Posted to users@tomcat.apache.org by ANALIA DE PEDRO SANTAMARIA <10...@alumnos.uc3m.es> on 2013/11/11 16:25:00 UTC

Re: Restrict the use of JDK classes Tomcat 7 or 6

Hello,

I have been working with the Security Manager and I think it is a good
approximation of what I need, thank you very much for the advice. I have
read that it is possible to create your own Permission class, but I haven't
found any documentation or example. Could anybody tell me where I can find
information about creating a Permission class?

Thank you very much.


2013/10/23 Caldarale, Charles R <Ch...@unisys.com>

> > From: Christopher Schultz [mailto:chris@christopherschultz.net]
> > Subject: Re: Restrict the use of JDK classes Tomcat 7 or 6
>
> > When you say "Java classes", are you talking about re-defining
> > something like java.lang.String? If so, then the servlet spec (3.0:
> > 10.7.2) prohibits web applications from loading classes from any of
> > these packages from a web application class loader.
> >   java.*
> >   javax.*
> > Looking at current trunk, Tomcat appears to take a lazy view and just
> > look for these two classes:
> >   javax.servlet.Servlet
> >   javax.el.Expression
> > So it looks like you might be able to redefine java.lang.String if you
> > want.
>
> As I recall, the JVM itself prevents loading of java.* classes from
> anywhere other than the registered JRE jar locations.  Not sure about
> javax.* classes.
>
>  - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete the e-mail and
> its attachments from all computers.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Re: Restrict the use of JDK classes Tomcat 7 or 6

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Analia,

On 11/11/13, 10:25 AM, ANALIA DE PEDRO SANTAMARIA wrote:
> I have been working with the Security Manager and I think it is a
> good approximation of what I need, thank you very much for the
> advice. I have read that it is possible to create your own
> Permission class, but I haven't found any documentation or example.
> Could anybody tell me where I can find information about creating a
> Permission class?

Try searching for "java custom SecurityManager" instead.

Writing your own Permission isn't going to help unless the
SecurityManager already knows how to check for that kind of
permission, and the code attempting to run under the SM understands
that it needs to request a privileged action.

-chris


Re: Restrict the use of JDK classes Tomcat 7 or 6

Posted by ANALIA DE PEDRO SANTAMARIA <10...@alumnos.uc3m.es>.
Thank you very much. Your answer has helped me a lot.


2013/11/20 Aurélien Terrestris <at...@gmail.com>

> From what I understand in this doc, there is no specific resource
> management code anywhere and you must ensure that your application
> will call permission checking every time you are going to access the
> protected resource. Even for a web application, it must be considered
> as any other application, and it's in your own code to call such
> checking.
>
> The doc says : "Second, include these new classes with the application
> package." so include your class in your jar or war file.
>
> Yes, Tomcat is supposed to behave like any other JVM. However, you
> need to update the catalina.policy file for your own permission, and
> don't forget to call the security manager from the startup script (
> http://tomcat.apache.org/tomcat-7.0-doc/security-manager-howto.html )

Re: Restrict the use of JDK classes Tomcat 7 or 6

Posted by Aurélien Terrestris <at...@gmail.com>.
From what I understand in this doc, there is no specific resource
management code anywhere and you must ensure that your application
will call permission checking every time you are going to access the
protected resource. Even for a web application, it must be considered
as any other application, and it's in your own code to call such
checking.

The doc says : "Second, include these new classes with the application
package." so include your class in your jar or war file.

Yes, Tomcat is supposed to behave like any other JVM. However, you
need to update the catalina.policy file for your own permission, and
don't forget to call the security manager from the startup script (
http://tomcat.apache.org/tomcat-7.0-doc/security-manager-howto.html )

2013/11/17 ANALIA DE PEDRO SANTAMARIA <10...@alumnos.uc3m.es>:
> Thank you very much. I have been working on creating my own permission and
> I have some questions:
>
> - The Java documentation says it is necessary to add a checkPermission
> in the application's resource management code. My question is, when we are
> working with web applications, which is the application's resource
> management code? And where is it?
>
> - When I create my own permission class, where do I have to store it so
> that the Security Manager can find it?
>
> - I have read that it is not necessary to modify the Security Manager when
> we are creating a new permission to secure the JVM. When we are working
> with Tomcat, and not with the JVM directly, is it the same? Or is it
> necessary to modify Tomcat's Security Manager?
>
> Thank you very much.

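The steps described in the message above (ship the permission class with the application, call the check from your own code, add a grant to catalina.policy), together with the privileged-action point from Christopher's reply, as an added example that is not part of the original thread. The package, class and permission names and the webapp directory "reports" are assumptions.

```java
// Added example, not from the thread. File: ReportPermission.java
// Package, class and permission names are hypothetical.
package com.example.security;

import java.security.AccessController;
import java.security.BasicPermission;
import java.security.PrivilegedAction;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/*
 * Matching grant in conf/catalina.policy (webapp name "reports" is a
 * placeholder). Only "report.read" is granted, so write() below throws
 * SecurityException for this webapp:
 *
 *   grant codeBase "file:${catalina.base}/webapps/reports/-" {
 *       permission com.example.security.ReportPermission "report.read";
 *   };
 */

/** Custom named permission; BasicPermission supplies implies()/equals(). */
public final class ReportPermission extends BasicPermission {
    private static final long serialVersionUID = 1L;

    // Public (String) constructor so the policy loader can instantiate it.
    public ReportPermission(String name) {
        super(name);
    }
}

/** The application's own "resource management code". */
class ReportStore {
    private final Map<String, String> reports =
            new ConcurrentHashMap<String, String>();

    String read(String id) {
        check(new ReportPermission("report.read"));
        return reports.get(id);
    }

    void write(String id, String body) {
        check(new ReportPermission("report.write"));
        reports.put(id, body);
    }

    // Trusted entry point: doPrivileged stops the stack walk here, so only
    // this class's own grant is tested, not every caller's.
    String readPrivileged(final String id) {
        return AccessController.doPrivileged(new PrivilegedAction<String>() {
            public String run() {
                return read(id);
            }
        });
    }

    private static void check(ReportPermission p) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {          // null unless the JVM runs with a security manager
            sm.checkPermission(p); // throws SecurityException when not granted
        }
    }
}
```

The Security Manager API used here was deprecated for removal in Java 17 (JEP 411), so this applies to the Tomcat 6/7-era JVMs the thread is about.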

Re: Restrict the use of JDK classes Tomcat 7 or 6

Posted by ANALIA DE PEDRO SANTAMARIA <10...@alumnos.uc3m.es>.
Thank you very much. I have been working on creating my own permission and
I have some questions:

- The Java documentation says it is necessary to add a checkPermission
in the application's resource management code. My question is, when we are
working with web applications, which is the application's resource
management code? And where is it?

- When I create my own permission class, where do I have to store it so
that the Security Manager can find it?

- I have read that it is not necessary to modify the Security Manager when
we are creating a new permission to secure the JVM. When we are working
with Tomcat, and not with the JVM directly, is it the same? Or is it
necessary to modify Tomcat's Security Manager?

Thank you very much.



2013/11/12 Aurélien Terrestris <at...@gmail.com>

> Hello Analia
>
> I'm glad that you could play successfully with the Security Manager as
> I advised first :D
>
>
> About permissions, here you have a doc :
>
>
> http://docs.oracle.com/javase/6/docs/technotes/guides/security/spec/security-spec.doc3.html#20211
>
> best regards

Fwd: Restrict the use of JDK classes Tomcat 7 or 6

Posted by Aurélien Terrestris <at...@gmail.com>.
Hello Analia

I'm glad that you could play successfully with the Security Manager as
I advised first :D


About permissions, here you have a doc :

http://docs.oracle.com/javase/6/docs/technotes/guides/security/spec/security-spec.doc3.html#20211

best regards

2013/11/11 ANALIA DE PEDRO SANTAMARIA <10...@alumnos.uc3m.es>:
> Hello,
>
> I have been working with the Security Manager and I think it is a good
> approximation of what I need, thank you very much for the advice. I have
> read that it is possible to create your own Permission class, but I haven't
> found any documentation or example. Could anybody tell me where I can find
> information about creating a Permission class?
>
> Thank you very much.

