You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by cr...@locus.apache.org on 2000/09/02 02:06:19 UTC
cvs commit: jakarta-tomcat-4.0/catalina/src/conf catalina.policy
craigmcc 00/09/01 17:06:18
Modified: catalina/src/bin catalina.bat catalina.sh
Added: catalina/src/conf catalina.policy
Log:
The beginnings of support for running web apps in Catalina under a
security manager. NOTE: you cannot actually start Catalina with security
enabled yet, because the appropriate ProtectionDomains are not
initialized, so don't bother trying (unless you want to help implement
this feature -- then you are quite welcome :-).
Revision Changes Path
1.3 +12 -4 jakarta-tomcat-4.0/catalina/src/bin/catalina.bat
Index: catalina.bat
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/bin/catalina.bat,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- catalina.bat 2000/08/12 00:26:50 1.2
+++ catalina.bat 2000/09/02 00:06:18 1.3
@@ -12,7 +12,7 @@
rem
rem JAVA_HOME Must point at your Java Development Kit installation.
rem
-rem $Id: catalina.bat,v 1.2 2000/08/12 00:26:50 remm Exp $
+rem $Id: catalina.bat,v 1.3 2000/09/02 00:06:18 craigmcc Exp $
rem ---------------------------------------------------------------------------
@@ -69,12 +69,20 @@
goto finish
:doRun
-java %CATALINA_OPTS% -Xbootclasspath:%BP% -Dcatalina.home=%CATALINA_HOME% org.apache.catalina.startup.Bootstrap %2 %3 %4 %5 %6 %7 %8 %9 start
+if "%2" == "-security" goto doRunSecure
+java %CATALINA_OPTS% -Xbootclasspath:%BP% -Dcatalina.home="%CATALINA_HOME%" org.apache.catalina.startup.Bootstrap %2 %3 %4 %5 %6 %7 %8 %9 start
goto cleanup
-
+:doRunSecure
+java %CATALINA_OPTS% -Djava.security.manager -Djava.security.policy=="%CATALINA_HOME%/conf/catalina.policy" -Xbootclasspath:%BP% -Dcatalina.home="%CATALINA_HOME%" org.apache.catalina.startup.Bootstrap %3 %4 %5 %6 %7 %8 %9 start
+goto cleanup
:doStart
-start java %CATALINA_OPTS% -Xbootclasspath:%BP% -Dcatalina.home=%CATALINA_HOME% org.apache.catalina.startup.Bootstrap %2 %3 %4 %5 %6 %7 %8 %9 start
+if "%2" == "-security" goto doStartSecure
+start java %CATALINA_OPTS% -Xbootclasspath:%BP% -Dcatalina.home="%CATALINA_HOME%" org.apache.catalina.startup.Bootstrap %2 %3 %4 %5 %6 %7 %8 %9 start
+goto cleanup
+:doStartSecure
+echo Using Security Manager
+start java %CATALINA_OPTS% -Djava.security.manager -Djava.security.policy=="%CATALINA_HOME%/conf/catalina.policy" -Xbootclasspath:%BP% -Dcatalina.home="%CATALINA_HOME%" org.apache.catalina.startup.Bootstrap %3 %4 %5 %6 %7 %8 %9 start
goto cleanup
:doStop
1.3 +53 -18 jakarta-tomcat-4.0/catalina/src/bin/catalina.sh
Index: catalina.sh
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/bin/catalina.sh,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- catalina.sh 2000/08/12 01:40:44 1.2
+++ catalina.sh 2000/09/02 00:06:18 1.3
@@ -12,7 +12,7 @@
#
# JAVA_HOME Must point at your Java Development Kit installation.
#
-# $Id: catalina.sh,v 1.2 2000/08/12 01:40:44 craigmcc Exp $
+# $Id: catalina.sh,v 1.3 2000/09/02 00:06:18 craigmcc Exp $
# -----------------------------------------------------------------------------
@@ -66,11 +66,22 @@
shift
pushd $CATALINA_HOME
- jdb \
- -sourcepath ../../jakarta-tomcat-4.0/catalina/src/share \
- -Xbootclasspath:$BP \
- -classpath $CP -Dcatalina.home=$CATALINA_HOME \
- org.apache.catalina.startup.Bootstrap "$@" start
+ if [ "$1" = "-security" ] ; then
+ shift
+ jdb \
+ $CATALINA_OPTS \
+ -sourcepath ../../jakarta-tomcat-4.0/catalina/src/share \
+ -Xbootclasspath:$BP \
+ -classpath $CP -Dcatalina.home=$CATALINA_HOME \
+ org.apache.catalina.startup.Bootstrap "$@" start
+ else
+ jdb \
+ $CATALINA_OPTS \
+ -sourcepath ../../jakarta-tomcat-4.0/catalina/src/share \
+ -Xbootclasspath:$BP \
+ -classpath $CP -Dcatalina.home=$CATALINA_HOME \
+ org.apache.catalina.startup.Bootstrap "$@" start
+ fi
popd
elif [ "$1" = "embedded" ] ; then
@@ -95,18 +106,39 @@
elif [ "$1" = "run" ] ; then
shift
- java $CATALINA_OPTS -Xbootclasspath:$BP -classpath $CP \
- -Dcatalina.home=$CATALINA_HOME \
- org.apache.catalina.startup.Bootstrap "$@" start
+ if [ "$1" = "-security" ] ; then
+ echo Using Security Manager
+ shift
+ java $CATALINA_OPTS -Xbootclasspath:$BP -classpath $CP \
+ -Djava.security.manager \
+ -Djava.security.policy==$CATALINA_HOME/conf/catalina.policy \
+ -Dcatalina.home=$CATALINA_HOME \
+ org.apache.catalina.startup.Bootstrap "$@" start
+ else
+ java $CATALINA_OPTS -Xbootclasspath:$BP -classpath $CP \
+ -Dcatalina.home=$CATALINA_HOME \
+ org.apache.catalina.startup.Bootstrap "$@" start
+ fi
elif [ "$1" = "start" ] ; then
shift
touch $CATALINA_HOME/logs/catalina.out
- java $CATALINA_OPTS -Xbootclasspath:$BP -classpath $CP \
- -Dcatalina.home=$CATALINA_HOME \
- org.apache.catalina.startup.Bootstrap "$@" start \
- >> $CATALINA_HOME/logs/catalina.out 2>&1 &
+ if [ "$1" = "-security" ] ; then
+ echo Using Security Manager
+ shift
+ java $CATALINA_OPTS -Xbootclasspath:$BP -classpath $CP \
+ -Djava.security.manager \
+ -Djava.security.policy==$CATALINA_HOME/conf/catalina.policy \
+ -Dcatalina.home=$CATALINA_HOME \
+ org.apache.catalina.startup.Bootstrap "$@" start \
+ >> $CATALINA_HOME/logs/catalina.out 2>&1 &
+ else
+ java $CATALINA_OPTS -Xbootclasspath:$BP -classpath $CP \
+ -Dcatalina.home=$CATALINA_HOME \
+ org.apache.catalina.startup.Bootstrap "$@" start \
+ >> $CATALINA_HOME/logs/catalina.out 2>&1 &
+ fi
elif [ "$1" = "stop" ] ; then
@@ -119,11 +151,14 @@
echo "Usage: catalina.sh ( env | run | start | stop)"
echo "Commands:"
- echo " debug - Start Catalina in a debugger"
- echo " env - Set up environment variables that Catalina would use"
- echo " run - Start Catalina in the current window"
- echo " start - Start Catalina in a separate window"
- echo " stop - Stop Catalina"
+ echo " debug Start Catalina in a debugger"
+ echo " debug -security Debug Catalina with a security manager"
+ echo " env Set up environment variables that would be used"
+ echo " run Start Catalina in the current window"
+ echo " run -security Start in the current window with security manager"
+ echo " start Start Catalina in a separate window"
+ echo " start -security Start in a separate window with security manager"
+ echo " stop - Stop Catalina"
exit 1
fi
1.1 jakarta-tomcat-4.0/catalina/src/conf/catalina.policy
Index: catalina.policy
===================================================================
// ============================================================================
// catalina.policy - Security Policy Permissions for Tomcat 4.0
//
// This file contains a default set of security policies to be enforced (by the
// JVM) when Catalina is executed with the "-security" option. In addition
// to the permissions granted here, the following additional permissions are
// granted to the codebase specific to each web application:
// * Read and write access to the configured temporary directory
// * Read access to the document root directory
//
// $Id: catalina.policy,v 1.1 2000/09/02 00:06:18 craigmcc Exp $
// ============================================================================
// ========== SYSTEM CODE PERMISSIONS =========================================
// These permissions apply to the Java Virtual Machine's core code
grant codebase "file:${java.home}/lib/-" {
permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions
grant codebase "file:${java.home}/jre/lib/ext/*" {
permission java.security.AllPermission;
};
// ========== CATALINA CODE PERMISSIONS =======================================
// These permissions apply to the servlet container's core code, plus any
// libraries installed in the "server" directory
grant codebase "file:${catalina.home}/bin/bootstrap.jar" {
permission java.security.AllPermission;
};
grant codebase "file:${catalina.home}/server/-" {
permission java.security.AllPermission;
};
// These permissions apply to all extension libraries (including Jasper,
// if present) installed in the "lib" directory
grant codebase "file:${catalina.home}/lib/-" {
permission java.security.AllPermission;
};
// ========== WEB APPLICATION PERMISSIONS =====================================
// These permissions are granted by default to all web applications
grant {
permission java.util.PropertyPermission "java.version", "read";
permission java.util.PropertyPermission "java.vendor", "read";
permission java.util.PropertyPermission "java.vendor.url", "read";
permission java.util.PropertyPermission "java.class.version", "read";
permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.version", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";
permission java.util.PropertyPermission "java.specification.version", "read";
permission java.util.PropertyPermission "java.specification.vendor", "read";
permission java.util.PropertyPermission "java.specification.name", "read";
permission java.util.PropertyPermission "java.vm.specification.version", "read";
permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
permission java.util.PropertyPermission "java.vm.specification.name", "read";
permission java.util.PropertyPermission "java.vm.version", "read";
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";
};
// Also by default, each web application is granted a set of permissions based
// on its document root. These permission additions are hard coded into
// Catalina, and can not be adjusted in this file. Conceptually, the additions
// for a given web application look like this:
//
// grant codebase "file:${doc.root}/-" {
// permission java.io.FilePermission "${doc.root}", "read";
// permission java.io.FilePermission "${work.dir}", "read,write,delete";
// };
// You can assign additional permissions to particular web applications by
// adding additional "grant" entries here, based on the code base for that
// application. For instance, assume that the standard "exmamples" application
// included a JDBC driver that needed to establish a network connection to the
// corresponding database. You might create a "grant" entry like this:
//
// grant codebase "file:${catalina.home}/webapps/examples/-" {
// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// }