tomcat-users mailing list archives

From Jeanfrancois Arcand <jfarc...@apache.org>
Subject Re: Tomcat + Hibernate2 + Security Manager
Date Tue, 27 Jan 2004 17:14:16 GMT


Webmaster wrote:

>Hi all,
>
>I know this is a little bit out of topic, but the general concept is useful for everybody.
>
>I run Tomcat with the security manager for a dozen users. Recently, people started to use Hibernate 2, which requires some funky permissions.
>
>I had to put these lines in the 'global' permission to make it work:
>
>grant {
>
>...
>
>  permission java.lang.RuntimePermission "accessDeclaredMembers";
>  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
>  permission java.lang.RuntimePermission "defineCGLIBClassInJavaPackage";
>
>...
>};
>
>Note: I DID test using a codebase like:
>
>grant codeBase "file:/home//client/public_html/WEB-INF/lib/hibernate2.jar!/-" { 
>....
>
>but the classes hibernate creates after reflection stop obeying the security manager.
>
Do you have the exception? Which Tomcat version are you using?


>Are there any security risks in a security setup with those 3 lines for all classes in the JVM?
>

Yes. It will now allow a Servlet to "load" Tomcat internal classes and "maybe" do malicious things.

-- Jeanfrancois


>Thanks
>Renato.
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


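For comparison, the two grant shapes discussed in this thread, written side by side in catalina.policy syntax. This is an added illustration, not part of the original message and not Tomcat's shipped policy; the web application name, the jar name and the `${catalina.home}` layout are assumed placeholders (the property expansion itself is the convention Tomcat's own catalina.policy uses).

```text
// (1) Grant with no codeBase, as the original poster ended up with.
//     Every class in the JVM receives these permissions, including classes
//     defined at runtime that carry no code source (for example proxy classes
//     a library generates with ClassLoader.defineClass).
grant {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission java.lang.RuntimePermission "defineCGLIBClassInJavaPackage";
};

// (2) Narrower shape: the same permissions scoped to one web application's
//     code. Paths are placeholders; assumed layout is ${catalina.home}/webapps/<app>.
grant codeBase "file:${catalina.home}/webapps/client/WEB-INF/lib/hibernate2.jar" {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission java.lang.RuntimePermission "defineCGLIBClassInJavaPackage";
};

grant codeBase "file:${catalina.home}/webapps/client/WEB-INF/classes/-" {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
```

Why shape (2) on its own can leave the generated classes without permissions, as the poster observed: a `codeBase` grant applies only to classes whose ProtectionDomain carries a matching code source URL. A class that a library defines at runtime through `ClassLoader.defineClass` without supplying a ProtectionDomain gets the loader's default domain, whose code source has no location, so no `codeBase` entry matches it and only codeBase-less grants such as (1) apply. That is my reading of the JDK policy matching rules, not something the message states. Before widening a grant to the whole JVM, run the Tomcat JVM with `-Djava.security.debug=access,failure` to see exactly which ProtectionDomain fails which permission check; that output tells you whether the failing class has a code source you can name in a `codeBase` entry.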

