tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: Policy files
Date Wed, 24 Apr 2013 20:20:56 GMT
Hash: SHA256


On 4/24/13 1:51 PM, Christian Beikov wrote:
> Yes we are talking about security manager policies.

Good :)

There's a lot about Spring that I don't know about, so I was just
checking that you weren't talking about some crazy IoC thing or
annotation-driven magic that no mere mortal can follow.

> So there is no possibility to just push the policy file to the 
> WebappClassLoader?

Nope: the SecurityManager applies to the whole JVM. But, the policy
can bless certain JARs, etc. as being privileged. So, you make Tomcat
and whatever code you wrote privileged and then leave all the student
code to run under the heavy-handed security policy.

> As stated in the reply to Matrin Gainty there do exist methods to
> restrict the webapp, but unfortunately no method for supplying a
> policy file.

Right: you can control the deployment descriptor(s) but not really
much else.

> So this means I have to parse the policy file myself and add the 
> permissions manually to the classloader?

Uh... I don't think that's possible. I must admit I'm no ClassLoader
ninja, but I don't think there's a way to tell a ClassLoader anything
about security policies.

What kinds of operations are you trying to restrict?

> Are there any options in the context.xml I could set for specifying
> a webapp local policy so that I don't have to fiddle around with
> how tomcat is called? I know how to apply a policy at runtime, but
> don't know how this affects tomcat when I apply it e.g. in a 
> ServletContextListener.

I think I'd have to understand more about what you are trying to do in
order to be helpful. The SecurityManager applies its policies globally
and you can't customize anything on a per-ClassLoader basis. You can
do it on a per-codebase basis, but you have to know the URL(s) of the
codebase(s) in advance.

> Would be cool if there was an option to do that kind of stuff.

Yes, I rather think it would be cool to specify a security policy on a
per-ClassLoader basis, but there are definitely some thorny issues
there otherwise I think Sun/Oracle would have implemented that
capability by now.

- -chris
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools -
Comment: Using GnuPG with Thunderbird -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message