[
http://jira.xwiki.org/jira/browse/XWIKI-348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_20609
]
Sergiu Dumitriu commented on XWIKI-348:
---------------------------------------
I tried to determine the minimum security rules which must be added in order
for XWiki to work. With the current trunk (rev. 6639), these changes are needed:
- Remove the xerxesImpl jar, as it will be used by Tomcat to load it's own
resources, thus throwing security exceptions. I'd say this is a bug in Tomcat.
- Disable the file logger in log4j.properties
- Add the following in a policy file:
grant codeBase "file:${catalina.home}/webapps/xwiki/WEB-INF/lib/-" {
permission java.util.PropertyPermission "file.encoding", "read";
// Needed by Hibernate -> antlr
permission java.util.PropertyPermission "ANTLR_DO_NOT_EXIT", "read";
permission java.util.PropertyPermission "ANTLR_USE_DIRECT_CLASS_LOADING",
"read";
// Needed by Plexus. Can be omitted if Plexus is disabled (OK in XWiki <= 1.2)
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
// Needed by Plexus and Hibernate
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
// Needed by commons-logging
permission java.util.PropertyPermission
"org.apache.commons.logging.LogFactory.HashtableImpl", "read";
// Needed for connecting to the database
permission java.net.SocketPermission "127.0.0.1:3306", "connect,resolve";
// Needed by the scheduler plugin -> quartz, but works without (maybe except
scheduling? should be checked)
// permission java.util.PropertyPermission "org.quartz.properties", "read";
};
Our code is pretty safe for the moment, but some of the projects we are using
have some problems, like antlr (v3 doesn't require them, but Hibernate still
uses v2), hibernate and plexus which require custom class loading and
reflection, and commons-logging.
> XWiki does not work with java security on
> -----------------------------------------
>
> Key: XWIKI-348
> URL: http://jira.xwiki.org/jira/browse/XWIKI-348
> Project: XWiki Platform
> Issue Type: Improvement
> Components: Core
> Affects Versions: 0.9.1252
> Environment: Debian, tomcat -secure
> Reporter: Sergiu Dumitriu
> Assigned To: Sergiu Dumitriu
> Priority: Critical
> Fix For: Future
>
>
> Servlets can work in two security models: the standard servlet model and the
> standard java model.
> The standard servlet model is on by default on most distributions and web
> servers. In this model, a webapp cannot exit the directory specified by the
> docBase attribute of the Context element, but no other restrictions apply,
> meaning that a servelt or jsp can call System.exit() and shut down the whole
> server. In this model, / in a path means the directory or .war file of the
> webapp.
> The java security model is the one active for applets and WebStart
> applications. Such an application can access anything as long as there is a
> policy that gives the proper rights. This model can be selected in tomcat by
> starting it with "tomcat start -security". In this model, / means the system
> root.
> The problem is that all paths in XWiki are specified with a leading /. So,
> every file is searched on the root filesystem instead of the XWiki directory.
> This can be fixed by removing the leading / in all paths. The servlet
> specification says that all relative paths start from the docBase, so nothing
> else should be changed.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.xwiki.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
_______________________________________________
notifications mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/notifications
