tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Glenn Nielsen <>
Subject Re: Extending Server.xml configurability (foradditionalclasspaths)
Date Tue, 04 Sep 2001 01:27:20 GMT
Rick Mann wrote:
> > Comments:
> >
> > If you need to restrict access to an API for security reasons there are ways
> > to do that using the Java SecurityManager configuration and permissions
> > granted in the security policy file.
> If you tell me how this is done, I'll let you know if that solves my
> problem. Chances are it does not, because I can't give access to a directory
> to the owner of some contexts, and say "put your common classes in here". I
> have to give access to the CATALINA_HOME/lib|classes dir to every owner of a
> context and I don't want to have to do that.
> But I'm always open to suggestion.

This solution only works in Tomcat 4 running with the Java SecurityManager,
the -security option.

Install the jar file for your API in $CATALINA_HOME/lib.
Edit $JAVA_HOME/jre/lib/security/, add the packages
you wish to protect to the properties package.access and package.definition.
With the above configuration a java class can only define
a class in your package or access a class in your package if it is granted
the correct RuntimePermission.  For example, if your package were
the following permissions within a codebase grant in the catalina.policy file
would allow use of your protected package.

permission java.lang.RuntimePermission "";
permission java lang.RuntimePermission "";

Any codebase which did not have the above permissions would throw an

See the Tomcat 4 catalina.policy file and the tomcat-security.html doc
for more information.



Glenn Nielsen    | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |

View raw message