You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by cr...@locus.apache.org on 2000/10/06 20:24:00 UTC
cvs commit: jakarta-tomcat-4.0/catalina/src/conf catalina.policy
craigmcc 00/10/06 11:24:00
Modified: catalina/src/conf catalina.policy
Log:
Update the baseline security policy file. You can now start Tomcat 4.0 with
the -security option, as long as you remove the examples, webdav, and manager
web apps. (Catalina does not yet support per-webapp protection domains --
that is the next thing to be added.)
Revision Changes Path
1.2 +27 -14 jakarta-tomcat-4.0/catalina/src/conf/catalina.policy
Index: catalina.policy
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/catalina.policy,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- catalina.policy 2000/09/02 00:06:18 1.1
+++ catalina.policy 2000/10/06 18:23:59 1.2
@@ -8,7 +8,7 @@
// * Read and write access to the configured temporary directory
// * Read access to the document root directory
//
-// $Id: catalina.policy,v 1.1 2000/09/02 00:06:18 craigmcc Exp $
+// $Id: catalina.policy,v 1.2 2000/10/06 18:23:59 craigmcc Exp $
// ============================================================================
@@ -16,13 +16,13 @@
// These permissions apply to the Java Virtual Machine's core code
-grant codebase "file:${java.home}/lib/-" {
+grant codeBase "file:${java.home}/lib/-" {
permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions
-grant codebase "file:${java.home}/jre/lib/ext/*" {
+grant codeBase "file:${java.home}/jre/lib/ext/*" {
permission java.security.AllPermission;
};
@@ -30,19 +30,26 @@
// ========== CATALINA CODE PERMISSIONS =======================================
-// These permissions apply to the servlet container's core code, plus any
-// libraries installed in the "server" directory
-grant codebase "file:${catalina.home}/bin/bootstrap.jar" {
+// These permissions apply to the server startup code, and the servlet API
+// classes that are shared across all class loaders
+grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
permission java.security.AllPermission;
};
-grant codebase "file:${catalina.home}/server/-" {
+grant codeBase "file:${catalina.home}/bin/servlet.jar" {
permission java.security.AllPermission;
};
+// These permissions apply to the container's core code, plus any additional
+// libraries installed in the "server" directory
+grant codeBase "file:${catalina.home}/server/-" {
+ permission java.security.AllPermission;
+};
+
+
// These permissions apply to all extension libraries (including Jasper,
// if present) installed in the "lib" directory
-grant codebase "file:${catalina.home}/lib/-" {
+grant codeBase "file:${catalina.home}/lib/-" {
permission java.security.AllPermission;
};
@@ -79,21 +86,27 @@
// Also by default, each web application is granted a set of permissions based
// on its document root. These permission additions are hard coded into
// Catalina, and can not be adjusted in this file. Conceptually, the additions
-// for a given web application look like this:
+// for a given web application look like this, where "${doc.root}" is the
+// document root directory for this application, and "${work.dir}" is the
+// temporary work directory for this application:
//
-// grant codebase "file:${doc.root}/-" {
-// permission java.io.FilePermission "${doc.root}", "read";
-// permission java.io.FilePermission "${work.dir}", "read,write,delete";
+// grant codeBase "file:${doc.root}/WEB-INF/-" {
+// permission java.io.FilePermission "${doc.root}/-", "read";
+// permission java.io.FilePermission "${work.dir}/-", "read,write,delete";
+// };
+// grant codeBase "file:${work.dir}/-" {
+// permission java.io.FilePermission "${doc.root}/-", "read";
+// permission java.io.FilePermission "${work.dir}/-", "read,write,delete";
// };
// You can assign additional permissions to particular web applications by
// adding additional "grant" entries here, based on the code base for that
-// application. For instance, assume that the standard "exmamples" application
+// application. For instance, assume that the standard "examples" application
// included a JDBC driver that needed to establish a network connection to the
// corresponding database. You might create a "grant" entry like this:
//
-// grant codebase "file:${catalina.home}/webapps/examples/-" {
+// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/-" {
// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// }