Posted to dev@tapestry.apache.org by bu...@apache.org on 2004/04/05 11:35:30 UTC

DO NOT REPLY [Bug 28202] New: - Tapestry 3.0 RC 1 in secure Tomcat 5

http://issues.apache.org/bugzilla/show_bug.cgi?id=28202

           Summary: Tapestry 3.0 RC 1 in secure Tomcat 5
           Product: Tapestry
           Version: 3.0
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: Major
          Priority: Other
         Component: Framework
        AssignedTo: tapestry-dev@jakarta.apache.org
        ReportedBy: mafor@portwise.com


Tapestry 3.0 RC 1 does not run properly in a secured Tomcat 5. However, I have
found a way to make this work. It involves some patches to Tapestry files and
a default set of Java permissions. The Java security manager uses a policy
file with static code bases to determine what protection domain a class should
belong to and subsequently what permissions it is granted. A protection domain
consists of a code source, a class loader, an array of principals and a set of
permissions. Since Tapestry creates and loads classes dynamically, the
dynamic classes must be set to belong to a defined protection domain;
currently this does not take place. The effect is that you cannot set
permissions for the dynamic classes in the policy file other than by using
global permissions, which counteracts the whole idea of security.

However, this can easily be fixed by adding a protection domain to the
Tapestry class loader that loads the dynamic classes. The files in need
of a patch are EnhancedClassLoader.java and EnhancedClass.java; see below.
All additions/changes are marked PATCH.

EnhancedClassLoader.java: 
-------------------------
// PATCH: new import
import java.security.ProtectionDomain;

 . . .

    // PATCH: new parameter - protectionDomain
    public Class defineClass(String enhancedClassName, byte[] byteCode,
                             ProtectionDomain protectionDomain)
    {
        try
        {
            // PATCH: forward protectionDomain parameter to super class loader
            return defineClass(enhancedClassName, byteCode, 0,
                               byteCode.length, protectionDomain);
        }
        catch (Throwable ex)
        {
            throw new ApplicationRuntimeException(
                Tapestry.format(
                    "EnhancedClassLoader.unable-to-define-class",
                    enhancedClassName,
                    ex.getMessage()),
                ex);
        }
    }

EnhancedClass.java:
-------------------
// PATCH: new import
import java.security.ProtectionDomain;

 . . .

    public Class createEnhancedSubclass()
    {
        performEnhancement();

        ClassFabricator cf = getClassFabricator();
        cf.commit();
        
        String enhancedClassName = getClassName();
        byte[] enhancedClassBytes = cf.getByteCode();
        
        // PATCH: use protection domain of parent class
        EnhancedClassLoader loader = _classFactory.getEnhancedClassLoader();
        return loader.defineClass(enhancedClassName, enhancedClassBytes,
                                  _parentClass.getProtectionDomain());
    }

Now, to be able to run a Tapestry application in a secured Tomcat you'll
need a set of default permissions for a bunch of the included libraries.
Using a default Tomcat policy file you can add the following entries (based
on the assumption that the Tapestry libs are located in shared/lib). This is
the minimum set of permissions.

Catalina.policy:
----------------
// OGNL
grant codeBase "file:${catalina.home}/shared/lib/ognl-2.6.3.jar" {

   permission java.io.FilePermission "${catalina.home}\\webapps\\myapp\\-", "read";

   permission ognl.OgnlInvokePermission "invoke.*";
   permission java.util.PropertyPermission "ognl.*", "read";

   permission java.lang.RuntimePermission "accessDeclaredMembers";

};

// Javassist
grant codeBase "file:${catalina.home}/shared/lib/javassist-2.5.1.jar" {

   permission java.io.FilePermission "${catalina.home}\\shared\\lib\\tapestry-3.0-rc-1.jar", "read";
   permission java.io.FilePermission "${catalina.home}\\webapps\\myapp\\-", "read";
   permission java.io.FilePermission "${java.home}\\lib\\-", "read";

   permission java.lang.RuntimePermission "createClassLoader";

};

// Tapestry
grant codeBase "file:${catalina.home}/shared/lib/tapestry-3.0-rc-1.jar" {

   permission java.io.FilePermission "${catalina.home}\\webapps\\myapp\\-", "read";
   permission java.io.FilePermission "${java.home}\\lib\\-", "read";

   permission ognl.OgnlInvokePermission "invoke.*";
   permission java.util.PropertyPermission "ognl.*", "read";

   permission java.util.PropertyPermission "org.apache.*", "read";
   permission java.util.PropertyPermission "java.class.path", "read";

   permission java.lang.RuntimePermission "createClassLoader";
   permission java.lang.RuntimePermission "getProtectionDomain";
   permission java.lang.RuntimePermission "accessDeclaredMembers";

};

// BSF
grant codeBase "file:${catalina.home}/shared/lib/bsf-2.3.0.jar" {

   permission java.util.PropertyPermission "org.apache.*", "read";

};

// BeanUtils
grant codeBase "file:${catalina.home}/shared/lib/commons-beanutils-1.6.1.jar" {

   permission java.io.FilePermission "${catalina.home}\\webapps\\myapp\\-", "read";

};

// Digester
grant codeBase "file:${catalina.home}/shared/lib/commons-digester-1.5.jar" {

   permission java.io.FilePermission "${catalina.home}\\shared\\lib\\tapestry-3.0-rc-1.jar", "read";
   permission java.io.FilePermission "${catalina.home}\\webapps\\myapp\\-", "read";

};

// Web application
grant codeBase "file:${catalina.home}/webapps/myapp/-" {

   permission java.io.FilePermission "${catalina.home}\\shared\\lib\\tapestry-3.0-rc-1.jar", "read";
   permission java.io.FilePermission "${java.home}\\lib\\-", "read";

   permission ognl.OgnlInvokePermission "invoke.*";

   permission java.util.PropertyPermission "org.apache.*", "read";
   permission java.util.PropertyPermission "java.class.path", "read";

   permission java.lang.RuntimePermission "getProtectionDomain";
   permission java.lang.RuntimePermission "accessDeclaredMembers";

   // Plus any other needed application permissions

};

I've tested this using J2SE 1.4.2, Tapestry 3.0 RC1 and Tomcat 5.0.19
together with a simple "Hello World" app. If you are going to run this on
Unix you need to adapt the path separators in the permission paths.
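
Added example (not part of the original report and not Tapestry code): the sketch below shows why a class defined without a ProtectionDomain cannot be matched by a "grant codeBase" entry, and how passing the parent's domain changes that. DomainDemo, Sample and DynamicLoader are hypothetical names, Sample's own class file stands in for generated bytecode, and Java 9 or later is assumed for readAllBytes.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSource;
import java.security.ProtectionDomain;

// Added illustration; all class names here are hypothetical.
public class DomainDemo {

    /** Stand-in for a class whose bytecode is generated at run time. */
    public static class Sample { }

    /** Minimal loader that exposes both protected defineClass overloads. */
    static final class DynamicLoader extends ClassLoader {
        DynamicLoader(ClassLoader parent) { super(parent); }

        Class<?> define(String name, byte[] code, ProtectionDomain domain) {
            return domain == null
                ? defineClass(name, code, 0, code.length)          // default domain
                : defineClass(name, code, 0, code.length, domain); // explicit domain
        }
    }

    /** Code base the policy file would be matched against, or "<none>". */
    static String codeBaseOf(Class<?> c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        return (cs == null || cs.getLocation() == null) ? "<none>" : cs.getLocation().toString();
    }

    public static void main(String[] args) throws IOException {
        String name = Sample.class.getName();
        ClassLoader parent = DomainDemo.class.getClassLoader();
        byte[] code;
        // Reuse Sample's compiled bytes as the "generated" bytecode.
        try (InputStream in = parent.getResourceAsStream(name.replace('.', '/') + ".class")) {
            if (in == null) throw new IOException("class file not found for " + name);
            code = in.readAllBytes();
        }

        // Separate loaders, because one loader cannot define the same name twice.
        Class<?> unpatched = new DynamicLoader(parent).define(name, code, null);
        Class<?> patched = new DynamicLoader(parent)
                .define(name, code, DomainDemo.class.getProtectionDomain());

        System.out.println("parent class : " + codeBaseOf(DomainDemo.class));
        System.out.println("no domain    : " + codeBaseOf(unpatched));
        System.out.println("parent domain: " + codeBaseOf(patched));
    }
}
```

Compile with javac and run from the class directory. The "no domain" line reports no code base, so no "grant codeBase" entry can match that class, while the "parent domain" line reports the same location as the parent class.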
