Posted to commits@tomee.apache.org by rz...@apache.org on 2022/02/17 07:47:34 UTC

[tomee] 01/03: Revert "TOMEE-3840 - Fix TomEE does not start with security enabled"

This is an automated email from the ASF dual-hosted git repository.

rzo1 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomee.git

commit 4cb9f8b90ad7728454e20a448dd739a372714620
Author: Richard Zowalla <rz...@apache.org>
AuthorDate: Thu Feb 17 08:36:15 2022 +0100

    Revert "TOMEE-3840 - Fix TomEE does not start with security enabled"
    
    This reverts commit 18f174b6acb6873c41f7da73f8a1cd952be95e87.
---
 .../src/main/resources/tomee/conf/catalina.policy  |   4 -
 .../src/main/resources/tomee/conf/catalina.policy  |   4 -
 .../src/main/resources/tomee/conf/catalina.policy  |   4 -
 .../src/main/resources/tomee/conf/catalina.policy  |   4 -
 tomee/apache-tomee/pom.xml                         |   3 -
 .../src/main/assembly/tomee-microprofile.xml       |   8 -
 .../apache-tomee/src/main/assembly/tomee-plume.xml |   8 -
 .../apache-tomee/src/main/assembly/tomee-plus.xml  |   8 -
 .../src/main/assembly/tomee-webprofile.xml         |   8 -
 .../src/main/resources/catalina.policy             | 268 ---------------------
 10 files changed, 319 deletions(-)

diff --git a/boms/tomee-microprofile/src/main/resources/tomee/conf/catalina.policy b/boms/tomee-microprofile/src/main/resources/tomee/conf/catalina.policy
index 1a081a3..7aab95d 100644
--- a/boms/tomee-microprofile/src/main/resources/tomee/conf/catalina.policy
+++ b/boms/tomee-microprofile/src/main/resources/tomee/conf/catalina.policy
@@ -94,10 +94,6 @@ grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
         permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read";
         permission java.util.PropertyPermission "catalina.base", "read";
 
-        // TOMEE-3840
-        permission java.util.PropertyPermission "tomee.skip-tomcat-log", "read";
-        permission java.lang.RuntimePermission "accessDeclaredMembers";
-
         // Note: To enable per context logging configuration, permit read access to
         // the appropriate file. Be sure that the logging configuration is
         // secure before enabling such access.
diff --git a/boms/tomee-plume/src/main/resources/tomee/conf/catalina.policy b/boms/tomee-plume/src/main/resources/tomee/conf/catalina.policy
index 1a081a3..7aab95d 100644
--- a/boms/tomee-plume/src/main/resources/tomee/conf/catalina.policy
+++ b/boms/tomee-plume/src/main/resources/tomee/conf/catalina.policy
@@ -94,10 +94,6 @@ grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
         permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read";
         permission java.util.PropertyPermission "catalina.base", "read";
 
-        // TOMEE-3840
-        permission java.util.PropertyPermission "tomee.skip-tomcat-log", "read";
-        permission java.lang.RuntimePermission "accessDeclaredMembers";
-
         // Note: To enable per context logging configuration, permit read access to
         // the appropriate file. Be sure that the logging configuration is
         // secure before enabling such access.
diff --git a/boms/tomee-plus/src/main/resources/tomee/conf/catalina.policy b/boms/tomee-plus/src/main/resources/tomee/conf/catalina.policy
index 1a081a3..7aab95d 100644
--- a/boms/tomee-plus/src/main/resources/tomee/conf/catalina.policy
+++ b/boms/tomee-plus/src/main/resources/tomee/conf/catalina.policy
@@ -94,10 +94,6 @@ grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
         permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read";
         permission java.util.PropertyPermission "catalina.base", "read";
 
-        // TOMEE-3840
-        permission java.util.PropertyPermission "tomee.skip-tomcat-log", "read";
-        permission java.lang.RuntimePermission "accessDeclaredMembers";
-
         // Note: To enable per context logging configuration, permit read access to
         // the appropriate file. Be sure that the logging configuration is
         // secure before enabling such access.
diff --git a/boms/tomee-webprofile/src/main/resources/tomee/conf/catalina.policy b/boms/tomee-webprofile/src/main/resources/tomee/conf/catalina.policy
index 1a081a3..7aab95d 100644
--- a/boms/tomee-webprofile/src/main/resources/tomee/conf/catalina.policy
+++ b/boms/tomee-webprofile/src/main/resources/tomee/conf/catalina.policy
@@ -94,10 +94,6 @@ grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
         permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read";
         permission java.util.PropertyPermission "catalina.base", "read";
 
-        // TOMEE-3840
-        permission java.util.PropertyPermission "tomee.skip-tomcat-log", "read";
-        permission java.lang.RuntimePermission "accessDeclaredMembers";
-
         // Note: To enable per context logging configuration, permit read access to
         // the appropriate file. Be sure that the logging configuration is
         // secure before enabling such access.
diff --git a/tomee/apache-tomee/pom.xml b/tomee/apache-tomee/pom.xml
index 8340c16..bfcccf4 100644
--- a/tomee/apache-tomee/pom.xml
+++ b/tomee/apache-tomee/pom.xml
@@ -159,9 +159,6 @@
       <resource>
         <directory>src/main/resources</directory>
         <filtering>true</filtering>
-        <excludes>
-          <exclude>*.policy</exclude>
-        </excludes>
       </resource>
       <resource>
         <directory>src/main/resources</directory>
diff --git a/tomee/apache-tomee/src/main/assembly/tomee-microprofile.xml b/tomee/apache-tomee/src/main/assembly/tomee-microprofile.xml
index a7949d5..e026258 100644
--- a/tomee/apache-tomee/src/main/assembly/tomee-microprofile.xml
+++ b/tomee/apache-tomee/src/main/assembly/tomee-microprofile.xml
@@ -38,7 +38,6 @@
         <exclude>NOTICE</exclude>
         <exclude>**/bin/**/*</exclude>
         <exclude>**/lib/tomcat-annotations-api*.jar</exclude>
-        <exclude>**/conf/catalina.policy</exclude>
       </excludes>
     </fileSet>
     <fileSet>
@@ -50,13 +49,6 @@
     </fileSet>
     <fileSet>
       <directory>${project.basedir}/target/classes</directory>
-      <outputDirectory>/apache-tomee-microprofile-${project.version}/conf</outputDirectory>
-      <includes>
-        <include>catalina.policy</include>
-      </includes>
-    </fileSet>
-    <fileSet>
-      <directory>${project.basedir}/target/classes</directory>
       <outputDirectory>/apache-tomee-microprofile-${project.version}/bin</outputDirectory>
       <includes>
         <include>service.*</include>
diff --git a/tomee/apache-tomee/src/main/assembly/tomee-plume.xml b/tomee/apache-tomee/src/main/assembly/tomee-plume.xml
index d8f6763..0ba6892 100644
--- a/tomee/apache-tomee/src/main/assembly/tomee-plume.xml
+++ b/tomee/apache-tomee/src/main/assembly/tomee-plume.xml
@@ -38,7 +38,6 @@
         <exclude>NOTICE</exclude>
         <exclude>**/bin/**/*</exclude>
         <exclude>**/lib/tomcat-annotations-api*.jar</exclude>
-        <exclude>**/conf/catalina.policy</exclude>
       </excludes>
     </fileSet>
     <fileSet>
@@ -50,13 +49,6 @@
     </fileSet>
     <fileSet>
       <directory>${project.basedir}/target/classes</directory>
-      <outputDirectory>/apache-tomee-plume-${project.version}/conf</outputDirectory>
-      <includes>
-        <include>catalina.policy</include>
-      </includes>
-    </fileSet>
-    <fileSet>
-      <directory>${project.basedir}/target/classes</directory>
       <outputDirectory>/apache-tomee-plume-${project.version}/bin</outputDirectory>
       <includes>
         <include>service.*</include>
diff --git a/tomee/apache-tomee/src/main/assembly/tomee-plus.xml b/tomee/apache-tomee/src/main/assembly/tomee-plus.xml
index 57c63cb..5e1ac51 100644
--- a/tomee/apache-tomee/src/main/assembly/tomee-plus.xml
+++ b/tomee/apache-tomee/src/main/assembly/tomee-plus.xml
@@ -38,7 +38,6 @@
         <exclude>NOTICE</exclude>
         <exclude>**/bin/**/*</exclude>
         <exclude>**/lib/tomcat-annotations-api*.jar</exclude>
-        <exclude>**/conf/catalina.policy</exclude>
       </excludes>
     </fileSet>
     <fileSet>
@@ -50,13 +49,6 @@
     </fileSet>
     <fileSet>
       <directory>${project.basedir}/target/classes</directory>
-      <outputDirectory>/apache-tomee-plus-${project.version}/conf</outputDirectory>
-      <includes>
-        <include>catalina.policy</include>
-      </includes>
-    </fileSet>
-    <fileSet>
-      <directory>${project.basedir}/target/classes</directory>
       <outputDirectory>/apache-tomee-plus-${project.version}/bin</outputDirectory>
       <includes>
         <include>service.*</include>
diff --git a/tomee/apache-tomee/src/main/assembly/tomee-webprofile.xml b/tomee/apache-tomee/src/main/assembly/tomee-webprofile.xml
index 6602155..e84b860 100644
--- a/tomee/apache-tomee/src/main/assembly/tomee-webprofile.xml
+++ b/tomee/apache-tomee/src/main/assembly/tomee-webprofile.xml
@@ -38,7 +38,6 @@
         <exclude>NOTICE</exclude>
         <exclude>**/bin/**/*</exclude>
         <exclude>**/lib/tomcat-annotations-api*.jar</exclude>
-        <exclude>**/conf/catalina.policy</exclude>
       </excludes>
     </fileSet>
     <fileSet>
@@ -50,13 +49,6 @@
     </fileSet>
     <fileSet>
       <directory>${project.basedir}/target/classes</directory>
-      <outputDirectory>/apache-tomee-webprofile-${project.version}/conf</outputDirectory>
-      <includes>
-        <include>catalina.policy</include>
-      </includes>
-    </fileSet>
-    <fileSet>
-      <directory>${project.basedir}/target/classes</directory>
       <outputDirectory>/apache-tomee-webprofile-${project.version}/bin</outputDirectory>
       <includes>
         <include>service.*</include>
diff --git a/tomee/apache-tomee/src/main/resources/catalina.policy b/tomee/apache-tomee/src/main/resources/catalina.policy
deleted file mode 100644
index 1a081a3..0000000
--- a/tomee/apache-tomee/src/main/resources/catalina.policy
+++ /dev/null
@@ -1,268 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one or more
-// contributor license agreements.  See the NOTICE file distributed with
-// this work for additional information regarding copyright ownership.
-// The ASF licenses this file to You under the Apache License, Version 2.0
-// (the "License"); you may not use this file except in compliance with
-// the License.  You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// ============================================================================
-// catalina.policy - Security Policy Permissions for Tomcat
-//
-// This file contains a default set of security policies to be enforced (by the
-// JVM) when Catalina is executed with the "-security" option.  In addition
-// to the permissions granted here, the following additional permissions are
-// granted to each web application:
-//
-// * Read access to the web application's document root directory
-// * Read, write and delete access to the web application's working directory
-// ============================================================================
-
-
-// ========== SYSTEM CODE PERMISSIONS =========================================
-
-
-// These permissions apply to javac
-grant codeBase "file:${java.home}/lib/-" {
-        permission java.security.AllPermission;
-};
-
-// These permissions apply to all shared system extensions
-grant codeBase "file:${java.home}/jre/lib/ext/-" {
-        permission java.security.AllPermission;
-};
-
-// These permissions apply to javac when ${java.home} points at $JAVA_HOME/jre
-grant codeBase "file:${java.home}/../lib/-" {
-        permission java.security.AllPermission;
-};
-
-// These permissions apply to all shared system extensions when
-// ${java.home} points at $JAVA_HOME/jre
-grant codeBase "file:${java.home}/lib/ext/-" {
-        permission java.security.AllPermission;
-};
-
-// This permission is required when using javac to compile JSPs on Java 9
-// onwards
-//grant codeBase "jrt:/jdk.compiler" {
-//        permission java.security.AllPermission;
-//};
-
-
-// ========== CATALINA CODE PERMISSIONS =======================================
-
-// These permissions apply to the daemon code
-grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
-        permission java.security.AllPermission;
-};
-
-// These permissions apply to the logging API
-// Note: If tomcat-juli.jar is in ${catalina.base} and not in ${catalina.home},
-// update this section accordingly.
-//  grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {..}
-grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
-        permission java.io.FilePermission
-         "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
-
-        permission java.io.FilePermission
-         "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
-        permission java.io.FilePermission
-         "${catalina.base}${file.separator}logs", "read, write";
-        permission java.io.FilePermission
-         "${catalina.base}${file.separator}logs${file.separator}*", "read, write, delete";
-
-        permission java.lang.RuntimePermission "shutdownHooks";
-        permission java.lang.RuntimePermission "getClassLoader";
-        permission java.lang.RuntimePermission "setContextClassLoader";
-
-        permission java.lang.management.ManagementPermission "monitor";
-
-        permission java.util.logging.LoggingPermission "control";
-
-        permission java.util.PropertyPermission "java.util.logging.config.class", "read";
-        permission java.util.PropertyPermission "java.util.logging.config.file", "read";
-        permission java.util.PropertyPermission "org.apache.juli.AsyncMaxRecordCount", "read";
-        permission java.util.PropertyPermission "org.apache.juli.AsyncOverflowDropType", "read";
-        permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read";
-        permission java.util.PropertyPermission "catalina.base", "read";
-
-        // TOMEE-3840
-        permission java.util.PropertyPermission "tomee.skip-tomcat-log", "read";
-        permission java.lang.RuntimePermission "accessDeclaredMembers";
-
-        // Note: To enable per context logging configuration, permit read access to
-        // the appropriate file. Be sure that the logging configuration is
-        // secure before enabling such access.
-        // E.g. for the examples web application (uncomment and unwrap
-        // the following to be on a single line):
-        // permission java.io.FilePermission "${catalina.base}${file.separator}
-        //  webapps${file.separator}examples${file.separator}WEB-INF
-        //  ${file.separator}classes${file.separator}logging.properties", "read";
-};
-
-// These permissions apply to the server startup code
-grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
-        permission java.security.AllPermission;
-};
-
-// These permissions apply to the servlet API classes
-// and those that are shared across all class loaders
-// located in the "lib" directory
-grant codeBase "file:${catalina.home}/lib/-" {
-        permission java.security.AllPermission;
-};
-
-
-// If using a per instance lib directory, i.e. ${catalina.base}/lib,
-// then the following permission will need to be uncommented
-// grant codeBase "file:${catalina.base}/lib/-" {
-//         permission java.security.AllPermission;
-// };
-
-
-// ========== WEB APPLICATION PERMISSIONS =====================================
-
-
-// These permissions are granted by default to all web applications
-// In addition, a web application will be given a read FilePermission
-// for all files and directories in its document root.
-grant {
-    // Required for JNDI lookup of named JDBC DataSource's and
-    // javamail named MimePart DataSource used to send mail
-    permission java.util.PropertyPermission "java.home", "read";
-    permission java.util.PropertyPermission "java.naming.*", "read";
-    permission java.util.PropertyPermission "javax.sql.*", "read";
-
-    // OS Specific properties to allow read access
-    permission java.util.PropertyPermission "os.name", "read";
-    permission java.util.PropertyPermission "os.version", "read";
-    permission java.util.PropertyPermission "os.arch", "read";
-    permission java.util.PropertyPermission "file.separator", "read";
-    permission java.util.PropertyPermission "path.separator", "read";
-    permission java.util.PropertyPermission "line.separator", "read";
-
-    // JVM properties to allow read access
-    permission java.util.PropertyPermission "java.version", "read";
-    permission java.util.PropertyPermission "java.vendor", "read";
-    permission java.util.PropertyPermission "java.vendor.url", "read";
-    permission java.util.PropertyPermission "java.class.version", "read";
-    permission java.util.PropertyPermission "java.specification.version", "read";
-    permission java.util.PropertyPermission "java.specification.vendor", "read";
-    permission java.util.PropertyPermission "java.specification.name", "read";
-
-    permission java.util.PropertyPermission "java.vm.specification.version", "read";
-    permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
-    permission java.util.PropertyPermission "java.vm.specification.name", "read";
-    permission java.util.PropertyPermission "java.vm.version", "read";
-    permission java.util.PropertyPermission "java.vm.vendor", "read";
-    permission java.util.PropertyPermission "java.vm.name", "read";
-
-    // Required for OpenJMX
-    permission java.lang.RuntimePermission "getAttribute";
-
-    // Allow read of JAXP compliant XML parser debug
-    permission java.util.PropertyPermission "jaxp.debug", "read";
-
-    // All JSPs need to be able to read this package
-    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat";
-
-    // Precompiled JSPs need access to these packages.
-    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
-    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
-    permission java.lang.RuntimePermission
-     "accessClassInPackage.org.apache.jasper.runtime.*";
-
-    // Applications using WebSocket need to be able to access these packages
-    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket";
-    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket.server";
-};
-
-
-// The Manager application needs access to the following packages to support the
-// session display functionality. It also requires the custom Tomcat
-// DeployXmlPermission to enable the use of META-INF/context.xml
-// These settings support the following configurations:
-// - default CATALINA_HOME == CATALINA_BASE
-// - CATALINA_HOME != CATALINA_BASE, per instance Manager in CATALINA_BASE
-// - CATALINA_HOME != CATALINA_BASE, shared Manager in CATALINA_HOME
-grant codeBase "file:${catalina.base}/webapps/manager/-" {
-    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
-    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
-    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
-    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
-    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
-    permission org.apache.catalina.security.DeployXmlPermission "manager";
-};
-grant codeBase "file:${catalina.home}/webapps/manager/-" {
-    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
-    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
-    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
-    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
-    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
-    permission org.apache.catalina.security.DeployXmlPermission "manager";
-};
-
-// The Host Manager application needs the custom Tomcat DeployXmlPermission to
-// enable the use of META-INF/context.xml
-// These settings support the following configurations:
-// - default CATALINA_HOME == CATALINA_BASE
-// - CATALINA_HOME != CATALINA_BASE, per instance Host Manager in CATALINA_BASE
-// - CATALINA_HOME != CATALINA_BASE, shared Host Manager in CATALINA_HOME
-grant codeBase "file:${catalina.base}/webapps/host-manager/-" {
-    permission org.apache.catalina.security.DeployXmlPermission "host-manager";
-};
-grant codeBase "file:${catalina.home}/webapps/host-manager/-" {
-    permission org.apache.catalina.security.DeployXmlPermission "host-manager";
-};
-
-
-// You can assign additional permissions to particular web applications by
-// adding additional "grant" entries here, based on the code base for that
-// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
-//
-// Different permissions can be granted to JSP pages, classes loaded from
-// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
-// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
-//
-// For instance, assume that the standard "examples" application
-// included a JDBC driver that needed to establish a network connection to the
-// corresponding database and used the scrape taglib to get the weather from
-// the NOAA web server.  You might create a "grant" entries like this:
-//
-// The permissions granted to the context root directory apply to JSP pages.
-// grant codeBase "file:${catalina.base}/webapps/examples/-" {
-//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
-//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
-// };
-//
-// The permissions granted to the context WEB-INF/classes directory
-// grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" {
-// };
-//
-// The permission granted to your JDBC driver
-// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
-//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
-// };
-// The permission granted to the scrape taglib
-// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
-//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
-// };
-
-// To grant permissions for web applications using packed WAR files, use the
-// Tomcat specific WAR url scheme.
-//
-// The permissions granted to the entire web application
-// grant codeBase "war:file:${catalina.base}/webapps/examples.war*/-" {
-// };
-//
-// The permissions granted to a specific JAR
-// grant codeBase "war:file:${catalina.base}/webapps/examples.war*/WEB-INF/lib/foo.jar" {
-// };
\ No newline at end of file