Posted to users@tomcat.apache.org by Stefan Mayr <st...@mayr-stefan.de> on 2016/08/09 17:29:04 UTC

Code signing WAR and verification

Hi,

two colleagues came up with an idea that our new java platform should only 
run signed code. In the java world I've only seen signed java applets. 
From a bit of internet research it looks like any JAR, WAR or EAR can 
be signed with jarsigner (maybe all zip files?).

Some sources indicate that this is supported or verified in WebLogic. So 
how about Tomcat? Is there any verification of signed code or are there 
any configuration flags to enable/enforce/disable this?

I would guess the signature is ignored. Am I wrong?

Thank you,

   Stefan Mayr

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Code signing WAR and verification

Posted by Mark Thomas <ma...@apache.org>.
On 14 February 2017 13:55:33 GMT+00:00, ramnar <ra...@gmail.com> wrote:
>Is this feature implemented in Tomcat 8 or still in the pipeline?


https://bz.apache.org/bugzilla/show_bug.cgi?id=52489

Mark



Re: Code signing WAR and verification

Posted by ramnar <ra...@gmail.com>.
Is this feature implemented in Tomcat 8 or still in the pipeline?





Re: Code signing WAR and verification

Posted by Stefan Mayr <st...@mayr-stefan.de>.
Am 09.08.2016 um 19:48 schrieb Mark Thomas:
> On 09/08/2016 18:29, Stefan Mayr wrote:
>> Hi,
>>
>> two colleagues came with an idea that our new java platform should only
>> run signed code. In the java world I've only seen signed java applets.
>> From a bit of internet research it looks like any JAR, WAR or EAR can be
>> signed with jarsigner (maybe all zip files?).
>>
>> Some sources indicate that this is supported or verified in WebLogic. So
>> how about Tomcat? Is there any verification of signed code or are there
>> any configuration flags to enable/enforce/disable this?
>>
>> I would guess the signature is ignored. Am I wrong?
>
> You are correct. Signatures on a WAR will be ignored.
>
> https://bz.apache.org/bugzilla/show_bug.cgi?id=52489

I don't see a signature verification in the patch. But from the 
description it might be enough to trigger the SecurityManager somehow.

> I'm far from convinced that the proposed patch on that issue is sufficient.
>
> I'm also not convinced that there is a standard for signing WARs. Some
> authoritative references (i.e. to official Java SE or Java EE docs)
> would be very helpful.
>
> Mark

Specs are hard to find. For jars a nice description can be found in [1]. 
The servlet spec [2] mentions that "Web applications can be packaged and 
signed into a Web ARchive format (WAR) file using the standard Java 
archive tools." But when I went through the servlet spec I did not find a 
description of how the servlet container should handle signed war files. Or 
is this delegated to the security manager? This is still a mystery to 
me, especially when I think of JSPs and their on-demand 
compilation. What can be the magic phrase we should look for?

	Stefan Mayr

[1] http://docs.oracle.com/javase/8/docs/technotes/guides/jar/jar.html#Signed_JAR_File
[2] http://download.oracle.com/otndocs/jcp/servlet-2.4-fr-spec-oth-JSpec/ (see SRV.9.6)




Re: Code signing WAR and verification

Posted by Mark Thomas <ma...@apache.org>.
On 09/08/2016 18:29, Stefan Mayr wrote:
> Hi,
> 
> two colleagues came with an idea that our new java platform should only
> run signed code. In the java world I've only seen signed java applets.
> From a bit of internet research it looks like any JAR, WAR or EAR can be
> signed with jarsigner (maybe all zip files?).
> 
> Some sources indicate that this is supported or verified in WebLogic. So
> how about Tomcat? Is there any verification of signed code or are there
> any configuration flags to enable/enforce/disable this?
> 
> I would guess the signature is ignored. Am I wrong?

You are correct. Signatures on a WAR will be ignored.

https://bz.apache.org/bugzilla/show_bug.cgi?id=52489

I'm far from convinced that the proposed patch on that issue is sufficient.

I'm also not convinced that there is a standard for signing WARs. Some
authoritative references (i.e. to official Java SE or Java EE docs)
would be very helpful.

Mark


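Since Tomcat ignores the signature, a deployer who wants "signed code only" has to enforce it before the archive reaches webapps/. The following is an added example, not code from this thread or from Tomcat: a pre-deployment gate that opens the WAR with the JDK's own signed-JAR verification (the format described in the jar.html reference above), drains every entry so the digests are actually checked, rejects entries that are not covered by any signature at all, and pins the signer certificate by SHA-256 fingerprint. The class name, the fingerprint pinning and the command-line usage are this example's own assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Pre-deployment gate for signed WARs (illustrative example, not Tomcat code).
 * Accepts the archive only if every content entry is signed and every signer
 * certificate matches a pinned SHA-256 fingerprint (assumed to come from the
 * release keystore, e.g. "keytool -list -v -keystore release.jks").
 */
public final class WarSignatureGate {

    /** Lower-case hex SHA-256 fingerprints of the accepted signing certificates. */
    private final Set<String> trustedFingerprints;

    public WarSignatureGate(Set<String> trustedFingerprints) {
        this.trustedFingerprints = trustedFingerprints;
    }

    /** Returns an empty list if the WAR is acceptable, otherwise one message per problem. */
    public List<String> verify(File war) throws IOException {
        List<String> problems = new ArrayList<>();
        // verify=true: JarFile checks each entry against the manifest digests and
        // the META-INF/*.SF + signature block while the entry's bytes are read.
        try (JarFile jar = new JarFile(war, true)) {
            if (jar.getManifest() == null) {
                problems.add("no META-INF/MANIFEST.MF, archive cannot be signed");
                return problems;
            }
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureMetadata(entry.getName())) {
                    continue;
                }
                // Digests are only compared while the bytes are consumed; a modified
                // entry surfaces as a SecurityException here, not at open time.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain to trigger verification */ }
                } catch (SecurityException e) {
                    problems.add(entry.getName() + ": " + e.getMessage());
                    continue;
                }
                // null means no signature covers this entry (e.g. a file added after
                // signing). JarFile does not reject such entries by itself, so this
                // check is what turns "signed" into "everything is signed".
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    problems.add(entry.getName() + ": not signed");
                    continue;
                }
                for (CodeSigner signer : signers) {
                    Certificate leaf = signer.getSignerCertPath().getCertificates().get(0);
                    String fp = fingerprint(leaf);
                    if (!trustedFingerprints.contains(fp)) {
                        problems.add(entry.getName() + ": signed by untrusted certificate " + fp);
                    }
                }
            }
        }
        return problems;
    }

    /** The manifest, signature files and signature blocks are not themselves signed entries. */
    static boolean isSignatureMetadata(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/")) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.endsWith(".SF")
                || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }

    static String fingerprint(Certificate cert) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
            throw new IllegalStateException(e);
        }
    }

    // Usage (assumed): java WarSignatureGate app.war <sha256-fingerprint> [...]
    public static void main(String[] args) throws IOException {
        Set<String> trusted = new HashSet<>();
        for (int i = 1; i < args.length; i++) {
            trusted.add(args[i].replace(":", "").toLowerCase(Locale.ROOT));
        }
        List<String> problems = new WarSignatureGate(trusted).verify(new File(args[0]));
        if (problems.isEmpty()) {
            System.out.println("OK: fully signed by a trusted certificate");
            return;
        }
        problems.forEach(p -> System.err.println("REJECT: " + p));
        System.exit(1);
    }
}
```

Two caveats belong with this. First, the JDK verifier only proves that the entries match what the embedded certificate signed; it does not decide whether that certificate should be trusted, which is why the example pins fingerprints rather than accepting any signer (the CLI equivalent, `jarsigner -verify -strict -verbose -certs app.war`, likewise needs you to read the printed certificate). Second, the gate covers the archive as shipped: once Tomcat unpacks the WAR or compiles a JSP on demand, the files and generated classes on disk are outside the signature, which is the gap the JSP question in this thread points at.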