http://git-wip-us.apache.org/repos/asf/flex-blazeds/blob/5be16a28/attic/servers/apache-tomcat-6.0.29/webapps/docs/security-manager-howto.html ---------------------------------------------------------------------- diff --git a/attic/servers/apache-tomcat-6.0.29/webapps/docs/security-manager-howto.html b/attic/servers/apache-tomcat-6.0.29/webapps/docs/security-manager-howto.html new file mode 100644 index 0000000..3f3d4c7 --- /dev/null +++ b/attic/servers/apache-tomcat-6.0.29/webapps/docs/security-manager-howto.html 
@@ -0,0 +1,420 @@ +<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Apache Tomcat 6.0 - Security Manager HOW-TO</title><meta content="Glenn Nielsen" name="author"><meta content="Jean-Francois Arcand" name="author"><style media="print" type="text/css"> + .noPrint {display: none;} + td#mainBody {width: 100%;} + </style></head><body vlink="#525D76" alink="#525D76" link="#525D76" text="#000000" bgcolor="#ffffff"><table cellspacing="0" width="100%" border="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a href="http://tomcat.apache.org/"><img border="0" alt=" + The Apache Tomcat Servlet/JSP Container + " align="right" src="./images/tomcat.gif"></a></td><td><h1><font face="arial,helvetica,sanserif">Apache Tomcat 6.0</font></h1></td><td><!--APACHE LOGO--><a href="http://www.apache.org/"><img border="0" alt="Apache Logo" align="right" src="./images/asf-logo.gif"></a></td></tr></table><table cellspacing="4" width="100%" border="0"><!--HEADER SEPARATOR--><tr><td colspan="2"><hr size="1" noshade></td></tr><tr><!--LEFT SIDE NAVIGATION--><td class="noPrint" nowrap valign="top" width="20%"><p><strong>Links</strong></p><ul><li><a href="index.html">Docs Home</a></li><li><a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a></li></ul><p><strong>User Guide</strong></p><ul><li><a href="introduction.html">1) Introduction</a></li><li><a href="setup.html">2) Setup</a></li><li><a href="appdev/index.html">3) First webapp</a></li><li><a href="deployer-howto.html">4) Deployer</a></li><li><a href="manager-howto.html">5) Manager</a></li><li><a href="realm-howto.html">6) Realms and AAA</a></li><li><a hr ef="security-manager-howto.html">7) Security Manager</a></li><li><a href="jndi-resources-howto.html">8) JNDI Resources</a></li><li><a href="jndi-datasource-examples-howto.html">9) JDBC DataSources</a></li><li><a href="class-loader-howto.html">10) Classloading</a></li><li><a href="jasper-howto.html">11) JSPs</a></li><li><a href="ssl-howto.html">12) 
SSL</a></li><li><a href="ssi-howto.html">13) SSI</a></li><li><a href="cgi-howto.html">14) CGI</a></li><li><a href="proxy-howto.html">15) Proxy Support</a></li><li><a href="mbeans-descriptor-howto.html">16) MBean Descriptor</a></li><li><a href="default-servlet.html">17) Default Servlet</a></li><li><a href="cluster-howto.html">18) Clustering</a></li><li><a href="balancer-howto.html">19) Load Balancer</a></li><li><a href="connectors.html">20) Connectors</a></li><li><a href="monitoring.html">21) Monitoring and Management</a></li><li><a href="logging.html">22) Logging</a></li><li><a href="apr.html">23) APR/Native</a></li><li><a href="virtual-ho sting-howto.html">24) Virtual Hosting</a></li><li><a href="aio.html">25) Advanced IO</a></li><li><a href="extras.html">26) Additional Components</a></li><li><a href="maven-jars.html">27) Mavenized</a></li></ul><p><strong>Reference</strong></p><ul><li><a href="RELEASE-NOTES.txt">Release Notes</a></li><li><a href="config/index.html">Configuration</a></li><li><a href="api/index.html">Javadocs</a></li><li><a href="http://tomcat.apache.org/connectors-doc/">JK 1.2 Documentation</a></li></ul><p><strong>Apache Tomcat Development</strong></p><ul><li><a href="building.html">Building</a></li><li><a href="changelog.html">Changelog</a></li><li><a href="http://wiki.apache.org/tomcat/TomcatVersions">Status</a></li><li><a href="developers.html">Developers</a></li><li><a href="architecture/index.html">Architecture</a></li><li><a href="funcspecs/index.html">Functional Specs.</a></li></ul></td><!--RIGHT SIDE MAIN BODY--><td id="mainBody" align="left" valign="top" width="80%"><h1>Apache Tomcat 6.0</h1> <h2>Security Manager HOW-TO</h2><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Table of Contents"><!--()--></a><a name="Table_of_Contents"><strong>Table of Contents</strong></a></font></td></tr><tr><td><blockquote> +<ul><li><a 
href="#Background">Background</a></li><li><a href="#Permissions">Permissions</a><ol><li><a href="#Standard_Permissions">Standard Permissions</a></li><li><a href="#Tomcat_Custom_Permissions">Tomcat Custom Permissions</a></li></ol></li><li><a href="#Configuring_Tomcat_With_A_SecurityManager">Configuring Tomcat With A SecurityManager</a></li><li><a href="#Configuring_Package_Protection_in_Tomcat">Configuring Package Protection in Tomcat</a></li><li><a href="#Troubleshooting">Troubleshooting</a></li></ul> +</blockquote></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Background"><strong>Background</strong></a></font></td></tr><tr><td><blockquote> + + <p>The Java <strong>SecurityManager</strong> is what allows a web browser + to run an applet in its own sandbox to prevent untrusted code from + accessing files on the local file system, connecting to a host other + than the one the applet was loaded from, and so on. In the same way + the SecurityManager protects you from an untrusted applet running in + your browser, use of a SecurityManager while running Tomcat can protect + your server from trojan servlets, JSPs, JSP beans, and tag libraries. 
+ Or even inadvertent mistakes.</p> + + <p>Imagine if someone who is authorized to publish JSPs on your site + inadvertently included the following in their JSP:</p> +<div align="left"><table border="0" cellpadding="0" cellspacing="4"><tr><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr><tr><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#ffffff"><pre> +<% System.exit(1); %> +</pre></td><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr><tr><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr></table></div> + + <p>Every time this JSP was executed by Tomcat, Tomcat would exit. + Using the Java SecurityManager is just one more line of defense a + system administrator can use to keep the server secure and reliable.</p> + + <p><strong>WARNING</strong> - A security audit + have been conducted using the Tomcat 6 codebase. Most of the critical + package have been protected and a new security package protection mechanism + has been implemented. 
Still, make sure that you are satisfied with your SecurityManager + configuration before allowing untrusted users to publish web applications, + JSPs, servlets, beans, or tag libraries. <strong>However, running with a + SecurityManager is definitely better than running without one.</strong></p> + +</blockquote></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Permissions"><strong>Permissions</strong></a></font></td></tr><tr><td><blockquote> + + <p>Permission classes are used to define what Permissions a class loaded + by Tomcat will have. There are a number of Permission classes that are + a standard part of the JDK, and you can create your own Permission class + for use in your own web applications. Both techniques are used in + Tomcat 6.</p> + + + <table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#828DA6"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Standard Permissions"><!--()--></a><a name="Standard_Permissions"><strong>Standard Permissions</strong></a></font></td></tr><tr><td><blockquote> + + <p>This is just a short summary of the standard system SecurityManager + Permission classes applicable to Tomcat. See + <a href="http://java.sun.com/security/">http://java.sun.com/security/</a> + for more information.</p> + + <ul> + <li><strong>java.util.PropertyPermission</strong> - Controls read/write + access to JVM properties such as <code>java.home</code>.</li> + <li><strong>java.lang.RuntimePermission</strong> - Controls use of + some System/Runtime functions like <code>exit()</code> and + <code>exec()</code>. 
Also control the package access/definition.</li> + <li><strong>java.io.FilePermission</strong> - Controls read/write/execute + access to files and directories.</li> + <li><strong>java.net.SocketPermission</strong> - Controls use of + network sockets.</li> + <li><strong>java.net.NetPermission</strong> - Controls use of + multicast network connections.</li> + <li><strong>java.lang.reflect.ReflectPermission</strong> - Controls + use of reflection to do class introspection.</li> + <li><strong>java.security.SecurityPermission</strong> - Controls access + to Security methods.</li> + <li><strong>java.security.AllPermission</strong> - Allows access to all + permissions, just as if you were running Tomcat without a + SecurityManager.</li> + </ul> + + </blockquote></td></tr></table> + + + <table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#828DA6"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Tomcat Custom Permissions"><!--()--></a><a name="Tomcat_Custom_Permissions"><strong>Tomcat Custom Permissions</strong></a></font></td></tr><tr><td><blockquote> + + <p>Tomcat utilizes a custom permission class called + <strong>org.apache.naming.JndiPermission</strong>. This permission + controls read access to JNDI named file based resources. The permission + name is the JNDI name and there are no actions. A trailing "*" can be + used to do wild card matching for a JNDI named file resource when + granting permission. 
For example, you might include the following + in your policy file:</p> +<div align="left"><table border="0" cellpadding="0" cellspacing="4"><tr><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr><tr><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#ffffff"><pre> +permission org.apache.naming.JndiPermission "jndi://localhost/examples/*"; +</pre></td><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr><tr><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr></table></div> + + <p>A Permission entry like this is generated dynamically for each web + application that is deployed, to allow it to read its own static resources + but disallow it from using file access to read any other files (unless + permissions for those files are explicitly granted).</p> + + <p>Also, Tomcat always dynamically creates the following file permissions:</p> +<div align="left"><table border="0" cellpadding="0" cellspacing="4"><tr><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#023264"><img border="0" 
hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr><tr><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#ffffff"><pre> +permission java.io.FilePermission "** your application context**", "read"; + +permission java.io.FilePermission + "** application working directory**", "read,write"; +permission java.io.FilePermission + "** application working directory**/-", "read,write,delete"; +</pre></td><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr><tr><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr></table></div> + <p>Where **your application context** equals the folder (or WAR file) under which + your application has been deployed and **application working directory** is the + temporary directory provided to your application as required by the + Servlet Specification.</p> + + </blockquote></td></tr></table> + + +</blockquote></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Configuring Tomcat With A SecurityManager"><!--()--></a><a name="Configuring_Tomcat_With_A_SecurityManager"><strong>Configuring Tomcat With A SecurityManager</strong></a></font></td></tr><tr><td><blockquote> + + <h3>Policy File Format</h3> + + <p>The security policies implemented by the Java 
SecurityManager are + configured in the <code>$CATALINA_BASE/conf/catalina.policy</code> file. + This file completely replaces the <code>java.policy</code> file present + in your JDK system directories. The <code>catalina.policy</code> file + can be edited by hand, or you can use the + <a href="http://java.sun.com/products/jdk/1.2/docs/tooldocs/solaris/policytool.html">policytool</a> + application that comes with Java 1.2 or later.</p> + + <p>Entries in the <code>catalina.policy</code> file use the standard + <code>java.policy</code> file format, as follows:</p> +<div align="left"><table border="0" cellpadding="0" cellspacing="4"><tr><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr><tr><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#ffffff"><pre> +// Example policy file entry + +grant [signedBy <signer>,] [codeBase <code source>] { + permission <class> [<name> [, <action list>]]; +}; +</pre></td><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr><tr><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr></table></div> + + <p>The <strong>signedBy</strong> and <strong>codeBase</strong> 
entries are + optional when granting permissions. Comment lines begin with "//" and + end at the end of the current line. The <code>codeBase</code> is in the + form of a URL, and for a file URL can use the <code>${java.home}</code> + and <code>${catalina.home}</code> properties (which are expanded out to + the directory paths defined for them by the <code>JAVA_HOME</code>, + <code>CATALINA_HOME</code> and <code>CATALINA_BASE</code> environment + variables).</p> + + <h3>The Default Policy File</h3> + + <p>The default <code>$CATALINA_BASE/conf/catalina.policy</code> file + looks like this:</p> +<div align="left"><table border="0" cellpadding="0" cellspacing="4"><tr><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr><tr><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#ffffff"><pre> +// ============================================================================ +// catalina.policy - Security Policy Permissions for Tomcat 6 +// +// This file contains a default set of security policies to be enforced (by the +// JVM) when Catalina is executed with the "-security" option. 
In addition +// to the permissions granted here, the following additional permissions are +// granted to the codebase specific to each web application: +// +// * Read access to its document root directory +// * Read, write and delete access to its working directory +// +// ============================================================================ + + +// ========== SYSTEM CODE PERMISSIONS ========================================= + + +// These permissions apply to javac +grant codeBase "file:${java.home}/lib/-" { + permission java.security.AllPermission; +}; + +// These permissions apply to all shared system extensions +grant codeBase "file:${java.home}/jre/lib/ext/-" { + permission java.security.AllPermission; +}; + +// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre +grant codeBase "file:${java.home}/../lib/-" { + permission java.security.AllPermission; +}; + +// These permissions apply to all shared system extensions when +// ${java.home} points at $JAVA_HOME/jre +grant codeBase "file:${java.home}/lib/ext/-" { + permission java.security.AllPermission; +}; + + +// ========== CATALINA CODE PERMISSIONS ======================================= + + +// These permissions apply to the daemon code +grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" { + permission java.security.AllPermission; +}; + +// These permissions apply to the logging API +// Note: If tomcat-juli.jar is in ${catalina.base} and not in ${catalina.home}, +// update this section accordingly. 
+// grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {..} +grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { + permission java.io.FilePermission + "${java.home}${file.separator}lib${file.separator}logging.properties", "read"; + + permission java.io.FilePermission + "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read"; + permission java.io.FilePermission + "${catalina.base}${file.separator}logs", "read, write"; + permission java.io.FilePermission + "${catalina.base}${file.separator}logs${file.separator}*", "read, write"; + + permission java.lang.RuntimePermission "shutdownHooks"; + permission java.lang.RuntimePermission "getClassLoader"; + permission java.lang.RuntimePermission "setContextClassLoader"; + + permission java.util.logging.LoggingPermission "control"; + + permission java.util.PropertyPermission "java.util.logging.config.class", "read"; + permission java.util.PropertyPermission "java.util.logging.config.file", "read"; + permission java.util.PropertyPermission "catalina.base", "read"; + + // Note: To enable per context logging configuration, permit read access to + // the appropriate file. Be sure that the logging configuration is + // secure before enabling such access. + // E.g. for the examples web application: + // permission java.io.FilePermission "${catalina.base}${file.separator} + // webapps${file.separator}examples${file.separator}WEB-INF + // ${file.separator}classes${file.separator}logging.properties", "read"; +}; + +// These permissions apply to the server startup code +grant codeBase "file:${catalina.home}/bin/bootstrap.jar" { + permission java.security.AllPermission; +}; + +// These permissions apply to the servlet API classes +// and those that are shared across all class loaders +// located in the "lib" directory +grant codeBase "file:${catalina.home}/lib/-" { + permission java.security.AllPermission; +}; + + +// If using a per instance lib directory, i.e. 
${catalina.base}/lib, +// then the following permission will need to be uncommented +// grant codeBase "file:${catalina.base}/lib/-" { +// permission java.security.AllPermission; +// }; + + +// ========== WEB APPLICATION PERMISSIONS ===================================== + + +// These permissions are granted by default to all web applications +// In addition, a web application will be given a read FilePermission +// and JndiPermission for all files and directories in its document root. +grant { + // Required for JNDI lookup of named JDBC DataSource's and + // javamail named MimePart DataSource used to send mail + permission java.util.PropertyPermission "java.home", "read"; + permission java.util.PropertyPermission "java.naming.*", "read"; + permission java.util.PropertyPermission "javax.sql.*", "read"; + + // OS Specific properties to allow read access + permission java.util.PropertyPermission "os.name", "read"; + permission java.util.PropertyPermission "os.version", "read"; + permission java.util.PropertyPermission "os.arch", "read"; + permission java.util.PropertyPermission "file.separator", "read"; + permission java.util.PropertyPermission "path.separator", "read"; + permission java.util.PropertyPermission "line.separator", "read"; + + // JVM properties to allow read access + permission java.util.PropertyPermission "java.version", "read"; + permission java.util.PropertyPermission "java.vendor", "read"; + permission java.util.PropertyPermission "java.vendor.url", "read"; + permission java.util.PropertyPermission "java.class.version", "read"; + permission java.util.PropertyPermission "java.specification.version", "read"; + permission java.util.PropertyPermission "java.specification.vendor", "read"; + permission java.util.PropertyPermission "java.specification.name", "read"; + + permission java.util.PropertyPermission "java.vm.specification.version", "read"; + permission java.util.PropertyPermission "java.vm.specification.vendor", "read"; + permission 
java.util.PropertyPermission "java.vm.specification.name", "read"; + permission java.util.PropertyPermission "java.vm.version", "read"; + permission java.util.PropertyPermission "java.vm.vendor", "read"; + permission java.util.PropertyPermission "java.vm.name", "read"; + + // Required for OpenJMX + permission java.lang.RuntimePermission "getAttribute"; + + // Allow read of JAXP compliant XML parser debug + permission java.util.PropertyPermission "jaxp.debug", "read"; + + // Precompiled JSPs need access to these packages. + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*"; + + // Precompiled JSPs need access to these system properties. + permission java.util.PropertyPermission + "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read"; + permission java.util.PropertyPermission "org.apache.el.parser.COERCE_TO_ZERO", "read"; +}; + + +// The Manager application needs access to the following packages to support the +// session display functionality +grant codeBase "file:${catalina.base}/webapps/manager/-" { + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util"; +}; + +// You can assign additional permissions to particular web applications by +// adding additional "grant" entries here, based on the code base for that +// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files. +// +// Different permissions can be granted to JSP pages, classes loaded from +// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/ +// directory, or even to individual jar files in the /WEB-INF/lib/ directory. 
+// +// For instance, assume that the standard "examples" application +// included a JDBC driver that needed to establish a network connection to the +// corresponding database and used the scrape taglib to get the weather from +// the NOAA web server. You might create a "grant" entries like this: +// +// The permissions granted to the context root directory apply to JSP pages. +// grant codeBase "file:${catalina.home}/webapps/examples/-" { +// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; +// permission java.net.SocketPermission "*.noaa.gov:80", "connect"; +// }; +// +// The permissions granted to the context WEB-INF/classes directory +// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/classes/-" { +// }; +// +// The permission granted to your JDBC driver +// grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/-" { +// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; +// }; +// The permission granted to the scrape taglib +// grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar!/-" { +// permission java.net.SocketPermission "*.noaa.gov:80", "connect"; +// }; +</pre></td><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr><tr><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr></table></div> + + <h3>Starting Tomcat With A SecurityManager</h3> + + <p>Once you have configured the <code>catalina.policy</code> file for use + with a SecurityManager, Tomcat can be started with a SecurityManager in + place by 
using the "-security" option:</p> +<div align="left"><table border="0" cellpadding="0" cellspacing="4"><tr><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr><tr><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#ffffff"><pre> +$CATALINA_HOME/bin/catalina.sh start -security (Unix) +%CATALINA_HOME%\bin\catalina start -security (Windows) +</pre></td><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr><tr><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr></table></div> + +</blockquote></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Configuring Package Protection in Tomcat"><!--()--></a><a name="Configuring_Package_Protection_in_Tomcat"><strong>Configuring Package Protection in Tomcat</strong></a></font></td></tr><tr><td><blockquote> + <p>Starting with Tomcat 5, it is now possible to configure which Tomcat + internal package are protected againts package definition and access. 
See + <a href="http://java.sun.com/security/seccodeguide.html"> + http://java.sun.com/security/seccodeguide.html</a> + for more information.</p> + + + <p><strong>WARNING</strong>: Be aware that removing the default package protection + could possibly open a security hole</p> + + <h3>The Default Properties File</h3> + + <p>The default <code>$CATALINA_BASE/conf/catalina.properties</code> file + looks like this:</p> +<div align="left"><table border="0" cellpadding="0" cellspacing="4"><tr><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr><tr><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#ffffff"><pre> +# +# List of comma-separated packages that start with or equal this string +# will cause a security exception to be thrown when +# passed to checkPackageAccess unless the +# corresponding RuntimePermission ("accessClassInPackage."+package) has +# been granted. +package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat., +org.apache.jasper. +# +# List of comma-separated packages that start with or equal this string +# will cause a security exception to be thrown when +# passed to checkPackageDefinition unless the +# corresponding RuntimePermission ("defineClassInPackage."+package) has +# been granted. +# +# by default, no packages are restricted for definition, and none of +# the class loaders supplied with the JDK call checkPackageDefinition. +# +package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote., +org.apache.tomcat.,org.apache.jasper. 
+</pre></td><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr><tr><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr></table></div> + <p>Once you have configured the <code>catalina.properties</code> file for use + with a SecurityManager, remember to re-start Tomcat.</p> +</blockquote></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Troubleshooting"><strong>Troubleshooting</strong></a></font></td></tr><tr><td><blockquote> + + <p>If your web application attempts to execute an operation that is + prohibited by lack of a required Permission, it will throw an + <code>AccessControLException</code> or a <code>SecurityException</code> + when the SecurityManager detects the violation. Debugging the permission + that is missing can be challenging, and one option is to turn on debug + output of all security decisions that are made during execution. This + is done by setting a system property before starting Tomcat. The easiest + way to do this is via the <code>CATALINA_OPTS</code> environment variable. 
+ Execute this command:</p> +<div align="left"><table border="0" cellpadding="0" cellspacing="4"><tr><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr><tr><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#ffffff"><pre> +export CATALINA_OPTS=-Djava.security.debug=all (Unix) +set CATALINA_OPTS=-Djava.security.debug=all (Windows) +</pre></td><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr><tr><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr></table></div> + + <p>before starting Tomcat.</p> + + <p><strong>WARNING</strong> - This will generate <em>many megabytes</em> + of output! However, it can help you track down problems by searching + for the word "FAILED" and determining which permission was being checked + for. 
See the Java security documentation for more options that you can + specify here as well.</p> + +</blockquote></td></tr></table></td></tr><!--FOOTER SEPARATOR--><tr><td colspan="2"><hr size="1" noshade></td></tr><!--PAGE FOOTER--><tr><td colspan="2"><div align="center"><font size="-1" color="#525D76"><em> + Copyright © 1999-2010, Apache Software Foundation + </em></font></div></td></tr></table></body></html> \ No newline at end of file
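Review bot: In the Troubleshooting paragraph of security-manager-howto.html the exception name is spelled `AccessControLException`; it should be `AccessControlException`, which is the string a reader will actually search their logs for. In the catalina.properties listing above it, the `package.access` and `package.definition` values are wrapped onto a second line with no trailing backslash, so anyone who copies the listing into a properties file ends the value at the line break and silently drops `org.apache.jasper.` (and, for `package.definition`, `org.apache.tomcat.` as well) from the protected set. Show each value on a single line or add the continuation character. Since the text itself warns that `-Djava.security.debug=all` produces many megabytes of output, it would also help to show a narrower setting such as `-Djava.security.debug=access,failure` next to it.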
http://git-wip-us.apache.org/repos/asf/flex-blazeds/blob/5be16a28/attic/servers/apache-tomcat-6.0.29/webapps/docs/setup.html ---------------------------------------------------------------------- diff --git a/attic/servers/apache-tomcat-6.0.29/webapps/docs/setup.html b/attic/servers/apache-tomcat-6.0.29/webapps/docs/setup.html new file mode 100644 index 0000000..ba76914 --- /dev/null +++ b/attic/servers/apache-tomcat-6.0.29/webapps/docs/setup.html 
@@ -0,0 +1,118 @@ +<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Apache Tomcat 6.0 - Tomcat Setup</title><meta content="Remy Maucherat" name="author"><style media="print" type="text/css"> + .noPrint {display: none;} + td#mainBody {width: 100%;} + </style></head><body vlink="#525D76" alink="#525D76" link="#525D76" text="#000000" bgcolor="#ffffff"><table cellspacing="0" width="100%" border="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a href="http://tomcat.apache.org/"><img border="0" alt=" + The Apache Tomcat Servlet/JSP Container + " align="right" src="./images/tomcat.gif"></a></td><td><h1><font face="arial,helvetica,sanserif">Apache Tomcat 6.0</font></h1></td><td><!--APACHE LOGO--><a href="http://www.apache.org/"><img border="0" alt="Apache Logo" align="right" src="./images/asf-logo.gif"></a></td></tr></table><table cellspacing="4" width="100%" border="0"><!--HEADER SEPARATOR--><tr><td colspan="2"><hr size="1" noshade></td></tr><tr><!--LEFT SIDE NAVIGATION--><td class="noPrint" nowrap valign="top" width="20%"><p><strong>Links</strong></p><ul><li><a href="index.html">Docs Home</a></li><li><a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a></li></ul><p><strong>User Guide</strong></p><ul><li><a href="introduction.html">1) Introduction</a></li><li><a href="setup.html">2) Setup</a></li><li><a href="appdev/index.html">3) First webapp</a></li><li><a href="deployer-howto.html">4) Deployer</a></li><li><a href="manager-howto.html">5) Manager</a></li><li><a href="realm-howto.html">6) Realms and AAA</a></li><li><a hr ef="security-manager-howto.html">7) Security Manager</a></li><li><a href="jndi-resources-howto.html">8) JNDI Resources</a></li><li><a href="jndi-datasource-examples-howto.html">9) JDBC DataSources</a></li><li><a href="class-loader-howto.html">10) Classloading</a></li><li><a href="jasper-howto.html">11) JSPs</a></li><li><a href="ssl-howto.html">12) SSL</a></li><li><a href="ssi-howto.html">13) SSI</a></li><li><a 
href="cgi-howto.html">14) CGI</a></li><li><a href="proxy-howto.html">15) Proxy Support</a></li><li><a href="mbeans-descriptor-howto.html">16) MBean Descriptor</a></li><li><a href="default-servlet.html">17) Default Servlet</a></li><li><a href="cluster-howto.html">18) Clustering</a></li><li><a href="balancer-howto.html">19) Load Balancer</a></li><li><a href="connectors.html">20) Connectors</a></li><li><a href="monitoring.html">21) Monitoring and Management</a></li><li><a href="logging.html">22) Logging</a></li><li><a href="apr.html">23) APR/Native</a></li><li><a href="virtual-ho sting-howto.html">24) Virtual Hosting</a></li><li><a href="aio.html">25) Advanced IO</a></li><li><a href="extras.html">26) Additional Components</a></li><li><a href="maven-jars.html">27) Mavenized</a></li></ul><p><strong>Reference</strong></p><ul><li><a href="RELEASE-NOTES.txt">Release Notes</a></li><li><a href="config/index.html">Configuration</a></li><li><a href="api/index.html">Javadocs</a></li><li><a href="http://tomcat.apache.org/connectors-doc/">JK 1.2 Documentation</a></li></ul><p><strong>Apache Tomcat Development</strong></p><ul><li><a href="building.html">Building</a></li><li><a href="changelog.html">Changelog</a></li><li><a href="http://wiki.apache.org/tomcat/TomcatVersions">Status</a></li><li><a href="developers.html">Developers</a></li><li><a href="architecture/index.html">Architecture</a></li><li><a href="funcspecs/index.html">Functional Specs.</a></li></ul></td><!--RIGHT SIDE MAIN BODY--><td id="mainBody" align="left" valign="top" width="80%"><h1>Apache Tomcat 6.0</h1> <h2>Tomcat Setup</h2><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Table of Contents"><!--()--></a><a name="Table_of_Contents"><strong>Table of Contents</strong></a></font></td></tr><tr><td><blockquote> +<ul><li><a href="#Introduction">Introduction</a></li><li><a href="#Windows">Windows</a></li><li><a 
href="#Unix_daemon">Unix daemon</a></li></ul> +</blockquote></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Introduction"><strong>Introduction</strong></a></font></td></tr><tr><td><blockquote> + <p> + This document introduces several ways to set up Tomcat for running + on different platforms. Please note that some advanced setup issues + are not covered here: the full distribution (ZIP file or tarball) + includes a file called + RUNNING.txt which discusses these issues. We encourage you to refer + to it if the information below does not answer some of your questions. + </p> + </blockquote></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Windows"><strong>Windows</strong></a></font></td></tr><tr><td><blockquote> + + <p> + Installing Tomcat on Windows can be done easily using the Windows + installer. Its interface and functionality is similar to other wizard + based installers, with only a few items of interest. + </p> + + <p> + <ul> + <li><strong>Installation as a service</strong>: Tomcat will be + installed as a Windows + NT/2k/XP service no matter what setting is selected. Using the + checkbox on the component page sets the service as "auto" + startup, so that Tomcat is automatically started when Windows + starts. For optimal security, the service should be run as a + separate user, with reduced permissions (see the Windows Services + administration tool and its documentation).</li> + <li><strong>Java location</strong>: The installer will use the registry + or the JAVA_HOME environment variable to determine the base path + of a J2SE 5 JRE. + </li> + <li><strong>Tray icon</strong>: When Tomcat is run as a service, there + will not be any tray icon present when Tomcat is running. 
Note that + when choosing to run Tomcat at the end of installation, the tray + icon will be used even if Tomcat was installed as a service.</li> + <li>Refer to the + <a href="windows-service-howto.html">Windows Service HOW-TO</a> + for information on how to manage Tomcat as Windows NT service. + </li> + </ul> + </p> + + <p>The installer will create shortcuts allowing starting and configuring + Tomcat. It is important to note that the Tomcat administration web + application can only be used when Tomcat is running.</p> + + </blockquote></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Unix daemon"><!--()--></a><a name="Unix_daemon"><strong>Unix daemon</strong></a></font></td></tr><tr><td><blockquote> + + <p>Tomcat can be run as a daemon using the jsvc tool from the + commons-daemon project. Source tarballs for jsvc are included with the + Tomcat binaries, and need to be compiled. Building jsvc requires + a C ANSI compiler (such as GCC), GNU Autoconf, and a JDK.</p> + + <p>Before running the script, the <code>JAVA_HOME</code> environment + variable should be set to the base path of the JDK. Alternately, when + calling the <code>./configure</code> script, the path of the JDK may + be specified using the <code>--with-java</code> parameter, such as + <code>./configure --with-java=/usr/java</code>.</p> + + <p>Using the following commands should result in a compiled jsvc binary, + located in the <code>$CATALINA_HOME/bin</code> folder. 
This assumes + that GNU TAR is used, and that <code>CATALINA_HOME</code> is an + environment variable pointing to the base path of the Tomcat + installation.</p> + + <p>Please note that you should use the GNU make (gmake) instead of + the native BSD make on FreeBSD systems.</p> + +<div align="left"><table border="0" cellpadding="0" cellspacing="4"><tr><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr><tr><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#ffffff"><pre> + cd $CATALINA_HOME/bin + tar xvfz jsvc.tar.gz + cd jsvc-src + autoconf + ./configure + make + cp jsvc .. + cd .. 
+</pre></td><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr><tr><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr></table></div> + + <p>Tomcat can then be run as a daemon using the following commands.</p> + +<div align="left"><table border="0" cellpadding="0" cellspacing="4"><tr><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr><tr><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#ffffff"><pre> + cd $CATALINA_HOME + ./bin/jsvc -cp ./bin/bootstrap.jar \ + -outfile ./logs/catalina.out -errfile ./logs/catalina.err \ + org.apache.catalina.startup.Bootstrap +</pre></td><td width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td></tr><tr><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" src="./images/void.gif"></td><td height="1" width="1" bgcolor="#023264"><img border="0" hspace="0" vspace="0" height="1" width="1" alt="" 
src="./images/void.gif"></td></tr></table></div> + + <p>jsvc has other useful parameters, such as <code>-user</code> which + causes it to switch to another user after the daemon initialization is + complete. This allows, for example, running Tomcat as a non privileged + user while still being able to use privileged ports. + <code>jsvc --help</code> will return the full jsvc usage + information. In particular, the <code>-debug</code> option is useful + to debug issues running jsvc.</p> + + <p>The file <code>$CATALINA_HOME/bin/jsvc/native/tomcat.sh</code> can be + used as a template for starting Tomcat automatically at boot time from + <code>/etc/init.d</code>. The file is currently setup for running + Tomcat 4.1.x, so it is necessary to edit it and change the classname + from <code>BootstrapService</code> to <code>Bootstrap</code>.</p> + + <p>Note that the Commons-Daemon JAR file must be on your runtime classpath + to run Tomcat in this manner. The Commons-Daemon JAR file is in the Class-Path + entry of the bootstrap.jar manifest, but if you get a ClassNotFoundException + or a NoClassDefFoundError for a Commons-Daemon class, add the Commons-Daemon + JAR to the -cp argument when launching jsvc.</p> + + </blockquote></td></tr></table></td></tr><!--FOOTER SEPARATOR--><tr><td colspan="2"><hr size="1" noshade></td></tr><!--PAGE FOOTER--><tr><td colspan="2"><div align="center"><font size="-1" color="#525D76"><em> + Copyright © 1999-2010, Apache Software Foundation + </em></font></div></td></tr></table></body></html> \ No newline at end of file http://git-wip-us.apache.org/repos/asf/flex-blazeds/blob/5be16a28/attic/servers/apache-tomcat-6.0.29/webapps/docs/ssi-howto.html ---------------------------------------------------------------------- diff --git a/attic/servers/apache-tomcat-6.0.29/webapps/docs/ssi-howto.html b/attic/servers/apache-tomcat-6.0.29/webapps/docs/ssi-howto.html new file mode 100644 index 0000000..00c78f3 --- /dev/null 
+++ b/attic/servers/apache-tomcat-6.0.29/webapps/docs/ssi-howto.html 
@@ -0,0 +1,357 @@ +<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Apache Tomcat 6.0 - SSI How To</title><meta content="Glenn L. Nielsen" name="author"><style media="print" type="text/css"> + .noPrint {display: none;} + td#mainBody {width: 100%;} + </style></head><body vlink="#525D76" alink="#525D76" link="#525D76" text="#000000" bgcolor="#ffffff"><table cellspacing="0" width="100%" border="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a href="http://tomcat.apache.org/"><img border="0" alt=" + The Apache Tomcat Servlet/JSP Container + " align="right" src="./images/tomcat.gif"></a></td><td><h1><font face="arial,helvetica,sanserif">Apache Tomcat 6.0</font></h1></td><td><!--APACHE LOGO--><a href="http://www.apache.org/"><img border="0" alt="Apache Logo" align="right" src="./images/asf-logo.gif"></a></td></tr></table><table cellspacing="4" width="100%" border="0"><!--HEADER SEPARATOR--><tr><td colspan="2"><hr size="1" noshade></td></tr><tr><!--LEFT SIDE NAVIGATION--><td class="noPrint" nowrap valign="top" width="20%"><p><strong>Links</strong></p><ul><li><a href="index.html">Docs Home</a></li><li><a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a></li></ul><p><strong>User Guide</strong></p><ul><li><a href="introduction.html">1) Introduction</a></li><li><a href="setup.html">2) Setup</a></li><li><a href="appdev/index.html">3) First webapp</a></li><li><a href="deployer-howto.html">4) Deployer</a></li><li><a href="manager-howto.html">5) Manager</a></li><li><a href="realm-howto.html">6) Realms and AAA</a></li><li><a hr ef="security-manager-howto.html">7) Security Manager</a></li><li><a href="jndi-resources-howto.html">8) JNDI Resources</a></li><li><a href="jndi-datasource-examples-howto.html">9) JDBC DataSources</a></li><li><a href="class-loader-howto.html">10) Classloading</a></li><li><a href="jasper-howto.html">11) JSPs</a></li><li><a href="ssl-howto.html">12) SSL</a></li><li><a href="ssi-howto.html">13) SSI</a></li><li><a 
href="cgi-howto.html">14) CGI</a></li><li><a href="proxy-howto.html">15) Proxy Support</a></li><li><a href="mbeans-descriptor-howto.html">16) MBean Descriptor</a></li><li><a href="default-servlet.html">17) Default Servlet</a></li><li><a href="cluster-howto.html">18) Clustering</a></li><li><a href="balancer-howto.html">19) Load Balancer</a></li><li><a href="connectors.html">20) Connectors</a></li><li><a href="monitoring.html">21) Monitoring and Management</a></li><li><a href="logging.html">22) Logging</a></li><li><a href="apr.html">23) APR/Native</a></li><li><a href="virtual-ho sting-howto.html">24) Virtual Hosting</a></li><li><a href="aio.html">25) Advanced IO</a></li><li><a href="extras.html">26) Additional Components</a></li><li><a href="maven-jars.html">27) Mavenized</a></li></ul><p><strong>Reference</strong></p><ul><li><a href="RELEASE-NOTES.txt">Release Notes</a></li><li><a href="config/index.html">Configuration</a></li><li><a href="api/index.html">Javadocs</a></li><li><a href="http://tomcat.apache.org/connectors-doc/">JK 1.2 Documentation</a></li></ul><p><strong>Apache Tomcat Development</strong></p><ul><li><a href="building.html">Building</a></li><li><a href="changelog.html">Changelog</a></li><li><a href="http://wiki.apache.org/tomcat/TomcatVersions">Status</a></li><li><a href="developers.html">Developers</a></li><li><a href="architecture/index.html">Architecture</a></li><li><a href="funcspecs/index.html">Functional Specs.</a></li></ul></td><!--RIGHT SIDE MAIN BODY--><td id="mainBody" align="left" valign="top" width="80%"><h1>Apache Tomcat 6.0</h1> <h2>SSI How To</h2><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Table of Contents"><!--()--></a><a name="Table_of_Contents"><strong>Table of Contents</strong></a></font></td></tr><tr><td><blockquote> +<ul><li><a href="#Introduction">Introduction</a></li><li><a href="#Installation">Installation</a></li><li><a 
href="#Servlet_Configuration">Servlet Configuration</a></li><li><a href="#Filter_Configuration">Filter Configuration</a></li><li><a href="#Directives">Directives</a></li><li><a href="#Variables">Variables</a></li></ul> +</blockquote></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Introduction"><strong>Introduction</strong></a></font></td></tr><tr><td><blockquote> + +<p>SSI (Server Side Includes) are directives that are placed in HTML pages, +and evaluated on the server while the pages are being served. They let you +add dynamically generated content to an existing HTML page, without having +to serve the entire page via a CGI program, or other dynamic technology. +</p> + +<p>Within Tomcat SSI support can be added when using Tomcat as your +HTTP server and you require SSI support. Typically this is done +during development when you don't want to run a web server like Apache.</p> + +<p>Tomcat SSI support implements the same SSI directives as Apache. See the +<a href="http://httpd.apache.org/docs/howto/ssi.html#basicssidirectives"> +Apache Introduction to SSI</a> for information on using SSI directives.</p> + +<p>SSI support is available as a servlet and as a filter. You should use one +or the other to provide SSI support but not both.</p> + +<p>Servlet based SSI support is implemented using the class +<code>org.apache.catalina.ssi.SSIServlet</code>. Traditionally, this servlet +is mapped to the URL pattern "*.shtml".</p> + +<p>Filter based SSI support is implemented using the class +<code>org.apache.catalina.ssi.SSIFilter</code>. Traditionally, this filter +is mapped to the URL pattern "*.shtml", though it can be mapped to "*" as +it will selectively enable/disable SSI processing based on mime types. 
The +contentType init param allows you to apply SSI processing to JSP pages, +javascript, or any other content you wish.</p> +<p>By default SSI support is disabled in Tomcat.</p> +</blockquote></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Installation"><strong>Installation</strong></a></font></td></tr><tr><td><blockquote> + +<p><strong>CAUTION</strong> - SSI directives can be used to execute programs +external to the Tomcat JVM. If you are using the Java SecurityManager this +will bypass your security policy configuration in <code>catalina.policy.</code> +</p> + +<p>To use the SSI servlet, remove the XML comments from around the SSI servlet +and servlet-mapping configuration in +<code>$CATALINA_BASE/conf/web.xml</code>.</p> + +<p>To use the SSI filter, remove the XML comments from around the SSI filter +and filter-mapping configuration in +<code>$CATALINA_BASE/conf/web.xml</code>.</p> + +<p>Only Contexts which are marked as privileged may use SSI features (see the +privileged property of the Context element).</p> + +</blockquote></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Servlet Configuration"><!--()--></a><a name="Servlet_Configuration"><strong>Servlet Configuration</strong></a></font></td></tr><tr><td><blockquote> + +<p>There are several servlet init parameters which can be used to +configure the behaviour of the SSI servlet. +<ul> +<li><strong>buffered</strong> - Should output from this servlet be buffered? +(0=false, 1=true) Default 0 (false).</li> +<li><strong>debug</strong> - Debugging detail level for messages logged +by this servlet. Default 0.</li> +<li><strong>expires</strong> - The number of seconds before a page with SSI +directives will expire. 
Default behaviour is for all SSI directives to be +evaluated for every request.</li> +<li><strong>isVirtualWebappRelative</strong> - Should "virtual" SSI directive +paths be interpreted as relative to the context root, instead of the server +root? (0=false, 1=true) Default 0 (false).</li> +<li><strong>inputEncoding</strong> - The encoding to be assumed for SSI +resources if one cannot be determined from the resource itself. Default is +the default platform encoding.</li> +<li><strong>outputEncoding</strong> - The encoding to be used for the result +of the SSI processing. Default is UTF-8.</li> +<li><strong>allowExec</strong> - Is the exec command enabled? Default is +false.</li> +</ul> +</p> + +</blockquote></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Filter Configuration"><!--()--></a><a name="Filter_Configuration"><strong>Filter Configuration</strong></a></font></td></tr><tr><td><blockquote> + +<p>There are several filter init parameters which can be used to +configure the behaviour of the SSI filter. +<ul> +<li><strong>contentType</strong> - A regex pattern that must be matched before +SSI processing is applied. When crafting your own pattern, don't forget that a +mime content type may be followed by an optional character set in the form +"mime/type; charset=set" that you must take into account. Default is +"text/x-server-parsed-html(;.*)?".</li> +<li><strong>debug</strong> - Debugging detail level for messages logged +by this servlet. Default 0.</li> +<li><strong>expires</strong> - The number of seconds before a page with SSI +directives will expire. Default behaviour is for all SSI directives to be +evaluated for every request.</li> +<li><strong>isVirtualWebappRelative</strong> - Should "virtual" SSI directive +paths be interpreted as relative to the context root, instead of the server +root? 
(0=false, 1=true) Default 0 (false).</li> +<li><strong>allowExec</strong> - Is the exec command enabled? Default is +false.</li> +</ul> +</p> + +</blockquote></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Directives"><strong>Directives</strong></a></font></td></tr><tr><td><blockquote> +<p>Server Side Includes are invoked by embedding SSI directives in an HTML document + whose type will be processed by the SSI servlet. The directives take the form of an HTML + comment. The directive is replaced by the results of interpreting it before sending the + page to the client. The general form of a directive is: </p> +<p> <code><!--#directive [parm=value] --></code></p> +<p>The directives are: +<ul> +<li> +<strong>config</strong> - <code><!--#config timefmt="%B %Y" --></code> +Used to set the format of dates and other items processed by SSI +</li> +<li> +<strong>echo</strong> - <code><!--#echo var="VARIABLE_NAME" --></code> +will be replaced by the value of the variable. +</li> +<li> +<strong>exec</strong> - Used to run commands on the host system. +</li> +<li> +<strong>include</strong> - <code><!--#include virtual="file-name" --></code> +inserts the contents +</li> +<li> +<strong>flastmod</strong> - <code><!--#flastmod file="filename.shtml" --></code> +Returns the time that a file was lost modified. +</li> +<li> +<strong>fsize</strong> - <code><!--#fsize file="filename.shtml" --></code> +Returns the size of a file. +</li> +<li> +<strong>printenv</strong> - <code><!--#printenv --></code> +Returns the list of all the defined variables. +</li> +<li> +<strong>set</strong> - <code><!--#set var="foo" value="Bar" --></code> +is used to assign a value to a user-defind variable. +</li> +<li> +<strong>if elif endif else</strong> - Used to create conditional sections. 
For example:</li> +<code><!--#config timefmt="%A" --><br> + <!--#if expr="$DATE_LOCAL = /Monday/" --><br> + <p>Meeting at 10:00 on Mondays</p><br> + <!--#elif expr="$DATE_LOCAL = /Friday/" --><br> + <p>Turn in your time card</p><br> + <!--#else --><br> + <p>Yoga class at noon.</p><br> + <!--#endif --></code> + </ul> +</p> +See the +<p> <a href="http://httpd.apache.org/docs/howto/ssi.html#basicssidirectives"> +Apache Introduction to SSI</a> for more information on using SSI directives.</p> +</blockquote></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Variables"><strong>Variables</strong></a></font></td></tr><tr><td><blockquote> +<p>The SSI servlet currently implements the following variables: +</p> +<table border="1"> +<tr> +<th>Variable Name</th> +<th>Description</th> +</tr> + +<tr> +<td>AUTH_TYPE</td> +<td> + The type of authentication used for this user: BASIC, FORM, etc.</td> +</tr> + +<tr> +<td>CONTENT_LENGTH</td> +<td> + The length of the data (in bytes or the number of + characters) passed from a form.</td> +</tr> + +<tr> +<td>CONTENT_TYPE</td> +<td> + The MIME type of the query data, such as "text/html".</td> +</tr> + +<tr> +<td>DATE_GMT</td> +<td> +Current date and time in GMT</td> +</tr> + +<tr> +<td>DATE_LOCAL</td> +<td> +Current date and time in the local time zone</td> +</tr> +<tr> +<td>DOCUMENT_NAME</td> +<td> +The current file</td> +</tr> +<tr> +<td>DOCUMENT_URI</td> +<td> +Virtual path to the file</td> +</tr> + +<tr> +<td>GATEWAY_INTERFACE</td> +<td> + The revision of the Common Gateway Interface that the + server uses if enabled: "CGI/1.1".</td> +</tr> + +<tr> +<td>HTTP_ACCEPT</td> +<td> + A list of the MIME types that the client can accept.</td> +</tr> + +<tr> +<td>HTTP_ACCEPT_ENCODING</td> +<td> + A list of the compression types that the client can accept.</td> +</tr> + +<tr> +<td>HTTP_ACCEPT_LANGUAGE</td> +<td> + A list of the languages 
that the client can accept.</td> +</tr> +<tr> +<td>HTTP_CONNECTION</td> +<td> + The way that the connection from the client is being managed: + "Close" or "Keep-Alive".</td> +</tr> +<tr> +<td>HTTP_HOST</td> +<td> + The web site that the client requested.</td> +</tr> +<tr> +<td>HTTP_REFERER</td> +<td> + The URL of the document that the client linked from.</td> +</tr> +<tr> +<td>HTTP_USER_AGENT</td> +<td> + The browser the client is using to issue the request.</td> +</tr> +<tr> +<td>LAST_MODIFIED</td> +<td> +Last modification date and time for current file</td> +</tr> +<tr> +<td>PATH_INFO</td> +<td> + Extra path information passed to a servlet.</td> +</tr> +<tr> +<td>PATH_TRANSLATED</td> +<td> + The translated version of the path given by the + variable PATH_INFO.</td> +</tr> +<tr> +<td>QUERY_STRING</td> +<td> +The query string that follows the "?" in the URL. +</td> +</tr> +<tr> +<td>QUERY_STRING_UNESCAPED</td> +<td> +Undecoded query string with all shell metacharacters escaped +with "\"</td> +</tr> +<tr> +<td>REMOTE_ADDR</td> +<td> + The remote IP address of the user making the request.</td> +</tr> +<tr> +<td>REMOTE_HOST</td> +<td> + The remote hostname of the user making the request.</td> +</tr> +<tr> +<td>REMOTE_PORT</td> +<td> + The port number at remote IP address of the user making the request.</td> +</tr> +<tr> +<td>REMOTE_USER</td> +<td> + The authenticated name of the user.</td> +</tr> +<tr> +<td>REQUEST_METHOD</td> +<td> + The method with which the information request was + issued: "GET", "POST" etc.</td> +</tr> +<tr> +<td>REQUEST_URI</td> +<td> + The web page originally requested by the client.</td> +</tr> +<tr> +<td>SCRIPT_FILENAME</td> +<td> + The location of the current web page on the server.</td> +</tr> +<tr> +<td>SCRIPT_NAME</td> +<td> + The name of the web page.</td> +</tr> +<tr> +<td>SERVER_ADDR</td> +<td> + The server's IP address.</td> +</tr> +<tr> +<td>SERVER_NAME</td> +<td> + The server's hostname or IP address.</td> +</tr> +<tr> 
+<td>SERVER_PORT</td> +<td> + The port on which the server received the request.</td> +</tr> +<tr> +<td>SERVER_PROTOCOL</td> +<td> + The protocol used by the server. E.g. "HTTP/1.1".</td> +</tr> +<tr> +<td>SERVER_SOFTWARE</td> +<td> + The name and version of the server software that is + answering the client request.</td> +</tr> +<tr> +<td>UNIQUE_ID</td> +<td> + A token used to identify the current session if one + has been established.</td> +</tr> +</table> +</blockquote></td></tr></table></td></tr><!--FOOTER SEPARATOR--><tr><td colspan="2"><hr size="1" noshade></td></tr><!--PAGE FOOTER--><tr><td colspan="2"><div align="center"><font size="-1" color="#525D76"><em> + Copyright © 1999-2010, Apache Software Foundation + </em></font></div></td></tr></table></body></html> \ No newline at end of file
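Review bot: In the "Unix daemon" section of setup.html, the sample `./bin/jsvc -cp ./bin/bootstrap.jar ...` command omits `-user`, and the option is only introduced in the paragraph after the listing, so a reader who copies the command as shown keeps the daemon running as the invoking account, which is typically root when privileged ports are wanted. Put `-user` with a placeholder account name into the sample command itself and keep the explanatory paragraph as is. Two smaller points: the Windows section wraps its `<ul>` inside a `<p>`, which is not valid HTML, and the last list item says "as Windows NT service" where the first item says "Windows NT/2k/XP service"; pick one wording.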
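Review bot: In the Directives list of ssi-howto.html, the `exec` entry says only "Used to run commands on the host system" and does not mention that it is gated by the `allowExec` init parameter (default false) or point back to the CAUTION under Installation about bypassing `catalina.policy`; add that cross-reference so the riskiest directive carries its own warning where readers look it up. In the same list, "lost modified" should be "last modified", "user-defind" should be "user-defined", the `include` description stops at "inserts the contents", and the conditional example's `<code>` block sits after the closing `</li>` instead of inside it. In Filter Configuration, the `debug` parameter is described as "logged by this servlet", which looks copied from the servlet section and should say filter. In the Installation CAUTION the trailing period is inside `<code>catalina.policy.</code>` and should move outside the tag.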
