Posted to users@tomcat.apache.org by Petr Hracek <ph...@gmail.com> on 2011/11/07 12:06:19 UTC

Catalina.policy file for security option

Dear tomcat users,

I have tried to configure my really old tomcat5 configuration (for using
-security),
but tomcat is not running. On my system tomcat5 runs only as a servlet
engine and not as a web server.

Do you have any example catalina.policy file?
My catalina.policy file is:
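// ========== SYSTEM CODE PERMISSIONS =========================================
//
// NOTE(review): this copy was reassembled from a mail-wrapped paste. Entries
// that had been split across lines are rejoined and comment continuations
// carry a leading "//" again; a bare continuation line inside a grant block
// does not parse. Compare against the installed conf/catalina.policy before
// relying on it.

// These permissions apply to javac
grant codeBase "file:${java.home}/lib/-" {
        permission java.security.AllPermission;
};

// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/-" {
        permission java.security.AllPermission;
};

// These permissions apply to javac when ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/../lib/-" {
        permission java.security.AllPermission;
};

// These permissions apply to all shared system extensions when
// ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/lib/ext/-" {
        permission java.security.AllPermission;
};

// ========== CATALINA CODE PERMISSIONS =======================================

// These permissions apply to the launcher code
grant codeBase "file:${catalina.home}/bin/commons-launcher.jar" {
        permission java.security.AllPermission;
};

// These permissions apply to the daemon code
grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
        permission java.security.AllPermission;
};

// These permissions apply to the commons-logging API
grant codeBase "file:${catalina.home}/bin/commons-logging-api-1.1.1.jar" {
        permission java.security.AllPermission;
};

// These permissions apply to the server startup code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
        permission java.security.AllPermission;
};

// These permissions apply to the JMX server
grant codeBase "file:${catalina.home}/bin/jmx.jar" {
        permission java.security.AllPermission;
};

// These permissions apply to JULI
// (the one Catalina jar here that is granted a specific list instead of
// AllPermission: logging config lookup, the logs directory, shutdown hooks).
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
        permission java.util.PropertyPermission "java.util.logging.config.class", "read";
        permission java.util.PropertyPermission "java.util.logging.config.file", "read";
        permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
        permission java.lang.RuntimePermission "shutdownHooks";
        permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
        permission java.util.PropertyPermission "catalina.base", "read";
        permission java.util.logging.LoggingPermission "control";
        permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
        permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
        permission java.lang.RuntimePermission "getClassLoader";
        // To enable per context logging configuration, permit read
        // access to the appropriate file.
        // Be sure that the logging configuration is secure before
        // enabling such access
        // eg for the examples web application:
        // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
};

// These permissions apply to the servlet API classes
// and those that are shared across all class loaders
// located in the "common" directory
// Every jar or class placed under this directory runs with AllPermission,
// so the directory should be writable by the administrator only.
grant codeBase "file:${catalina.home}/common/-" {
        permission java.security.AllPermission;
};

// These permissions apply to the container's core code, plus any additional
// libraries installed in the "server" directory
// Same remark as for "common": the whole directory tree is fully trusted.
grant codeBase "file:${catalina.home}/server/-" {
        permission java.security.AllPermission;
};

// The permissions granted to the balancer WEB-INF/classes and
// WEB-INF/lib directory
grant codeBase "file:${catalina.home}/webapps/balancer/-" {
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester.*";
};

// ========== WEB APPLICATION PERMISSIONS =====================================

// These permissions are granted by default to all web applications
// In addition, a web application will be given a read FilePermission
// and JndiPermission for all files and directories in its document root.
// There is no codeBase on this grant, so it applies to every deployed
// application; permissions that only one application needs belong in a
// separate grant with that application's codeBase, not here.
grant {
    // Required for JNDI lookup of named JDBC DataSource's and
    // javamail named MimePart DataSource used to send mail
    permission java.util.PropertyPermission "java.home", "read";
    permission java.util.PropertyPermission "java.naming.*", "read";
    permission java.util.PropertyPermission "javax.sql.*", "read";

    // OS Specific properties to allow read access
    permission java.util.PropertyPermission "os.name", "read";
    permission java.util.PropertyPermission "os.version", "read";
    permission java.util.PropertyPermission "os.arch", "read";
    permission java.util.PropertyPermission "file.separator", "read";
    permission java.util.PropertyPermission "path.separator", "read";
    permission java.util.PropertyPermission "line.separator", "read";

    // JVM properties to allow read access
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "java.vendor", "read";
    permission java.util.PropertyPermission "java.vendor.url", "read";
    permission java.util.PropertyPermission "java.class.version", "read";
    permission java.util.PropertyPermission "java.specification.version", "read";
    permission java.util.PropertyPermission "java.specification.vendor", "read";
    permission java.util.PropertyPermission "java.specification.name", "read";

    permission java.util.PropertyPermission "java.vm.specification.version", "read";
    permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
    permission java.util.PropertyPermission "java.vm.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.version", "read";
    permission java.util.PropertyPermission "java.vm.vendor", "read";
    permission java.util.PropertyPermission "java.vm.name", "read";

    // Required for OpenJMX
    permission java.lang.RuntimePermission "getAttribute";

    // Allow read of JAXP compliant XML parser debug
    permission java.util.PropertyPermission "jaxp.debug", "read";

    // Precompiled JSPs need access to this package.
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";

    // Precompiled JSPs need access to this system property.
    permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
};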


My server.xml configuration file is:
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->

<!-- Tomcat 5 server.xml as posted in the thread. The poster states that this
     instance is reached only through AJP from a front-end Apache httpd, which
     is worth keeping in mind for the HTTP connector below. -->

<!-- Shutdown command listener. "SHUTDOWN" is the stock command string, so any
     process that can open port 8005 and send it stops the server; a
     site-specific string is advisable. No address attribute is given here.
     NOTE(review): confirm the listener binds to loopback on this version. -->
<Server port="8005" shutdown="SHUTDOWN">

  <!-- Lifecycle listeners: APR, MBean registration for the server and for the
       global JNDI resources, and StoreConfig. Under a security manager the
       MBean registration they perform must be allowed by the policy. -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
/>
  <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>

  <!-- Global JNDI resources -->
  <GlobalNamingResources>

    <!-- Test entry for demonstration purposes (not needed in production) -->
    <Environment name="simpleValue" type="java.lang.Integer" value="30"/>

    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
       description="User database that can be updated and saved"
           factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
          pathname="conf/tomcat-users.xml" />

  </GlobalNamingResources>

  <!-- Define the Tomcat Stand-Alone Service -->
  <Service name="Catalina">

    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
    <!-- No address attribute, so this connector is not restricted to the
         loopback interface. If all traffic really arrives over AJP from the
         front-end web server, binding it to 127.0.0.1 or removing it
         reduces the exposed surface. -->
    <Connector port="8080" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" />
    <!-- Note : To disable connection timeouts, set connectionTimeout value
     to 0 -->

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <!-- Bound to 127.0.0.1, so only a web server on the same host can
         reach it. -->
    <Connector port="8009"
               enableLookups="false" redirectPort="8443"
protocol="AJP/1.3" address="127.0.0.1" />

    <!-- The stock file defines a proxied HTTP/1.1 connector on port 8082 at
         this point; it is not present in this configuration. -->
    <Engine name="Catalina" defaultHost="localhost">

      <!-- Authenticates against the "UserDatabase" JNDI resource declared
           above, i.e. conf/tomcat-users.xml. -->
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>

      <!-- Define the default virtual host
           Note: XML Schema validation will not work with Xerces 2.2.
       -->
      <!-- autoDeploy and unpackWARs are on, so anything dropped into the
           appBase directory is deployed automatically; with the security
           manager each such application runs under the policy's default
           grant. The appBase directory should be writable only by the
           administrator. -->
      <Host name="localhost" appBase="webapps"
       unpackWARs="true" autoDeploy="true"
       xmlValidation="false" xmlNamespaceAware="false">


        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->

        <!-- Access logging is disabled (both valves below are commented
             out); enabling one gives a per-request record for incident
             review. -->
        <!--
        <Valve className="org.apache.catalina.valves.AccessLogValve"
                 directory="logs"  prefix="localhost_access_log." suffix=".txt"
                 pattern="common" resolveHosts="false"/>
        -->
        <!--
        <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve"
                 directory="logs"  prefix="localhost_access_log." suffix=".txt"
                 pattern="common" resolveHosts="false"/>
        -->
      </Host>

    </Engine>

  </Service>

</Server>

Thank you in advance.
If any logs are needed I can of course provide them.

-- 
Best Regards / S pozdravem
Petr Hracek



Re: Catalina.policy file for security option

Posted by Petr Hracek <ph...@gmail.com>.
I have made progress with starting Catalina in security mode, and now I am
at the stage where in the catalina.out log file I have:

access: access allowed (java.io.FilePermission
/usr/share/tomcat5/common/classes/log4j.properties read)
access: access denied (java.io.FilePermission
/usr/share/tomcat5/common/classes/log4j.properties read)
access: access denied (javax.management.MBeanPermission
org.apache.commons.modeler.BaseModelMBean#-[Catalina:J2EEApplication=none,J2EEServer=none,j2eeType=WebModule,name=//localhost/PM]
registerMBean)
access: access allowed (java.lang.RuntimePermission setContextClassLoader)
access: access denied (javax.management.MBeanPermission
org.apache.commons.modeler.BaseModelMBean#-[Catalina:J2EEApplication=none,J2EEServer=none,j2eeType=WebModule,name=//localhost/PM]
registerMBean)
access: access allowed (java.io.FilePermission
/usr/share/tomcat5/server/lib/catalina.jar read)
access: access denied (java.io.FilePermission
/usr/share/tomcat5/server/lib/catalina.jar read)
access: access denied (javax.management.MBeanPermission
org.apache.commons.modeler.BaseModelMBean#-[null:port=8080,type=ProtocolHandler]
registerMBean)
access: access allowed (java.net.SocketPermission localhost:8080 listen,resolve)
access: access allowed (java.lang.RuntimePermission shutdownHooks)
access: access allowed (java.net.SocketPermission localhost:8005 listen,resolve)
access: access allowed (java.lang.RuntimePermission exitVM.1)
access: access allowed (java.lang.RuntimePermission shutdownHooks)
access: access allowed (java.util.logging.LoggingPermission control)

But in the output of lsof -i | grep java, tomcat is not mentioned.

Dne 8. listopadu 2011 14:15 Petr Hracek <ph...@gmail.com> napsal(a):
> When I have set CATALINA_OPTS to:
> linux:/var/log/tomcat5/base # echo $CATALINA_OPTS
> -Djava.security.debug=all
> linux:/var/log/tomcat5/base #
>
> in log I see:
> domain 1 ProtectionDomain
> CodeSource=CodeSource, url=file:/usr/share/tomcat5/bin/bootstrap.jar,
> <no certificates>
> ClassLoader=sun.misc.Launcher$AppClassLoader@8e208e2
> <no principals>
> Permissions:
>                static: java.security.Permissions@8930893 (
>  (java.io.FilePermission /usr/share/tomcat5/bin/bootstrap.jar read)
>  (java.lang.RuntimePermission exitVM)
> )
>
>
> Dne 8. listopadu 2011 13:51 Petr Hracek <ph...@gmail.com> napsal(a):
>> Yes the tomcat should be run as a back-end server (AJP) with apache2-2.2.21.
>> I have add to the catalina.policy following permission:
>>        permission javax.management.MBeanServerPermission "createMBeanServer";
>>        permission javax.management.MBeamPermission
>> "com.javamonitor.mbeans.*","*";
>>        permission javax.management.MBeanTrustPermission "register";
>>        permission javax.management.MBeanServerPermission "findMBeanServer";
>>        permission java.net.SocketPermission "java-monitor.com:80", "connect";
>>        permission java.net.SocketPermission "java-monitor.com:80", "resolve";
>>
>> In the log of catalina.out I see:
>> log4j:WARN No appenders could be found for logger
>> (org.apache.catalina.startup.Embedded).
>> log4j:WARN Please initialize the log4j system properly.
>>
>> But as in ps -ef | grep java and lsof -i | grep java I did not see any
>> 8009 and 8005 port or even that tomcat5 is not starting.
>>
>> Where could be a problem?
>>
>> Dne 7. listopadu 2011 12:29 André Warnier <aw...@ice-sa.com> napsal(a):
>>> Petr Hracek wrote:
>>>>
>>>> Dear tomcat users,
>>>>
>>>> I have try to configure my really old tomcat5 configuration (for using
>>>> -security).
>>>> but tomcat is not running.
>>>
>>> Petr,
>>> can you be a bit more specific ? what is not running ? does it start ? does
>>> it crash after starting ? is it just not answering requests ? are there
>>> error messages anywhere ?
>>>
>>> On my system tomcat5 is run only as servlet
>>>>
>>>> engine and not as web server.
>>>>
>>> Do you mean for example that it runs as a back-end server (through AJP
>>> e.g.), with a front-end webserver serving all static content ?
>>>
>>>
>>>
>>>> Do you have any example catalina.policy file?
>>>> My catalina.policy file is:
>>>> // ========== SYSTEM CODE PERMISSIONS
>>>> =========================================
>>>>
>>>>
>>>> // These permissions apply to javac
>>>> grant codeBase "file:${java.home}/lib/-" {
>>>>        permission java.security.AllPermission;
>>>> };
>>>>
>>>> // These permissions apply to all shared system extensions
>>>> grant codeBase "file:${java.home}/jre/lib/ext/-" {
>>>>        permission java.security.AllPermission;
>>>> };
>>>>
>>>> // These permissions apply to javac when ${java.home] points at
>>>> $JAVA_HOME/jre
>>>> grant codeBase "file:${java.home}/../lib/-" {
>>>>        permission java.security.AllPermission;
>>>> };
>>>>
>>>> // These permissions apply to all shared system extensions when
>>>> // ${java.home} points at $JAVA_HOME/jre
>>>> grant codeBase "file:${java.home}/lib/ext/-" {
>>>>        permission java.security.AllPermission;
>>>> };
>>>> // ========== CATALINA CODE PERMISSIONS
>>>> =======================================
>>>>
>>>>
>>>> // These permissions apply to the launcher code
>>>> grant codeBase "file:${catalina.home}/bin/commons-launcher.jar" {
>>>>        permission java.security.AllPermission;
>>>> };
>>>>
>>>> // These permissions apply to the daemon code
>>>> grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
>>>>        permission java.security.AllPermission;
>>>> };
>>>>
>>>> // These permissions apply to the commons-logging API
>>>> grant codeBase "file:${catalina.home}/bin/commons-logging-api-1.1.1.jar" {
>>>>        permission java.security.AllPermission;
>>>> };
>>>>
>>>> // These permissions apply to the server startup code
>>>> grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
>>>>        permission java.security.AllPermission;
>>>> };
>>>>
>>>> // These permissions apply to the JMX server
>>>> grant codeBase "file:${catalina.home}/bin/jmx.jar" {
>>>>        permission java.security.AllPermission;
>>>> };
>>>>
>>>> // These permissions apply to JULI
>>>> grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
>>>>        permission java.util.PropertyPermission
>>>> "java.util.logging.config.class", "read";
>>>>        permission java.util.PropertyPermission
>>>> "java.util.logging.config.file", "read";
>>>>        permission java.io.FilePermission
>>>> "${java.home}${file.separator}lib${file.separator}logging.properties",
>>>> "read";
>>>>        permission java.lang.RuntimePermission "shutdownHooks";
>>>>        permission java.io.FilePermission
>>>>
>>>> "${catalina.base}${file.separator}conf${file.separator}logging.properties",
>>>> "read";
>>>>        permission java.util.PropertyPermission "catalina.base", "read";
>>>>        permission java.util.logging.LoggingPermission "control";
>>>>        permission java.io.FilePermission
>>>> "${catalina.base}${file.separator}logs", "read, write";
>>>>        permission java.io.FilePermission
>>>> "${catalina.base}${file.separator}logs${file.separator}*", "read,
>>>> write";
>>>>        permission java.lang.RuntimePermission "getClassLoader";
>>>>        // To enable per context logging configuration, permit read
>>>> access to the appropriate file.
>>>>        // Be sure that the logging configuration is secure before
>>>> enabling such access
>>>>        // eg for the examples web application:
>>>>        // permission java.io.FilePermission
>>>>
>>>> "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties",
>>>> "read";
>>>> };
>>>>
>>>> // These permissions apply to the servlet API classes
>>>> // and those that are shared across all class loaders
>>>> // located in the "common" directory
>>>> grant codeBase "file:${catalina.home}/common/-" {
>>>>        permission java.security.AllPermission;
>>>> };
>>>>
>>>> // These permissions apply to the container's core code, plus any
>>>> additional
>>>> // libraries installed in the "server" directory
>>>> grant codeBase "file:${catalina.home}/server/-" {
>>>>        permission java.security.AllPermission;
>>>> };
>>>>
>>>> // The permissions granted to the balancer WEB-INF/classes and
>>>> WEB-INF/lib directory
>>>> grant codeBase "file:${catalina.home}/webapps/balancer/-" {
>>>>        permission java.lang.RuntimePermission
>>>> "accessClassInPackage.org.apache.tomcat.util.digester";
>>>>        permission java.lang.RuntimePermission
>>>> "accessClassInPackage.org.apache.tomcat.util.digester.*";
>>>> };
>>>> // ========== WEB APPLICATION PERMISSIONS
>>>> =====================================
>>>>
>>>>
>>>> // These permissions are granted by default to all web applications
>>>> // In addition, a web application will be given a read FilePermission
>>>> // and JndiPermission for all files and directories in its document root.
>>>> grant {
>>>>    // Required for JNDI lookup of named JDBC DataSource's and
>>>>    // javamail named MimePart DataSource used to send mail
>>>>    permission java.util.PropertyPermission "java.home", "read";
>>>>    permission java.util.PropertyPermission "java.naming.*", "read";
>>>>    permission java.util.PropertyPermission "javax.sql.*", "read";
>>>>
>>>>    // OS Specific properties to allow read access
>>>>    permission java.util.PropertyPermission "os.name", "read";
>>>>    permission java.util.PropertyPermission "os.version", "read";
>>>>    permission java.util.PropertyPermission "os.arch", "read";
>>>>    permission java.util.PropertyPermission "file.separator", "read";
>>>>    permission java.util.PropertyPermission "path.separator", "read";
>>>>    permission java.util.PropertyPermission "line.separator", "read";
>>>>
>>>>    // JVM properties to allow read access
>>>>    permission java.util.PropertyPermission "java.version", "read";
>>>>    permission java.util.PropertyPermission "java.vendor", "read";
>>>>    permission java.util.PropertyPermission "java.vendor.url", "read";
>>>>    permission java.util.PropertyPermission "java.class.version", "read";
>>>>    permission java.util.PropertyPermission
>>>> "java.specification.version", "read";
>>>>    permission java.util.PropertyPermission "java.specification.vendor",
>>>> "read";
>>>>    permission java.util.PropertyPermission "java.specification.name",
>>>> "read";
>>>>
>>>>    permission java.util.PropertyPermission
>>>> "java.vm.specification.version", "read";
>>>>    permission java.util.PropertyPermission
>>>> "java.vm.specification.vendor", "read";
>>>>    permission java.util.PropertyPermission
>>>> "java.vm.specification.name", "read";
>>>>    permission java.util.PropertyPermission "java.vm.version", "read";
>>>>    permission java.util.PropertyPermission "java.vm.vendor", "read";
>>>>    permission java.util.PropertyPermission "java.vm.name", "read";
>>>>
>>>>    // Required for OpenJMX
>>>>    permission java.lang.RuntimePermission "getAttribute";
>>>>
>>>>    // Allow read of JAXP compliant XML parser debug
>>>>    permission java.util.PropertyPermission "jaxp.debug", "read";
>>>>
>>>>    // Precompiled JSPs need access to this package.
>>>>    permission java.lang.RuntimePermission
>>>> "accessClassInPackage.org.apache.jasper.runtime";
>>>>    permission java.lang.RuntimePermission
>>>> "accessClassInPackage.org.apache.jasper.runtime.*";
>>>>
>>>>    // Precompiled JSPs need access to this system property.
>>>>    permission java.util.PropertyPermission
>>>> "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
>>>> };
>>>>
>>>>
>>>> My server.xml configuration file is:
>>>> <?xml version="1.0" encoding="UTF-8"?>
>>>> <!--
>>>>  Licensed to the Apache Software Foundation (ASF) under one or more
>>>>  contributor license agreements.  See the NOTICE file distributed with
>>>>  this work for additional information regarding copyright ownership.
>>>>  The ASF licenses this file to You under the Apache License, Version 2.0
>>>>  (the "License"); you may not use this file except in compliance with
>>>>  the License.  You may obtain a copy of the License at
>>>>
>>>>      http://www.apache.org/licenses/LICENSE-2.0
>>>>
>>>>  Unless required by applicable law or agreed to in writing, software
>>>>  distributed under the License is distributed on an "AS IS" BASIS,
>>>>  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>>>>  See the License for the specific language governing permissions and
>>>>  limitations under the License.
>>>> -->
>>>>
>>>> <Server port="8005" shutdown="SHUTDOWN">
>>>>
>>>>  <Listener className="org.apache.catalina.core.AprLifecycleListener" />
>>>>  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"
>>>> />
>>>>  <Listener
>>>> className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
>>>> />
>>>>  <Listener
>>>> className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>
>>>>
>>>>  <!-- Global JNDI resources -->
>>>>  <GlobalNamingResources>
>>>>
>>>>    <!-- Test entry for demonstration purposes -->
>>>>    <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
>>>>
>>>>    <!-- Editable user database that can also be used by
>>>>         UserDatabaseRealm to authenticate users -->
>>>>    <Resource name="UserDatabase" auth="Container"
>>>>              type="org.apache.catalina.UserDatabase"
>>>>       description="User database that can be updated and saved"
>>>>           factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>>>>          pathname="conf/tomcat-users.xml" />
>>>>
>>>>  </GlobalNamingResources>
>>>>
>>>>  <!-- Define the Tomcat Stand-Alone Service -->
>>>>  <Service name="Catalina">
>>>>
>>>>    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
>>>>    <Connector port="8080" maxHttpHeaderSize="8192"
>>>>               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>>>>               enableLookups="false" redirectPort="8443" acceptCount="100"
>>>>               connectionTimeout="20000" disableUploadTimeout="true" />
>>>>    <!-- Note : To disable connection timeouts, set connectionTimeout value
>>>>     to 0 -->
>>>>
>>>>    <!-- Define an AJP 1.3 Connector on port 8009 -->
>>>>    <Connector port="8009"
>>>>               enableLookups="false" redirectPort="8443"
>>>> protocol="AJP/1.3" address="127.0.0.1" />
>>>>
>>>>    <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
>>>>    <!-- See proxy documentation for more information about using this. -->
>>>>    <Engine name="Catalina" defaultHost="localhost">
>>>>
>>>>      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>>>>             resourceName="UserDatabase"/>
>>>>
>>>>      <!-- Define the default virtual host
>>>>           Note: XML Schema validation will not work with Xerces 2.2.
>>>>       -->
>>>>      <Host name="localhost" appBase="webapps"
>>>>       unpackWARs="true" autoDeploy="true"
>>>>       xmlValidation="false" xmlNamespaceAware="false">
>>>>
>>>>
>>>>        <!--
>>>>        <Valve className="org.apache.catalina.authenticator.SingleSignOn"
>>>> />
>>>>        -->
>>>>
>>>>        <!--
>>>>        <Valve className="org.apache.catalina.valves.AccessLogValve"
>>>>                 directory="logs"  prefix="localhost_access_log."
>>>> suffix=".txt"
>>>>                 pattern="common" resolveHosts="false"/>
>>>>        -->
>>>>        <!--
>>>>        <Valve
>>>> className="org.apache.catalina.valves.FastCommonAccessLogValve"
>>>>                 directory="logs"  prefix="localhost_access_log."
>>>> suffix=".txt"
>>>>                 pattern="common" resolveHosts="false"/>
>>>>        -->
>>>>      </Host>
>>>>
>>>>    </Engine>
>>>>
>>>>  </Service>
>>>>
>>>> </Server>
>>>>
>>>> Thank you in advance.
>>>> If any logs will be need I can provide of course.
>>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>>
>>
>>
>>
>> --
>> Best Regards / S pozdravem
>> Petr Hracek
>>
>
>
>
> --
> Best Regards / S pozdravem
> Petr Hracek
>



-- 
Best Regards / S pozdravem
Petr Hracek



Re: Catalina.policy file for security option

Posted by Petr Hracek <ph...@gmail.com>.
When I set CATALINA_OPTS to:
linux:/var/log/tomcat5/base # echo $CATALINA_OPTS
-Djava.security.debug=all
linux:/var/log/tomcat5/base #

in the log I see:
domain 1 ProtectionDomain
CodeSource=CodeSource, url=file:/usr/share/tomcat5/bin/bootstrap.jar,
<no certificates>
ClassLoader=sun.misc.Launcher$AppClassLoader@8e208e2
<no principals>
Permissions:
                static: java.security.Permissions@8930893 (
 (java.io.FilePermission /usr/share/tomcat5/bin/bootstrap.jar read)
 (java.lang.RuntimePermission exitVM)
)


Dne 8. listopadu 2011 13:51 Petr Hracek <ph...@gmail.com> napsal(a):
> Yes the tomcat should be run as a back-end server (AJP) with apache2-2.2.21.
> I have add to the catalina.policy following permission:
>        permission javax.management.MBeanServerPermission "createMBeanServer";
>        permission javax.management.MBeamPermission
> "com.javamonitor.mbeans.*","*";
>        permission javax.management.MBeanTrustPermission "register";
>        permission javax.management.MBeanServerPermission "findMBeanServer";
>        permission java.net.SocketPermission "java-monitor.com:80", "connect";
>        permission java.net.SocketPermission "java-monitor.com:80", "resolve";
>
> In the log of catalina.out I see:
> log4j:WARN No appenders could be found for logger
> (org.apache.catalina.startup.Embedded).
> log4j:WARN Please initialize the log4j system properly.
>
> But as in ps -ef | grep java and lsof -i | grep java I did not see any
> 8009 and 8005 port or even that tomcat5 is not starting.
>
> Where could be a problem?
>
> Dne 7. listopadu 2011 12:29 André Warnier <aw...@ice-sa.com> napsal(a):
>> Petr Hracek wrote:
>>>
>>> Dear tomcat users,
>>>
>>> I have try to configure my really old tomcat5 configuration (for using
>>> -security).
>>> but tomcat is not running.
>>
>> Petr,
>> can you be a bit more specific ? what is not running ? does it start ? does
>> it crash after starting ? is it just not answering requests ? are there
>> error messages anywhere ?
>>
>> On my system tomcat5 is run only as servlet
>>>
>>> engine and not as web server.
>>>
>> Do you mean for example that it runs as a back-end server (through AJP
>> e.g.), with a front-end webserver serving all static content ?
>>
>>
>>
>>> Do you have any example catalina.policy file?
>>> My catalina.policy file is:
>>> // ========== SYSTEM CODE PERMISSIONS
>>> =========================================
>>>
>>>
>>> // These permissions apply to javac
>>> grant codeBase "file:${java.home}/lib/-" {
>>>        permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to all shared system extensions
>>> grant codeBase "file:${java.home}/jre/lib/ext/-" {
>>>        permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to javac when ${java.home] points at
>>> $JAVA_HOME/jre
>>> grant codeBase "file:${java.home}/../lib/-" {
>>>        permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to all shared system extensions when
>>> // ${java.home} points at $JAVA_HOME/jre
>>> grant codeBase "file:${java.home}/lib/ext/-" {
>>>        permission java.security.AllPermission;
>>> };
>>> // ========== CATALINA CODE PERMISSIONS
>>> =======================================
>>>
>>>
>>> // These permissions apply to the launcher code
>>> grant codeBase "file:${catalina.home}/bin/commons-launcher.jar" {
>>>        permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to the daemon code
>>> grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
>>>        permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to the commons-logging API
>>> grant codeBase "file:${catalina.home}/bin/commons-logging-api-1.1.1.jar" {
>>>        permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to the server startup code
>>> grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
>>>        permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to the JMX server
>>> grant codeBase "file:${catalina.home}/bin/jmx.jar" {
>>>        permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to JULI
>>> grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
>>>        permission java.util.PropertyPermission
>>> "java.util.logging.config.class", "read";
>>>        permission java.util.PropertyPermission
>>> "java.util.logging.config.file", "read";
>>>        permission java.io.FilePermission
>>> "${java.home}${file.separator}lib${file.separator}logging.properties",
>>> "read";
>>>        permission java.lang.RuntimePermission "shutdownHooks";
>>>        permission java.io.FilePermission
>>>
>>> "${catalina.base}${file.separator}conf${file.separator}logging.properties",
>>> "read";
>>>        permission java.util.PropertyPermission "catalina.base", "read";
>>>        permission java.util.logging.LoggingPermission "control";
>>>        permission java.io.FilePermission
>>> "${catalina.base}${file.separator}logs", "read, write";
>>>        permission java.io.FilePermission
>>> "${catalina.base}${file.separator}logs${file.separator}*", "read,
>>> write";
>>>        permission java.lang.RuntimePermission "getClassLoader";
>>>        // To enable per context logging configuration, permit read
>>> access to the appropriate file.
>>>        // Be sure that the logging configuration is secure before
>>> enabling such access
>>>        // eg for the examples web application:
>>>        // permission java.io.FilePermission
>>>
>>> "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties",
>>> "read";
>>> };
>>>
>>> // These permissions apply to the servlet API classes
>>> // and those that are shared across all class loaders
>>> // located in the "common" directory
>>> grant codeBase "file:${catalina.home}/common/-" {
>>>        permission java.security.AllPermission;
>>> };
>>>
>>> // These permissions apply to the container's core code, plus any
>>> additional
>>> // libraries installed in the "server" directory
>>> grant codeBase "file:${catalina.home}/server/-" {
>>>        permission java.security.AllPermission;
>>> };
>>>
>>> // The permissions granted to the balancer WEB-INF/classes and
>>> WEB-INF/lib directory
>>> grant codeBase "file:${catalina.home}/webapps/balancer/-" {
>>>        permission java.lang.RuntimePermission
>>> "accessClassInPackage.org.apache.tomcat.util.digester";
>>>        permission java.lang.RuntimePermission
>>> "accessClassInPackage.org.apache.tomcat.util.digester.*";
>>> };
>>> // ========== WEB APPLICATION PERMISSIONS
>>> =====================================
>>>
>>>
>>> // These permissions are granted by default to all web applications
>>> // In addition, a web application will be given a read FilePermission
>>> // and JndiPermission for all files and directories in its document root.
>>> grant {
>>>    // Required for JNDI lookup of named JDBC DataSource's and
>>>    // javamail named MimePart DataSource used to send mail
>>>    permission java.util.PropertyPermission "java.home", "read";
>>>    permission java.util.PropertyPermission "java.naming.*", "read";
>>>    permission java.util.PropertyPermission "javax.sql.*", "read";
>>>
>>>    // OS Specific properties to allow read access
>>>    permission java.util.PropertyPermission "os.name", "read";
>>>    permission java.util.PropertyPermission "os.version", "read";
>>>    permission java.util.PropertyPermission "os.arch", "read";
>>>    permission java.util.PropertyPermission "file.separator", "read";
>>>    permission java.util.PropertyPermission "path.separator", "read";
>>>    permission java.util.PropertyPermission "line.separator", "read";
>>>
>>>    // JVM properties to allow read access
>>>    permission java.util.PropertyPermission "java.version", "read";
>>>    permission java.util.PropertyPermission "java.vendor", "read";
>>>    permission java.util.PropertyPermission "java.vendor.url", "read";
>>>    permission java.util.PropertyPermission "java.class.version", "read";
>>>    permission java.util.PropertyPermission
>>> "java.specification.version", "read";
>>>    permission java.util.PropertyPermission "java.specification.vendor",
>>> "read";
>>>    permission java.util.PropertyPermission "java.specification.name",
>>> "read";
>>>
>>>    permission java.util.PropertyPermission
>>> "java.vm.specification.version", "read";
>>>    permission java.util.PropertyPermission
>>> "java.vm.specification.vendor", "read";
>>>    permission java.util.PropertyPermission
>>> "java.vm.specification.name", "read";
>>>    permission java.util.PropertyPermission "java.vm.version", "read";
>>>    permission java.util.PropertyPermission "java.vm.vendor", "read";
>>>    permission java.util.PropertyPermission "java.vm.name", "read";
>>>
>>>    // Required for OpenJMX
>>>    permission java.lang.RuntimePermission "getAttribute";
>>>
>>>    // Allow read of JAXP compliant XML parser debug
>>>    permission java.util.PropertyPermission "jaxp.debug", "read";
>>>
>>>    // Precompiled JSPs need access to this package.
>>>    permission java.lang.RuntimePermission
>>> "accessClassInPackage.org.apache.jasper.runtime";
>>>    permission java.lang.RuntimePermission
>>> "accessClassInPackage.org.apache.jasper.runtime.*";
>>>
>>>    // Precompiled JSPs need access to this system property.
>>>    permission java.util.PropertyPermission
>>> "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
>>> };
>>>
>>>
>>> My server.xml configuration file is:
>>> <?xml version="1.0" encoding="UTF-8"?>
>>> <!--
>>>  Licensed to the Apache Software Foundation (ASF) under one or more
>>>  contributor license agreements.  See the NOTICE file distributed with
>>>  this work for additional information regarding copyright ownership.
>>>  The ASF licenses this file to You under the Apache License, Version 2.0
>>>  (the "License"); you may not use this file except in compliance with
>>>  the License.  You may obtain a copy of the License at
>>>
>>>      http://www.apache.org/licenses/LICENSE-2.0
>>>
>>>  Unless required by applicable law or agreed to in writing, software
>>>  distributed under the License is distributed on an "AS IS" BASIS,
>>>  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>>>  See the License for the specific language governing permissions and
>>>  limitations under the License.
>>> -->
>>>
>>> <!-- "SHUTDOWN" is the well-known default shutdown command: any local
>>>      process that can connect to port 8005 can stop the server. Use a
>>>      long, non-default string here. -->
>>> <Server port="8005" shutdown="SHUTDOWN">
>>>
>>>  <Listener className="org.apache.catalina.core.AprLifecycleListener" />
>>>  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"
>>> />
>>>  <Listener
>>> className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
>>> />
>>>  <Listener
>>> className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>
>>>
>>>  <!-- Global JNDI resources -->
>>>  <GlobalNamingResources>
>>>
>>>    <!-- Test entry for demonstration purposes -->
>>>    <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
>>>
>>>    <!-- Editable user database that can also be used by
>>>         UserDatabaseRealm to authenticate users -->
>>>    <Resource name="UserDatabase" auth="Container"
>>>              type="org.apache.catalina.UserDatabase"
>>>       description="User database that can be updated and saved"
>>>           factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>>>          pathname="conf/tomcat-users.xml" />
>>>
>>>  </GlobalNamingResources>
>>>
>>>  <!-- Define the Tomcat Stand-Alone Service -->
>>>  <Service name="Catalina">
>>>
>>>    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080.
>>>         Note: without an address attribute this listens on all interfaces.
>>>         If Tomcat is only reached through the AJP connector below, remove
>>>         this connector or bind it with address="127.0.0.1" as well. -->
>>>    <Connector port="8080" maxHttpHeaderSize="8192"
>>>               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>>>               enableLookups="false" redirectPort="8443" acceptCount="100"
>>>               connectionTimeout="20000" disableUploadTimeout="true" />
>>>    <!-- Note : To disable connection timeouts, set connectionTimeout value
>>>     to 0 -->
>>>
>>>    <!-- Define an AJP 1.3 Connector on port 8009 -->
>>>    <Connector port="8009"
>>>               enableLookups="false" redirectPort="8443"
>>> protocol="AJP/1.3" address="127.0.0.1" />
>>>
>>>    <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
>>>    <!-- See proxy documentation for more information about using this. -->
>>>    <Engine name="Catalina" defaultHost="localhost">
>>>
>>>      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>>>             resourceName="UserDatabase"/>
>>>
>>>      <!-- Define the default virtual host
>>>           Note: XML Schema validation will not work with Xerces 2.2.
>>>       -->
>>>      <!-- autoDeploy="true": anything placed in the webapps directory is
>>>           deployed and run automatically, so only the Tomcat administrator
>>>           should be able to write there. -->
>>>      <Host name="localhost" appBase="webapps"
>>>       unpackWARs="true" autoDeploy="true"
>>>       xmlValidation="false" xmlNamespaceAware="false">
>>>
>>>
>>>        <!--
>>>        <Valve className="org.apache.catalina.authenticator.SingleSignOn"
>>> />
>>>        -->
>>>
>>>        <!--
>>>        <Valve className="org.apache.catalina.valves.AccessLogValve"
>>>                 directory="logs"  prefix="localhost_access_log."
>>> suffix=".txt"
>>>                 pattern="common" resolveHosts="false"/>
>>>        -->
>>>        <!--
>>>        <Valve
>>> className="org.apache.catalina.valves.FastCommonAccessLogValve"
>>>                 directory="logs"  prefix="localhost_access_log."
>>> suffix=".txt"
>>>                 pattern="common" resolveHosts="false"/>
>>>        -->
>>>      </Host>
>>>
>>>    </Engine>
>>>
>>>  </Service>
>>>
>>> </Server>
>>>
>>> Thank you in advance.
>>> If any logs are needed I can of course provide them.
>>>
>>
>>
>>
>>
>
>
>
> --
> Best Regards / S pozdravem
> Petr Hracek
>



-- 
Best Regards / S pozdravem
Petr Hracek



Re: Catalina.policy file for security option

Posted by Petr Hracek <ph...@gmail.com>.
Yes, tomcat runs as a back-end server (AJP) behind apache2-2.2.21.
I have added the following permissions to catalina.policy:
        permission javax.management.MBeanServerPermission "createMBeanServer";
        permission javax.management.MBeanPermission
"com.javamonitor.mbeans.*","*";
        permission javax.management.MBeanTrustPermission "register";
        permission javax.management.MBeanServerPermission "findMBeanServer";
        permission java.net.SocketPermission "java-monitor.com:80", "connect";
        permission java.net.SocketPermission "java-monitor.com:80", "resolve";

In the log of catalina.out I see:
log4j:WARN No appenders could be found for logger
(org.apache.catalina.startup.Embedded).
log4j:WARN Please initialize the log4j system properly.

But ps -ef | grep java and lsof -i | grep java show no java process and
nothing listening on 8009 or 8005, so it looks as if tomcat5 is not
starting at all.

Where could the problem be? (With the security manager enabled, starting
with -Djava.security.debug=access,failure in JAVA_OPTS shows which
permission check, if any, is being denied.)

Dne 7. listopadu 2011 12:29 André Warnier <aw...@ice-sa.com> napsal(a):
> Petr Hracek wrote:
>>
>> Dear tomcat users,
>>
>> I have tried to configure my really old tomcat5 installation to run with
>> -security,
>> but tomcat is not running.
>
> Petr,
> can you be a bit more specific ? what is not running ? does it start ? does
> it crash after starting ? is it just not answering requests ? are there
> error messages anywhere ?
>
>> On my system tomcat5 runs only as a servlet
>>
>> engine and not as a web server.
>>
> Do you mean for example that it runs as a back-end server (through AJP
> e.g.), with a front-end webserver serving all static content ?
>
>
>
>> Do you have any example catalina.policy file?
>> My catalina.policy file is:
>> // ========== SYSTEM CODE PERMISSIONS
>> =========================================
>>
>>
>> // These permissions apply to javac
>> grant codeBase "file:${java.home}/lib/-" {
>>        permission java.security.AllPermission;
>> };
>>
>> // These permissions apply to all shared system extensions
>> grant codeBase "file:${java.home}/jre/lib/ext/-" {
>>        permission java.security.AllPermission;
>> };
>>
>> // These permissions apply to javac when ${java.home} points at
>> $JAVA_HOME/jre
>> grant codeBase "file:${java.home}/../lib/-" {
>>        permission java.security.AllPermission;
>> };
>>
>> // These permissions apply to all shared system extensions when
>> // ${java.home} points at $JAVA_HOME/jre
>> grant codeBase "file:${java.home}/lib/ext/-" {
>>        permission java.security.AllPermission;
>> };
>> // ========== CATALINA CODE PERMISSIONS
>> =======================================
>>
>>
>> // These permissions apply to the launcher code
>> grant codeBase "file:${catalina.home}/bin/commons-launcher.jar" {
>>        permission java.security.AllPermission;
>> };
>>
>> // These permissions apply to the daemon code
>> grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
>>        permission java.security.AllPermission;
>> };
>>
>> // These permissions apply to the commons-logging API
>> grant codeBase "file:${catalina.home}/bin/commons-logging-api-1.1.1.jar" {
>>        permission java.security.AllPermission;
>> };
>>
>> // These permissions apply to the server startup code
>> grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
>>        permission java.security.AllPermission;
>> };
>>
>> // These permissions apply to the JMX server
>> grant codeBase "file:${catalina.home}/bin/jmx.jar" {
>>        permission java.security.AllPermission;
>> };
>>
>> // These permissions apply to JULI
>> grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
>>        permission java.util.PropertyPermission
>> "java.util.logging.config.class", "read";
>>        permission java.util.PropertyPermission
>> "java.util.logging.config.file", "read";
>>        permission java.io.FilePermission
>> "${java.home}${file.separator}lib${file.separator}logging.properties",
>> "read";
>>        permission java.lang.RuntimePermission "shutdownHooks";
>>        permission java.io.FilePermission
>>
>> "${catalina.base}${file.separator}conf${file.separator}logging.properties",
>> "read";
>>        permission java.util.PropertyPermission "catalina.base", "read";
>>        permission java.util.logging.LoggingPermission "control";
>>        permission java.io.FilePermission
>> "${catalina.base}${file.separator}logs", "read, write";
>>        permission java.io.FilePermission
>> "${catalina.base}${file.separator}logs${file.separator}*", "read,
>> write";
>>        permission java.lang.RuntimePermission "getClassLoader";
>>        // To enable per context logging configuration, permit read
>> access to the appropriate file.
>>        // Be sure that the logging configuration is secure before
>> enabling such access
>>        // eg for the examples web application:
>>        // permission java.io.FilePermission
>>
>> "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties",
>> "read";
>> };
>>
>> // These permissions apply to the servlet API classes
>> // and those that are shared across all class loaders
>> // located in the "common" directory
>> grant codeBase "file:${catalina.home}/common/-" {
>>        permission java.security.AllPermission;
>> };
>>
>> // These permissions apply to the container's core code, plus any
>> additional
>> // libraries installed in the "server" directory
>> grant codeBase "file:${catalina.home}/server/-" {
>>        permission java.security.AllPermission;
>> };
>>
>> // The permissions granted to the balancer WEB-INF/classes and
>> WEB-INF/lib directory
>> grant codeBase "file:${catalina.home}/webapps/balancer/-" {
>>        permission java.lang.RuntimePermission
>> "accessClassInPackage.org.apache.tomcat.util.digester";
>>        permission java.lang.RuntimePermission
>> "accessClassInPackage.org.apache.tomcat.util.digester.*";
>> };
>> // ========== WEB APPLICATION PERMISSIONS
>> =====================================
>>
>>
>> // These permissions are granted by default to all web applications
>> // In addition, a web application will be given a read FilePermission
>> // and JndiPermission for all files and directories in its document root.
>> grant {
>>    // Required for JNDI lookup of named JDBC DataSource's and
>>    // javamail named MimePart DataSource used to send mail
>>    permission java.util.PropertyPermission "java.home", "read";
>>    permission java.util.PropertyPermission "java.naming.*", "read";
>>    permission java.util.PropertyPermission "javax.sql.*", "read";
>>
>>    // OS Specific properties to allow read access
>>    permission java.util.PropertyPermission "os.name", "read";
>>    permission java.util.PropertyPermission "os.version", "read";
>>    permission java.util.PropertyPermission "os.arch", "read";
>>    permission java.util.PropertyPermission "file.separator", "read";
>>    permission java.util.PropertyPermission "path.separator", "read";
>>    permission java.util.PropertyPermission "line.separator", "read";
>>
>>    // JVM properties to allow read access
>>    permission java.util.PropertyPermission "java.version", "read";
>>    permission java.util.PropertyPermission "java.vendor", "read";
>>    permission java.util.PropertyPermission "java.vendor.url", "read";
>>    permission java.util.PropertyPermission "java.class.version", "read";
>>    permission java.util.PropertyPermission
>> "java.specification.version", "read";
>>    permission java.util.PropertyPermission "java.specification.vendor",
>> "read";
>>    permission java.util.PropertyPermission "java.specification.name",
>> "read";
>>
>>    permission java.util.PropertyPermission
>> "java.vm.specification.version", "read";
>>    permission java.util.PropertyPermission
>> "java.vm.specification.vendor", "read";
>>    permission java.util.PropertyPermission
>> "java.vm.specification.name", "read";
>>    permission java.util.PropertyPermission "java.vm.version", "read";
>>    permission java.util.PropertyPermission "java.vm.vendor", "read";
>>    permission java.util.PropertyPermission "java.vm.name", "read";
>>
>>    // Required for OpenJMX
>>    permission java.lang.RuntimePermission "getAttribute";
>>
>>    // Allow read of JAXP compliant XML parser debug
>>    permission java.util.PropertyPermission "jaxp.debug", "read";
>>
>>    // Precompiled JSPs need access to this package.
>>    permission java.lang.RuntimePermission
>> "accessClassInPackage.org.apache.jasper.runtime";
>>    permission java.lang.RuntimePermission
>> "accessClassInPackage.org.apache.jasper.runtime.*";
>>
>>    // Precompiled JSPs need access to this system property.
>>    permission java.util.PropertyPermission
>> "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
>> };
>>
>>
>> My server.xml configuration file is:
>> <?xml version="1.0" encoding="UTF-8"?>
>> <!--
>>  Licensed to the Apache Software Foundation (ASF) under one or more
>>  contributor license agreements.  See the NOTICE file distributed with
>>  this work for additional information regarding copyright ownership.
>>  The ASF licenses this file to You under the Apache License, Version 2.0
>>  (the "License"); you may not use this file except in compliance with
>>  the License.  You may obtain a copy of the License at
>>
>>      http://www.apache.org/licenses/LICENSE-2.0
>>
>>  Unless required by applicable law or agreed to in writing, software
>>  distributed under the License is distributed on an "AS IS" BASIS,
>>  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>>  See the License for the specific language governing permissions and
>>  limitations under the License.
>> -->
>>
>> <Server port="8005" shutdown="SHUTDOWN">
>>
>>  <Listener className="org.apache.catalina.core.AprLifecycleListener" />
>>  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"
>> />
>>  <Listener
>> className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
>> />
>>  <Listener
>> className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>
>>
>>  <!-- Global JNDI resources -->
>>  <GlobalNamingResources>
>>
>>    <!-- Test entry for demonstration purposes -->
>>    <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
>>
>>    <!-- Editable user database that can also be used by
>>         UserDatabaseRealm to authenticate users -->
>>    <Resource name="UserDatabase" auth="Container"
>>              type="org.apache.catalina.UserDatabase"
>>       description="User database that can be updated and saved"
>>           factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>>          pathname="conf/tomcat-users.xml" />
>>
>>  </GlobalNamingResources>
>>
>>  <!-- Define the Tomcat Stand-Alone Service -->
>>  <Service name="Catalina">
>>
>>    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
>>    <Connector port="8080" maxHttpHeaderSize="8192"
>>               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>>               enableLookups="false" redirectPort="8443" acceptCount="100"
>>               connectionTimeout="20000" disableUploadTimeout="true" />
>>    <!-- Note : To disable connection timeouts, set connectionTimeout value
>>     to 0 -->
>>
>>    <!-- Define an AJP 1.3 Connector on port 8009 -->
>>    <Connector port="8009"
>>               enableLookups="false" redirectPort="8443"
>> protocol="AJP/1.3" address="127.0.0.1" />
>>
>>    <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
>>    <!-- See proxy documentation for more information about using this. -->
>>    <Engine name="Catalina" defaultHost="localhost">
>>
>>      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>>             resourceName="UserDatabase"/>
>>
>>      <!-- Define the default virtual host
>>           Note: XML Schema validation will not work with Xerces 2.2.
>>       -->
>>      <Host name="localhost" appBase="webapps"
>>       unpackWARs="true" autoDeploy="true"
>>       xmlValidation="false" xmlNamespaceAware="false">
>>
>>
>>        <!--
>>        <Valve className="org.apache.catalina.authenticator.SingleSignOn"
>> />
>>        -->
>>
>>        <!--
>>        <Valve className="org.apache.catalina.valves.AccessLogValve"
>>                 directory="logs"  prefix="localhost_access_log."
>> suffix=".txt"
>>                 pattern="common" resolveHosts="false"/>
>>        -->
>>        <!--
>>        <Valve
>> className="org.apache.catalina.valves.FastCommonAccessLogValve"
>>                 directory="logs"  prefix="localhost_access_log."
>> suffix=".txt"
>>                 pattern="common" resolveHosts="false"/>
>>        -->
>>      </Host>
>>
>>    </Engine>
>>
>>  </Service>
>>
>> </Server>
>>
>> Thank you in advance.
>> If any logs are needed I can of course provide them.
>>
>
>
>
>



-- 
Best Regards / S pozdravem
Petr Hracek



Re: Catalina.policy file for security option

Posted by André Warnier <aw...@ice-sa.com>.
Petr Hracek wrote:
> Dear tomcat users,
> 
> I have tried to configure my really old tomcat5 installation to run with
> -security,
> but tomcat is not running.
Petr,
can you be a bit more specific ? what is not running ? does it start ? does it crash after 
starting ? is it just not answering requests ? are there error messages anywhere ?

> On my system tomcat5 runs only as a servlet
> engine and not as a web server.
>
Do you mean for example that it runs as a back-end server (through AJP e.g.), with a 
front-end webserver serving all static content ?



> Do you have any example catalina.policy file?
> My catalina.policy file is:
> // ========== SYSTEM CODE PERMISSIONS =========================================
> 
> 
> // These permissions apply to javac
> grant codeBase "file:${java.home}/lib/-" {
>         permission java.security.AllPermission;
> };
> 
> // These permissions apply to all shared system extensions
> grant codeBase "file:${java.home}/jre/lib/ext/-" {
>         permission java.security.AllPermission;
> };
> 
> // These permissions apply to javac when ${java.home} points at $JAVA_HOME/jre
> grant codeBase "file:${java.home}/../lib/-" {
>         permission java.security.AllPermission;
> };
> 
> // These permissions apply to all shared system extensions when
> // ${java.home} points at $JAVA_HOME/jre
> grant codeBase "file:${java.home}/lib/ext/-" {
>         permission java.security.AllPermission;
> };
> // ========== CATALINA CODE PERMISSIONS =======================================
> 
> 
> // These permissions apply to the launcher code
> grant codeBase "file:${catalina.home}/bin/commons-launcher.jar" {
>         permission java.security.AllPermission;
> };
> 
> // These permissions apply to the daemon code
> grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
>         permission java.security.AllPermission;
> };
> 
> // These permissions apply to the commons-logging API
> grant codeBase "file:${catalina.home}/bin/commons-logging-api-1.1.1.jar" {
>         permission java.security.AllPermission;
> };
> 
> // These permissions apply to the server startup code
> grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
>         permission java.security.AllPermission;
> };
> 
> // These permissions apply to the JMX server
> grant codeBase "file:${catalina.home}/bin/jmx.jar" {
>         permission java.security.AllPermission;
> };
> 
> // These permissions apply to JULI
> grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
>         permission java.util.PropertyPermission
> "java.util.logging.config.class", "read";
>         permission java.util.PropertyPermission
> "java.util.logging.config.file", "read";
>         permission java.io.FilePermission
> "${java.home}${file.separator}lib${file.separator}logging.properties",
> "read";
>         permission java.lang.RuntimePermission "shutdownHooks";
>         permission java.io.FilePermission
> "${catalina.base}${file.separator}conf${file.separator}logging.properties",
> "read";
>         permission java.util.PropertyPermission "catalina.base", "read";
>         permission java.util.logging.LoggingPermission "control";
>         permission java.io.FilePermission
> "${catalina.base}${file.separator}logs", "read, write";
>         permission java.io.FilePermission
> "${catalina.base}${file.separator}logs${file.separator}*", "read,
> write";
>         permission java.lang.RuntimePermission "getClassLoader";
>         // To enable per context logging configuration, permit read
> access to the appropriate file.
>         // Be sure that the logging configuration is secure before
> enabling such access
>         // eg for the examples web application:
>         // permission java.io.FilePermission
> "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties",
> "read";
> };
> 
> // These permissions apply to the servlet API classes
> // and those that are shared across all class loaders
> // located in the "common" directory
> grant codeBase "file:${catalina.home}/common/-" {
>         permission java.security.AllPermission;
> };
> 
> // These permissions apply to the container's core code, plus any additional
> // libraries installed in the "server" directory
> grant codeBase "file:${catalina.home}/server/-" {
>         permission java.security.AllPermission;
> };
> 
> // The permissions granted to the balancer WEB-INF/classes and
> WEB-INF/lib directory
> grant codeBase "file:${catalina.home}/webapps/balancer/-" {
>         permission java.lang.RuntimePermission
> "accessClassInPackage.org.apache.tomcat.util.digester";
>         permission java.lang.RuntimePermission
> "accessClassInPackage.org.apache.tomcat.util.digester.*";
> };
> // ========== WEB APPLICATION PERMISSIONS =====================================
> 
> 
> // These permissions are granted by default to all web applications
> // In addition, a web application will be given a read FilePermission
> // and JndiPermission for all files and directories in its document root.
> grant {
>     // Required for JNDI lookup of named JDBC DataSource's and
>     // javamail named MimePart DataSource used to send mail
>     permission java.util.PropertyPermission "java.home", "read";
>     permission java.util.PropertyPermission "java.naming.*", "read";
>     permission java.util.PropertyPermission "javax.sql.*", "read";
> 
>     // OS Specific properties to allow read access
>     permission java.util.PropertyPermission "os.name", "read";
>     permission java.util.PropertyPermission "os.version", "read";
>     permission java.util.PropertyPermission "os.arch", "read";
>     permission java.util.PropertyPermission "file.separator", "read";
>     permission java.util.PropertyPermission "path.separator", "read";
>     permission java.util.PropertyPermission "line.separator", "read";
> 
>     // JVM properties to allow read access
>     permission java.util.PropertyPermission "java.version", "read";
>     permission java.util.PropertyPermission "java.vendor", "read";
>     permission java.util.PropertyPermission "java.vendor.url", "read";
>     permission java.util.PropertyPermission "java.class.version", "read";
>     permission java.util.PropertyPermission
> "java.specification.version", "read";
>     permission java.util.PropertyPermission "java.specification.vendor", "read";
>     permission java.util.PropertyPermission "java.specification.name", "read";
> 
>     permission java.util.PropertyPermission
> "java.vm.specification.version", "read";
>     permission java.util.PropertyPermission
> "java.vm.specification.vendor", "read";
>     permission java.util.PropertyPermission
> "java.vm.specification.name", "read";
>     permission java.util.PropertyPermission "java.vm.version", "read";
>     permission java.util.PropertyPermission "java.vm.vendor", "read";
>     permission java.util.PropertyPermission "java.vm.name", "read";
> 
>     // Required for OpenJMX
>     permission java.lang.RuntimePermission "getAttribute";
> 
>     // Allow read of JAXP compliant XML parser debug
>     permission java.util.PropertyPermission "jaxp.debug", "read";
> 
>     // Precompiled JSPs need access to this package.
>     permission java.lang.RuntimePermission
> "accessClassInPackage.org.apache.jasper.runtime";
>     permission java.lang.RuntimePermission
> "accessClassInPackage.org.apache.jasper.runtime.*";
> 
>     // Precompiled JSPs need access to this system property.
>     permission java.util.PropertyPermission
> "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
> };
> 
> 
> My server.xml configuration file is:
> <?xml version="1.0" encoding="UTF-8"?>
> <!--
>   Licensed to the Apache Software Foundation (ASF) under one or more
>   contributor license agreements.  See the NOTICE file distributed with
>   this work for additional information regarding copyright ownership.
>   The ASF licenses this file to You under the Apache License, Version 2.0
>   (the "License"); you may not use this file except in compliance with
>   the License.  You may obtain a copy of the License at
> 
>       http://www.apache.org/licenses/LICENSE-2.0
> 
>   Unless required by applicable law or agreed to in writing, software
>   distributed under the License is distributed on an "AS IS" BASIS,
>   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>   See the License for the specific language governing permissions and
>   limitations under the License.
> -->
> 
> <!-- Shutdown listener. Anything that can open a TCP connection to port 8005
>      and send the "SHUTDOWN" string stops the server. The string is the one
>      shipped in the stock server.xml, and no address attribute is set, so the
>      bind address is this Tomcat 5 build's default (presumably localhost;
>      verify in the startup log). A non-default command string narrows this,
>      and port="-1" disables the socket on releases that support it. -->
> <Server port="8005" shutdown="SHUTDOWN">
> 
>   <!-- Lifecycle listeners. Under -security (as this instance is run) each
>        of these executes with the permissions the policy grants to Catalina
>        code; a startup failure with java.security.AccessControlException in
>        the Tomcat log usually points at one of them. -->
>   <Listener className="org.apache.catalina.core.AprLifecycleListener" />
>   <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
>   <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
> />
>   <!-- NOTE(review): StoreConfig presumably exposes a JMX operation that
>        writes the running configuration back under conf/, so it needs write
>        access there; confirm it is actually wanted on this instance. -->
>   <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>
> 
>   <!-- Global JNDI resources -->
>   <GlobalNamingResources>
> 
>     <!-- Test entry for demonstration purposes; nothing else in this file
>          refers to it, so it is a candidate for removal (verify that no
>          deployed webapp looks it up first). -->
>     <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
> 
>     <!-- Editable user database that can also be used by
>          UserDatabaseRealm to authenticate users. The Realm under Engine
>          below refers to it by resourceName="UserDatabase". Credentials live
>          in conf/tomcat-users.xml, which is loaded by the factory and, since
>          the database is "editable", may also be written back; keep that
>          file readable only by the account Tomcat runs as. -->
>     <Resource name="UserDatabase" auth="Container"
>               type="org.apache.catalina.UserDatabase"
>        description="User database that can be updated and saved"
>            factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>           pathname="conf/tomcat-users.xml" />
> 
>   </GlobalNamingResources>
> 
>   <!-- Define the Tomcat Stand-Alone Service -->
>   <Service name="Catalina">
> 
>     <!-- Define a non-SSL HTTP/1.1 Connector on port 8080.
>          No address attribute is given, so it listens on every interface
>          (Tomcat's default). The post says this instance is reached only
>          through AJP as a servlet engine; if so, this connector can be bound
>          to address="127.0.0.1" like the AJP one below, or removed, so that
>          port 8080 is not a second, unfiltered entry point. -->
>     <Connector port="8080" maxHttpHeaderSize="8192"
>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" redirectPort="8443" acceptCount="100"
>                connectionTimeout="20000" disableUploadTimeout="true" />
>     <!-- Note : To disable connection timeouts, set connectionTimeout value
>      to 0 -->
> 
>     <!-- Define an AJP 1.3 Connector on port 8009.
>          Bound to loopback, so only a front-end web server on the same host
>          can reach it. AJP carries no authentication of its own unless a
>          shared secret is configured (none is set here), so the loopback bind
>          is what keeps this connector private; do not widen it. -->
>     <Connector port="8009"
>                enableLookups="false" redirectPort="8443"
> protocol="AJP/1.3" address="127.0.0.1" />
> 
>     <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
>     <!-- See proxy documentation for more information about using this. -->
>     <!-- NOTE(review): the two comment lines above are left over from the
>          stock file; no connector on port 8082 is defined below. -->
>     <Engine name="Catalina" defaultHost="localhost">
> 
>       <!-- Authenticates against the UserDatabase resource declared in
>            GlobalNamingResources above. -->
>       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>              resourceName="UserDatabase"/>
> 
>       <!-- Define the default virtual host
>            Note: XML Schema validation will not work with Xerces 2.2.
>            autoDeploy="true" means anything placed under webapps is deployed
>            automatically, so write access to that directory amounts to the
>            ability to run code in this JVM (within what the -security policy
>            allows); keep its permissions tight.
>        -->
>       <Host name="localhost" appBase="webapps"
>        unpackWARs="true" autoDeploy="true"
>        xmlValidation="false" xmlNamespaceAware="false">
> 
> 
>         <!--
>         <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
>         -->
> 
>         <!-- Both access-log valves below are commented out, so no request
>              log is written for this host. Enabling one of them is the
>              cheapest way to get an audit trail for incident investigation. -->
>         <!--
>         <Valve className="org.apache.catalina.valves.AccessLogValve"
>                  directory="logs"  prefix="localhost_access_log." suffix=".txt"
>                  pattern="common" resolveHosts="false"/>
>         -->
>         <!--
>         <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve"
>                  directory="logs"  prefix="localhost_access_log." suffix=".txt"
>                  pattern="common" resolveHosts="false"/>
>         -->
>       </Host>
> 
>     </Engine>
> 
>   </Service>
> 
> </Server>
> 
> Thank you in advance.
> If any logs are needed, I can of course provide them.
> 

