Return-Path: X-Original-To: apmail-tomcat-users-archive@www.apache.org Delivered-To: apmail-tomcat-users-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 93D5BFBF5 for ; Thu, 9 May 2013 12:06:47 +0000 (UTC) Received: (qmail 55145 invoked by uid 500); 9 May 2013 12:06:44 -0000 Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org Received: (qmail 55087 invoked by uid 500); 9 May 2013 12:06:44 -0000 Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Tomcat Users List" Delivered-To: mailing list users@tomcat.apache.org Received: (qmail 55058 invoked by uid 99); 9 May 2013 12:06:43 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 09 May 2013 12:06:43 +0000 X-ASF-Spam-Status: No, hits=-0.7 required=5.0 tests=RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of knst.kolinko@gmail.com designates 209.85.214.182 as permitted sender) Received: from [209.85.214.182] (HELO mail-ob0-f182.google.com) (209.85.214.182) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 09 May 2013 12:06:37 +0000 Received: by mail-ob0-f182.google.com with SMTP id eh20so2833943obb.13 for ; Thu, 09 May 2013 05:06:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:content-type; bh=2dWgaVO7B5JsHL5/3F3wU582dirHkmil+fByC+6ipeY=; b=mM4i/C729uUukU6gZ4NuVhwpzDfDlbUcX2MFXH4PBGAcTbHfwJaigcoDM+axRjkqAm eFzinXaqrn9vqqeeDBWxcI62UnvZ2W1i6zv4R2OODYMVRmCKxEIp3vO7kxlnHL9yvoPb LOQlB2b577t38tEYy5qgi9q/bPPQI0le85yz1Es/l9f2mFukLOySh5Ffodkgp8S2RYXq Z4l2qEOPz7IG0FgQfiVK5UoqDsWmbuR8nZLYdL8Dvav2oIWHGCHGj/2lQ8/V2MBHstt7 Qzj0ht7ah4h6S07xd88iLQSs4um1uEyjZBUUkL3WLunBxS73OB5HRQG80lmLscPWsJ0D VKGA== MIME-Version: 1.0 X-Received: by 10.60.121.70 with SMTP id li6mr4215046oeb.16.1368101176725; Thu, 09 May 2013 05:06:16 -0700 (PDT) Received: by 10.76.73.65 with HTTP; Thu, 9 May 2013 05:06:16 -0700 (PDT) In-Reply-To: References: Date: Thu, 9 May 2013 16:06:16 +0400 Message-ID: Subject: Re: Catalina.policy java.security.AllPermission From: Konstantin Kolinko To: Tomcat Users List Content-Type: text/plain; charset=ISO-8859-1 X-Virus-Checked: Checked by ClamAV on apache.org 2013/5/9 Alejandro Garcia : > Thanks! > > It is because I am run my app in a Web Hosting that runs with SM enable. > (...) SM can protect you from running webapps that you do not know or do not trust. It cannot protect a web hoster from you (or from someone else who uses a password that was stolen from you). It cannot be the only line of defense. If they run with SM, but allow you to edit conf/catalina.policy file, then this is just a "feature" they provide and it is up to you to use it or not. If you want to use it, you need some knowledge. If you do not, assign AllPermission to the whole codebase and be done with it. > grant codeBase "file:${catalina.home}/ webapps/WebRed/-" { Web applications are in ${catalina.base}, not ${catalina.home}, unless both are the same. > permission java.io.FilePermission "${catalina.home}/webapps/ WebRed", "read,write"; > permission java.io.FilePermission "${catalina.home}/webapps/WebRed/-", "read,write,delete"; Your webapp updates its own files at runtime? It should not. (Thus you do not need "write" or "delete" permissions here). > permission java.util.PropertyPermission "org.apache.catalina.manager. util", "read"; > permission java.util.PropertyPermission "org.apache.catalina.manager", "read"; > permission java.util.PropertyPermission "org.apache.catalina", "read"; > permission java.util.PropertyPermission "org.apache.catalina.core", "read"; Why? There are no such system properties. > permission java.lang.RuntimePermission "accessClassInPackage.org. apache.catalina"; > permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager"; > permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util"; > permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.core"; Why? Do you need reflective access to Tomcat internal classes? (And if you give such permissions, you can as well assign AllPermissions to that code, as these permissions alone could be abused). > permission java.lang.RuntimePermission "accessClassInPackage.org. springframework.web.context"; > permission java.lang.RuntimePermission "accessClassInPackage.org.springframework.web.context.request"; > permission java.lang.RuntimePermission "accessClassInPackage.org.springframework.web.filter"; > permission java.lang.RuntimePermission "accessClassInPackage.org. icefaces.util"; Why? Access to these packages is not restricted by Tomcat. (They are not in "package.access" property in conf/catalina.properties). The way to debug security permission issues is described here: http://tomcat.apache.org/tomcat-7.0-doc/security-manager-howto.html#Troubleshooting --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org For additional commands, e-mail: users-help@tomcat.apache.org