This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push: new ea94837028 More SecurityManager clean-up ea94837028 is described below commit ea94837028bba83137160b90f255be4aa29f7c70 Author: Mark Thomas <ma...@apache.org> AuthorDate: Thu Jan 19 17:27:37 2023 +0000 More SecurityManager clean-up --- webapps/docs/config/cluster-manager.xml | 14 ++++---------- webapps/docs/config/manager.xml | 26 ++++++++++---------------- webapps/docs/security-howto.xml | 13 +++++++++++++ 3 files changed, 27 insertions(+), 26 deletions(-) diff --git a/webapps/docs/config/cluster-manager.xml b/webapps/docs/config/cluster-manager.xml index 7d742cbe5f..99bc181985 100644 --- a/webapps/docs/config/cluster-manager.xml +++ b/webapps/docs/config/cluster-manager.xml @@ -180,9 +180,7 @@ length or <code>null</code>, all attributes are eligible for replication. The pattern is anchored so the fully qualified class name must fully match the pattern. If not specified, the default value of - <code>null</code> will be used unless a <code>SecurityManager</code> is - enabled in which case the default will be - <code>java\\.lang\\.(?:Boolean|Integer|Long|Number|String)</code>.</p> + <code>null</code> will be used.</p> </attribute> <attribute name="stateTimestampDrop" required="false"> When this node sends a <code>GET_ALL_SESSIONS</code> message to other @@ -201,8 +199,7 @@ attribute, should this be logged at <code>WARN</code> level? If <code>WARN</code> level logging is disabled then it will be logged at <code>DEBUG</code>. The default value of this attribute is - <code>false</code> unless a <code>SecurityManager</code> is enabled in - which case the default will be <code>true</code>.</p> + <code>false</code>.</p> </attribute> </attributes> </subsection> 
@@ -245,9 +242,7 @@ length or <code>null</code>, all attributes are eligible for replication. The pattern is anchored so the fully qualified class name must fully match the pattern. If not specified, the default value of - <code>null</code> will be used unless a <code>SecurityManager</code> is - enabled in which case the default will be - <code>java\\.lang\\.(?:Boolean|Integer|Long|Number|String)</code>.</p> + <code>null</code> will be used.</p> </attribute> <attribute name="terminateOnStartFailure" required="false"> Set to true if you wish to terminate replication map when replication @@ -262,8 +257,7 @@ attribute, should this be logged at <code>WARN</code> level? If <code>WARN</code> level logging is disabled then it will be logged at <code>DEBUG</code>. The default value of this attribute is - <code>false</code> unless a <code>SecurityManager</code> is enabled in - which case the default will be <code>true</code>.</p> + <code>false</code>.</p> </attribute> <attribute name="accessTimeout" required="false"> The timeout for a ping message. If a remote map does not respond within diff --git a/webapps/docs/config/manager.xml b/webapps/docs/config/manager.xml index 93489f8f9c..1b7e0b9169 100644 --- a/webapps/docs/config/manager.xml +++ b/webapps/docs/config/manager.xml @@ -154,9 +154,9 @@ <p>Please note that the session's <code>Principal</code> class as well as its descendant classes are all subject to the <strong>sessionAttributeValueClassNameFilter</strong>. If such a filter - is specified or a <code>SecurityManager</code> is enabled, the names of - the <code>Principal</code> class and descendant classes must match that - filter pattern in order to be restored.</p> + is specified the names of the <code>Principal</code> class and + descendant classes must match that filter pattern in order to be + restored.</p> </attribute> <attribute name="processExpiresFrequency" required="false"> 
@@ -213,9 +213,7 @@ length or <code>null</code>, all attributes are eligible for distribution. The pattern is anchored so the fully qualified class name must fully match the pattern. If not specified, the default value of - <code>null</code> will be used unless a <code>SecurityManager</code> is - enabled in which case the default will be - <code>java\\.lang\\.(?:Boolean|Integer|Long|Number|String)|org\\.apache\\.catalina\\.realm\\.GenericPrincipal\\$SerializablePrincipal|\\[Ljava.lang.String;</code>.</p> + <code>null</code> will be used.</p> </attribute> <attribute name="warnOnSessionAttributeFilterFailure" required="false"> @@ -224,8 +222,7 @@ attribute, should this be logged at <code>WARN</code> level? If <code>WARN</code> level logging is disabled then it will be logged at <code>DEBUG</code>. The default value of this attribute is - <code>false</code> unless a <code>SecurityManager</code> is enabled in - which case the default will be <code>true</code>.</p> + <code>false</code>.</p> </attribute> </attributes> @@ -296,9 +293,9 @@ <p>Please note that the session's <code>Principal</code> class as well as its descendant classes are all subject to the <strong>sessionAttributeValueClassNameFilter</strong>. If such a filter - is specified or a <code>SecurityManager</code> is enabled, the names of - the <code>Principal</code> class and descendant classes must match that - filter pattern in order to be restored.</p> + is specified the names of the <code>Principal</code> class and + descendant classes must match that filter pattern in order to be + restored.</p> </attribute> <attribute name="processExpiresFrequency" required="false"> 
@@ -351,9 +348,7 @@ length or <code>null</code>, all attributes are eligible for distribution. The pattern is anchored so the fully qualified class name must fully match the pattern. If not specified, the default value of - <code>null</code> will be used unless a <code>SecurityManager</code> is - enabled in which case the default will be - <code>java\\.lang\\.(?:Boolean|Integer|Long|Number|String)|org\\.apache\\.catalina\\.realm\\.GenericPrincipal\\$SerializablePrincipal|\\[Ljava.lang.String;</code>.</p> + <code>null</code> will be used.</p> </attribute> <attribute name="warnOnSessionAttributeFilterFailure" required="false"> @@ -362,8 +357,7 @@ attribute, should this be logged at <code>WARN</code> level? If <code>WARN</code> level logging is disabled then it will be logged at <code>DEBUG</code>. The default value of this attribute is - <code>false</code> unless a <code>SecurityManager</code> is enabled in - which case the default will be <code>true</code>.</p> + <code>false</code>.</p> </attribute> </attributes> diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index c437558f11..65684cca67 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml 
@@ -470,6 +470,19 @@ the <strong>JDBCStore</strong> is able to access the persisted session data. In particular, the <strong>JDBCStore</strong> should not be accessible via any credentials available to a web application.</p> + + <p>Manager implementations that persist sessions to storage or replicate + sessions in a cluster typically use Java serialization. While the session + data is considered trusted (since the application is trusted), system + administrators may wish to consider placing restrictions on the Java + serialization. This can be done using the + <strong>sessionAttributeValueClassNameFilter</strong> attribute. A + safe starting value for this attribute is + <code>java\\.lang\\.(?:Boolean|Integer|Long|Number|String)|org\\.apache\\.catalina\\.realm\\.GenericPrincipal\\$SerializablePrincipal|\\[Ljava.lang.String;</code> which + can then be adjusted to meet the needs of the application. If setting a + value for <strong>sessionAttributeValueClassNameFilter</strong> it is + recommended that <strong>warnOnSessionAttributeFilterFailure</strong> is + set to <code>true</code>.</p> </subsection> <subsection name="Cluster"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
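Review bot: In the paragraph added to webapps/docs/security-howto.xml (hunk at -470), the suggested starting value carries over the doubled backslashes from the removed default text ("java\\.lang\\."). That is Java string-literal escaping, but the attribute is set in XML configuration, where a backslash is not an escape character. A value pasted as shown is a regex that expects a literal backslash after "java", so it will not match java.lang.String, and with the anchored match every attribute would be filtered out. Suggest printing the value with single backslashes now that it is presented as something to copy. In the same value, the array alternative "\\[Ljava.lang.String;" leaves its dots unescaped, unlike the rest of the pattern; escaping them keeps the allow-list exact.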
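Review bot: The sessionAttributeValueClassNameFilter hunks in webapps/docs/config/cluster-manager.xml (-180, -245) and webapps/docs/config/manager.xml (-213, -351) drop the restrictive pattern and leave "the default value of null will be used", which the preceding sentence defines as all attributes being eligible. Nothing in these descriptions now points to where the recommended allow-list went. Suggest adding a sentence to each description that links to the new paragraph in security-howto.xml. The same applies to the warnOnSessionAttributeFilterFailure hunks (-201, -262, -224, -362), since the recommendation to set it to true now appears only in the how-to.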
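Review bot: In webapps/docs/config/manager.xml (hunks at -154 and -293), the reworded sentence "If such a filter is specified the names of the Principal class and descendant classes must match ..." needs a comma after "specified" now that the "or a SecurityManager is enabled," clause is gone. It may also be worth stating in the same paragraph that when no filter is specified the Principal classes are restored without any class-name check, since that is the behaviour this change documents as the only default.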