Author: markt Date: Wed Oct 5 09:50:39 2016 New Revision: 1763377 URL: http://svn.apache.org/viewvc?rev=1763377&view=rev Log: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=60087 Refactor the web resources handling to use the Tomcat specific 'war:file:...' URL protocol to refer to WAR files and their contents rather than the standard 'jar:file:...' form since some components of the JRE, such as JAR verification, give unexpected results when the standard form is used. A side-effect of the refactoring is that when using packed WARs, it is now possible to reference a WAR and/or specific JARs within a WAR in the security policy file used when running under a SecurityManager.
Added: tomcat/trunk/java/org/apache/catalina/webresources/AbstractSingleArchiveResource.java (with props) tomcat/trunk/java/org/apache/catalina/webresources/AbstractSingleArchiveResourceSet.java (with props) tomcat/trunk/java/org/apache/catalina/webresources/WarResource.java (with props) tomcat/trunk/java/org/apache/catalina/webresources/WarResourceSet.java (with props) Modified: tomcat/trunk/conf/catalina.policy tomcat/trunk/java/org/apache/catalina/webresources/JarResource.java tomcat/trunk/java/org/apache/catalina/webresources/JarResourceSet.java tomcat/trunk/java/org/apache/catalina/webresources/JarWarResource.java tomcat/trunk/java/org/apache/catalina/webresources/StandardRoot.java tomcat/trunk/webapps/docs/changelog.xml tomcat/trunk/webapps/docs/security-manager-howto.xml Modified: tomcat/trunk/conf/catalina.policy URL: http://svn.apache.org/viewvc/tomcat/trunk/conf/catalina.policy?rev=1763377&r1=1763376&r2=1763377&view=diff ============================================================================== --- tomcat/trunk/conf/catalina.policy (original) +++ tomcat/trunk/conf/catalina.policy Wed Oct 5 09:50:39 2016 @@ -245,3 +245,13 @@ grant codeBase "file:${catalina.home}/we // permission java.net.SocketPermission "*.noaa.gov:80", "connect"; // }; +// To grant permissions for web applications using packed WAR files, use the +// Tomcat specific WAR url scheme. +// +// The permissions granted to the entire web application +// grant codeBase "war:file:${catalina.base}/webapps/examples.war*/-" { +// }; +// +// The permissions granted to a specific JAR +// grant codeBase "war:file:${catalina.base}/webapps/examples.war*/WEB-INF/lib/foo.jar" { +// }; \ No newline at end of file Added: tomcat/trunk/java/org/apache/catalina/webresources/AbstractSingleArchiveResource.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/AbstractSingleArchiveResource.java?rev=1763377&view=auto ============================================================================== --- tomcat/trunk/java/org/apache/catalina/webresources/AbstractSingleArchiveResource.java (added) +++ tomcat/trunk/java/org/apache/catalina/webresources/AbstractSingleArchiveResource.java Wed Oct 5 09:50:39 2016 @@ -0,0 +1,52 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.catalina.webresources; + +import java.io.IOException; +import java.io.InputStream; +import java.util.jar.JarEntry; +import java.util.jar.JarFile; + +public abstract class AbstractSingleArchiveResource extends AbstractArchiveResource { + + protected AbstractSingleArchiveResource(AbstractArchiveResourceSet archiveResourceSet, String webAppPath, + String baseUrl, JarEntry jarEntry, String codeBaseUrl) { + super(archiveResourceSet, webAppPath, baseUrl, jarEntry, codeBaseUrl); + } + + + @Override + protected JarInputStreamWrapper getJarInputStreamWrapper() { + JarFile jarFile = null; + try { + jarFile = getArchiveResourceSet().openJarFile(); + // Need to create a new JarEntry so the certificates can be read + JarEntry jarEntry = jarFile.getJarEntry(getResource().getName()); + InputStream is = jarFile.getInputStream(jarEntry); + return new JarInputStreamWrapper(jarEntry, is); + } catch (IOException e) { + if (getLog().isDebugEnabled()) { + getLog().debug(sm.getString("jarResource.getInputStreamFail", + getResource().getName(), getBaseUrl()), e); + } + if (jarFile != null) { + getArchiveResourceSet().closeJarFile(); + } + return null; + } + } +} Propchange: tomcat/trunk/java/org/apache/catalina/webresources/AbstractSingleArchiveResource.java ------------------------------------------------------------------------------ svn:eol-style = native Added: tomcat/trunk/java/org/apache/catalina/webresources/AbstractSingleArchiveResourceSet.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/AbstractSingleArchiveResourceSet.java?rev=1763377&view=auto ============================================================================== --- tomcat/trunk/java/org/apache/catalina/webresources/AbstractSingleArchiveResourceSet.java (added) +++ tomcat/trunk/java/org/apache/catalina/webresources/AbstractSingleArchiveResourceSet.java Wed Oct 5 09:50:39 2016 @@ -0,0 +1,122 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.catalina.webresources; + +import java.io.File; +import java.io.IOException; +import java.net.MalformedURLException; +import java.util.Enumeration; +import java.util.HashMap; +import java.util.jar.JarEntry; +import java.util.jar.JarFile; + +import org.apache.catalina.LifecycleException; +import org.apache.catalina.WebResourceRoot; +import org.apache.tomcat.util.buf.UriUtil; + +/** + * Base class for a {@link org.apache.catalina.WebResourceSet} based on a + * single, rather than nested, archive. + */ +public abstract class AbstractSingleArchiveResourceSet extends AbstractArchiveResourceSet { + + /** + * A no argument constructor is required for this to work with the digester. + */ + public AbstractSingleArchiveResourceSet() { + } + + + public AbstractSingleArchiveResourceSet(WebResourceRoot root, String webAppMount, String base, + String internalPath) throws IllegalArgumentException { + setRoot(root); + setWebAppMount(webAppMount); + setBase(base); + setInternalPath(internalPath); + + if (getRoot().getState().isAvailable()) { + try { + start(); + } catch (LifecycleException e) { + throw new IllegalStateException(e); + } + } + } + + + @Override + protected HashMap<String,JarEntry> getArchiveEntries(boolean single) { + synchronized (archiveLock) { + if (archiveEntries == null && !single) { + JarFile jarFile = null; + archiveEntries = new HashMap<>(); + try { + jarFile = openJarFile(); + Enumeration<JarEntry> entries = jarFile.entries(); + while (entries.hasMoreElements()) { + JarEntry entry = entries.nextElement(); + archiveEntries.put(entry.getName(), entry); + } + } catch (IOException ioe) { + // Should never happen + archiveEntries = null; + throw new IllegalStateException(ioe); + } finally { + if (jarFile != null) { + closeJarFile(); + } + } + } + return archiveEntries; + } + } + + + @Override + protected JarEntry getArchiveEntry(String pathInArchive) { + JarFile jarFile = null; + try { + jarFile = openJarFile(); + return jarFile.getJarEntry(pathInArchive); + } catch (IOException ioe) { + // Should never happen + throw new IllegalStateException(ioe); + } finally { + if (jarFile != null) { + closeJarFile(); + } + } + } + + + //-------------------------------------------------------- Lifecycle methods + @Override + protected void initInternal() throws LifecycleException { + + try (JarFile jarFile = new JarFile(getBase())) { + setManifest(jarFile.getManifest()); + } catch (IOException ioe) { + throw new IllegalArgumentException(ioe); + } + + try { + setBaseUrl(UriUtil.buildJarSafeUrl(new File(getBase()))); + } catch (MalformedURLException e) { + throw new IllegalArgumentException(e); + } + } +} Propchange: tomcat/trunk/java/org/apache/catalina/webresources/AbstractSingleArchiveResourceSet.java ------------------------------------------------------------------------------ svn:eol-style = native Modified: tomcat/trunk/java/org/apache/catalina/webresources/JarResource.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/JarResource.java?rev=1763377&r1=1763376&r2=1763377&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/webresources/JarResource.java (original) +++ tomcat/trunk/java/org/apache/catalina/webresources/JarResource.java Wed Oct 5 09:50:39 2016 @@ -16,10 +16,7 @@ */ package org.apache.catalina.webresources; -import java.io.IOException; -import java.io.InputStream; import java.util.jar.JarEntry; -import java.util.jar.JarFile; import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; @@ -28,35 +25,16 @@ import org.apache.juli.logging.LogFactor * Represents a single resource (file or directory) that is located within a * JAR. */ -public class JarResource extends AbstractArchiveResource { +public class JarResource extends AbstractSingleArchiveResource { private static final Log log = LogFactory.getLog(JarResource.class); + public JarResource(AbstractArchiveResourceSet archiveResourceSet, String webAppPath, String baseUrl, JarEntry jarEntry) { super(archiveResourceSet, webAppPath, "jar:" + baseUrl, jarEntry, baseUrl); } - @Override - protected JarInputStreamWrapper getJarInputStreamWrapper() { - JarFile jarFile = null; - try { - jarFile = getArchiveResourceSet().openJarFile(); - // Need to create a new JarEntry so the certificates can be read - JarEntry jarEntry = jarFile.getJarEntry(getResource().getName()); - InputStream is = jarFile.getInputStream(jarEntry); - return new JarInputStreamWrapper(jarEntry, is); - } catch (IOException e) { - if (log.isDebugEnabled()) { - log.debug(sm.getString("jarResource.getInputStreamFail", - getResource().getName(), getBaseUrl()), e); - } - if (jarFile != null) { - getArchiveResourceSet().closeJarFile(); - } - return null; - } - } @Override protected Log getLog() { Modified: tomcat/trunk/java/org/apache/catalina/webresources/JarResourceSet.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/JarResourceSet.java?rev=1763377&r1=1763376&r2=1763377&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/webresources/JarResourceSet.java (original) +++ tomcat/trunk/java/org/apache/catalina/webresources/JarResourceSet.java Wed Oct 5 09:50:39 2016 @@ -16,24 +16,16 @@ */ package org.apache.catalina.webresources; -import java.io.File; -import java.io.IOException; -import java.net.MalformedURLException; -import java.util.Enumeration; -import java.util.HashMap; import java.util.jar.JarEntry; -import java.util.jar.JarFile; import java.util.jar.Manifest; -import org.apache.catalina.LifecycleException; import org.apache.catalina.WebResource; import org.apache.catalina.WebResourceRoot; -import org.apache.tomcat.util.buf.UriUtil; /** * Represents a {@link org.apache.catalina.WebResourceSet} based on a JAR file. */ -public class JarResourceSet extends AbstractArchiveResourceSet { +public class JarResourceSet extends AbstractSingleArchiveResourceSet { /** * A no argument constructor is required for this to work with the digester. @@ -41,6 +33,7 @@ public class JarResourceSet extends Abst public JarResourceSet() { } + /** * Creates a new {@link org.apache.catalina.WebResourceSet} based on a JAR * file. @@ -63,86 +56,13 @@ public class JarResourceSet extends Abst */ public JarResourceSet(WebResourceRoot root, String webAppMount, String base, String internalPath) throws IllegalArgumentException { - setRoot(root); - setWebAppMount(webAppMount); - setBase(base); - setInternalPath(internalPath); - - if (getRoot().getState().isAvailable()) { - try { - start(); - } catch (LifecycleException e) { - throw new IllegalStateException(e); - } - } + super(root, webAppMount, base, internalPath); } + @Override protected WebResource createArchiveResource(JarEntry jarEntry, String webAppPath, Manifest manifest) { return new JarResource(this, webAppPath, getBaseUrlString(), jarEntry); } - - - @Override - protected HashMap<String,JarEntry> getArchiveEntries(boolean single) { - synchronized (archiveLock) { - if (archiveEntries == null && !single) { - JarFile jarFile = null; - archiveEntries = new HashMap<>(); - try { - jarFile = openJarFile(); - Enumeration<JarEntry> entries = jarFile.entries(); - while (entries.hasMoreElements()) { - JarEntry entry = entries.nextElement(); - archiveEntries.put(entry.getName(), entry); - } - } catch (IOException ioe) { - // Should never happen - archiveEntries = null; - throw new IllegalStateException(ioe); - } finally { - if (jarFile != null) { - closeJarFile(); - } - } - } - return archiveEntries; - } - } - - - @Override - protected JarEntry getArchiveEntry(String pathInArchive) { - JarFile jarFile = null; - try { - jarFile = openJarFile(); - return jarFile.getJarEntry(pathInArchive); - } catch (IOException ioe) { - // Should never happen - throw new IllegalStateException(ioe); - } finally { - if (jarFile != null) { - closeJarFile(); - } - } - } - - - //-------------------------------------------------------- Lifecycle methods - @Override - protected void initInternal() throws LifecycleException { - - try (JarFile jarFile = new JarFile(getBase())) { - setManifest(jarFile.getManifest()); - } catch (IOException ioe) { - throw new IllegalArgumentException(ioe); - } - - try { - setBaseUrl(UriUtil.buildJarSafeUrl(new File(getBase()))); - } catch (MalformedURLException e) { - throw new IllegalArgumentException(e); - } - } } Modified: tomcat/trunk/java/org/apache/catalina/webresources/JarWarResource.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/JarWarResource.java?rev=1763377&r1=1763376&r2=1763377&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/webresources/JarWarResource.java (original) +++ tomcat/trunk/java/org/apache/catalina/webresources/JarWarResource.java Wed Oct 5 09:50:39 2016 @@ -37,8 +37,9 @@ public class JarWarResource extends Abst public JarWarResource(AbstractArchiveResourceSet archiveResourceSet, String webAppPath, String baseUrl, JarEntry jarEntry, String archivePath) { - super(archiveResourceSet, webAppPath, "jar:war:" + baseUrl + "*/" + archivePath, - jarEntry, "jar:" + baseUrl + "!/" + archivePath); + + super(archiveResourceSet, webAppPath, "jar:war:" + baseUrl + "*/" + archivePath + "!/", + jarEntry, "war:" + baseUrl + "*/" + archivePath); this.archivePath = archivePath; } Modified: tomcat/trunk/java/org/apache/catalina/webresources/StandardRoot.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/StandardRoot.java?rev=1763377&r1=1763376&r2=1763377&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/catalina/webresources/StandardRoot.java (original) +++ tomcat/trunk/java/org/apache/catalina/webresources/StandardRoot.java Wed Oct 5 09:50:39 2016 @@ -727,7 +727,7 @@ public class StandardRoot extends Lifecy if (f.isDirectory()) { mainResourceSet = new DirResourceSet(this, "/", f.getAbsolutePath(), "/"); } else if(f.isFile() && docBase.endsWith(".war")) { - mainResourceSet = new JarResourceSet(this, "/", f.getAbsolutePath(), "/"); + mainResourceSet = new WarResourceSet(this, "/", f.getAbsolutePath()); } else { throw new IllegalArgumentException( sm.getString("standardRoot.startInvalidMain", @@ -800,9 +800,14 @@ public class StandardRoot extends Lifecy BaseLocation(URL url) { File f = null; - if ("jar".equals(url.getProtocol())) { + if ("jar".equals(url.getProtocol()) || "war".equals(url.getProtocol())) { String jarUrl = url.toString(); - int endOfFileUrl = jarUrl.indexOf("!/"); + int endOfFileUrl = -1; + if ("jar".equals(url.getProtocol())) { + endOfFileUrl = jarUrl.indexOf("!/"); + } else { + endOfFileUrl = jarUrl.indexOf("*/"); + } String fileUrl = jarUrl.substring(4, endOfFileUrl); try { f = new File(new URL(fileUrl).toURI()); Added: tomcat/trunk/java/org/apache/catalina/webresources/WarResource.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/WarResource.java?rev=1763377&view=auto ============================================================================== --- tomcat/trunk/java/org/apache/catalina/webresources/WarResource.java (added) +++ tomcat/trunk/java/org/apache/catalina/webresources/WarResource.java Wed Oct 5 09:50:39 2016 @@ -0,0 +1,59 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.catalina.webresources; + +import java.net.MalformedURLException; +import java.net.URL; +import java.util.jar.JarEntry; + +import org.apache.juli.logging.Log; +import org.apache.juli.logging.LogFactory; + +/** + * Represents a single resource (file or directory) that is located within a + * WAR. + */ +public class WarResource extends AbstractSingleArchiveResource { + + private static final Log log = LogFactory.getLog(WarResource.class); + + + public WarResource(AbstractArchiveResourceSet archiveResourceSet, String webAppPath, + String baseUrl, JarEntry jarEntry) { + super(archiveResourceSet, webAppPath, "war:" + baseUrl, jarEntry, baseUrl); + } + + + @Override + public URL getURL() { + String url = getBaseUrl() + "*/" + getResource().getName(); + try { + return new URL(url); + } catch (MalformedURLException e) { + if (getLog().isDebugEnabled()) { + getLog().debug(sm.getString("fileResource.getUrlFail", url), e); + } + return null; + } + } + + + @Override + protected Log getLog() { + return log; + } +} Propchange: tomcat/trunk/java/org/apache/catalina/webresources/WarResource.java ------------------------------------------------------------------------------ svn:eol-style = native Added: tomcat/trunk/java/org/apache/catalina/webresources/WarResourceSet.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/WarResourceSet.java?rev=1763377&view=auto ============================================================================== --- tomcat/trunk/java/org/apache/catalina/webresources/WarResourceSet.java (added) +++ tomcat/trunk/java/org/apache/catalina/webresources/WarResourceSet.java Wed Oct 5 09:50:39 2016 @@ -0,0 +1,64 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.catalina.webresources; + +import java.util.jar.JarEntry; +import java.util.jar.Manifest; + +import org.apache.catalina.WebResource; +import org.apache.catalina.WebResourceRoot; + +/** + * Represents a {@link org.apache.catalina.WebResourceSet} based on a WAR file. + */ +public class WarResourceSet extends AbstractSingleArchiveResourceSet { + + /** + * A no argument constructor is required for this to work with the digester. + */ + public WarResourceSet() { + } + + + /** + * Creates a new {@link org.apache.catalina.WebResourceSet} based on a WAR + * file. + * + * @param root The {@link WebResourceRoot} this new + * {@link org.apache.catalina.WebResourceSet} will + * be added to. + * @param webAppMount The path within the web application at which this + * {@link org.apache.catalina.WebResourceSet} will + * be mounted. + * @param base The absolute path to the WAR file on the file system + * from which the resources will be served. + * + * @throws IllegalArgumentException if the webAppMount is not valid (valid + * paths must start with '/') + */ + public WarResourceSet(WebResourceRoot root, String webAppMount, String base) + throws IllegalArgumentException { + super(root, webAppMount, base, "/"); + } + + + @Override + protected WebResource createArchiveResource(JarEntry jarEntry, + String webAppPath, Manifest manifest) { + return new WarResource(this, webAppPath, getBaseUrlString(), jarEntry); + } +} Propchange: tomcat/trunk/java/org/apache/catalina/webresources/WarResourceSet.java ------------------------------------------------------------------------------ svn:eol-style = native Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1763377&r1=1763376&r2=1763377&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Wed Oct 5 09:50:39 2016 @@ -60,6 +60,16 @@ test cases by Santhana Preethiand a patch by Tiago Oliveira. (markt) </fix> <fix> + <bug>60087</bug>: Refactor the web resources handling to use the Tomcat + specific <code>war:file:...</code> URL protocol to refer to WAR files + and their contents rather than the standard <code>jar:file:...</code> + form since some components of the JRE, such as JAR verification, give + unexpected results when the standard form is used. A side-effect of the + refactoring is that when using packed WARs, it is now possible to + reference a WAR and/or specific JARs within a WAR in the security policy + file used when running under a <code>SecurityManager</code>. (markt) + </fix> + <fix> <bug>60116</bug>: Fix a problem with the rewrite valve that caused back references evaluated in conditions to be forced to lower case when using the <code>NC</code> flag. (markt) Modified: tomcat/trunk/webapps/docs/security-manager-howto.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/security-manager-howto.xml?rev=1763377&r1=1763376&r2=1763377&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/security-manager-howto.xml (original) +++ tomcat/trunk/webapps/docs/security-manager-howto.xml Wed Oct 5 09:50:39 2016 @@ -154,7 +154,33 @@ grant [signedBy <signer>,] [codeBase <co <source>$CATALINA_HOME/bin/catalina.sh start -security (Unix) %CATALINA_HOME%\bin\catalina start -security (Windows)</source> + <subsection name="Permissions for packed WAR files"> + + <p>When using packed WAR files, it is necessary to use Tomcat's custom war + URL protocol to asisgn permissions to web application code.</p> + + <p>To assign permissions to the entire web application the entry in the + policy file would look like this:</p> + +<source><![CDATA[// Example policy file entry +grant codeBase "war:file:${catalina.base}/webapps/examples.war*/-" { + ... +}; +]]></source> + + <p>To assign permissions to a single JAR within the web application the + entry in the policy file would look like this:</p> + +<source><![CDATA[// Example policy file entry +grant codeBase "war:file:${catalina.base}/webapps/examples.war*/WEB-INF/lib/foo.jar" { + ... +}; +]]></source> + + </subsection> + </section> + <section name="Configuring Package Protection in Tomcat"> <p>Starting with Tomcat 5, it is now possible to configure which Tomcat internal package are protected against package definition and access. See --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org