tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Policy files
Date Wed, 24 Apr 2013 20:20:56 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Christian,

On 4/24/13 1:51 PM, Christian Beikov wrote:
> Yes we are talking about security manager policies.

Good :)

There's a lot about Spring that I don't know about, so I was just
checking that you weren't talking about some crazy IoC thing or
annotation-driven magic that no mere mortal can follow.

> So there is no possibility to just push the policy file to the 
> WebappClassLoader?

Nope: the SecurityManager applies to the whole JVM. But, the policy
can bless certain JARs, etc. as being privileged. So, you make Tomcat
and whatever code you wrote privileged and then leave all the student
code to run under the heavy-handed security policy.

> As stated in the reply to Matrin Gainty there do exist methods to
> restrict the webapp, but unfortunately no method for supplying a
> policy file.

Right: you can control the deployment descriptor(s) but not really
much else.

> So this means I have to parse the policy file myself and add the 
> permissions manually to the classloader?

Uh... I don't think that's possible. I must admit I'm no ClassLoader
ninja, but I don't think there's a way to tell a ClassLoader anything
about security policies.

What kinds of operations are you trying to restrict?

> Are there any options in the context.xml I could set for specifying
> a webapp local policy so that I don't have to fiddle around with
> how tomcat is called? I know how to apply a policy at runtime, but
> don't know how this affects tomcat when I apply it e.g. in a 
> ServletContextListener.

I think I'd have to understand more about what you are trying to do in
order to be helpful. The SecurityManager applies its policies globally
and you can't customize anything on a per-ClassLoader basis. You can
do it on a per-codebase basis, but you have to know the URL(s) of the
codebase(s) in advance.

> Would be cool if there was an option to do that kind of stuff.

Yes, I rather think it would be cool to specify a security policy on a
per-ClassLoader basis, but there are definitely some thorny issues
there otherwise I think Sun/Oracle would have implemented that
capability by now.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJReD6oAAoJEBzwKT+lPKRYDGAP/R9SjzcX0ENxQ5A7/N+S26M8
Jd5sNOisQ9mdVowygJAwppYDqtUalmMZ5qZTtsyYZYWKn3QpiML10Qr36elFZsA5
zoCA1JRB+hwC/vhNgJGdhhNxDOEQo66mfiJlfQ0rHpOGwVrGppAuSV4kVfX5aZCQ
9Ssq2HZvfLE7tL0pg+qnBT1AA9/HU+hAmk4GkCETSMR16jB8NrwI10ejU7gt1F4F
BaUCULZvYtLRelbsAQTfz4ZOQL0FZq2zD85BeZ+hey0koinpr+nY1aRGy4ASbmrM
Eke8ruYKW5xbVmSyQ0A4JmaYmMrYFfc7SgdR7UOkD21wbHA87fSHF9oNhhom2Tqd
Qsdn89swuBwp6XkS1akbfRc6RJ4WPCxNfxBWceGWlJewtgY8XRD8lPYOsHCSiVN/
SOSVnmCaa8Fs6ygk75wo6IKI+VlLRJqFSK5pr1iGK9hVC+xgBGB5APrhMhvSCUmO
SuP6IxFMSRDhghlxUbDhd7hW7KZnpXGQCJZjSoEsW/ysjhwy0hfhLbkEGTyYV8Az
wCap5r3eHc5KsHP0FK9F283DbiUhV8oHoLK0ddzKd9KrHbxap4Vekk2tqbUA52Vn
gpcRk5vodI88w0mvtdc9b57luHPedmY87bqmayjqzh6VHixlT/O8+CQhmJLRrln3
Wf6YgQg1Li6p//YLwHpo
=TJPJ
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message