
From André Warnier ...@ice-sa.com>
Subject Re: Catalina.policy file for security option
Date Mon, 07 Nov 2011 11:29:54 GMT
Petr Hracek wrote:
> Dear tomcat users,
> 
> I have tried to configure my really old tomcat5 configuration (for using
> -security),
> but tomcat is not running.
Petr,
can you be a bit more specific ? what is not running ? does it start ? does it crash after
starting ? is it just not answering requests ? are there error messages anywhere ?

> On my system tomcat5 runs only as a servlet
> engine and not as a web server.
>
Do you mean for example that it runs as a back-end server (through AJP e.g.), with a 
front-end webserver serving all static content ?



> Do you have any example catalina.policy file?
> My catalina.policy file is:
> // ========== SYSTEM CODE PERMISSIONS =========================================
> 
> 
> // NOTE(review): a codeBase ending in "/-" matches every class and jar under
> // that directory recursively. Combined with AllPermission this means anything
> // dropped into these JDK directories runs with no sandbox at all, so they
> // must stay writable only by the administrator account.
> 
> // These permissions apply to javac
> grant codeBase "file:${java.home}/lib/-" {
>         permission java.security.AllPermission;
> };
> 
> // These permissions apply to all shared system extensions
> grant codeBase "file:${java.home}/jre/lib/ext/-" {
>         permission java.security.AllPermission;
> };
> 
> // These permissions apply to javac when ${java.home} points at $JAVA_HOME/jre
> grant codeBase "file:${java.home}/../lib/-" {
>         permission java.security.AllPermission;
> };
> 
> // These permissions apply to all shared system extensions when
> // ${java.home} points at $JAVA_HOME/jre
> grant codeBase "file:${java.home}/lib/ext/-" {
>         permission java.security.AllPermission;
> };
> // ========== CATALINA CODE PERMISSIONS =======================================
> 
> 
> // NOTE(review): each of the bin/ grants below names one exact jar file. A jar
> // whose file name differs (for example a commons-logging-api with a different
> // version number than 1.1.1) matches none of them and receives only the
> // default grant at the end of this file, which is a common reason for a
> // -security start to fail. Compare these names with the real contents of
> // ${catalina.home}/bin.
> 
> // These permissions apply to the launcher code
> grant codeBase "file:${catalina.home}/bin/commons-launcher.jar" {
>         permission java.security.AllPermission;
> };
> 
> // These permissions apply to the daemon code
> grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
>         permission java.security.AllPermission;
> };
> 
> // These permissions apply to the commons-logging API
> grant codeBase "file:${catalina.home}/bin/commons-logging-api-1.1.1.jar" {
>         permission java.security.AllPermission;
> };
> 
> // These permissions apply to the server startup code
> grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
>         permission java.security.AllPermission;
> };
> 
> // These permissions apply to the JMX server
> grant codeBase "file:${catalina.home}/bin/jmx.jar" {
>         permission java.security.AllPermission;
> };
> 
> // These permissions apply to JULI
> // Unlike the grants above, JULI is given only what logging needs: read access
> // to the logging configuration properties and files, read/write access to
> // ${catalina.base}/logs, plus shutdownHooks, getClassLoader and the
> // LoggingPermission "control".
> // NOTE(review): several comment lines in this block (and the balancer comment
> // further down) appear split across two physical lines. If that is how the
> // file looks on disk and not just mail wrapping, the continuation lines such
> // as `access to the appropriate file.` and the quoted FilePermission target
> // are outside the comment and the policy parser will reject the file; check
> // the file on disk and the startup log for a policy parse error.
> grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
>         permission java.util.PropertyPermission
> "java.util.logging.config.class", "read";
>         permission java.util.PropertyPermission
> "java.util.logging.config.file", "read";
>         permission java.io.FilePermission
> "${java.home}${file.separator}lib${file.separator}logging.properties",
> "read";
>         permission java.lang.RuntimePermission "shutdownHooks";
>         permission java.io.FilePermission
> "${catalina.base}${file.separator}conf${file.separator}logging.properties",
> "read";
>         permission java.util.PropertyPermission "catalina.base", "read";
>         permission java.util.logging.LoggingPermission "control";
>         permission java.io.FilePermission
> "${catalina.base}${file.separator}logs", "read, write";
>         permission java.io.FilePermission
> "${catalina.base}${file.separator}logs${file.separator}*", "read,
> write";
>         permission java.lang.RuntimePermission "getClassLoader";
>         // To enable per context logging configuration, permit read
> access to the appropriate file.
>         // Be sure that the logging configuration is secure before
> enabling such access
>         // eg for the examples web application:
>         // permission java.io.FilePermission
> "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties",
> "read";
> };
> 
> // These permissions apply to the servlet API classes
> // and those that are shared across all class loaders
> // located in the "common" directory
> // NOTE(review): "/-" is recursive, so every jar placed under common/ or
> // server/ runs with AllPermission, i.e. entirely outside the sandbox that
> // -security is meant to provide. Keep both directories writable only by the
> // administrator and do not deploy application code there.
> grant codeBase "file:${catalina.home}/common/-" {
>         permission java.security.AllPermission;
> };
> 
> // These permissions apply to the container's core code, plus any additional
> // libraries installed in the "server" directory
> grant codeBase "file:${catalina.home}/server/-" {
>         permission java.security.AllPermission;
> };
> 
> // The permissions granted to the balancer WEB-INF/classes and
> WEB-INF/lib directory
> // Only access to the digester package is added here; the balancer webapp
> // also receives the default grant at the end of this file.
> grant codeBase "file:${catalina.home}/webapps/balancer/-" {
>         permission java.lang.RuntimePermission
> "accessClassInPackage.org.apache.tomcat.util.digester";
>         permission java.lang.RuntimePermission
> "accessClassInPackage.org.apache.tomcat.util.digester.*";
> };
> // ========== WEB APPLICATION PERMISSIONS =====================================
> 
> 
> // These permissions are granted by default to all web applications
> // In addition, a web application will be given a read FilePermission
> // and JndiPermission for all files and directories in its document root.
> // NOTE(review): this grant has no codeBase, so it applies to every code
> // source, on top of any codeBase-specific grant above. It only allows
> // reading a fixed set of system properties plus two RuntimePermissions;
> // anything else a webapp needs (sockets, files outside its document root,
> // further properties) has to be added in a per-webapp codeBase grant rather
> // than here, so that it is not handed to every application at once.
> grant {
>     // Required for JNDI lookup of named JDBC DataSource's and
>     // javamail named MimePart DataSource used to send mail
>     permission java.util.PropertyPermission "java.home", "read";
>     permission java.util.PropertyPermission "java.naming.*", "read";
>     permission java.util.PropertyPermission "javax.sql.*", "read";
> 
>     // OS Specific properties to allow read access
>     permission java.util.PropertyPermission "os.name", "read";
>     permission java.util.PropertyPermission "os.version", "read";
>     permission java.util.PropertyPermission "os.arch", "read";
>     permission java.util.PropertyPermission "file.separator", "read";
>     permission java.util.PropertyPermission "path.separator", "read";
>     permission java.util.PropertyPermission "line.separator", "read";
> 
>     // JVM properties to allow read access
>     permission java.util.PropertyPermission "java.version", "read";
>     permission java.util.PropertyPermission "java.vendor", "read";
>     permission java.util.PropertyPermission "java.vendor.url", "read";
>     permission java.util.PropertyPermission "java.class.version", "read";
>     permission java.util.PropertyPermission
> "java.specification.version", "read";
>     permission java.util.PropertyPermission "java.specification.vendor", "read";
>     permission java.util.PropertyPermission "java.specification.name", "read";
> 
>     permission java.util.PropertyPermission
> "java.vm.specification.version", "read";
>     permission java.util.PropertyPermission
> "java.vm.specification.vendor", "read";
>     permission java.util.PropertyPermission
> "java.vm.specification.name", "read";
>     permission java.util.PropertyPermission "java.vm.version", "read";
>     permission java.util.PropertyPermission "java.vm.vendor", "read";
>     permission java.util.PropertyPermission "java.vm.name", "read";
> 
>     // Required for OpenJMX
>     permission java.lang.RuntimePermission "getAttribute";
> 
>     // Allow read of JAXP compliant XML parser debug
>     permission java.util.PropertyPermission "jaxp.debug", "read";
> 
>     // Precompiled JSPs need access to this package.
>     permission java.lang.RuntimePermission
> "accessClassInPackage.org.apache.jasper.runtime";
>     permission java.lang.RuntimePermission
> "accessClassInPackage.org.apache.jasper.runtime.*";
> 
>     // Precompiled JSPs need access to this system property.
>     permission java.util.PropertyPermission
> "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
> };
> 
> 
> My server.xml configuration file is:
> <?xml version="1.0" encoding="UTF-8"?>
> <!--
>   Licensed to the Apache Software Foundation (ASF) under one or more
>   contributor license agreements.  See the NOTICE file distributed with
>   this work for additional information regarding copyright ownership.
>   The ASF licenses this file to You under the Apache License, Version 2.0
>   (the "License"); you may not use this file except in compliance with
>   the License.  You may obtain a copy of the License at
> 
>       http://www.apache.org/licenses/LICENSE-2.0
> 
>   Unless required by applicable law or agreed to in writing, software
>   distributed under the License is distributed on an "AS IS" BASIS,
>   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>   See the License for the specific language governing permissions and
>   limitations under the License.
> -->
> 
> <!-- NOTE(review): the server stops when it receives the literal shutdown
>      string on port 8005. That socket is normally bound to loopback only,
>      but "SHUTDOWN" is the well-known default value, so a site-specific
>      string is preferable on a shared host. -->
> <Server port="8005" shutdown="SHUTDOWN">
> 
>   <Listener className="org.apache.catalina.core.AprLifecycleListener" />
>   <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
>   <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
> />
>   <!-- NOTE(review): StoreConfigLifecycleListener is not in the default set
>        of listeners; its class has to be on the server class path and be
>        covered by the policy file. If it cannot be loaded, startup presumably
>        fails before any webapp is deployed, so the startup log is the first
>        place to look for the "not running" symptom. -->
>   <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>
> 
>   <!-- Global JNDI resources -->
>   <GlobalNamingResources>
> 
>     <!-- Test entry for demonstration purposes -->
>     <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
> 
>     <!-- Editable user database that can also be used by
>          UserDatabaseRealm to authenticate users -->
>     <!-- NOTE(review): users and credentials come from conf/tomcat-users.xml,
>          so that file should be readable only by the account Tomcat runs as. -->
>     <Resource name="UserDatabase" auth="Container"
>               type="org.apache.catalina.UserDatabase"
>        description="User database that can be updated and saved"
>            factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>           pathname="conf/tomcat-users.xml" />
> 
>   </GlobalNamingResources>
> 
>   <!-- Define the Tomcat Stand-Alone Service -->
>   <Service name="Catalina">
> 
>     <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
>     <!-- NOTE(review): there is no address attribute here, so unlike the AJP
>          connector below this one listens on every interface. If the
>          front-end web server reaches Tomcat only over AJP, consider
>          address="127.0.0.1" here as well, or removing this connector. -->
>     <Connector port="8080" maxHttpHeaderSize="8192"
>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" redirectPort="8443" acceptCount="100"
>                connectionTimeout="20000" disableUploadTimeout="true" />
>     <!-- Note : To disable connection timeouts, set connectionTimeout value
>      to 0 -->
> 
>     <!-- Define an AJP 1.3 Connector on port 8009 -->
>     <!-- Bound to loopback, so only a front-end on the same machine can reach
>          the AJP port. -->
>     <Connector port="8009"
>                enableLookups="false" redirectPort="8443"
> protocol="AJP/1.3" address="127.0.0.1" />
> 
>     <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
>     <!-- See proxy documentation for more information about using this. -->
>     <!-- NOTE(review): the two comment lines above describe a proxied
>          connector that is not defined in this file; stale text, safe to
>          drop. -->
>     <Engine name="Catalina" defaultHost="localhost">
> 
>       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>              resourceName="UserDatabase"/>
> 
>       <!-- Define the default virtual host
>            Note: XML Schema validation will not work with Xerces 2.2.
>        -->
>       <Host name="localhost" appBase="webapps"
>        unpackWARs="true" autoDeploy="true"
>        xmlValidation="false" xmlNamespaceAware="false">
> 
> 
>         <!--
>         <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
>         -->
> 
>         <!-- Access logging is commented out below; enabling one of the two
>              valves gives a per-request log that is useful when tracking down
>              whether requests reach Tomcat at all. -->
>         <!--
>         <Valve className="org.apache.catalina.valves.AccessLogValve"
>                  directory="logs"  prefix="localhost_access_log." suffix=".txt"
>                  pattern="common" resolveHosts="false"/>
>         -->
>         <!--
>         <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve"
>                  directory="logs"  prefix="localhost_access_log." suffix=".txt"
>                  pattern="common" resolveHosts="false"/>
>         -->
>       </Host>
> 
>     </Engine>
> 
>   </Service>
> 
> </Server>
> 
> Thank you in advance.
> If any logs are needed I can provide them, of course.
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

