tomcat-users mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: Catalina.policy java.security.AllPermission
Date Thu, 09 May 2013 12:06:16 GMT
2013/5/9 Alejandro Garcia <alexander001_2@msn.com>:
> Thanks!
>
> It is because I run my app in a web hosting that runs with SM enabled.
>

(...)

SM can protect you from running webapps that you do not know or do not
trust. It cannot protect a web hoster from you (or from someone else
who uses a password that was stolen from you). It cannot be the only
line of defense.

If they run with SM, but allow you to edit conf/catalina.policy file,
then this is just a "feature" they provide and it is up to you to use
it or not.  If you want to use it, you need some knowledge. If you do
not, assign AllPermission to the whole codebase and be done with it.

> grant codeBase "file:${catalina.home}/webapps/WebRed/-" {

Web applications are in ${catalina.base}, not ${catalina.home},
unless both are the same.

> permission java.io.FilePermission "${catalina.home}/webapps/WebRed", "read,write";
> permission java.io.FilePermission "${catalina.home}/webapps/WebRed/-", "read,write,delete";

Your webapp updates its own files at runtime?
It should not. (Thus you do not need "write" or "delete" permissions here).

> permission java.util.PropertyPermission "org.apache.catalina.manager.util", "read";
> permission java.util.PropertyPermission "org.apache.catalina.manager", "read";
> permission java.util.PropertyPermission "org.apache.catalina", "read";
> permission java.util.PropertyPermission "org.apache.catalina.core", "read";

Why? There are no such system properties.

> permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
> permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
> permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
> permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.core";

Why? Do you need reflective access to Tomcat internal classes?
(And if you give such permissions, you can as well assign
AllPermissions to that code, as these permissions alone could be
abused).

> permission java.lang.RuntimePermission "accessClassInPackage.org.springframework.web.context";
> permission java.lang.RuntimePermission "accessClassInPackage.org.springframework.web.context.request";
> permission java.lang.RuntimePermission "accessClassInPackage.org.springframework.web.filter";
> permission java.lang.RuntimePermission "accessClassInPackage.org.icefaces.util";

Why? Access to these packages is not restricted by Tomcat. (They are
not in "package.access" property in conf/catalina.properties).

The way to debug security permission issues is described here:
http://tomcat.apache.org/tomcat-7.0-doc/security-manager-howto.html#Troubleshooting

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
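As an added example, not part of Konstantin's reply and not code from the Tomcat project: a small Python check that parses a grant block like the one quoted above and flags each point the reply raises (a codeBase rooted at ${catalina.home}, write/delete FilePermission on the webapp's own directory, PropertyPermission targets that are Tomcat package names rather than system properties, and accessClassInPackage grants that either open up Tomcat internals or name packages Tomcat never restricted). The PACKAGE_ACCESS tuple is assumed to match a stock Tomcat 7 conf/catalina.properties; the rule names, the MINIMAL_GRANT text and the sample input (the thread's grant reassembled onto whole lines) are this example's own.

```python
import re

# Constructed sample input: the grant block quoted in the thread above,
# reassembled onto whole lines. Not a file taken from the poster's account.
POSTED_GRANT = """\
grant codeBase "file:${catalina.home}/webapps/WebRed/-" {
  permission java.io.FilePermission "${catalina.home}/webapps/WebRed", "read,write";
  permission java.io.FilePermission "${catalina.home}/webapps/WebRed/-", "read,write,delete";
  permission java.util.PropertyPermission "org.apache.catalina.manager.util", "read";
  permission java.util.PropertyPermission "org.apache.catalina.manager", "read";
  permission java.util.PropertyPermission "org.apache.catalina", "read";
  permission java.util.PropertyPermission "org.apache.catalina.core", "read";
  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.core";
  permission java.lang.RuntimePermission "accessClassInPackage.org.springframework.web.context";
  permission java.lang.RuntimePermission "accessClassInPackage.org.springframework.web.context.request";
  permission java.lang.RuntimePermission "accessClassInPackage.org.springframework.web.filter";
  permission java.lang.RuntimePermission "accessClassInPackage.org.icefaces.util";
};
"""

# What the reply's advice reduces to for this webapp: read-only access to its
# own directory, rooted at ${catalina.base}. Written for this example only.
MINIMAL_GRANT = """\
grant codeBase "file:${catalina.base}/webapps/WebRed/-" {
  permission java.io.FilePermission "${catalina.base}/webapps/WebRed", "read";
  permission java.io.FilePermission "${catalina.base}/webapps/WebRed/-", "read";
};
"""

# Assumed: the package.access prefixes a stock Tomcat 7 conf/catalina.properties
# ships with. Check the installation you actually run on; a hoster may differ.
PACKAGE_ACCESS = ("sun.", "org.apache.catalina.", "org.apache.coyote.",
                  "org.apache.tomcat.", "org.apache.jasper.")

GRANT_RE = re.compile(r'grant\s+codeBase\s+"([^"]+)"\s*\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+([\w.]+)\s+"([^"]*)"(?:\s*,\s*"([^"]*)")?\s*;')


def parse_grants(policy_text):
    """Return [(codeBase, [(permission_class, target, actions), ...]), ...]."""
    grants = []
    for g in GRANT_RE.finditer(policy_text):
        perms = [(p.group(1), p.group(2), p.group(3) or "")
                 for p in PERM_RE.finditer(g.group(2))]
        grants.append((g.group(1), perms))
    return grants


def is_restricted_package(pkg):
    """Same test SecurityManager.checkPackageAccess applies: a prefix match on
    the package.access entries, or the entry itself named without its dot."""
    return any(pkg.startswith(p) or p == pkg + "." for p in PACKAGE_ACCESS)


def _codebase_dir(codebase):
    # "file:${catalina.base}/webapps/WebRed/-" -> "${catalina.base}/webapps/WebRed"
    path = codebase[len("file:"):] if codebase.startswith("file:") else codebase
    return re.sub(r"/(-|\*)$", "", path)


def lint_grant(codebase, perms):
    """Return a list of (rule, detail) findings; an empty list means clean."""
    findings = []
    if "${catalina.home}" in codebase:
        findings.append(("codebase-catalina-home", codebase))
    own_dir = _codebase_dir(codebase)
    for cls, target, actions in perms:
        acts = {a.strip() for a in actions.split(",") if a.strip()}
        if (cls == "java.io.FilePermission" and target.startswith(own_dir)
                and acts & {"write", "delete"}):
            # The webapp should not rewrite its own files at runtime.
            findings.append(("self-write", target))
        elif cls == "java.util.PropertyPermission" and is_restricted_package(target):
            # A Tomcat package name is not a system property.
            findings.append(("tomcat-package-as-property", target))
        elif cls == "java.lang.RuntimePermission" and target.startswith("accessClassInPackage."):
            pkg = target[len("accessClassInPackage."):]
            # Internals: as good as AllPermission. Unrestricted: the grant is a no-op.
            rule = "internal-package-access" if is_restricted_package(pkg) else "unrestricted-package"
            findings.append((rule, pkg))
    return findings


def lint_policy(policy_text):
    return [f for cb, perms in parse_grants(policy_text) for f in lint_grant(cb, perms)]


if __name__ == "__main__":
    for rule, detail in lint_policy(POSTED_GRANT):
        print(f"{rule:28} {detail}")
    print("minimal grant findings:", lint_policy(MINIMAL_GRANT))
```

Running it over POSTED_GRANT prints one finding per line the reply questioned, and nothing for MINIMAL_GRANT. The check is deliberately literal: it does not tell you which permissions the application really needs at runtime, which is what the troubleshooting section linked above is for.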

