This is an automated email from the ASF dual-hosted git repository. rzo1 pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomee.git
commit 4b009f18bd2adb61053ee55d2411ba1b84e089b1 Author: Richard Zowalla <[email protected]> AuthorDate: Thu Feb 17 08:43:31 2022 +0100 TOMEE-3840 - Adds TomEE specific policies to catalina.policy config file to allow startup with enabled security Reverted the previous fix for TOMEE-3840 in favour of this Installer-based approach, so we do not need to update a sole config file in TomEE for every Tomcat update. --- .../src/main/resources/tomee/conf/catalina.policy | 5 +++ .../src/main/resources/tomee/conf/catalina.policy | 5 +++ .../src/main/resources/tomee/conf/catalina.policy | 5 +++ .../src/main/resources/tomee/conf/catalina.policy | 5 +++ .../java/org/apache/tomee/installer/Installer.java | 38 ++++++++++++++++++++++ .../java/org/apache/tomee/installer/Paths.java | 9 +++++ .../org/apache/tomee/installer/PathsInterface.java | 2 ++ 7 files changed, 69 insertions(+) diff --git a/boms/tomee-microprofile/src/main/resources/tomee/conf/catalina.policy b/boms/tomee-microprofile/src/main/resources/tomee/conf/catalina.policy index 7aab95d..748ba1c 100644 --- a/boms/tomee-microprofile/src/main/resources/tomee/conf/catalina.policy +++ b/boms/tomee-microprofile/src/main/resources/tomee/conf/catalina.policy @@ -94,6 +94,11 @@ grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read"; permission java.util.PropertyPermission "catalina.base", "read"; + // TOMEE-3840 + permission java.util.PropertyPermission "tomee.skip-tomcat-log", "read"; + permission java.lang.RuntimePermission "accessDeclaredMembers"; + + // Note: To enable per context logging configuration, permit read access to // the appropriate file. Be sure that the logging configuration is // secure before enabling such access. diff --git a/boms/tomee-plume/src/main/resources/tomee/conf/catalina.policy b/boms/tomee-plume/src/main/resources/tomee/conf/catalina.policy index 7aab95d..748ba1c 100644 --- a/boms/tomee-plume/src/main/resources/tomee/conf/catalina.policy +++ b/boms/tomee-plume/src/main/resources/tomee/conf/catalina.policy @@ -94,6 +94,11 @@ grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read"; permission java.util.PropertyPermission "catalina.base", "read"; + // TOMEE-3840 + permission java.util.PropertyPermission "tomee.skip-tomcat-log", "read"; + permission java.lang.RuntimePermission "accessDeclaredMembers"; + + // Note: To enable per context logging configuration, permit read access to // the appropriate file. Be sure that the logging configuration is // secure before enabling such access. diff --git a/boms/tomee-plus/src/main/resources/tomee/conf/catalina.policy b/boms/tomee-plus/src/main/resources/tomee/conf/catalina.policy index 7aab95d..748ba1c 100644 --- a/boms/tomee-plus/src/main/resources/tomee/conf/catalina.policy +++ b/boms/tomee-plus/src/main/resources/tomee/conf/catalina.policy @@ -94,6 +94,11 @@ grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read"; permission java.util.PropertyPermission "catalina.base", "read"; + // TOMEE-3840 + permission java.util.PropertyPermission "tomee.skip-tomcat-log", "read"; + permission java.lang.RuntimePermission "accessDeclaredMembers"; + + // Note: To enable per context logging configuration, permit read access to // the appropriate file. Be sure that the logging configuration is // secure before enabling such access. diff --git a/boms/tomee-webprofile/src/main/resources/tomee/conf/catalina.policy b/boms/tomee-webprofile/src/main/resources/tomee/conf/catalina.policy index 7aab95d..748ba1c 100644 --- a/boms/tomee-webprofile/src/main/resources/tomee/conf/catalina.policy +++ b/boms/tomee-webprofile/src/main/resources/tomee/conf/catalina.policy @@ -94,6 +94,11 @@ grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read"; permission java.util.PropertyPermission "catalina.base", "read"; + // TOMEE-3840 + permission java.util.PropertyPermission "tomee.skip-tomcat-log", "read"; + permission java.lang.RuntimePermission "accessDeclaredMembers"; + + // Note: To enable per context logging configuration, permit read access to // the appropriate file. Be sure that the logging configuration is // secure before enabling such access. diff --git a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java index a5e2a60..c56f7bf 100644 --- a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java +++ b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Installer.java @@ -957,6 +957,44 @@ public class Installer implements InstallerInterface { } catch (final IOException e) { // no-op } + + // + // conf/catalina.policy + // + + // if we can't backup the file, do not modify it + if (!Installers.backup(paths.getCatalinaPolicy() , alerts)) { + return; + } + + String catalinaPolicy = Installers.readAll(paths.getCatalinaPolicy(), alerts); + + // catalina.policy will be null if we couldn't read the file + if (catalinaPolicy == null) { + return; + } + + //Add TomEE-specific policies (see TOMEE-3840) + try { + catalinaPolicy = Installers.replace(catalinaPolicy, + " permission java.util.PropertyPermission \"org.apache.juli.ClassLoaderLogManager.debug\", \"read\";", + " permission java.util.PropertyPermission \"org.apache.juli.ClassLoaderLogManager.debug\", \"read\";", + " permission java.util.PropertyPermission \"catalina.base\", \"read\";", + " permission java.util.PropertyPermission \"catalina.base\", \"read\";\n\n" + + " // TOMEE-3840\n" + + " permission java.util.PropertyPermission \"tomee.skip-tomcat-log\", \"read\";\n" + + " permission java.lang.RuntimePermission \"accessDeclaredMembers\";\n"); + + } catch (final IOException e) { + alerts.addError("Error adding TomEE specific policies to catalina.policy file", e); + } + + // overwrite catalina.policy + if (Installers.writeAll(paths.getCatalinaPolicy(), catalinaPolicy, alerts)) { + alerts.addInfo("Add TomEE specific policies to catalina.policy"); + } + + } private void installTomEEJuli(final Alerts alerts, final File loggingPropsFile, final String newLoggingProps) { diff --git a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Paths.java b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Paths.java index 34ac641..fe6ab19 100644 --- a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Paths.java +++ b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/Paths.java @@ -527,4 +527,13 @@ public class Paths implements PathsInterface { } return new File(binDir, "setclasspath.bat"); } + + @Override + public File getCatalinaPolicy() { + final File confDir = getCatalinaConfDir(); + if (confDir == null) { + return null; + } + return new File(confDir, "catalina.policy"); + } } diff --git a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/PathsInterface.java b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/PathsInterface.java index 390a9c9..1bc0e2e 100644 --- a/tomee/tomee-common/src/main/java/org/apache/tomee/installer/PathsInterface.java +++ b/tomee/tomee-common/src/main/java/org/apache/tomee/installer/PathsInterface.java @@ -85,4 +85,6 @@ public interface PathsInterface { File getSetClasspathSh(); File getSetClasspathBat(); + + File getCatalinaPolicy(); }
