Author: cbrisson
Date: Wed Jun 20 00:58:00 2018
New Revision: 1833884
URL: http://svn.apache.org/viewvc?rev=1833884&view=rev
Log:
[tools] Put the showcase webapp tests under a security manager
Added:
velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/src/main/policy/
velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/src/main/policy/showcase.policy
Modified:
velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/pom.xml
velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/src/main/webapp/WEB-INF/web.xml
Modified:
velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/pom.xml
URL:
http://svn.apache.org/viewvc/velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/pom.xml?rev=1833884&r1=1833883&r2=1833884&view=diff
==============================================================================
---
velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/pom.xml
(original)
+++
velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/pom.xml
Wed Jun 20 00:58:00 2018
@@ -27,6 +27,9 @@
<groupId>org.apache.velocity</groupId>
<version>3.0-SNAPSHOT</version>
</parent>
+ <properties>
+ <webapp-slf4j-logger.version>1.3</webapp-slf4j-logger.version>
+ </properties>
<groupId>org.apache.velocity</groupId>
<artifactId>velocity-tools-examples-showcase</artifactId>
<packaging>war</packaging>
@@ -37,7 +40,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-failsafe-plugin</artifactId>
- <version>2.19.1</version>
+ <version>2.22.0</version>
<executions>
<execution>
<id>integration-test</id>
@@ -56,21 +59,43 @@
<plugin>
<groupId>org.codehaus.cargo</groupId>
<artifactId>cargo-maven2-plugin</artifactId>
- <version>1.6.0</version>
- <!-- enable remote debugging
+ <version>1.6.8</version>
<configuration>
+ <container>
+ <containerId>jetty9x</containerId>
+ </container>
<configuration>
+ <files>
+ <copy>
+
<file>${project.basedir}/src/main/policy/showcase.policy</file>
+ <todir>/</todir>
+ <configfile>true</configfile>
+ </copy>
+ </files>
<properties>
+
<cargo.container>${project.build.directory}/cargo/installs</cargo.container>
+
<cargo.repository>${settings.localRepository}</cargo.repository>
+
<cargo.webapp>${project.build.directory}/${project.artifactId}</cargo.webapp>
+
<cargo.velocity-engine.version>${velocity.engine.version}</cargo.velocity-engine.version>
+
<cargo.velocity-tools.version>${project.version}</cargo.velocity-tools.version>
+
<cargo.slf4j.version>${slf4j.version}</cargo.slf4j.version>
+
<cargo.webapp-slf4j-logger.version>${webapp-slf4j-logger.version}</cargo.webapp-slf4j-logger.version>
<cargo.jvmargs>
- -Xdebug
-
-Xrunjdwp:transport=dt_socket,server=n,suspend=y,address=5005
- -Xnoagent
- -Djava.compiler=NONE
+ <!-- enable remote debugging
+
-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5006
+ -->
+
+ <!-- enable Jetty debug log
+ -Dorg.eclipse.jetty.LEVEL=DEBUG
+ -->
+
+ <!-- enable security manager -->
+ -Djava.security.manager
+
-Djava.security.policy=${project.build.directory}/cargo/configurations/jetty9x/showcase.policy
</cargo.jvmargs>
</properties>
</configuration>
</configuration>
- -->
<executions>
<execution>
<configuration>
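Review bot: The added `-Djava.security.policy=…/showcase.policy` in `<cargo.jvmargs>` uses a single `=`, so the JVM adds this file to whatever the default `java.security` configuration already loads (including a per-user `.java.policy`), and the integration tests may pass with permissions that showcase.policy does not grant. Using `-Djava.security.policy==${project.build.directory}/cargo/configurations/jetty9x/showcase.policy` would make showcase.policy the only policy in effect. The path also repeats the `jetty9x` container id by hand, so a comment such as `<!-- keep in sync with <containerId> above -->` would help. If the commented-out JDWP line is ever enabled, it should bind to loopback (`address=localhost:5006`), because with `server=y` a bare port listens on all interfaces on Java 8 and earlier. The plugin's `<executions>` block continues outside the hunk.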
@@ -122,7 +147,7 @@
<dependency>
<groupId>rhino</groupId>
<artifactId>js</artifactId>
- <version>1.6R5</version>
+ <version>1.7R2</version>
</dependency>
<dependency>
<groupId>org.apache.velocity</groupId>
@@ -146,7 +171,7 @@
<dependency>
<groupId>com.republicate</groupId>
<artifactId>webapp-slf4j-logger</artifactId>
- <version>1.1</version>
+ <version>${webapp-slf4j-logger.version}</version>
<scope>runtime</scope>
</dependency>
</dependencies>
Added:
velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/src/main/policy/showcase.policy
URL:
http://svn.apache.org/viewvc/velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/src/main/policy/showcase.policy?rev=1833884&view=auto
==============================================================================
---
velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/src/main/policy/showcase.policy
(added)
+++
velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/src/main/policy/showcase.policy
Wed Jun 20 00:58:00 2018
@@ -0,0 +1,155 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+///////////////////////////////////////////////////
+//
+// Give Maven repository libs all permissions
+//
+///////////////////////////////////////////////////
+
+grant codeBase "file:@cargo.repository@/-"
+{
+ permission java.security.AllPermission "", "";
+};
+
+///////////////////////////////////////////////////
+//
+// Give Jetty libs all permissions
+//
+///////////////////////////////////////////////////
+
+grant codeBase "file:@cargo.container@/-"
+{
+ permission java.security.AllPermission "", "";
+};
+
+///////////////////////////////////////////////////
+//
+// Give anyone basic and reflection runtime rights
+//
+///////////////////////////////////////////////////
+
+grant
+{
+ permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.RuntimePermission "getProtectionDomain";
+ permission java.lang.RuntimePermission "getClassLoader";
+};
+
+///////////////////////////////////////////////////
+//
+// Let webapp resolve classes dependencies
+//
+///////////////////////////////////////////////////
+
+grant codeBase "file:@cargo.webapp@/WEB-INF/classes/-"
+{
+ permission java.io.FilePermission "@cargo.webapp@/WEB-INF/lib/*", "read";
+ permission java.io.FilePermission "@cargo.webapp@/WEB-INF/classes/-",
"read";
+};
+
+grant codeBase "file:@cargo.webapp@/WEB-INF/lib/*"
+{
+ permission java.io.FilePermission "@cargo.webapp@/WEB-INF/lib/*", "read";
+ permission java.io.FilePermission "@cargo.webapp@/WEB-INF/classes/-",
"read";
+};
+
+
+///////////////////////////////////////////////////
+//
+// Give webapp-slf4j-logger all permissions
+//
+///////////////////////////////////////////////////
+
+// (since the logger will install an IPFilter tag, it's here in all calling
stacks)
+
+grant codeBase
"file:@cargo.webapp@/WEB-INF/lib/[email protected]@.jar
+{
+ permission java.security.AllPermission "", "";
+};
+
+///////////////////////////////////////////////////
+//
+// Give slf4j permission to read its properties
+//
+///////////////////////////////////////////////////
+
+// all calling chain is needed
+
+grant codeBase
"file:@cargo.webapp@/WEB-INF/lib/[email protected]@.jar"
+{
+ permission java.util.PropertyPermission "slf4j.*", "read";
+};
+
+grant codeBase
"file:@cargo.webapp@/WEB-INF/lib/[email protected]@.jar"
+{
+ permission java.util.PropertyPermission "slf4j.*", "read";
+};
+
+grant codeBase
"file:@cargo.webapp@/WEB-INF/lib/[email protected]@.jar"
+{
+ permission java.util.PropertyPermission "slf4j.*", "read";
+};
+
+///////////////////////////////////////////////////
+//
+// Give velocity, velocity-tools-generic and velocity-tools-view only needed
rights
+//
+///////////////////////////////////////////////////
+
+// engine
+
+grant codeBase
"file:@cargo.webapp@/WEB-INF/lib/[email protected]@.jar"
+{
+ // read default velocity.properties from velocity-engine-core jar
+ permission java.io.FilePermission
"@cargo.webapp@/WEB-INF/lib/[email protected]@.jar",
"read";
+};
+
+// generic tools
+
+grant codeBase
"file:@cargo.webapp@/WEB-INF/lib/[email protected]@.jar"
+{
+ // read default velocity.properties and default toolbox from
velocity-tools-view jar
+ permission java.io.FilePermission
"@cargo.webapp@/WEB-INF/lib/[email protected]@.jar",
"read";
+
+ // read default toolbox from velocity-tools-generic jar
+ permission java.io.FilePermission
"@cargo.webapp@/WEB-INF/lib/[email protected]@.jar",
"read";
+};
+
+
+// view tools
+
+grant codeBase
"file:@cargo.webapp@/WEB-INF/lib/[email protected]@.jar"
+{
+ // read permissions on the webapp
+ permission java.io.FilePermission "@cargo.webapp@/-", "read";
+
+ // get request character encoding (specific to jetty)
+ permission java.util.PropertyPermission
"org.eclipse.jetty.util.UrlEncoding.charset","read";
+};
+
+///////////////////////////////////////////////////
+//
+// Showcase samples need some more permissions
+//
+///////////////////////////////////////////////////
+
+grant codeBase "file:@cargo.webapp@/WEB-INF/classes/-"
+{
+};
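Review bot: The unqualified `grant { … }` block gives `accessDeclaredMembers`, `getProtectionDomain` and `getClassLoader` to every protection domain, not just the webapp's, so any code loaded from a location this policy does not name inherits reflection and class-loader access. Since the Maven repository and the Jetty install already hold `AllPermission`, scoping it as `grant codeBase "file:@cargo.webapp@/-"` should keep the tests working while keeping the grant explicit. The codeBase string for the webapp-slf4j-logger grant appears without its closing `"` as shown here; if that is in the committed file rather than an artifact of the mail archive, it needs fixing. The final `grant codeBase "file:@cargo.webapp@/WEB-INF/classes/-"` block is empty and repeats an earlier codeBase, so a one-line comment marking it as a placeholder for sample-specific permissions would make the intent clear.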
Modified:
velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/src/main/webapp/WEB-INF/web.xml
URL:
http://svn.apache.org/viewvc/velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/src/main/webapp/WEB-INF/web.xml?rev=1833884&r1=1833883&r2=1833884&view=diff
==============================================================================
---
velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/src/main/webapp/WEB-INF/web.xml
(original)
+++
velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/src/main/webapp/WEB-INF/web.xml
Wed Jun 20 00:58:00 2018
@@ -21,8 +21,8 @@
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
- version="2.5">
+ xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3.0.xsd"
+ version="3.0">
<servlet>
<servlet-name>velocity</servlet-name>
<servlet-class>org.apache.velocity.tools.view.VelocityLayoutServlet</servlet-class>
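Review bot: The new `xsi:schemaLocation` points at `http://java.sun.com/xml/ns/javaee/web-app_3.0.xsd`, but the Servlet 3.0 schema is published as `web-app_3_0.xsd` (underscore, matching the `web-app_2_5.xsd` name it replaces). A validating parser or IDE that follows the hint will fail to resolve it, so the location should read `http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd`. The `<web-app>` element continues outside the hunk.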