This is an automated email from the ASF dual-hosted git repository. rzo1 pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomee.git
commit 4cb9f8b90ad7728454e20a448dd739a372714620 Author: Richard Zowalla <[email protected]> AuthorDate: Thu Feb 17 08:36:15 2022 +0100 Revert "TOMEE-3840 - Fix TomEE does not start with security enabled" This reverts commit 18f174b6acb6873c41f7da73f8a1cd952be95e87. --- .../src/main/resources/tomee/conf/catalina.policy | 4 - .../src/main/resources/tomee/conf/catalina.policy | 4 - .../src/main/resources/tomee/conf/catalina.policy | 4 - .../src/main/resources/tomee/conf/catalina.policy | 4 - tomee/apache-tomee/pom.xml | 3 - .../src/main/assembly/tomee-microprofile.xml | 8 - .../apache-tomee/src/main/assembly/tomee-plume.xml | 8 - .../apache-tomee/src/main/assembly/tomee-plus.xml | 8 - .../src/main/assembly/tomee-webprofile.xml | 8 - .../src/main/resources/catalina.policy | 268 --------------------- 10 files changed, 319 deletions(-) diff --git a/boms/tomee-microprofile/src/main/resources/tomee/conf/catalina.policy b/boms/tomee-microprofile/src/main/resources/tomee/conf/catalina.policy index 1a081a3..7aab95d 100644 --- a/boms/tomee-microprofile/src/main/resources/tomee/conf/catalina.policy +++ b/boms/tomee-microprofile/src/main/resources/tomee/conf/catalina.policy @@ -94,10 +94,6 @@ grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read"; permission java.util.PropertyPermission "catalina.base", "read"; - // TOMEE-3840 - permission java.util.PropertyPermission "tomee.skip-tomcat-log", "read"; - permission java.lang.RuntimePermission "accessDeclaredMembers"; - // Note: To enable per context logging configuration, permit read access to // the appropriate file. Be sure that the logging configuration is // secure before enabling such access. diff --git a/boms/tomee-plume/src/main/resources/tomee/conf/catalina.policy b/boms/tomee-plume/src/main/resources/tomee/conf/catalina.policy index 1a081a3..7aab95d 100644 --- a/boms/tomee-plume/src/main/resources/tomee/conf/catalina.policy +++ b/boms/tomee-plume/src/main/resources/tomee/conf/catalina.policy @@ -94,10 +94,6 @@ grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read"; permission java.util.PropertyPermission "catalina.base", "read"; - // TOMEE-3840 - permission java.util.PropertyPermission "tomee.skip-tomcat-log", "read"; - permission java.lang.RuntimePermission "accessDeclaredMembers"; - // Note: To enable per context logging configuration, permit read access to // the appropriate file. Be sure that the logging configuration is // secure before enabling such access. diff --git a/boms/tomee-plus/src/main/resources/tomee/conf/catalina.policy b/boms/tomee-plus/src/main/resources/tomee/conf/catalina.policy index 1a081a3..7aab95d 100644 --- a/boms/tomee-plus/src/main/resources/tomee/conf/catalina.policy +++ b/boms/tomee-plus/src/main/resources/tomee/conf/catalina.policy @@ -94,10 +94,6 @@ grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read"; permission java.util.PropertyPermission "catalina.base", "read"; - // TOMEE-3840 - permission java.util.PropertyPermission "tomee.skip-tomcat-log", "read"; - permission java.lang.RuntimePermission "accessDeclaredMembers"; - // Note: To enable per context logging configuration, permit read access to // the appropriate file. Be sure that the logging configuration is // secure before enabling such access. diff --git a/boms/tomee-webprofile/src/main/resources/tomee/conf/catalina.policy b/boms/tomee-webprofile/src/main/resources/tomee/conf/catalina.policy index 1a081a3..7aab95d 100644 --- a/boms/tomee-webprofile/src/main/resources/tomee/conf/catalina.policy +++ b/boms/tomee-webprofile/src/main/resources/tomee/conf/catalina.policy @@ -94,10 +94,6 @@ grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read"; permission java.util.PropertyPermission "catalina.base", "read"; - // TOMEE-3840 - permission java.util.PropertyPermission "tomee.skip-tomcat-log", "read"; - permission java.lang.RuntimePermission "accessDeclaredMembers"; - // Note: To enable per context logging configuration, permit read access to // the appropriate file. Be sure that the logging configuration is // secure before enabling such access. diff --git a/tomee/apache-tomee/pom.xml b/tomee/apache-tomee/pom.xml index 8340c16..bfcccf4 100644 --- a/tomee/apache-tomee/pom.xml +++ b/tomee/apache-tomee/pom.xml @@ -159,9 +159,6 @@ <resource> <directory>src/main/resources</directory> <filtering>true</filtering> - <excludes> - <exclude>*.policy</exclude> - </excludes> </resource> <resource> <directory>src/main/resources</directory> diff --git a/tomee/apache-tomee/src/main/assembly/tomee-microprofile.xml b/tomee/apache-tomee/src/main/assembly/tomee-microprofile.xml index a7949d5..e026258 100644 --- a/tomee/apache-tomee/src/main/assembly/tomee-microprofile.xml +++ b/tomee/apache-tomee/src/main/assembly/tomee-microprofile.xml @@ -38,7 +38,6 @@ <exclude>NOTICE</exclude> <exclude>**/bin/**/*</exclude> <exclude>**/lib/tomcat-annotations-api*.jar</exclude> - <exclude>**/conf/catalina.policy</exclude> </excludes> </fileSet> <fileSet> @@ -50,13 +49,6 @@ </fileSet> <fileSet> <directory>${project.basedir}/target/classes</directory> - <outputDirectory>/apache-tomee-microprofile-${project.version}/conf</outputDirectory> - <includes> - <include>catalina.policy</include> - </includes> - </fileSet> - <fileSet> - <directory>${project.basedir}/target/classes</directory> <outputDirectory>/apache-tomee-microprofile-${project.version}/bin</outputDirectory> <includes> <include>service.*</include> diff --git a/tomee/apache-tomee/src/main/assembly/tomee-plume.xml b/tomee/apache-tomee/src/main/assembly/tomee-plume.xml index d8f6763..0ba6892 100644 --- a/tomee/apache-tomee/src/main/assembly/tomee-plume.xml +++ b/tomee/apache-tomee/src/main/assembly/tomee-plume.xml @@ -38,7 +38,6 @@ <exclude>NOTICE</exclude> <exclude>**/bin/**/*</exclude> <exclude>**/lib/tomcat-annotations-api*.jar</exclude> - <exclude>**/conf/catalina.policy</exclude> </excludes> </fileSet> <fileSet> @@ -50,13 +49,6 @@ </fileSet> <fileSet> <directory>${project.basedir}/target/classes</directory> - <outputDirectory>/apache-tomee-plume-${project.version}/conf</outputDirectory> - <includes> - <include>catalina.policy</include> - </includes> - </fileSet> - <fileSet> - <directory>${project.basedir}/target/classes</directory> <outputDirectory>/apache-tomee-plume-${project.version}/bin</outputDirectory> <includes> <include>service.*</include> diff --git a/tomee/apache-tomee/src/main/assembly/tomee-plus.xml b/tomee/apache-tomee/src/main/assembly/tomee-plus.xml index 57c63cb..5e1ac51 100644 --- a/tomee/apache-tomee/src/main/assembly/tomee-plus.xml +++ b/tomee/apache-tomee/src/main/assembly/tomee-plus.xml @@ -38,7 +38,6 @@ <exclude>NOTICE</exclude> <exclude>**/bin/**/*</exclude> <exclude>**/lib/tomcat-annotations-api*.jar</exclude> - <exclude>**/conf/catalina.policy</exclude> </excludes> </fileSet> <fileSet> @@ -50,13 +49,6 @@ </fileSet> <fileSet> <directory>${project.basedir}/target/classes</directory> - <outputDirectory>/apache-tomee-plus-${project.version}/conf</outputDirectory> - <includes> - <include>catalina.policy</include> - </includes> - </fileSet> - <fileSet> - <directory>${project.basedir}/target/classes</directory> <outputDirectory>/apache-tomee-plus-${project.version}/bin</outputDirectory> <includes> <include>service.*</include> diff --git a/tomee/apache-tomee/src/main/assembly/tomee-webprofile.xml b/tomee/apache-tomee/src/main/assembly/tomee-webprofile.xml index 6602155..e84b860 100644 --- a/tomee/apache-tomee/src/main/assembly/tomee-webprofile.xml +++ b/tomee/apache-tomee/src/main/assembly/tomee-webprofile.xml @@ -38,7 +38,6 @@ <exclude>NOTICE</exclude> <exclude>**/bin/**/*</exclude> <exclude>**/lib/tomcat-annotations-api*.jar</exclude> - <exclude>**/conf/catalina.policy</exclude> </excludes> </fileSet> <fileSet> @@ -50,13 +49,6 @@ </fileSet> <fileSet> <directory>${project.basedir}/target/classes</directory> - <outputDirectory>/apache-tomee-webprofile-${project.version}/conf</outputDirectory> - <includes> - <include>catalina.policy</include> - </includes> - </fileSet> - <fileSet> - <directory>${project.basedir}/target/classes</directory> <outputDirectory>/apache-tomee-webprofile-${project.version}/bin</outputDirectory> <includes> <include>service.*</include> diff --git a/tomee/apache-tomee/src/main/resources/catalina.policy b/tomee/apache-tomee/src/main/resources/catalina.policy deleted file mode 100644 index 1a081a3..0000000 --- a/tomee/apache-tomee/src/main/resources/catalina.policy +++ /dev/null @@ -1,268 +0,0 @@ -// Licensed to the Apache Software Foundation (ASF) under one or more -// contributor license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright ownership. -// The ASF licenses this file to You under the Apache License, Version 2.0 -// (the "License"); you may not use this file except in compliance with -// the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// ============================================================================ -// catalina.policy - Security Policy Permissions for Tomcat -// -// This file contains a default set of security policies to be enforced (by the -// JVM) when Catalina is executed with the "-security" option. In addition -// to the permissions granted here, the following additional permissions are -// granted to each web application: -// -// * Read access to the web application's document root directory -// * Read, write and delete access to the web application's working directory -// ============================================================================ - - -// ========== SYSTEM CODE PERMISSIONS ========================================= - - -// These permissions apply to javac -grant codeBase "file:${java.home}/lib/-" { - permission java.security.AllPermission; -}; - -// These permissions apply to all shared system extensions -grant codeBase "file:${java.home}/jre/lib/ext/-" { - permission java.security.AllPermission; -}; - -// These permissions apply to javac when ${java.home} points at $JAVA_HOME/jre -grant codeBase "file:${java.home}/../lib/-" { - permission java.security.AllPermission; -}; - -// These permissions apply to all shared system extensions when -// ${java.home} points at $JAVA_HOME/jre -grant codeBase "file:${java.home}/lib/ext/-" { - permission java.security.AllPermission; -}; - -// This permission is required when using javac to compile JSPs on Java 9 -// onwards -//grant codeBase "jrt:/jdk.compiler" { -// permission java.security.AllPermission; -//}; - - -// ========== CATALINA CODE PERMISSIONS ======================================= - -// These permissions apply to the daemon code -grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" { - permission java.security.AllPermission; -}; - -// These permissions apply to the logging API -// Note: If tomcat-juli.jar is in ${catalina.base} and not in ${catalina.home}, -// update this section accordingly. -// grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {..} -grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { - permission java.io.FilePermission - "${java.home}${file.separator}lib${file.separator}logging.properties", "read"; - - permission java.io.FilePermission - "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read"; - permission java.io.FilePermission - "${catalina.base}${file.separator}logs", "read, write"; - permission java.io.FilePermission - "${catalina.base}${file.separator}logs${file.separator}*", "read, write, delete"; - - permission java.lang.RuntimePermission "shutdownHooks"; - permission java.lang.RuntimePermission "getClassLoader"; - permission java.lang.RuntimePermission "setContextClassLoader"; - - permission java.lang.management.ManagementPermission "monitor"; - - permission java.util.logging.LoggingPermission "control"; - - permission java.util.PropertyPermission "java.util.logging.config.class", "read"; - permission java.util.PropertyPermission "java.util.logging.config.file", "read"; - permission java.util.PropertyPermission "org.apache.juli.AsyncMaxRecordCount", "read"; - permission java.util.PropertyPermission "org.apache.juli.AsyncOverflowDropType", "read"; - permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read"; - permission java.util.PropertyPermission "catalina.base", "read"; - - // TOMEE-3840 - permission java.util.PropertyPermission "tomee.skip-tomcat-log", "read"; - permission java.lang.RuntimePermission "accessDeclaredMembers"; - - // Note: To enable per context logging configuration, permit read access to - // the appropriate file. Be sure that the logging configuration is - // secure before enabling such access. - // E.g. for the examples web application (uncomment and unwrap - // the following to be on a single line): - // permission java.io.FilePermission "${catalina.base}${file.separator} - // webapps${file.separator}examples${file.separator}WEB-INF - // ${file.separator}classes${file.separator}logging.properties", "read"; -}; - -// These permissions apply to the server startup code -grant codeBase "file:${catalina.home}/bin/bootstrap.jar" { - permission java.security.AllPermission; -}; - -// These permissions apply to the servlet API classes -// and those that are shared across all class loaders -// located in the "lib" directory -grant codeBase "file:${catalina.home}/lib/-" { - permission java.security.AllPermission; -}; - - -// If using a per instance lib directory, i.e. ${catalina.base}/lib, -// then the following permission will need to be uncommented -// grant codeBase "file:${catalina.base}/lib/-" { -// permission java.security.AllPermission; -// }; - - -// ========== WEB APPLICATION PERMISSIONS ===================================== - - -// These permissions are granted by default to all web applications -// In addition, a web application will be given a read FilePermission -// for all files and directories in its document root. -grant { - // Required for JNDI lookup of named JDBC DataSource's and - // javamail named MimePart DataSource used to send mail - permission java.util.PropertyPermission "java.home", "read"; - permission java.util.PropertyPermission "java.naming.*", "read"; - permission java.util.PropertyPermission "javax.sql.*", "read"; - - // OS Specific properties to allow read access - permission java.util.PropertyPermission "os.name", "read"; - permission java.util.PropertyPermission "os.version", "read"; - permission java.util.PropertyPermission "os.arch", "read"; - permission java.util.PropertyPermission "file.separator", "read"; - permission java.util.PropertyPermission "path.separator", "read"; - permission java.util.PropertyPermission "line.separator", "read"; - - // JVM properties to allow read access - permission java.util.PropertyPermission "java.version", "read"; - permission java.util.PropertyPermission "java.vendor", "read"; - permission java.util.PropertyPermission "java.vendor.url", "read"; - permission java.util.PropertyPermission "java.class.version", "read"; - permission java.util.PropertyPermission "java.specification.version", "read"; - permission java.util.PropertyPermission "java.specification.vendor", "read"; - permission java.util.PropertyPermission "java.specification.name", "read"; - - permission java.util.PropertyPermission "java.vm.specification.version", "read"; - permission java.util.PropertyPermission "java.vm.specification.vendor", "read"; - permission java.util.PropertyPermission "java.vm.specification.name", "read"; - permission java.util.PropertyPermission "java.vm.version", "read"; - permission java.util.PropertyPermission "java.vm.vendor", "read"; - permission java.util.PropertyPermission "java.vm.name", "read"; - - // Required for OpenJMX - permission java.lang.RuntimePermission "getAttribute"; - - // Allow read of JAXP compliant XML parser debug - permission java.util.PropertyPermission "jaxp.debug", "read"; - - // All JSPs need to be able to read this package - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat"; - - // Precompiled JSPs need access to these packages. - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el"; - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime"; - permission java.lang.RuntimePermission - "accessClassInPackage.org.apache.jasper.runtime.*"; - - // Applications using WebSocket need to be able to access these packages - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket"; - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket.server"; -}; - - -// The Manager application needs access to the following packages to support the -// session display functionality. It also requires the custom Tomcat -// DeployXmlPermission to enable the use of META-INF/context.xml -// These settings support the following configurations: -// - default CATALINA_HOME == CATALINA_BASE -// - CATALINA_HOME != CATALINA_BASE, per instance Manager in CATALINA_BASE -// - CATALINA_HOME != CATALINA_BASE, shared Manager in CATALINA_HOME -grant codeBase "file:${catalina.base}/webapps/manager/-" { - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina"; - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session"; - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager"; - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util"; - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util"; - permission org.apache.catalina.security.DeployXmlPermission "manager"; -}; -grant codeBase "file:${catalina.home}/webapps/manager/-" { - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina"; - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session"; - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager"; - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util"; - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util"; - permission org.apache.catalina.security.DeployXmlPermission "manager"; -}; - -// The Host Manager application needs the custom Tomcat DeployXmlPermission to -// enable the use of META-INF/context.xml -// These settings support the following configurations: -// - default CATALINA_HOME == CATALINA_BASE -// - CATALINA_HOME != CATALINA_BASE, per instance Host Manager in CATALINA_BASE -// - CATALINA_HOME != CATALINA_BASE, shared Host Manager in CATALINA_HOME -grant codeBase "file:${catalina.base}/webapps/host-manager/-" { - permission org.apache.catalina.security.DeployXmlPermission "host-manager"; -}; -grant codeBase "file:${catalina.home}/webapps/host-manager/-" { - permission org.apache.catalina.security.DeployXmlPermission "host-manager"; -}; - - -// You can assign additional permissions to particular web applications by -// adding additional "grant" entries here, based on the code base for that -// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files. -// -// Different permissions can be granted to JSP pages, classes loaded from -// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/ -// directory, or even to individual jar files in the /WEB-INF/lib/ directory. -// -// For instance, assume that the standard "examples" application -// included a JDBC driver that needed to establish a network connection to the -// corresponding database and used the scrape taglib to get the weather from -// the NOAA web server. You might create a "grant" entries like this: -// -// The permissions granted to the context root directory apply to JSP pages. -// grant codeBase "file:${catalina.base}/webapps/examples/-" { -// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; -// permission java.net.SocketPermission "*.noaa.gov:80", "connect"; -// }; -// -// The permissions granted to the context WEB-INF/classes directory -// grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" { -// }; -// -// The permission granted to your JDBC driver -// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" { -// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; -// }; -// The permission granted to the scrape taglib -// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" { -// permission java.net.SocketPermission "*.noaa.gov:80", "connect"; -// }; - -// To grant permissions for web applications using packed WAR files, use the -// Tomcat specific WAR url scheme. -// -// The permissions granted to the entire web application -// grant codeBase "war:file:${catalina.base}/webapps/examples.war*/-" { -// }; -// -// The permissions granted to a specific JAR -// grant codeBase "war:file:${catalina.base}/webapps/examples.war*/WEB-INF/lib/foo.jar" { -// }; \ No newline at end of file
