Posted to users@tomcat.apache.org by Neale Rudd <ne...@metawerx.net> on 2002/06/18 19:34:31 UTC

Security Policy problem - need to specify ALL jar files with a codebase wildcard

Hi,

We are having trouble using security policies (catalina.policy) to
grant access to a codebase that has multiple jar files.

I am able to get folder-based codebases to work correctly:
eg: grant "file://d:/webapps/-"

This successfully grants access to all the permissions I
set, which works fine for Servlets and JSP files, but JAR
files in the WEB-INF/lib folder cannot access the
permissions.

Using a jar:file URL works:
For example:  jar:file:/D:/webapps/ROOT/WEB-INF/lib/myjar.jar!/

However:  jar:file:/D:/webapps/-
... fails, being an invalid JAR URL, as it doesn't end in "!/"

While this works as a file-by-file workaround, it means we have
to set the permissions for every jar file, in every context of the
webapps folder, in order to enforce the security policy effectively.

As we host different customers uploading different applications,
and different contexts, this makes the security policies unusable
for JAR files.

Is there a way to specify these as a wildcard URL
like the server libraries do?

eg:
grant codeBase "file:${catalina.home}/lib/-" {
  permission java.security.AllPermission;
};

Any suggestions?


FURTHER NOTES - For Tomcat Developers
=======================================
I have investigated this further with policy dumps of the security
logs, and have noticed Tomcat creates CodeSource objects
using the "jar:file:/jar-path.jar!/" url format when deploying jar
files from the webapps folder.  When deploying the system jar files
however, it seems to use the "file:/jar-file.jar" format, which allows
the master permissions (catalina.home/lib/-) to work as wildcards.


Thanks in advance,
Neale Rudd
metawerx
http://www.metawerx.net
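The matching behaviour behind the problem described in the post can be checked outside Tomcat with java.security.CodeSource, which is what the policy machinery compares codebases with. The following is an added example, not code from the post or from Tomcat; the D:/webapps paths are sample values taken from the post and need not exist on disk.

```java
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;

/**
 * Added example: exercises the "/-" codebase wildcard of CodeSource
 * against code locations expressed with different URL protocols.
 * The paths are sample values from the mailing-list post.
 */
public class CodebaseWildcardCheck {

    // A CodeSource with no signer certificates, matching a policy grant
    // that has a codeBase but no signedBy clause.
    static CodeSource codeSource(String url) throws Exception {
        return new CodeSource(new URL(url), (Certificate[]) null);
    }

    // True when the policy codebase 'grant' implies the location 'code'.
    // CodeSource.implies compares the protocol first, then (for a "/-"
    // codebase) requires 'code' to start with the directory prefix.
    static boolean covers(String grant, String code) throws Exception {
        return codeSource(grant).implies(codeSource(code));
    }

    static void report(String grant, String code) throws Exception {
        System.out.printf("%-28s %-52s -> %s%n", grant, code, covers(grant, code));
    }

    public static void main(String[] args) throws Exception {
        String grant = "file:/D:/webapps/-";

        // Classes under the webapps tree: same protocol, path prefix matches.
        report(grant, "file:/D:/webapps/ROOT/WEB-INF/classes/");

        // The same jar addressed with a plain file: URL, as the post says
        // Tomcat does for the system jars under catalina.home/lib.
        report(grant, "file:/D:/webapps/ROOT/WEB-INF/lib/myjar.jar");

        // The jar addressed with a jar:file: URL, as the post reports for
        // jars deployed from WEB-INF/lib: the protocol differs from the
        // grant, so the directory wildcard is never consulted.
        report(grant, "jar:file:/D:/webapps/ROOT/WEB-INF/lib/myjar.jar!/");

        // The per-jar workaround from the post: an exact jar: codebase.
        report("jar:file:/D:/webapps/ROOT/WEB-INF/lib/myjar.jar!/",
               "jar:file:/D:/webapps/ROOT/WEB-INF/lib/myjar.jar!/");
    }
}
```

This tests CodeSource.implies directly; a Policy implementation may canonicalize the location before matching, so confirm the behaviour of your JDK with the policy debug output, as the post did.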
