You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2016/10/05 09:50:39 UTC
svn commit: r1763377 - in /tomcat/trunk: conf/
java/org/apache/catalina/webresources/ webapps/docs/
Author: markt
Date: Wed Oct 5 09:50:39 2016
New Revision: 1763377
URL: http://svn.apache.org/viewvc?rev=1763377&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=60087
Refactor the web resources handling to use the Tomcat specific 'war:file:...' URL protocol to refer to WAR files and their contents rather than the standard 'jar:file:...' form since some components of the JRE, such as JAR verification, give unexpected results when the standard form is used. A side-effect of the refactoring is that when using packed WARs, it is now possible to reference a WAR and/or specific JARs within a WAR in the security policy file used when running under a SecurityManager.
Added:
tomcat/trunk/java/org/apache/catalina/webresources/AbstractSingleArchiveResource.java (with props)
tomcat/trunk/java/org/apache/catalina/webresources/AbstractSingleArchiveResourceSet.java (with props)
tomcat/trunk/java/org/apache/catalina/webresources/WarResource.java (with props)
tomcat/trunk/java/org/apache/catalina/webresources/WarResourceSet.java (with props)
Modified:
tomcat/trunk/conf/catalina.policy
tomcat/trunk/java/org/apache/catalina/webresources/JarResource.java
tomcat/trunk/java/org/apache/catalina/webresources/JarResourceSet.java
tomcat/trunk/java/org/apache/catalina/webresources/JarWarResource.java
tomcat/trunk/java/org/apache/catalina/webresources/StandardRoot.java
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/docs/security-manager-howto.xml
Modified: tomcat/trunk/conf/catalina.policy
URL: http://svn.apache.org/viewvc/tomcat/trunk/conf/catalina.policy?rev=1763377&r1=1763376&r2=1763377&view=diff
==============================================================================
--- tomcat/trunk/conf/catalina.policy (original)
+++ tomcat/trunk/conf/catalina.policy Wed Oct 5 09:50:39 2016
@@ -245,3 +245,13 @@ grant codeBase "file:${catalina.home}/we
// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
+// To grant permissions for web applications using packed WAR files, use the
+// Tomcat specific WAR url scheme.
+//
+// The permissions granted to the entire web application
+// grant codeBase "war:file:${catalina.base}/webapps/examples.war*/-" {
+// };
+//
+// The permissions granted to a specific JAR
+// grant codeBase "war:file:${catalina.base}/webapps/examples.war*/WEB-INF/lib/foo.jar" {
+// };
\ No newline at end of file
Added: tomcat/trunk/java/org/apache/catalina/webresources/AbstractSingleArchiveResource.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/AbstractSingleArchiveResource.java?rev=1763377&view=auto
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/webresources/AbstractSingleArchiveResource.java (added)
+++ tomcat/trunk/java/org/apache/catalina/webresources/AbstractSingleArchiveResource.java Wed Oct 5 09:50:39 2016
@@ -0,0 +1,52 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.webresources;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.jar.JarEntry;
+import java.util.jar.JarFile;
+
+public abstract class AbstractSingleArchiveResource extends AbstractArchiveResource {
+
+ protected AbstractSingleArchiveResource(AbstractArchiveResourceSet archiveResourceSet, String webAppPath,
+ String baseUrl, JarEntry jarEntry, String codeBaseUrl) {
+ super(archiveResourceSet, webAppPath, baseUrl, jarEntry, codeBaseUrl);
+ }
+
+
+ @Override
+ protected JarInputStreamWrapper getJarInputStreamWrapper() {
+ JarFile jarFile = null;
+ try {
+ jarFile = getArchiveResourceSet().openJarFile();
+ // Need to create a new JarEntry so the certificates can be read
+ JarEntry jarEntry = jarFile.getJarEntry(getResource().getName());
+ InputStream is = jarFile.getInputStream(jarEntry);
+ return new JarInputStreamWrapper(jarEntry, is);
+ } catch (IOException e) {
+ if (getLog().isDebugEnabled()) {
+ getLog().debug(sm.getString("jarResource.getInputStreamFail",
+ getResource().getName(), getBaseUrl()), e);
+ }
+ if (jarFile != null) {
+ getArchiveResourceSet().closeJarFile();
+ }
+ return null;
+ }
+ }
+}
Propchange: tomcat/trunk/java/org/apache/catalina/webresources/AbstractSingleArchiveResource.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: tomcat/trunk/java/org/apache/catalina/webresources/AbstractSingleArchiveResourceSet.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/AbstractSingleArchiveResourceSet.java?rev=1763377&view=auto
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/webresources/AbstractSingleArchiveResourceSet.java (added)
+++ tomcat/trunk/java/org/apache/catalina/webresources/AbstractSingleArchiveResourceSet.java Wed Oct 5 09:50:39 2016
@@ -0,0 +1,122 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.webresources;
+
+import java.io.File;
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.jar.JarEntry;
+import java.util.jar.JarFile;
+
+import org.apache.catalina.LifecycleException;
+import org.apache.catalina.WebResourceRoot;
+import org.apache.tomcat.util.buf.UriUtil;
+
+/**
+ * Base class for a {@link org.apache.catalina.WebResourceSet} based on a
+ * single, rather than nested, archive.
+ */
+public abstract class AbstractSingleArchiveResourceSet extends AbstractArchiveResourceSet {
+
+ /**
+ * A no argument constructor is required for this to work with the digester.
+ */
+ public AbstractSingleArchiveResourceSet() {
+ }
+
+
+ public AbstractSingleArchiveResourceSet(WebResourceRoot root, String webAppMount, String base,
+ String internalPath) throws IllegalArgumentException {
+ setRoot(root);
+ setWebAppMount(webAppMount);
+ setBase(base);
+ setInternalPath(internalPath);
+
+ if (getRoot().getState().isAvailable()) {
+ try {
+ start();
+ } catch (LifecycleException e) {
+ throw new IllegalStateException(e);
+ }
+ }
+ }
+
+
+ @Override
+ protected HashMap<String,JarEntry> getArchiveEntries(boolean single) {
+ synchronized (archiveLock) {
+ if (archiveEntries == null && !single) {
+ JarFile jarFile = null;
+ archiveEntries = new HashMap<>();
+ try {
+ jarFile = openJarFile();
+ Enumeration<JarEntry> entries = jarFile.entries();
+ while (entries.hasMoreElements()) {
+ JarEntry entry = entries.nextElement();
+ archiveEntries.put(entry.getName(), entry);
+ }
+ } catch (IOException ioe) {
+ // Should never happen
+ archiveEntries = null;
+ throw new IllegalStateException(ioe);
+ } finally {
+ if (jarFile != null) {
+ closeJarFile();
+ }
+ }
+ }
+ return archiveEntries;
+ }
+ }
+
+
+ @Override
+ protected JarEntry getArchiveEntry(String pathInArchive) {
+ JarFile jarFile = null;
+ try {
+ jarFile = openJarFile();
+ return jarFile.getJarEntry(pathInArchive);
+ } catch (IOException ioe) {
+ // Should never happen
+ throw new IllegalStateException(ioe);
+ } finally {
+ if (jarFile != null) {
+ closeJarFile();
+ }
+ }
+ }
+
+
+ //-------------------------------------------------------- Lifecycle methods
+ @Override
+ protected void initInternal() throws LifecycleException {
+
+ try (JarFile jarFile = new JarFile(getBase())) {
+ setManifest(jarFile.getManifest());
+ } catch (IOException ioe) {
+ throw new IllegalArgumentException(ioe);
+ }
+
+ try {
+ setBaseUrl(UriUtil.buildJarSafeUrl(new File(getBase())));
+ } catch (MalformedURLException e) {
+ throw new IllegalArgumentException(e);
+ }
+ }
+}
Propchange: tomcat/trunk/java/org/apache/catalina/webresources/AbstractSingleArchiveResourceSet.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified: tomcat/trunk/java/org/apache/catalina/webresources/JarResource.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/JarResource.java?rev=1763377&r1=1763376&r2=1763377&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/webresources/JarResource.java (original)
+++ tomcat/trunk/java/org/apache/catalina/webresources/JarResource.java Wed Oct 5 09:50:39 2016
@@ -16,10 +16,7 @@
*/
package org.apache.catalina.webresources;
-import java.io.IOException;
-import java.io.InputStream;
import java.util.jar.JarEntry;
-import java.util.jar.JarFile;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
@@ -28,35 +25,16 @@ import org.apache.juli.logging.LogFactor
* Represents a single resource (file or directory) that is located within a
* JAR.
*/
-public class JarResource extends AbstractArchiveResource {
+public class JarResource extends AbstractSingleArchiveResource {
private static final Log log = LogFactory.getLog(JarResource.class);
+
public JarResource(AbstractArchiveResourceSet archiveResourceSet, String webAppPath,
String baseUrl, JarEntry jarEntry) {
super(archiveResourceSet, webAppPath, "jar:" + baseUrl, jarEntry, baseUrl);
}
- @Override
- protected JarInputStreamWrapper getJarInputStreamWrapper() {
- JarFile jarFile = null;
- try {
- jarFile = getArchiveResourceSet().openJarFile();
- // Need to create a new JarEntry so the certificates can be read
- JarEntry jarEntry = jarFile.getJarEntry(getResource().getName());
- InputStream is = jarFile.getInputStream(jarEntry);
- return new JarInputStreamWrapper(jarEntry, is);
- } catch (IOException e) {
- if (log.isDebugEnabled()) {
- log.debug(sm.getString("jarResource.getInputStreamFail",
- getResource().getName(), getBaseUrl()), e);
- }
- if (jarFile != null) {
- getArchiveResourceSet().closeJarFile();
- }
- return null;
- }
- }
@Override
protected Log getLog() {
Modified: tomcat/trunk/java/org/apache/catalina/webresources/JarResourceSet.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/JarResourceSet.java?rev=1763377&r1=1763376&r2=1763377&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/webresources/JarResourceSet.java (original)
+++ tomcat/trunk/java/org/apache/catalina/webresources/JarResourceSet.java Wed Oct 5 09:50:39 2016
@@ -16,24 +16,16 @@
*/
package org.apache.catalina.webresources;
-import java.io.File;
-import java.io.IOException;
-import java.net.MalformedURLException;
-import java.util.Enumeration;
-import java.util.HashMap;
import java.util.jar.JarEntry;
-import java.util.jar.JarFile;
import java.util.jar.Manifest;
-import org.apache.catalina.LifecycleException;
import org.apache.catalina.WebResource;
import org.apache.catalina.WebResourceRoot;
-import org.apache.tomcat.util.buf.UriUtil;
/**
* Represents a {@link org.apache.catalina.WebResourceSet} based on a JAR file.
*/
-public class JarResourceSet extends AbstractArchiveResourceSet {
+public class JarResourceSet extends AbstractSingleArchiveResourceSet {
/**
* A no argument constructor is required for this to work with the digester.
@@ -41,6 +33,7 @@ public class JarResourceSet extends Abst
public JarResourceSet() {
}
+
/**
* Creates a new {@link org.apache.catalina.WebResourceSet} based on a JAR
* file.
@@ -63,86 +56,13 @@ public class JarResourceSet extends Abst
*/
public JarResourceSet(WebResourceRoot root, String webAppMount, String base,
String internalPath) throws IllegalArgumentException {
- setRoot(root);
- setWebAppMount(webAppMount);
- setBase(base);
- setInternalPath(internalPath);
-
- if (getRoot().getState().isAvailable()) {
- try {
- start();
- } catch (LifecycleException e) {
- throw new IllegalStateException(e);
- }
- }
+ super(root, webAppMount, base, internalPath);
}
+
@Override
protected WebResource createArchiveResource(JarEntry jarEntry,
String webAppPath, Manifest manifest) {
return new JarResource(this, webAppPath, getBaseUrlString(), jarEntry);
}
-
-
- @Override
- protected HashMap<String,JarEntry> getArchiveEntries(boolean single) {
- synchronized (archiveLock) {
- if (archiveEntries == null && !single) {
- JarFile jarFile = null;
- archiveEntries = new HashMap<>();
- try {
- jarFile = openJarFile();
- Enumeration<JarEntry> entries = jarFile.entries();
- while (entries.hasMoreElements()) {
- JarEntry entry = entries.nextElement();
- archiveEntries.put(entry.getName(), entry);
- }
- } catch (IOException ioe) {
- // Should never happen
- archiveEntries = null;
- throw new IllegalStateException(ioe);
- } finally {
- if (jarFile != null) {
- closeJarFile();
- }
- }
- }
- return archiveEntries;
- }
- }
-
-
- @Override
- protected JarEntry getArchiveEntry(String pathInArchive) {
- JarFile jarFile = null;
- try {
- jarFile = openJarFile();
- return jarFile.getJarEntry(pathInArchive);
- } catch (IOException ioe) {
- // Should never happen
- throw new IllegalStateException(ioe);
- } finally {
- if (jarFile != null) {
- closeJarFile();
- }
- }
- }
-
-
- //-------------------------------------------------------- Lifecycle methods
- @Override
- protected void initInternal() throws LifecycleException {
-
- try (JarFile jarFile = new JarFile(getBase())) {
- setManifest(jarFile.getManifest());
- } catch (IOException ioe) {
- throw new IllegalArgumentException(ioe);
- }
-
- try {
- setBaseUrl(UriUtil.buildJarSafeUrl(new File(getBase())));
- } catch (MalformedURLException e) {
- throw new IllegalArgumentException(e);
- }
- }
}
Modified: tomcat/trunk/java/org/apache/catalina/webresources/JarWarResource.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/JarWarResource.java?rev=1763377&r1=1763376&r2=1763377&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/webresources/JarWarResource.java (original)
+++ tomcat/trunk/java/org/apache/catalina/webresources/JarWarResource.java Wed Oct 5 09:50:39 2016
@@ -37,8 +37,9 @@ public class JarWarResource extends Abst
public JarWarResource(AbstractArchiveResourceSet archiveResourceSet, String webAppPath,
String baseUrl, JarEntry jarEntry, String archivePath) {
- super(archiveResourceSet, webAppPath, "jar:war:" + baseUrl + "*/" + archivePath,
- jarEntry, "jar:" + baseUrl + "!/" + archivePath);
+
+ super(archiveResourceSet, webAppPath, "jar:war:" + baseUrl + "*/" + archivePath + "!/",
+ jarEntry, "war:" + baseUrl + "*/" + archivePath);
this.archivePath = archivePath;
}
Modified: tomcat/trunk/java/org/apache/catalina/webresources/StandardRoot.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/StandardRoot.java?rev=1763377&r1=1763376&r2=1763377&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/webresources/StandardRoot.java (original)
+++ tomcat/trunk/java/org/apache/catalina/webresources/StandardRoot.java Wed Oct 5 09:50:39 2016
@@ -727,7 +727,7 @@ public class StandardRoot extends Lifecy
if (f.isDirectory()) {
mainResourceSet = new DirResourceSet(this, "/", f.getAbsolutePath(), "/");
} else if(f.isFile() && docBase.endsWith(".war")) {
- mainResourceSet = new JarResourceSet(this, "/", f.getAbsolutePath(), "/");
+ mainResourceSet = new WarResourceSet(this, "/", f.getAbsolutePath());
} else {
throw new IllegalArgumentException(
sm.getString("standardRoot.startInvalidMain",
@@ -800,9 +800,14 @@ public class StandardRoot extends Lifecy
BaseLocation(URL url) {
File f = null;
- if ("jar".equals(url.getProtocol())) {
+ if ("jar".equals(url.getProtocol()) || "war".equals(url.getProtocol())) {
String jarUrl = url.toString();
- int endOfFileUrl = jarUrl.indexOf("!/");
+ int endOfFileUrl = -1;
+ if ("jar".equals(url.getProtocol())) {
+ endOfFileUrl = jarUrl.indexOf("!/");
+ } else {
+ endOfFileUrl = jarUrl.indexOf("*/");
+ }
String fileUrl = jarUrl.substring(4, endOfFileUrl);
try {
f = new File(new URL(fileUrl).toURI());
Added: tomcat/trunk/java/org/apache/catalina/webresources/WarResource.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/WarResource.java?rev=1763377&view=auto
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/webresources/WarResource.java (added)
+++ tomcat/trunk/java/org/apache/catalina/webresources/WarResource.java Wed Oct 5 09:50:39 2016
@@ -0,0 +1,59 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.webresources;
+
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.util.jar.JarEntry;
+
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+
+/**
+ * Represents a single resource (file or directory) that is located within a
+ * WAR.
+ */
+public class WarResource extends AbstractSingleArchiveResource {
+
+ private static final Log log = LogFactory.getLog(WarResource.class);
+
+
+ public WarResource(AbstractArchiveResourceSet archiveResourceSet, String webAppPath,
+ String baseUrl, JarEntry jarEntry) {
+ super(archiveResourceSet, webAppPath, "war:" + baseUrl, jarEntry, baseUrl);
+ }
+
+
+ @Override
+ public URL getURL() {
+ String url = getBaseUrl() + "*/" + getResource().getName();
+ try {
+ return new URL(url);
+ } catch (MalformedURLException e) {
+ if (getLog().isDebugEnabled()) {
+ getLog().debug(sm.getString("fileResource.getUrlFail", url), e);
+ }
+ return null;
+ }
+ }
+
+
+ @Override
+ protected Log getLog() {
+ return log;
+ }
+}
Propchange: tomcat/trunk/java/org/apache/catalina/webresources/WarResource.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: tomcat/trunk/java/org/apache/catalina/webresources/WarResourceSet.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/WarResourceSet.java?rev=1763377&view=auto
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/webresources/WarResourceSet.java (added)
+++ tomcat/trunk/java/org/apache/catalina/webresources/WarResourceSet.java Wed Oct 5 09:50:39 2016
@@ -0,0 +1,64 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.webresources;
+
+import java.util.jar.JarEntry;
+import java.util.jar.Manifest;
+
+import org.apache.catalina.WebResource;
+import org.apache.catalina.WebResourceRoot;
+
+/**
+ * Represents a {@link org.apache.catalina.WebResourceSet} based on a WAR file.
+ */
+public class WarResourceSet extends AbstractSingleArchiveResourceSet {
+
+ /**
+ * A no argument constructor is required for this to work with the digester.
+ */
+ public WarResourceSet() {
+ }
+
+
+ /**
+ * Creates a new {@link org.apache.catalina.WebResourceSet} based on a WAR
+ * file.
+ *
+ * @param root The {@link WebResourceRoot} this new
+ * {@link org.apache.catalina.WebResourceSet} will
+ * be added to.
+ * @param webAppMount The path within the web application at which this
+ * {@link org.apache.catalina.WebResourceSet} will
+ * be mounted.
+ * @param base The absolute path to the WAR file on the file system
+ * from which the resources will be served.
+ *
+ * @throws IllegalArgumentException if the webAppMount is not valid (valid
+ * paths must start with '/')
+ */
+ public WarResourceSet(WebResourceRoot root, String webAppMount, String base)
+ throws IllegalArgumentException {
+ super(root, webAppMount, base, "/");
+ }
+
+
+ @Override
+ protected WebResource createArchiveResource(JarEntry jarEntry,
+ String webAppPath, Manifest manifest) {
+ return new WarResource(this, webAppPath, getBaseUrlString(), jarEntry);
+ }
+}
Propchange: tomcat/trunk/java/org/apache/catalina/webresources/WarResourceSet.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1763377&r1=1763376&r2=1763377&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Wed Oct 5 09:50:39 2016
@@ -60,6 +60,16 @@
test cases by Santhana Preethiand a patch by Tiago Oliveira. (markt)
</fix>
<fix>
+ <bug>60087</bug>: Refactor the web resources handling to use the Tomcat
+ specific <code>war:file:...</code> URL protocol to refer to WAR files
+ and their contents rather than the standard <code>jar:file:...</code>
+ form since some components of the JRE, such as JAR verification, give
+ unexpected results when the standard form is used. A side-effect of the
+ refactoring is that when using packed WARs, it is now possible to
+ reference a WAR and/or specific JARs within a WAR in the security policy
+ file used when running under a <code>SecurityManager</code>. (markt)
+ </fix>
+ <fix>
<bug>60116</bug>: Fix a problem with the rewrite valve that caused back
references evaluated in conditions to be forced to lower case when using
the <code>NC</code> flag. (markt)
Modified: tomcat/trunk/webapps/docs/security-manager-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/security-manager-howto.xml?rev=1763377&r1=1763376&r2=1763377&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/security-manager-howto.xml (original)
+++ tomcat/trunk/webapps/docs/security-manager-howto.xml Wed Oct 5 09:50:39 2016
@@ -154,7 +154,33 @@ grant [signedBy <signer>,] [codeBase <co
<source>$CATALINA_HOME/bin/catalina.sh start -security (Unix)
%CATALINA_HOME%\bin\catalina start -security (Windows)</source>
+ <subsection name="Permissions for packed WAR files">
+
+ <p>When using packed WAR files, it is necessary to use Tomcat's custom war
+ URL protocol to asisgn permissions to web application code.</p>
+
+ <p>To assign permissions to the entire web application the entry in the
+ policy file would look like this:</p>
+
+<source><![CDATA[// Example policy file entry
+grant codeBase "war:file:${catalina.base}/webapps/examples.war*/-" {
+ ...
+};
+]]></source>
+
+ <p>To assign permissions to a single JAR within the web application the
+ entry in the policy file would look like this:</p>
+
+<source><![CDATA[// Example policy file entry
+grant codeBase "war:file:${catalina.base}/webapps/examples.war*/WEB-INF/lib/foo.jar" {
+ ...
+};
+]]></source>
+
+ </subsection>
+
</section>
+
<section name="Configuring Package Protection in Tomcat">
<p>Starting with Tomcat 5, it is now possible to configure which Tomcat
internal package are protected against package definition and access. See
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org