tomcat-users mailing list archives

From Petr Hracek <phrac...@gmail.com>
Subject Re: Catalina.policy file for security option
Date Wed, 09 Nov 2011 13:54:57 GMT
I have moved on to starting Catalina in security mode, and now I am at the
stage where in the catalina.out log file I have:

access: access allowed (java.io.FilePermission /usr/share/tomcat5/common/classes/log4j.properties read)
access: access denied (java.io.FilePermission /usr/share/tomcat5/common/classes/log4j.properties read)
access: access denied (javax.management.MBeanPermission org.apache.commons.modeler.BaseModelMBean#-[Catalina:J2EEApplication=none,J2EEServer=none,j2eeType=WebModule,name=//localhost/PM] registerMBean)
access: access allowed (java.lang.RuntimePermission setContextClassLoader)
access: access denied (javax.management.MBeanPermission org.apache.commons.modeler.BaseModelMBean#-[Catalina:J2EEApplication=none,J2EEServer=none,j2eeType=WebModule,name=//localhost/PM] registerMBean)
access: access allowed (java.io.FilePermission /usr/share/tomcat5/server/lib/catalina.jar read)
access: access denied (java.io.FilePermission /usr/share/tomcat5/server/lib/catalina.jar read)
access: access denied (javax.management.MBeanPermission org.apache.commons.modeler.BaseModelMBean#-[null:port=8080,type=ProtocolHandler] registerMBean)
access: access allowed (java.net.SocketPermission localhost:8080 listen,resolve)
access: access allowed (java.lang.RuntimePermission shutdownHooks)
access: access allowed (java.net.SocketPermission localhost:8005 listen,resolve)
access: access allowed (java.lang.RuntimePermission exitVM.1)
access: access allowed (java.lang.RuntimePermission shutdownHooks)
access: access allowed (java.util.logging.LoggingPermission control)

But in the output of lsof -i | grep java, tomcat is not mentioned.

On 8 November 2011 14:15 Petr Hracek <phracek2@gmail.com> wrote:
> When I have set CATALINA_OPTS to:
> linux:/var/log/tomcat5/base # echo $CATALINA_OPTS
> -Djava.security.debug=all
> linux:/var/log/tomcat5/base #
>
> in log I see:
> domain 1 ProtectionDomain
> CodeSource=CodeSource, url=file:/usr/share/tomcat5/bin/bootstrap.jar,
> <no certificates>
> ClassLoader=sun.misc.Launcher$AppClassLoader@8e208e2
> <no principals>
> Permissions:
>                static: java.security.Permissions@8930893 (
>  (java.io.FilePermission /usr/share/tomcat5/bin/bootstrap.jar read)
>  (java.lang.RuntimePermission exitVM)
> )
>
>
> On 8 November 2011 13:51 Petr Hracek <phracek2@gmail.com> wrote:
>> Yes, Tomcat should be run as a back-end server (AJP) with apache2-2.2.21.
>> I have added the following permissions to catalina.policy:
>>        permission javax.management.MBeanServerPermission "createMBeanServer";
>>        permission javax.management.MBeanPermission "com.javamonitor.mbeans.*", "*";
>>        permission javax.management.MBeanTrustPermission "register";
>>        permission javax.management.MBeanServerPermission "findMBeanServer";
>>        permission java.net.SocketPermission "java-monitor.com:80", "connect";
>>        permission java.net.SocketPermission "java-monitor.com:80", "resolve";
>>
>> In the log of catalina.out I see:
>> log4j:WARN No appenders could be found for logger
>> (org.apache.catalina.startup.Embedded).
>> log4j:WARN Please initialize the log4j system properly.
>>
>> But in ps -ef | grep java and lsof -i | grep java I did not see any
>> 8009 or 8005 port, or even any sign that tomcat5 is starting.
>>
>> Where could be a problem?
>>
>> On 7 November 2011 12:29 André Warnier <aw@ice-sa.com> wrote:
>>> Petr Hracek wrote:
>>>>
>>>> Dear tomcat users,
>>>>
>>>> I have tried to configure my really old tomcat5 configuration (for using
>>>> -security), but tomcat is not running.
>>>
>>> Petr,
>>> can you be a bit more specific? What is not running? Does it start? Does
>>> it crash after starting? Is it just not answering requests? Are there
>>> error messages anywhere?
>>>
>>>> On my system tomcat5 is run only as a servlet
>>>> engine and not as a web server.
>>>
>>> Do you mean for example that it runs as a back-end server (through AJP
>>> e.g.), with a front-end webserver serving all static content?
>>>
>>>
>>>
>>>> Do you have any example catalina.policy file?
>>>> My catalina.policy file is:
>>>> // ========== SYSTEM CODE PERMISSIONS =========================================
>>>>
>>>>
>>>> // These permissions apply to javac
>>>> grant codeBase "file:${java.home}/lib/-" {
>>>>        permission java.security.AllPermission;
>>>> };
>>>>
>>>> // These permissions apply to all shared system extensions
>>>> grant codeBase "file:${java.home}/jre/lib/ext/-" {
>>>>        permission java.security.AllPermission;
>>>> };
>>>>
>>>> // These permissions apply to javac when ${java.home} points at $JAVA_HOME/jre
>>>> grant codeBase "file:${java.home}/../lib/-" {
>>>>        permission java.security.AllPermission;
>>>> };
>>>>
>>>> // These permissions apply to all shared system extensions when
>>>> // ${java.home} points at $JAVA_HOME/jre
>>>> grant codeBase "file:${java.home}/lib/ext/-" {
>>>>        permission java.security.AllPermission;
>>>> };
>>>> // ========== CATALINA CODE PERMISSIONS =======================================
>>>>
>>>>
>>>> // These permissions apply to the launcher code
>>>> grant codeBase "file:${catalina.home}/bin/commons-launcher.jar" {
>>>>        permission java.security.AllPermission;
>>>> };
>>>>
>>>> // These permissions apply to the daemon code
>>>> grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
>>>>        permission java.security.AllPermission;
>>>> };
>>>>
>>>> // These permissions apply to the commons-logging API
>>>> grant codeBase "file:${catalina.home}/bin/commons-logging-api-1.1.1.jar" {
>>>>        permission java.security.AllPermission;
>>>> };
>>>>
>>>> // These permissions apply to the server startup code
>>>> grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
>>>>        permission java.security.AllPermission;
>>>> };
>>>>
>>>> // These permissions apply to the JMX server
>>>> grant codeBase "file:${catalina.home}/bin/jmx.jar" {
>>>>        permission java.security.AllPermission;
>>>> };
>>>>
>>>> // These permissions apply to JULI
>>>> grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
>>>>        permission java.util.PropertyPermission "java.util.logging.config.class", "read";
>>>>        permission java.util.PropertyPermission "java.util.logging.config.file", "read";
>>>>        permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
>>>>        permission java.lang.RuntimePermission "shutdownHooks";
>>>>        permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
>>>>        permission java.util.PropertyPermission "catalina.base", "read";
>>>>        permission java.util.logging.LoggingPermission "control";
>>>>        permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
>>>>        permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
>>>>        permission java.lang.RuntimePermission "getClassLoader";
>>>>        // To enable per context logging configuration, permit read access to the appropriate file.
>>>>        // Be sure that the logging configuration is secure before enabling such access
>>>>        // eg for the examples web application:
>>>>        // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
>>>> };
>>>>
>>>> // These permissions apply to the servlet API classes
>>>> // and those that are shared across all class loaders
>>>> // located in the "common" directory
>>>> grant codeBase "file:${catalina.home}/common/-" {
>>>>        permission java.security.AllPermission;
>>>> };
>>>>
>>>> // These permissions apply to the container's core code, plus any additional
>>>> // libraries installed in the "server" directory
>>>> grant codeBase "file:${catalina.home}/server/-" {
>>>>        permission java.security.AllPermission;
>>>> };
>>>>
>>>> // The permissions granted to the balancer WEB-INF/classes and WEB-INF/lib directory
>>>> grant codeBase "file:${catalina.home}/webapps/balancer/-" {
>>>>        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester";
>>>>        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester.*";
>>>> };
>>>> // ========== WEB APPLICATION PERMISSIONS =====================================
>>>>
>>>>
>>>> // These permissions are granted by default to all web applications
>>>> // In addition, a web application will be given a read FilePermission
>>>> // and JndiPermission for all files and directories in its document root.
>>>> grant {
>>>>    // Required for JNDI lookup of named JDBC DataSource's and
>>>>    // javamail named MimePart DataSource used to send mail
>>>>    permission java.util.PropertyPermission "java.home", "read";
>>>>    permission java.util.PropertyPermission "java.naming.*", "read";
>>>>    permission java.util.PropertyPermission "javax.sql.*", "read";
>>>>
>>>>    // OS Specific properties to allow read access
>>>>    permission java.util.PropertyPermission "os.name", "read";
>>>>    permission java.util.PropertyPermission "os.version", "read";
>>>>    permission java.util.PropertyPermission "os.arch", "read";
>>>>    permission java.util.PropertyPermission "file.separator", "read";
>>>>    permission java.util.PropertyPermission "path.separator", "read";
>>>>    permission java.util.PropertyPermission "line.separator", "read";
>>>>
>>>>    // JVM properties to allow read access
>>>>    permission java.util.PropertyPermission "java.version", "read";
>>>>    permission java.util.PropertyPermission "java.vendor", "read";
>>>>    permission java.util.PropertyPermission "java.vendor.url", "read";
>>>>    permission java.util.PropertyPermission "java.class.version", "read";
>>>>    permission java.util.PropertyPermission "java.specification.version", "read";
>>>>    permission java.util.PropertyPermission "java.specification.vendor", "read";
>>>>    permission java.util.PropertyPermission "java.specification.name", "read";
>>>>
>>>>    permission java.util.PropertyPermission "java.vm.specification.version", "read";
>>>>    permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
>>>>    permission java.util.PropertyPermission "java.vm.specification.name", "read";
>>>>    permission java.util.PropertyPermission "java.vm.version", "read";
>>>>    permission java.util.PropertyPermission "java.vm.vendor", "read";
>>>>    permission java.util.PropertyPermission "java.vm.name", "read";
>>>>
>>>>    // Required for OpenJMX
>>>>    permission java.lang.RuntimePermission "getAttribute";
>>>>
>>>>    // Allow read of JAXP compliant XML parser debug
>>>>    permission java.util.PropertyPermission "jaxp.debug", "read";
>>>>
>>>>    // Precompiled JSPs need access to this package.
>>>>    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
>>>>    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
>>>>
>>>>    // Precompiled JSPs need access to this system property.
>>>>    permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
>>>> };
>>>>
>>>>
>>>> My server.xml configuration file is:
>>>> <?xml version="1.0" encoding="UTF-8"?>
>>>> <!--
>>>>  Licensed to the Apache Software Foundation (ASF) under one or more
>>>>  contributor license agreements.  See the NOTICE file distributed with
>>>>  this work for additional information regarding copyright ownership.
>>>>  The ASF licenses this file to You under the Apache License, Version 2.0
>>>>  (the "License"); you may not use this file except in compliance with
>>>>  the License.  You may obtain a copy of the License at
>>>>
>>>>      http://www.apache.org/licenses/LICENSE-2.0
>>>>
>>>>  Unless required by applicable law or agreed to in writing, software
>>>>  distributed under the License is distributed on an "AS IS" BASIS,
>>>>  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>>>>  See the License for the specific language governing permissions and
>>>>  limitations under the License.
>>>> -->
>>>>
>>>> <Server port="8005" shutdown="SHUTDOWN">
>>>>
>>>>  <Listener className="org.apache.catalina.core.AprLifecycleListener" />
>>>>  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
>>>>  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
>>>>  <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>
>>>>
>>>>  <!-- Global JNDI resources -->
>>>>  <GlobalNamingResources>
>>>>
>>>>    <!-- Test entry for demonstration purposes -->
>>>>    <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
>>>>
>>>>    <!-- Editable user database that can also be used by
>>>>         UserDatabaseRealm to authenticate users -->
>>>>    <Resource name="UserDatabase" auth="Container"
>>>>              type="org.apache.catalina.UserDatabase"
>>>>       description="User database that can be updated and saved"
>>>>           factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>>>>          pathname="conf/tomcat-users.xml" />
>>>>
>>>>  </GlobalNamingResources>
>>>>
>>>>  <!-- Define the Tomcat Stand-Alone Service -->
>>>>  <Service name="Catalina">
>>>>
>>>>    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
>>>>    <Connector port="8080" maxHttpHeaderSize="8192"
>>>>               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>>>>               enableLookups="false" redirectPort="8443" acceptCount="100"
>>>>               connectionTimeout="20000" disableUploadTimeout="true" />
>>>>    <!-- Note : To disable connection timeouts, set connectionTimeout value
>>>>     to 0 -->
>>>>
>>>>    <!-- Define an AJP 1.3 Connector on port 8009 -->
>>>>    <Connector port="8009"
>>>>               enableLookups="false" redirectPort="8443"
>>>>               protocol="AJP/1.3" address="127.0.0.1" />
>>>>
>>>>    <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
>>>>    <!-- See proxy documentation for more information about using this. -->
>>>>    <Engine name="Catalina" defaultHost="localhost">
>>>>
>>>>      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>>>>             resourceName="UserDatabase"/>
>>>>
>>>>      <!-- Define the default virtual host
>>>>           Note: XML Schema validation will not work with Xerces 2.2.
>>>>       -->
>>>>      <Host name="localhost" appBase="webapps"
>>>>       unpackWARs="true" autoDeploy="true"
>>>>       xmlValidation="false" xmlNamespaceAware="false">
>>>>
>>>>
>>>>        <!--
>>>>        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
>>>>        -->
>>>>
>>>>        <!--
>>>>        <Valve className="org.apache.catalina.valves.AccessLogValve"
>>>>                 directory="logs"  prefix="localhost_access_log." suffix=".txt"
>>>>                 pattern="common" resolveHosts="false"/>
>>>>        -->
>>>>        <!--
>>>>        <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve"
>>>>                 directory="logs"  prefix="localhost_access_log." suffix=".txt"
>>>>                 pattern="common" resolveHosts="false"/>
>>>>        -->
>>>>      </Host>
>>>>
>>>>    </Engine>
>>>>
>>>>  </Service>
>>>>
>>>> </Server>
>>>>
>>>> Thank you in advance.
>>>> If any logs are needed I can provide them, of course.
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
>



-- 
Best Regards / S pozdravem
Petr Hracek

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
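As an added example (not from this thread or from Tomcat), a small Python script that turns the "access denied" lines produced by -Djava.security.debug=access, like the ones quoted above, into candidate catalina.policy permission lines, merging repeated denials of the same target and skipping the "access allowed" noise. The sample log is constructed from the lines in this thread; every suggested line still has to be reviewed and placed in the grant block of the codeBase that was actually denied, not in the default grant.

```python
import re

# Constructed sample in the format of -Djava.security.debug=access output;
# in the real catalina.out each "access:" entry is one line.
SAMPLE_LOG = """\
access: access allowed (java.io.FilePermission /usr/share/tomcat5/common/classes/log4j.properties read)
access: access denied (java.io.FilePermission /usr/share/tomcat5/common/classes/log4j.properties read)
access: access denied (javax.management.MBeanPermission org.apache.commons.modeler.BaseModelMBean#-[Catalina:j2eeType=WebModule,name=//localhost/PM] registerMBean)
access: access denied (java.io.FilePermission /usr/share/tomcat5/server/lib/catalina.jar read)
access: access denied (java.io.FilePermission /usr/share/tomcat5/common/classes/log4j.properties write)
access: access denied (java.lang.RuntimePermission setContextClassLoader)
"""

# "access denied (<class> <name> [<actions>])": the action list is the last
# token, and it is absent for permissions such as RuntimePermission.
DENIED = re.compile(r"^access: access denied \((\S+) (.+)\)$")


def parse_denials(log_text):
    """Return [(permission_class, target_name, actions_or_None), ...] for denied checks only."""
    found = []
    for line in log_text.splitlines():
        m = DENIED.match(line.strip())
        if not m:
            continue                    # "access allowed" lines and other noise
        cls, rest = m.group(1), m.group(2)
        name, sep, actions = rest.rpartition(" ")
        if not sep:                     # no action list after the target name
            name, actions = rest, None
        found.append((cls, name, actions))
    return found


def suggest_grants(log_text):
    """Merge denials per (class, target) and render catalina.policy lines in first-seen order."""
    merged = {}
    for cls, name, actions in parse_denials(log_text):
        acts = merged.setdefault((cls, name), [])
        for a in (actions.split(",") if actions else []):
            if a not in acts:
                acts.append(a)
    lines = []
    for (cls, name), acts in merged.items():
        if acts:
            lines.append('permission %s "%s", "%s";' % (cls, name, ",".join(acts)))
        else:
            lines.append('permission %s "%s";' % (cls, name))
    return lines
```

Run it on a real log with `suggest_grants(open("catalina.out").read())`; the first denied FilePermission on log4j.properties above comes out as a single `read,write` grant because both denials name the same file.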

