This is an automated email from the ASF dual-hosted git repository. jlmonteiro pushed a commit to branch jakartaee9-tck in repository https://gitbox.apache.org/repos/asf/tomee-tck.git
commit 69a89e650011b6b7d0129903dbfc8ec9387bc17c Author: Jean-Louis Monteiro <[email protected]> AuthorDate: Mon Apr 26 16:31:34 2021 +0200 Security update for permissions tests, jaxrs, servlet and security api Signed-off-by: Jean-Louis Monteiro <[email protected]> --- .../openejb/tck/commands/JavaTestCommand.groovy | 9 ++- src/test/tomee-plume/conf/catalina.policy | 72 ++++++++++++++++------ src/test/tomee-plume/conf/context.xml | 8 --- src/test/tomee-plume/conf/tomcat-users.xml | 4 +- 4 files changed, 63 insertions(+), 30 deletions(-) diff --git a/src/test/script/openejb/tck/commands/JavaTestCommand.groovy b/src/test/script/openejb/tck/commands/JavaTestCommand.groovy index aece499..f0c9c13 100644 --- a/src/test/script/openejb/tck/commands/JavaTestCommand.groovy +++ b/src/test/script/openejb/tck/commands/JavaTestCommand.groovy @@ -230,12 +230,17 @@ class JavaTestCommand } def containerJavaOpts = get('container.java.opts', "") + + // force memory on tasks because with JDK 8 it's computed with a bit too much + containerJavaOpts += " -Xmx512m -Dtest.ejb.stateful.timeout.wait.seconds=60" + + if (options.contains('security')) { log.info("Enabling server security manager") // -Djava.security.properties=conf/security.properties - containerJavaOpts += " -Djava.security.manager " + - "-Djava.security.policy==${project.basedir}/${openejbHome}/conf/catalina.policy " + + containerJavaOpts += " -Djava.security.manager -Dcts.home=${javaeeCtsHome} -Djava.security.debug=none " + + "-Djava.security.policy=${project.basedir}/${openejbHome}/conf/catalina.policy " + "-Djava.security.properties=${project.basedir}/${openejbHome}/conf/security.properties" } if (options.contains('websocket')) { diff --git a/src/test/tomee-plume/conf/catalina.policy b/src/test/tomee-plume/conf/catalina.policy index c18010f..82499e5 100644 --- a/src/test/tomee-plume/conf/catalina.policy +++ b/src/test/tomee-plume/conf/catalina.policy @@ -62,8 +62,8 @@ grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" { // These permissions apply to the logging API // Note: If tomcat-juli.jar is in ${catalina.base} and not in ${catalina.home}, // update this section accordingly. -// grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {..} -grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { +grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" { +// grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read"; @@ -90,6 +90,10 @@ grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read"; permission java.util.PropertyPermission "catalina.base", "read"; + // TomEE specific + permission java.util.PropertyPermission "tomee.*", "read"; + + // Note: To enable per context logging configuration, permit read access to // the appropriate file. Be sure that the logging configuration is // secure before enabling such access. @@ -115,9 +119,14 @@ grant codeBase "file:${catalina.home}/lib/-" { // If using a per instance lib directory, i.e. ${catalina.base}/lib, // then the following permission will need to be uncommented -// grant codeBase "file:${catalina.base}/lib/-" { -// permission java.security.AllPermission; -// }; +grant codeBase "file:${catalina.base}/lib/-" { + permission java.security.AllPermission; +}; + +// TomEE webapp for deployment +grant codeBase "file:${catalina.base}/webapps/tomee/-" { + permission java.security.AllPermission; +}; // ========== WEB APPLICATION PERMISSIONS ===================================== @@ -157,6 +166,25 @@ grant { permission java.util.PropertyPermission "java.vm.vendor", "read"; permission java.util.PropertyPermission "java.vm.name", "read"; + // TomEE + permission java.util.PropertyPermission "tomee.*", "read"; + permission java.util.PropertyPermission "openejb.*", "read"; + permission java.util.PropertyPermission "user.name", "read"; + permission java.util.PropertyPermission "java.io.tmpdir", "read"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.loader"; // tomee + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.core"; // tomee + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.realm"; // tomee + permission java.io.FilePermission "${catalina.base}/lib/-", "read"; // java ee api class, slf4j, owb, etc + permission java.lang.RuntimePermission "accessDeclaredMembers"; // owb + permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; // owb + permission java.net.SocketPermission "localhost", "connect,resolve"; // jndi + permission java.net.SocketPermission "127.0.0.1", "connect,resolve"; // jndi + permission javax.security.auth.AuthPermission "modifyPrincipals"; // tomee security + permission javax.security.auth.AuthPermission "modifyPrivateCredentials"; // tomee security + + // TomEE for CTS classes in webapps + permission java.io.FilePermission "${cts.home}/dist/-", "read"; + // Required for OpenJMX permission java.lang.RuntimePermission "getAttribute"; @@ -175,6 +203,9 @@ grant { // Applications using WebSocket need to be able to access these packages permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket.server"; + + // TomEE for CTS classes + permission java.lang.RuntimePermission "accessClassInPackage.com.sun.ts.*"; }; @@ -259,17 +290,22 @@ grant codeBase "file:${catalina.home}/webapps/host-manager/-" { // grant codeBase "war:file:${catalina.base}/webapps/examples.war*/WEB-INF/lib/foo.jar" { // }; -// ================ Apache TomEE ============== (To be refined) -grant codeBase "jar:file:${catalina.home}/lib/*!/-" { - permission java.security.AllPermission; -}; -grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { - permission java.security.AllPermission; -}; -grant codeBase "file:${catalina.base}/lib/-" { - permission java.security.AllPermission; +// TomEE for CTS configuration +grant codeBase "file:${cts.home}/dist/com/sun/ts/tests/servlet/ee/spec/security/permissiondd/servlet_ee_spec_security_permissiondd_web/-" { + permission java.util.PropertyPermission "cts.*", "read"; + + permission java.security.SecurityPermission "CTSPermission1_name"; + permission java.security.SecurityPermission "CTSPermission1_name2"; + permission java.security.SecurityPermission "CTSPermission2_name"; + permission java.security.SecurityPermission "CTSPermission_second_name"; + + permission java.lang.RuntimePermission "loadLibrary.*"; + permission java.lang.RuntimePermission "queuePrintJob"; + + permission java.net.SocketPermission "*", "connect"; + + permission java.io.FilePermission "*", "read"; + + permission java.util.PropertyPermission "*", "read"; }; -grant { - // "standard" properties that can be read by anyone - permission java.security.AllPermission ; -}; \ No newline at end of file + diff --git a/src/test/tomee-plume/conf/context.xml b/src/test/tomee-plume/conf/context.xml index 5d42cfe..3c422ef 100644 --- a/src/test/tomee-plume/conf/context.xml +++ b/src/test/tomee-plume/conf/context.xml @@ -30,14 +30,6 @@ --> <Valve className="org.apache.openejb.cts.TransactionalWorkaroundLeakGuardValve"/> - <!-- Rollback this because it causes some other tests to fail because they test the Form authentication and Tomcat - Does not allow multiple authenticator valve - We need to hear back or to find a way to only add this for jaspic webapp or tests - - <Valve className="org.apache.catalina.authenticator.BasicAuthenticator" - jaspicCallbackHandlerClass="org.apache.openejb.cts.CallbackHandlerImpl" - /> - --> <Environment name="myUrl" value="http://google.com"; type="java.net.URL" override="false"/> diff --git a/src/test/tomee-plume/conf/tomcat-users.xml b/src/test/tomee-plume/conf/tomcat-users.xml index 7de2b4f..9ce0456 100644 --- a/src/test/tomee-plume/conf/tomcat-users.xml +++ b/src/test/tomee-plume/conf/tomcat-users.xml @@ -21,9 +21,9 @@ <user name="admin" password="admin" roles="manager"/> <user name="jave_vi" password="javaee_vi" roles="staff"/> <user name="javee_vi" password="javaee_vi" roles="staff"/> - <user name="javajoe" password="javajoe" roles="Manager,Employee,guest"/> + <user name="javajoe" password="javajoe" roles="Manager,Employee,guest,OTHERROLE"/> <user name="javaee" password="javaee" roles="Administrator,Employee,mgr,asadmin"/> - <user name="j2ee" password="j2ee" roles="Administrator,Employee,mgr,asadmin,staff"/> + <user name="j2ee" password="j2ee" roles="Administrator,Employee,mgr,asadmin,staff,DIRECTOR"/> <user name="CN=CTS, OU=Java Software, O=Sun Microsystems Inc., L=Burlington, ST=MA, C=US" roles="Administrator"/> </tomcat-users>
