You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by gl...@apache.org on 2002/08/18 02:54:48 UTC
cvs commit: jakarta-tomcat-4.0/webapps/tomcat-docs security-manager-howto.xml
glenn 2002/08/17 17:54:48
Modified: webapps/tomcat-docs security-manager-howto.xml
Log:
Update security docs for pending release
Revision Changes Path
1.3 +68 -63 jakarta-tomcat-4.0/webapps/tomcat-docs/security-manager-howto.xml
Index: security-manager-howto.xml
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/webapps/tomcat-docs/security-manager-howto.xml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- security-manager-howto.xml 13 May 2002 14:29:36 -0000 1.2
+++ security-manager-howto.xml 18 Aug 2002 00:54:48 -0000 1.3
@@ -154,7 +154,6 @@
//
// * Read access to the document root directory
//
-// $Id$
// ============================================================================
@@ -163,23 +162,23 @@
// These permissions apply to javac
grant codeBase "file:${java.home}/lib/-" {
- permission java.security.AllPermission;
+ permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/-" {
- permission java.security.AllPermission;
+ permission java.security.AllPermission;
};
// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/../lib/-" {
- permission java.security.AllPermission;
+ permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions when
// ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/lib/ext/-" {
- permission java.security.AllPermission;
+ permission java.security.AllPermission;
};
@@ -188,38 +187,39 @@
// These permissions apply to the server startup code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
- permission java.security.AllPermission;
+ permission java.security.AllPermission;
};
// These permissions apply to the servlet API classes
// and those that are shared across all class loaders
// located in the "common" directory
grant codeBase "file:${catalina.home}/common/-" {
- permission java.security.AllPermission;
+ permission java.security.AllPermission;
};
// These permissions apply to the container's core code, plus any additional
// libraries installed in the "server" directory
grant codeBase "file:${catalina.home}/server/-" {
- permission java.security.AllPermission;
+ permission java.security.AllPermission;
};
-// These permissions apply to the jasper page compiler
-// located in the "jasper" directory.
-grant codeBase "file:${catalina.home}/jasper/-" {
- permission java.security.AllPermission;
+// These permissions apply to the jasper page compiler.
+grant codeBase "file:${catalina.home}/shared/lib/jasper-compiler.jar" {
+ permission java.security.AllPermission;
};
-// These permissions apply to shared web application libraries
-// including the Jasper runtime library installed in the "lib" directory
-grant codeBase "file:${catalina.home}/lib/-" {
- permission java.security.AllPermission;
+// These permissions apply to the jasper JSP runtime
+grant codeBase "file:${catalina.home}/shared/lib/jasper-runtime.jar" {
+ permission java.security.AllPermission;
};
-// These permissions apply to shared web application classes
-// located in the "classes" directory
-grant codeBase "file:${catalina.home}/classes/-" {
- permission java.security.AllPermission;
+// These permissions apply to the privileged admin and manager web applications
+grant codeBase "file:${catalina.home}/server/webapps/admin/WEB-INF/classes/-" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:${catalina.home}/server/webapps/admin/WEB-INF/lib/struts.jar" {
+ permission java.security.AllPermission;
};
// ========== WEB APPLICATION PERMISSIONS =====================================
@@ -229,41 +229,47 @@
// In addition, a web application will be given a read FilePermission
// and JndiPermission for all files and directories in its document root.
grant {
- // Required for JNDI lookup of named JDBC DataSource's and
- // javamail named MimePart DataSource used to send mail
- permission java.util.PropertyPermission "java.home", "read";
- permission java.util.PropertyPermission "java.naming.*", "read";
- permission java.util.PropertyPermission "javax.sql.*", "read";
-
- // OS Specific properties to allow read access
- permission java.util.PropertyPermission "os.name", "read";
- permission java.util.PropertyPermission "os.version", "read";
- permission java.util.PropertyPermission "os.arch", "read";
- permission java.util.PropertyPermission "file.separator", "read";
- permission java.util.PropertyPermission "path.separator", "read";
- permission java.util.PropertyPermission "line.separator", "read";
-
- // JVM properties to allow read access
- permission java.util.PropertyPermission "java.version", "read";
- permission java.util.PropertyPermission "java.vendor", "read";
- permission java.util.PropertyPermission "java.vendor.url", "read";
- permission java.util.PropertyPermission "java.class.version", "read";
- permission java.util.PropertyPermission "java.specification.version", "read";
- permission java.util.PropertyPermission "java.specification.vendor", "read";
- permission java.util.PropertyPermission "java.specification.name", "read";
-
- permission java.util.PropertyPermission "java.vm.specification.version", "read";
- permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
- permission java.util.PropertyPermission "java.vm.specification.name", "read";
- permission java.util.PropertyPermission "java.vm.version", "read";
- permission java.util.PropertyPermission "java.vm.vendor", "read";
- permission java.util.PropertyPermission "java.vm.name", "read";
+ // Required for JNDI lookup of named JDBC DataSource's and
+ // javamail named MimePart DataSource used to send mail
+ permission java.util.PropertyPermission "java.home", "read";
+ permission java.util.PropertyPermission "java.naming.*", "read";
+ permission java.util.PropertyPermission "javax.sql.*", "read";
+
+ // OS Specific properties to allow read access
+ permission java.util.PropertyPermission "os.name", "read";
+ permission java.util.PropertyPermission "os.version", "read";
+ permission java.util.PropertyPermission "os.arch", "read";
+ permission java.util.PropertyPermission "file.separator", "read";
+ permission java.util.PropertyPermission "path.separator", "read";
+ permission java.util.PropertyPermission "line.separator", "read";
+
+ // JVM properties to allow read access
+ permission java.util.PropertyPermission "java.version", "read";
+ permission java.util.PropertyPermission "java.vendor", "read";
+ permission java.util.PropertyPermission "java.vendor.url", "read";
+ permission java.util.PropertyPermission "java.class.version", "read";
+ permission java.util.PropertyPermission "java.specification.version", "read";
+ permission java.util.PropertyPermission "java.specification.vendor", "read";
+ permission java.util.PropertyPermission "java.specification.name", "read";
+
+ permission java.util.PropertyPermission "java.vm.specification.version", "read";
+ permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
+ permission java.util.PropertyPermission "java.vm.specification.name", "read";
+ permission java.util.PropertyPermission "java.vm.version", "read";
+ permission java.util.PropertyPermission "java.vm.vendor", "read";
+ permission java.util.PropertyPermission "java.vm.name", "read";
+
+ // Required for getting BeanInfo
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.beans.*";
- // Required for getting BeanInfo
- permission java.lang.RuntimePermission "accessClassInPackage.sun.beans.*";
+ // Required for running servlets generated by JSPC
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
- // Allow read of JAXP compliant XML parser debug
- permission java.util.PropertyPermission "jaxp.debug", "read";
+ // Required for OpenJMX
+ permission java.lang.RuntimePermission "getAttribute";
+
+ // Allow read of JAXP compliant XML parser debug
+ permission java.util.PropertyPermission "jaxp.debug", "read";
};
@@ -282,8 +288,8 @@
//
// The permissions granted to the context root directory apply to JSP pages.
// grant codeBase "file:${catalina.home}/webapps/examples/-" {
-// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
-// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
+// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
+// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
//
// The permissions granted to the context WEB-INF/classes directory
@@ -291,12 +297,12 @@
// };
//
// The permission granted to your JDBC driver
-// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar" {
-// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
+// grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar" {
+// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// };
// The permission granted to the scrape taglib
-// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar" {
-// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
+// grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar" {
+// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
</source>
@@ -326,20 +332,19 @@
way to do this is via the <code>CATALINA_OPTS</code> environment variable.
Execute this command:</p>
<source>
-export CATALINA_OPTS=-Djava.security.debug=all (Unix)
-set CATALINA_OPTS=-Djava.security.debug=all (Windows)
+export CATALINA_OPTS=-Djava.security.debug=access,failure (Unix)
+set CATALINA_OPTS=-Djava.security.debug=access,failure (Windows)
</source>
<p>before starting Tomcat.</p>
<p><strong>WARNING</strong> - This will generate <em>many megabytes</em>
of output! However, it can help you track down problems by searching
- for the word "FAILED" and determining which permission was being checked
+ for the word "denied" and determining which permission was being checked
for. See the Java security documentation for more options that you can
specify here as well.</p>
</section>
-
</body>
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>