMEE-3840)
+        try {
+            catalinaPolicy = Installers.replace(catalinaPolicy,
+                    "        permission java.util.PropertyPermission \"org.apache.juli.ClassLoaderLogManager.debug\", \"read\";",
+                    "        permission java.util.PropertyPermission \"org.apache.juli.ClassLoaderLogManager.debug\", \"read\";",
+                    "        permission java.util.PropertyPermission \"catalina.base\", \"read\";",
+                    "        permission java.util.PropertyPermission \"catalina.base\", \"read\";\n\n" +
+                            "        // TOMEE-3840\n" +
+                            "        permission java.util.PropertyPermission \"tomee.skip-tomcat-log\", \"read\";\n" +
+                            "        permission java.lang.RuntimePermission \"accessDeclaredMembers\";\n");
+
+        } catch (final IOException e) {
+            alerts.addError("Error adding TomEE specific policies to catalina.policy file", e);
+        }
+
+        // overwrite catalina.policy
+        if (Installers.writeAll(paths.getCatalinaPolicy(), catalinaPolicy, alerts)) {
+            alerts.addInfo("Add TomEE specific policies to catalina.policy");
+        }
+
+
     }
 
     private void installTomEEJuli(final Alerts alerts, final File loggingPropsFile, final String newLoggingProps) {
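Review bot: When `Installers.replace` throws, the catch block at `alerts.addError("Error adding TomEE specific policies to catalina.policy file", e)` records the error but falls through, so `Installers.writeAll` still rewrites the file with the unmodified text and reports `Add TomEE specific policies to catalina.policy` as info although nothing was added; add `return;` after the `addError` call, matching the early returns used for the backup and read failures above it. Unless `Installers.replace` itself rejects an already patched file, re-running the installer would splice the TOMEE-3840 block in again after the `catalina.base` line; a `catalinaPolicy.contains("tomee.skip-tomcat-log")` guard before the replace would make the step idempotent, worth confirming against the helper's semantics. Minor style: the stray space in `paths.getCatalinaPolicy() , alerts` and the two blank lines before the closing brace. The enclosing method starts outside the hunk.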
diff --git a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Paths.java b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Paths.java
index 34ac641..fe6ab19 100644
--- a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Paths.java
+++ b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Paths.java
@@ -527,4 +527,13 @@ public class Paths implements PathsInterface {
         }
         return new File(binDir, "setclasspath.bat");
     }
+
+    @Override
+    public File getCatalinaPolicy() {
+        final File confDir = getCatalinaConfDir();
+        if (confDir == null) {
+            return null;
+        }
+        return new File(confDir, "catalina.policy");
+    }
 }
diff --git a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/PathsInterface.java b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/PathsInterface.java
index 390a9c9..1bc0e2e 100644
--- a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/PathsInterface.java
+++ b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/PathsInterface.java
@@ -85,4 +85,6 @@ public interface PathsInterface {
     File getSetClasspathSh();
 
     File getSetClasspathBat();
+
+    File getCatalinaPolicy();
 }
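Review bot: The added `File getCatalinaPolicy();` has no Javadoc, and the contract matters here because the Paths implementation in this commit returns `null` when the Catalina conf directory cannot be resolved, which callers such as the Installer must tolerate; suggest `/** Returns conf/catalina.policy, or {@code null} if the Catalina conf directory cannot be resolved. */`. The interface declaration itself is above the hunk.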