Posted to dev@tomcat.apache.org by ma...@apache.org on 2023/01/19 17:51:47 UTC
[tomcat] branch main updated: Complete (hopefully) the security manager clean-up
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 223e62b613 Complete (hopefully) the security manager clean-up
223e62b613 is described below
commit 223e62b61389020b82c7132658996e07edec791f
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Jan 19 17:51:38 2023 +0000
Complete (hopefully) the security manager clean-up
---
RELEASE-NOTES | 11 ------
java/jakarta/el/BeanELResolver.java | 5 +--
java/org/apache/catalina/WebResource.java | 7 +++-
.../catalina/core/ApplicationFilterConfig.java | 2 --
.../apache/catalina/loader/JdbcLeakPrevention.java | 4 ---
.../catalina/loader/WebappClassLoaderBase.java | 8 ++---
.../webresources/AbstractArchiveResource.java | 25 +++++--------
.../AbstractSingleArchiveResource.java | 11 ++++--
.../catalina/webresources/CachedResource.java | 5 ---
.../catalina/webresources/EmptyResource.java | 5 ---
.../apache/catalina/webresources/FileResource.java | 9 -----
.../apache/catalina/webresources/JarResource.java | 2 +-
.../catalina/webresources/JarResourceRoot.java | 11 ------
.../catalina/webresources/JarWarResource.java | 2 +-
.../apache/catalina/webresources/WarResource.java | 2 +-
webapps/docs/config/ajp.xml | 3 +-
webapps/docs/config/host.xml | 9 +----
webapps/docs/config/http.xml | 3 +-
webapps/docs/security-howto.xml | 41 +++-------------------
19 files changed, 37 insertions(+), 128 deletions(-)
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 74ce5f0742..28680c7743 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -28,7 +28,6 @@ CONTENTS:
* API Stability
* Bundled APIs
* Web application reloading and static fields in shared libraries
-* Security manager URLs
* Symlinking static resources
* Viewing the Tomcat Change Log
* Cryptographic software notice
@@ -111,16 +110,6 @@ and putting them in the shared classloader instead (JARs should be put in the
"lib" folder, and classes should be put in the "classes" folder).
-======================
-Security manager URLs:
-======================
-In order to grant security permissions to JARs located inside the
-web application repository, use URLs of the following format
-in your policy file:
-
-file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar
-
-
============================
Symlinking static resources:
============================
diff --git a/java/jakarta/el/BeanELResolver.java b/java/jakarta/el/BeanELResolver.java
index 9b99ef50db..37f37d2769 100644
--- a/java/jakarta/el/BeanELResolver.java
+++ b/java/jakarta/el/BeanELResolver.java
@@ -198,10 +198,7 @@ public class BeanELResolver extends ELResolver {
this.properties.put(pd.getName(), new BeanProperty(type, pd));
}
/*
- * Populating from any interfaces solves two distinct problems:
- * 1. When running under a security manager, classes may be
- * unaccessible but have accessible interfaces.
- * 2. It causes default methods to be included.
+ * Populating from any interfaces causes default methods to be included.
*/
populateFromInterfaces(type);
} catch (IntrospectionException ie) {
diff --git a/java/org/apache/catalina/WebResource.java b/java/org/apache/catalina/WebResource.java
index 2c8b05da51..f8b85a2fc4 100644
--- a/java/org/apache/catalina/WebResource.java
+++ b/java/org/apache/catalina/WebResource.java
@@ -145,8 +145,13 @@ public interface WebResource {
* @return the code base for this resource that will be used when looking up the
* assigned permissions for the code base in the security policy file when
* running under a security manager.
+ *
+ * @deprecated Unused. Will be removed in Tomcat 12 onwards.
*/
- URL getCodeBase();
+ @Deprecated
+ default URL getCodeBase() {
+ return null;
+ }
/**
* @return a reference to the WebResourceRoot of which this WebResource is a
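Review bot: the `@return` description above `getCodeBase()` is now stale. It still says the method returns the code base used to look up permissions in the policy file under a security manager, but the new default body always returns `null`. Suggest rewording it to something like `@return always {@code null}; retained only for binary compatibility` so the added `@deprecated` tag and the `@return` text agree.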
diff --git a/java/org/apache/catalina/core/ApplicationFilterConfig.java b/java/org/apache/catalina/core/ApplicationFilterConfig.java
index ac8626bb34..0fcac1fd9e 100644
--- a/java/org/apache/catalina/core/ApplicationFilterConfig.java
+++ b/java/org/apache/catalina/core/ApplicationFilterConfig.java
@@ -84,7 +84,6 @@ public final class ApplicationFilterConfig implements FilterConfig, Serializable
* instantiating the filter object
* @exception ServletException if thrown by the filter's init() method
* @throws NamingException If a JNDI lookup fails
- * @throws SecurityException If a security manager prevents the creation
* @throws IllegalArgumentException If the provided configuration is not
* valid
*/
@@ -233,7 +232,6 @@ public final class ApplicationFilterConfig implements FilterConfig, Serializable
* @exception ServletException if thrown by the filter's init() method
* @throws NamingException If a JNDI lookup fails
* @throws ReflectiveOperationException If the creation of the filter fails
- * @throws SecurityException If a security manager prevents the creation
* @throws IllegalArgumentException If the provided configuration is not
* valid
*/
diff --git a/java/org/apache/catalina/loader/JdbcLeakPrevention.java b/java/org/apache/catalina/loader/JdbcLeakPrevention.java
index adbf8f2b03..1c89c5abac 100644
--- a/java/org/apache/catalina/loader/JdbcLeakPrevention.java
+++ b/java/org/apache/catalina/loader/JdbcLeakPrevention.java
@@ -32,10 +32,6 @@ import java.util.Set;
* {@link WebappClassLoaderBase#clearReferences()} for details - but the short
* version is do not just create a new instance of this class with the new
* keyword.
- *
- * Since this class is loaded by {@link WebappClassLoaderBase}, it cannot refer
- * to any internal Tomcat classes as that will cause the security manager to
- * complain.
*/
public class JdbcLeakPrevention {
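Review bot: removing the whole paragraph also drops the guidance that this class must not reference internal Tomcat classes. The security manager was the stated reason, but the class is still loaded via `WebappClassLoaderBase` (see the sentence kept above), so if that restriction still matters for other reasons a shortened note such as `Since this class is loaded by WebappClassLoaderBase, it should not refer to internal Tomcat classes.` would preserve it; if it no longer applies, the deletion is fine as is.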
diff --git a/java/org/apache/catalina/loader/WebappClassLoaderBase.java b/java/org/apache/catalina/loader/WebappClassLoaderBase.java
index 1de7b7ac73..48c12ca716 100644
--- a/java/org/apache/catalina/loader/WebappClassLoaderBase.java
+++ b/java/org/apache/catalina/loader/WebappClassLoaderBase.java
@@ -103,9 +103,6 @@ import org.apache.tomcat.util.threads.ThreadPoolExecutor;
* <strong>IMPLEMENTATION NOTE</strong> - Local repositories are searched in
* the order they are added via the initial constructor.
* <p>
- * <strong>IMPLEMENTATION NOTE</strong> - No check for sealing violations or
- * security is made unless a security manager is present.
- * <p>
* <strong>IMPLEMENTATION NOTE</strong> - As of 8.0, this class
* loader implements {@link InstrumentableClassLoader}, permitting web
* application classes to instrument other classes in the same web
@@ -2254,7 +2251,6 @@ public abstract class WebappClassLoaderBase extends URLClassLoader
return null;
}
Manifest manifest = resource.getManifest();
- URL codeBase = resource.getCodeBase();
Certificate[] certificates = resource.getCertificates();
if (transformers.size() > 0) {
@@ -2297,7 +2293,7 @@ public abstract class WebappClassLoaderBase extends URLClassLoader
if (manifest == null) {
definePackage(packageName, null, null, null, null, null, null, null);
} else {
- definePackage(packageName, manifest, codeBase);
+ definePackage(packageName, manifest, null);
}
} catch (IllegalArgumentException e) {
// Ignore: normal error due to dual definition of package
@@ -2308,7 +2304,7 @@ public abstract class WebappClassLoaderBase extends URLClassLoader
try {
clazz = defineClass(name, binaryContent, 0,
- binaryContent.length, new CodeSource(codeBase, certificates));
+ binaryContent.length, new CodeSource(null, certificates));
} catch (UnsupportedClassVersionError ucve) {
throw new UnsupportedClassVersionError(
ucve.getLocalizedMessage() + " " +
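Review bot: passing `null` as the `CodeSource` location means every class defined by this loader now reports `getProtectionDomain().getCodeSource().getLocation() == null`. That is a visible behaviour change for application code and libraries that use that call to locate their own JAR or classes directory, so it deserves a changelog entry, and it is worth a quick check that nothing elsewhere in Tomcat reads the location from these protection domains.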
diff --git a/java/org/apache/catalina/webresources/AbstractArchiveResource.java b/java/org/apache/catalina/webresources/AbstractArchiveResource.java
index 8e4daffddc..03009670f8 100644
--- a/java/org/apache/catalina/webresources/AbstractArchiveResource.java
+++ b/java/org/apache/catalina/webresources/AbstractArchiveResource.java
@@ -35,18 +35,23 @@ public abstract class AbstractArchiveResource extends AbstractResource {
private final AbstractArchiveResourceSet archiveResourceSet;
private final String baseUrl;
private final JarEntry resource;
- private final String codeBaseUrl;
private final String name;
private boolean readCerts = false;
private Certificate[] certificates;
- protected AbstractArchiveResource(AbstractArchiveResourceSet archiveResourceSet,
- String webAppPath, String baseUrl, JarEntry jarEntry, String codeBaseUrl) {
+
+ @Deprecated
+ protected AbstractArchiveResource(AbstractArchiveResourceSet archiveResourceSet, String webAppPath,
+ String baseUrl, JarEntry jarEntry, @SuppressWarnings("unused") String codeBaseUrl) {
+ this(archiveResourceSet, webAppPath, baseUrl, jarEntry);
+ }
+
+ protected AbstractArchiveResource(AbstractArchiveResourceSet archiveResourceSet, String webAppPath,
+ String baseUrl, JarEntry jarEntry) {
super(archiveResourceSet.getRoot(), webAppPath);
this.archiveResourceSet = archiveResourceSet;
this.baseUrl = baseUrl;
this.resource = jarEntry;
- this.codeBaseUrl = codeBaseUrl;
String resourceName = resource.getName();
if (resourceName.charAt(resourceName.length() - 1) == '/') {
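Review bot: the retained five-argument constructor is marked `@Deprecated` but carries no Javadoc `@deprecated` tag saying what replaces it or when it will be removed. Suggest adding one in the same form used for `getCodeBase()` in this commit, e.g. `@deprecated Unused. Will be removed in Tomcat 12 onwards. Use the four-argument constructor.` The same applies to the matching constructor added in AbstractSingleArchiveResource.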
@@ -153,18 +158,6 @@ public abstract class AbstractArchiveResource extends AbstractResource {
}
}
- @Override
- public URL getCodeBase() {
- try {
- return new URI(codeBaseUrl).toURL();
- } catch (MalformedURLException | URISyntaxException e) {
- if (getLog().isDebugEnabled()) {
- getLog().debug(sm.getString("fileResource.getUrlFail", codeBaseUrl), e);
- }
- return null;
- }
- }
-
@Override
public final byte[] getContent() {
long len = getContentLength();
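Review bot: the removed `getCodeBase()` was a user of `URI`, `MalformedURLException` and `URISyntaxException`, yet the diff touches no import lines; check whether those imports are still used elsewhere in this file (the same check applies to JarResourceRoot.java, which loses an identical method below). Also confirm that the `fileResource.getUrlFail` message key is still referenced before leaving it in the LocalStrings files.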
diff --git a/java/org/apache/catalina/webresources/AbstractSingleArchiveResource.java b/java/org/apache/catalina/webresources/AbstractSingleArchiveResource.java
index ee9b686ee1..ebb2ae2c27 100644
--- a/java/org/apache/catalina/webresources/AbstractSingleArchiveResource.java
+++ b/java/org/apache/catalina/webresources/AbstractSingleArchiveResource.java
@@ -23,9 +23,16 @@ import java.util.jar.JarFile;
public abstract class AbstractSingleArchiveResource extends AbstractArchiveResource {
+
+ @Deprecated
+ protected AbstractSingleArchiveResource(AbstractArchiveResourceSet archiveResourceSet, String webAppPath,
+ String baseUrl, JarEntry jarEntry, @SuppressWarnings("unused") String codeBaseUrl) {
+ this(archiveResourceSet, webAppPath, baseUrl, jarEntry);
+ }
+
protected AbstractSingleArchiveResource(AbstractArchiveResourceSet archiveResourceSet, String webAppPath,
- String baseUrl, JarEntry jarEntry, String codeBaseUrl) {
- super(archiveResourceSet, webAppPath, baseUrl, jarEntry, codeBaseUrl);
+ String baseUrl, JarEntry jarEntry) {
+ super(archiveResourceSet, webAppPath, baseUrl, jarEntry);
}
diff --git a/java/org/apache/catalina/webresources/CachedResource.java b/java/org/apache/catalina/webresources/CachedResource.java
index 516effdeff..9f9a81d79c 100644
--- a/java/org/apache/catalina/webresources/CachedResource.java
+++ b/java/org/apache/catalina/webresources/CachedResource.java
@@ -361,11 +361,6 @@ public class CachedResource implements WebResource {
}
}
- @Override
- public URL getCodeBase() {
- return webResource.getCodeBase();
- }
-
@Override
public Certificate[] getCertificates() {
return webResource.getCertificates();
diff --git a/java/org/apache/catalina/webresources/EmptyResource.java b/java/org/apache/catalina/webresources/EmptyResource.java
index 7b35876bc1..99393fe1f5 100644
--- a/java/org/apache/catalina/webresources/EmptyResource.java
+++ b/java/org/apache/catalina/webresources/EmptyResource.java
@@ -150,11 +150,6 @@ public class EmptyResource implements WebResource {
return null;
}
- @Override
- public URL getCodeBase() {
- return null;
- }
-
@Override
public Certificate[] getCertificates() {
return null;
diff --git a/java/org/apache/catalina/webresources/FileResource.java b/java/org/apache/catalina/webresources/FileResource.java
index babe1905a7..8cfd49b39e 100644
--- a/java/org/apache/catalina/webresources/FileResource.java
+++ b/java/org/apache/catalina/webresources/FileResource.java
@@ -271,15 +271,6 @@ public class FileResource extends AbstractResource {
}
}
- @Override
- public URL getCodeBase() {
- if (getWebappPath().startsWith("/WEB-INF/classes/") && name.endsWith(".class")) {
- return getWebResourceRoot().getResource("/WEB-INF/classes/").getURL();
- } else {
- return getURL();
- }
- }
-
@Override
public Certificate[] getCertificates() {
return null;
diff --git a/java/org/apache/catalina/webresources/JarResource.java b/java/org/apache/catalina/webresources/JarResource.java
index 23eb6d8d52..265a2f79da 100644
--- a/java/org/apache/catalina/webresources/JarResource.java
+++ b/java/org/apache/catalina/webresources/JarResource.java
@@ -32,7 +32,7 @@ public class JarResource extends AbstractSingleArchiveResource {
public JarResource(AbstractArchiveResourceSet archiveResourceSet, String webAppPath,
String baseUrl, JarEntry jarEntry) {
- super(archiveResourceSet, webAppPath, "jar:" + baseUrl + "!/", jarEntry, baseUrl);
+ super(archiveResourceSet, webAppPath, "jar:" + baseUrl + "!/", jarEntry);
}
diff --git a/java/org/apache/catalina/webresources/JarResourceRoot.java b/java/org/apache/catalina/webresources/JarResourceRoot.java
index fc11a47b05..78f09c7241 100644
--- a/java/org/apache/catalina/webresources/JarResourceRoot.java
+++ b/java/org/apache/catalina/webresources/JarResourceRoot.java
@@ -135,17 +135,6 @@ public class JarResourceRoot extends AbstractResource {
}
}
- @Override
- public URL getCodeBase() {
- try {
- return new URI(baseUrl).toURL();
- } catch (MalformedURLException | URISyntaxException e) {
- if (getLog().isDebugEnabled()) {
- getLog().debug(sm.getString("fileResource.getUrlFail", baseUrl), e);
- }
- return null;
- }
- }
@Override
protected Log getLog() {
return log;
diff --git a/java/org/apache/catalina/webresources/JarWarResource.java b/java/org/apache/catalina/webresources/JarWarResource.java
index cce12338a8..8a42892c39 100644
--- a/java/org/apache/catalina/webresources/JarWarResource.java
+++ b/java/org/apache/catalina/webresources/JarWarResource.java
@@ -41,7 +41,7 @@ public class JarWarResource extends AbstractArchiveResource {
super(archiveResourceSet, webAppPath,
"jar:war:" + baseUrl + UriUtil.getWarSeparator() + archivePath + "!/",
- jarEntry, "war:" + baseUrl + UriUtil.getWarSeparator() + archivePath);
+ jarEntry);
this.archivePath = archivePath;
}
diff --git a/java/org/apache/catalina/webresources/WarResource.java b/java/org/apache/catalina/webresources/WarResource.java
index c6425311a3..b478d562cd 100644
--- a/java/org/apache/catalina/webresources/WarResource.java
+++ b/java/org/apache/catalina/webresources/WarResource.java
@@ -34,7 +34,7 @@ public class WarResource extends AbstractSingleArchiveResource {
public WarResource(AbstractArchiveResourceSet archiveResourceSet, String webAppPath,
String baseUrl, JarEntry jarEntry) {
super(archiveResourceSet, webAppPath, "war:" + baseUrl + UriUtil.getWarSeparator(),
- jarEntry, baseUrl);
+ jarEntry);
}
diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml
index f4de8b0171..189d3ce167 100644
--- a/webapps/docs/config/ajp.xml
+++ b/webapps/docs/config/ajp.xml
@@ -107,8 +107,7 @@
of the facade objects that isolate the container internal request
processing objects. If set to <code>true</code> the facades will be
set for garbage collection after every request, otherwise they will be
- reused. This setting has no effect when the security manager is enabled.
- If not specified, this attribute is set to <code>true</code>.</p>
+ reused. If not specified, this attribute is set to <code>true</code>.</p>
</attribute>
<attribute name="enableLookups" required="false">
diff --git a/webapps/docs/config/host.xml b/webapps/docs/config/host.xml
index 344267fd7d..d77425b6a7 100644
--- a/webapps/docs/config/host.xml
+++ b/webapps/docs/config/host.xml
@@ -279,14 +279,7 @@
descriptor is present in <strong>xmlBase</strong> then the context will
fail to start in case the descriptor contains necessary configuration
for secure deployment (such as a RemoteAddrValve) which should not be
- ignored. The default is <code>true</code> unless a security manager is
- enabled when the default is <code>false</code>. When running under a
- security manager this may be enabled on a per web application basis by
- granting the
- <code>org.apache.catalina.security.DeployXmlPermission</code> to the web
- application. The Manager and Host Manager applications are granted this
- permission by default so that they continue to work when running under a
- security manager.</p>
+ ignored. The default is <code>true</code>.</p>
</attribute>
<attribute name="errorReportValveClass" required="false">
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index 17271cf979..a7e19570c6 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -103,8 +103,7 @@
of the facade objects that isolate the container internal request
processing objects. If set to <code>true</code> the facades will be
set for garbage collection after every request, otherwise they will be
- reused. This setting has no effect when the security manager is enabled.
- If not specified, this attribute is set to <code>true</code>.</p>
+ reused. If not specified, this attribute is set to <code>true</code>.</p>
</attribute>
<attribute name="enableLookups" required="false">
diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml
index 65684cca67..d0cdf3e946 100644
--- a/webapps/docs/security-howto.xml
+++ b/webapps/docs/security-howto.xml
@@ -179,43 +179,10 @@
</section>
<section name="Security manager">
- <p>Enabling the security manager causes web applications to be run in a
- sandbox, significantly limiting a web application's ability to perform
- malicious actions such as calling System.exit(), establishing network
- connections or accessing the file system outside of the web application's
- root and temporary directories. However, it should be noted that there are
- some malicious actions, such as triggering high CPU consumption via an
- infinite loop, that the security manager cannot prevent.</p>
-
- <p>Enabling the security manager is usually done to limit the potential
- impact, should an attacker find a way to compromise a trusted web
- application . A security manager may also be used to reduce the risks of
- running untrusted web applications (e.g. in hosting environments) but it
- should be noted that the security manager only reduces the risks of
- running untrusted web applications, it does not eliminate them. If running
- multiple untrusted web applications, it is recommended that each web
- application is deployed to a separate Tomcat instance (and ideally separate
- hosts) to reduce the ability of a malicious web application impacting the
- availability of other applications.</p>
-
- <p>Tomcat is tested with the security manager enabled; but the majority of
- Tomcat users do not run with a security manager, so Tomcat is not as well
- user-tested in this configuration. There have been, and continue to be,
- bugs reported that are triggered by running under a security manager.</p>
-
- <p>The restrictions imposed by a security manager are likely to break most
- applications if the security manager is enabled. The security manager should
- not be used without extensive testing. Ideally, the use of a security
- manager should be introduced at the start of the development cycle as it can
- be time-consuming to track down and fix issues caused by enabling a security
- manager for a mature application.</p>
-
- <p>Enabling the security manager changes the defaults for the following
- settings:</p>
- <ul>
- <li>The default value for the <strong>deployXML</strong> attribute of the
- <strong>Host</strong> element is changed to <code>false</code>.</li>
- </ul>
+ <p>Support for running under a security manager has been removed for Tomcat
+ 11 onwards. Similar (arguably better) functionality maybe obtained by
+ running a single web application on a dedicated Tomcat instance in a
+ dedicated environment such as a container or VM.</p>
</section>
<section name="server.xml">
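Review bot: typo in the new paragraph: `maybe obtained` should be `may be obtained`.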