tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeanfrancois Arcand <jfarc...@apache.org>
Subject Re: Tomcat + Hibernate2 + Security Manager
Date Wed, 28 Jan 2004 16:54:45 GMT


Webmaster wrote:

>Hi !
>
>
>On Tue, 27 Jan 2004 12:14:16 -0500, Jeanfrancois Arcand <jfarcand@apache.org> escreveu:
>
>  
>
>>De: Jeanfrancois Arcand <jfarcand@apache.org>
>>Data: Tue, 27 Jan 2004 12:14:16 -0500
>>Para: Tomcat Users List <tomcat-user@jakarta.apache.org>
>>Assunto: Re: Tomcat + Hibernate2 + Security Manager
>>
>>
>>
>>Webmaster wrote:
>>
>>    
>>
>>>Hi all,
>>>
>>>I know this is a little bit out of topic, but the general concept is useful for
everybody.
>>>
>>>I run tomcat with security manager for a dozen users. Recently, people started
to use the hibernate 2 which requires some funky permissions.
>>>
>>>I had to put these lines in the 'global' permission to make it work:
>>>
>>>grant {
>>>
>>>...
>>>
>>> permission java.lang.RuntimePermission "accessDeclaredMembers";
>>> permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
>>> permission java.lang.RuntimePermission "defineCGLIBClassInJavaPackage";
>>>
>>>...
>>>}
>>>
>>>Note: I DID test using a codebase like:
>>>
>>>grant codeBase "file:/home//client/public_html/WEB-INF/lib/hibernate2.jar!/-"
{ 
>>>....
>>>
>>>but the classes hibernate creates after reflection stop obeying the security manager.
>>> 
>>>
>>>      
>>>
>>Do you have the exception? Which Tomcat version are you using?
>>    
>>
>
>I'm using 4.1.29. The classes that hibernate creates dinamically are the ones that don't
follow the codebase anymore, it's like they have a 'null' codebase after they are created.
>
>  
>
>>>Are there any security risks on a security setup with those 3 lines for all classes
in the JVM ?
>>> 
>>>
>>>      
>>>
>>Yes. It will now allow a Servlet to "load" tomcat internal classes and 
>>"maybe" do malicious things. 
>>    
>>
>
>Right now, my clients don't have permissions to read the classes in /server/lib directory
( I don't give file io permission to this directory, only to /common/lib ). Would that be
enough to stop these malicious things ?
>  
>
Yes. But you should only grant those permission to the Hibernate jar 
files, not the entire folder.

-- Jeanfrancois

>  
>
>>-- Jeanfrancois
>>
>>
>>    
>>
>>>Thanks
>>>Renato.
>>>
>>>---------------------------------------------------------------------
>>>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>>>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>>>
>>>
>>> 
>>>
>>>      
>>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>>
>>
>>
>>
>>    
>>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>
>  
>


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Mime
View raw message