Posted to dev@tomcat.apache.org by la...@apache.org on 2001/10/21 18:51:01 UTC
cvs commit: jakarta-tomcat/src/doc tomcat-security.html
larryi 01/10/21 09:51:01
Modified: src/doc tomcat-security.html
Log:
Fixed typo.
Submitted by: Jeff Turner
Other updates, including porting debugging information from Tomcat 4.0
document.
Revision Changes Path
1.4 +20 -9 jakarta-tomcat/src/doc/tomcat-security.html
Index: tomcat-security.html
===================================================================
RCS file: /home/cvs/jakarta-tomcat/src/doc/tomcat-security.html,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- tomcat-security.html 2000/08/28 19:05:27 1.3
+++ tomcat-security.html 2001/10/21 16:51:00 1.4
@@ -47,7 +47,7 @@
running in your browser, use of a SecurityManager while running Tomcat
can protect your server from trojan servlets, JSP's, JSP beans, and tag
libraries. Or even inadvertent mistakes.
-<p>Imagine if someone who is authorized to publish JSP's on your site invadvertently
+<p>Imagine if someone who is authorized to publish JSP's on your site inadvertently
included the following in their JSP:
<blockquote>
<pre><% System.exit(1); %></pre>
@@ -105,11 +105,11 @@
<a NAME="config"></a>Configuring Tomcat for use with a SecurityManager</h3>
<b>tomcat.policy</b>
<p>The security policies implemented by the Java SecurityManager are configured
-in the <b>tomcat.policy </b>file located in the tomcat conf directory.
+in the <b>tomcat.policy </b>file located in the tomcat <code>conf</code> directory.
The tomcat.policy file replaces any system java.policy file. The
tomcat.policy file can be edited by hand or you can use the <b>policytool
</b>application
-that comes with Java 1.2.
+that comes with Java 1.2, or later.
<p>Entries in the tomcat.policy file use the standard java.policy file
format as follows:
<table border=0><tr><td><pre>// Example policy file entry
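Review bot: the markup for file and directory names in this paragraph is now inconsistent: "conf" is wrapped in <code>conf</code>, while "tomcat.policy" and "policytool" stay in <b> tags that also carry a stray space inside them ("<b>tomcat.policy </b>" and "<b>policytool" followed by "</b>" on the next line), which renders as bold whitespace. Pick one convention (for example <code> for all file, directory and tool names) and move the spaces outside the tags. Also, the comma in "Java 1.2, or later" is unnecessary; "Java 1.2 or later" reads better.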
@@ -205,15 +205,11 @@
permission java.util.PropertyPermission "*","read";
};</td></tr></table></pre>
-<p><br><b>server.xml</b>
-<p>Uncomment out the entry in server.xml for the ContextInterceptor which
-defines the class named PolicyInterceptor.
-<br>
<h3>
<a NAME="start"></a>Starting Tomcat with a SecurityManager</h3>
-Once you have configured the tomcat.policy and server.xml files for use
+Once you have configured the tomcat.policy for use
with a SecurityManager, Tomcat can be started with the SecurityManager
-in place by using the "-security" option to bin/startup.bat or bin/startup.sh.
+in place by adding the "-security" option to bin/startup.bat or bin/startup.sh.
<br>
<h3>
<a NAME="violation"></a>What happens when the SecurityManager detects a
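Review bot: dropping the server.xml/PolicyInterceptor paragraph removes the only statement of how the SecurityManager gets wired in, without saying what replaces it. If the "-security" option now installs the PolicyInterceptor on its own, say so explicitly in the "Starting Tomcat" section (for example "no server.xml change is needed"), so a reader whose older server.xml still has the interceptor commented out does not silently run without the SecurityManager. The rewritten line "Once you have configured the tomcat.policy for use" also lost its noun; "Once you have configured the tomcat.policy file for use" matches the wording used elsewhere in the section. Unrelated to this change but visible in the context: the policy example ends with "</td></tr></table></pre>", yet it was opened as "<table border=0><tr><td><pre>", so the closing order should be "</pre></td></tr></table>".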
@@ -224,6 +220,21 @@
<h2>
<a NAME="trouble"></a>Trouble shooting tomcat.policy configuration and
Security Violations</h2>
+You can turn on Java SecurityManager debug logging by setting the environmental
+variable:
+<pre>
+ TOMCAT_OPTS=-Djava.security.debug=all
+</pre>
+The debug output will be written to Tomcat's log file, or the console if no log
+file is defined.<br>
+<br><strong>Note:</strong> This gives the most complete debugging information,
+but generates many MB's of output, for less verbose security debug output, use:
+<pre>
+ TOMCAT_OPTS=-Djava.security.debug=access,failure
+</pre>
+Use the following shell command to determine all the security debug options
+available: <tt>java -Djava.security.debug=help</tt><br>
+<br>
<b>JSP Compile using JVM internal javac fails with AccessControlException
for RuntimePermission accessClassInPackage sun.tools.javac.</b>
<p>Check your JAVA_HOME/jre/lib/security/java.security file configuration.
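Review bot: "environmental variable" should be "environment variable", and the example does not show how the variable is actually set: a bare "TOMCAT_OPTS=-Djava.security.debug=all" typed at a Unix shell is a plain shell assignment that bin/startup.sh will not see unless it is exported ("export TOMCAT_OPTS=-Djava.security.debug=all"), and bin/startup.bat needs "set TOMCAT_OPTS=-Djava.security.debug=all". Show both forms, since the previous section names both scripts. "many MB's of output" should read "many megabytes of output", and it is worth telling the reader to remove the setting again once the policy problem is found, because even "access,failure" logs every access-control check for the life of the server and will fill the log file.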