tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From jfarc...@apache.org
Subject cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security SecurityConfig.java SecurityClassLoad.java
Date Mon, 04 Nov 2002 05:16:23 GMT
jfarcand    2002/11/03 21:16:23

  Modified:    catalina/src/share/org/apache/catalina/security
                        SecurityConfig.java SecurityClassLoad.java
  Log:
  Use the catalina.properties file to customize the package protection/access. This new security
m
  echanism enable the customization, at runtime, of which package should be protected.
  
  the following package will be protected by default:
  
  o.a.catalina
  o.a.jasper(*)
  o.a.coyote
  o.a.tomcat.util
  
  (*) Tomcat 5 is broken when a JSP use a class from jsp20el.jar and when the SecurityManager
is t
  urned on. Even if you remove all the protection, Tomcat fail to properly runs the example.
  
  o.a.coyote.tomcat5 has been securized in order to support package protection.
  
  Revision  Changes    Path
  1.4       +48 -14    jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityConfig.java
  
  Index: SecurityConfig.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityConfig.java,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- SecurityConfig.java	24 Oct 2002 02:43:20 -0000	1.3
  +++ SecurityConfig.java	4 Nov 2002 05:16:23 -0000	1.4
  @@ -59,6 +59,7 @@
   package org.apache.catalina.security;
   
   import java.security.Security;
  +import org.apache.catalina.startup.CatalinaProperties;
   
   /**
    * Util class to protect Catalina against package access and insertion.
  @@ -68,27 +69,51 @@
    */
   public final class SecurityConfig{
       private static SecurityConfig singleton = null;
  +
  +    private static org.apache.commons.logging.Log log=
  +        org.apache.commons.logging.LogFactory.getLog( SecurityConfig.class );
  +
       
  -    private final static String PACKAGE_ACCESS =  "org.apache.catalina." 
  -                                                + ",org.apache.jasper."
  +    private final static String PACKAGE_ACCESS =  "sun.,"
  +                                                + "org.apache.catalina." 
                                                   + ",org.apache.jsp."
  -                                                + ",org.apache.jk.";
  +                                                + ",org.apache.coyote."
  +                                                + ",org.apache.tomcat.";
       
  -    private final static String PACKAGE_DEFINITION= "java."
  +    private final static String PACKAGE_DEFINITION= "java.,sun."
                                                   + ",org.apache.catalina." 
  -                                                + ",org.apache.jasper."
                                                   + ",org.apache.coyote."
  -                                                + ",org.apache.jsp."
  -                                                + ",org.apache.jk.";
  +                                                + ",org.apache.tomcat."
  +                                                + ",org.apache.jsp.";
  +    /**
  +     * List of protected package from conf/catalina.properties
  +     */
  +    private String packageDefinition;
  +    
  +    
  +    /**
  +     * List of protected package from conf/catalina.properties
  +     */
  +    private String packageAccess; 
  +    
  +    
       /**
        * Create a single instance of this class.
        */
  -    private SecurityConfig(){   
  +    private SecurityConfig(){  
  +        try{
  +            packageDefinition = CatalinaProperties.getProperty("package.definition");
  +            packageAccess = CatalinaProperties.getProperty("package.access");
  +        } catch (java.lang.Exception ex){
  +            if (log.isDebugEnabled()){
  +                log.debug("Unable to load properties using CatalinaProperties", ex); 
  +            }            
  +        }
       }
       
       
       /**
  -     * Retuens the singleton instance of that class.
  +     * Returns the singleton instance of that class.
        * @return an instance of that class.
        */
       public static SecurityConfig newInstance(){
  @@ -103,7 +128,12 @@
        * Set the security package.access value.
        */
       public void setPackageAccess(){
  -        setSecurityProperty("package.access", PACKAGE_ACCESS);        
  +        // If catalina.properties is missing, protect all by default.
  +        if (packageAccess == null){
  +            setSecurityProperty("package.access", PACKAGE_ACCESS);   
  +        } else {
  +            setSecurityProperty("package.access", packageAccess);   
  +        }
       }
       
       
  @@ -111,7 +141,12 @@
        * Set the security package.definition value.
        */
        public void setPackageDefinition(){
  -        setSecurityProperty("package.definition", PACKAGE_DEFINITION);
  +        // If catalina.properties is missing, protect all by default.
  +         if (packageDefinition == null){
  +            setSecurityProperty("package.definition", PACKAGE_DEFINITION);
  +         } else {
  +            setSecurityProperty("package.definition", packageDefinition);
  +         }
       }
        
        
  @@ -122,10 +157,9 @@
       private final void setSecurityProperty(String properties, String packageList){
           if (System.getSecurityManager() != null){
               String definition = Security.getProperty(properties);
  -            if( definition != null && definition.length() > 0 )
  +            if( definition != null && definition.length() > 0 ){
                   definition += ",";
  -            else
  -                definition = "sun.,";
  +            }
   
               Security.setProperty(properties,
                   // FIX ME package "javax." was removed to prevent HotSpot
  
  
  
  1.2       +88 -7     jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityClassLoad.java
  
  Index: SecurityClassLoad.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityClassLoad.java,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- SecurityClassLoad.java	18 Oct 2002 21:29:29 -0000	1.1
  +++ SecurityClassLoad.java	4 Nov 2002 05:16:23 -0000	1.2
  @@ -70,6 +70,7 @@
    * RuntimePermission does not trigger an AccessControlException.
    *
    * @author Glenn L. Nielsen
  + * @author Jean-Francois Arcand
    * @version $Revision$ $Date$
    */
   
  @@ -78,9 +79,21 @@
       public static void securityClassLoad(ClassLoader loader)
           throws Exception {
   
  -        if( System.getSecurityManager() == null )
  +        if( System.getSecurityManager() == null ){
               return;
  -
  +        }
  +        
  +        loadCorePackage(loader);
  +        loadLoaderPackage(loader);
  +        loadSessionPackage(loader);
  +        loadUtilPackage(loader);
  +        loadJavaxPackage(loader);
  +        loadCoyotePackage(loader);        
  +    }
  +    
  +    
  +    private final static void loadCorePackage(ClassLoader loader)
  +        throws Exception {
           String basePackage = "org.apache.catalina.";
           loader.loadClass
               (basePackage +
  @@ -109,18 +122,86 @@
           loader.loadClass
               (basePackage +
                "core.ContainerBase$PrivilegedAddChild");
  +    }
  +    
  +    
  +    private final static void loadLoaderPackage(ClassLoader loader)
  +        throws Exception {
  +        String basePackage = "org.apache.catalina.";
           loader.loadClass
               (basePackage +
                "loader.WebappClassLoader$PrivilegedFindResource");
  +    }
  +    
  +    
  +    private final static void loadSessionPackage(ClassLoader loader)
  +        throws Exception {
  +        String basePackage = "org.apache.catalina.";
           loader.loadClass
               (basePackage + "session.StandardSession");
  +    }
  +    
  +    
  +    private final static void loadUtilPackage(ClassLoader loader)
  +        throws Exception {
  +        String basePackage = "org.apache.catalina.";
           loader.loadClass
               (basePackage + "util.CookieTools");
           loader.loadClass
               (basePackage + "util.URL");
           loader.loadClass(basePackage + "util.Enumerator");
  +    }
  +    
  +    
  +    private final static void loadJavaxPackage(ClassLoader loader)
  +        throws Exception {
           loader.loadClass("javax.servlet.http.Cookie");
  -
       }
  +    
  +    
  +    private final static void loadCoyotePackage(ClassLoader loader)
  +        throws Exception {
  +        String basePackage = "org.apache.coyote.tomcat5.";
  +        loader.loadClass
  +            (basePackage +
  +             "CoyoteRequestFacade$GetAttributePrivilegedAction");
  +        loader.loadClass
  +            (basePackage +
  +             "CoyoteRequestFacade$GetParameterMapPrivilegedAction");
  +        loader.loadClass
  +            (basePackage +
  +             "CoyoteRequestFacade$GetRequestDispatcherPrivilegedAction");
  +        loader.loadClass
  +            (basePackage +
  +             "CoyoteRequestFacade$GetParameterPrivilegedAction");
  +        loader.loadClass
  +            (basePackage +
  +             "CoyoteRequestFacade$GetParameterNamesPrivilegedAction");
  +        loader.loadClass
  +            (basePackage +
  +             "CoyoteRequestFacade$GetParameterValuePrivilegedAction");
  +        loader.loadClass
  +            (basePackage +
  +             "CoyoteRequestFacade$GetCharacterEncodingPrivilegedAction");
  +        loader.loadClass
  +            (basePackage +
  +             "CoyoteRequestFacade$GetHeadersPrivilegedAction");
  +        loader.loadClass
  +            (basePackage +
  +             "CoyoteRequestFacade$GetHeaderNamesPrivilegedAction");  
  +        loader.loadClass
  +            (basePackage +
  +             "CoyoteRequestFacade$GetCookiesPrivilegedAction");
  +        loader.loadClass
  +            (basePackage +
  +             "CoyoteRequestFacade$GetLocalePrivilegedAction");
  +        loader.loadClass
  +            (basePackage +
  +             "CoyoteRequestFacade$GetLocalesPrivilegedAction");
  +        loader.loadClass
  +            (basePackage +
  +             "CoyoteResponseFacade$SetContentTypePrivilegedAction");
  +    }
  +
   }
   
  
  
  

--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>


Mime
View raw message