Hi,
The only server where we have to limit such things is still using a
Resin 2.1.17, but in case it helps, that's how we do it:
We configure the application to have the work directory in a specific
place (.../ServerX/work/) and then...
... global restricted permissions for everyone.
... all permissions for core classes and Resin classes.
    //
    // Give a specific web-app additional permissions.
    //
    grant codeBase "file:${user.home}/Apps/ServerX/AppY/-" {
        permission java.io.FilePermission
            "${user.home}/Apps/ServerX/AppY/-", "read,write,delete";
        permission java.io.FilePermission "${resin.home}/WEB-INF/-",
            "read";
        permission java.io.FilePermission
            "${user.home}/Apps/ServerX/work/-", "read,write";
        permission java.io.FilePermission
            "${user.home}/Apps/ServerX/work/", "read,write";
    };

    grant codeBase "file:${user.home}/Apps/ServerX/work/-" {
        permission java.io.FilePermission "${resin.home}/WEB-INF/-",
            "read";
        permission java.io.FilePermission
            "${user.home}/Apps/ServerX/work/-", "read,write";
        permission java.io.FilePermission
            "${user.home}/Apps/ServerX/work/", "read,write";
    };
In this case the App uses an in-memory database that is stored inside
WEB-INF/db, so no network access is required. For the JSPs, codeBase
"file:${user.home}/Apps/ServerX/work/-" works for us as that's where the
.class files are generated.
But as I've said, that is a 2.1.17 installation so some things might
have changed for Resin 3.X. I remember it was quite a pain of trial and
error to get to this in the first place, so that's why I haven't updated
it in a while :).
D.
Kai Virkki wrote:
> Hi,
>
> Is it really so that nobody uses JSPs and SecurityManager with Resin?
> :) Could this problem be solved by pre-compiling jsps to Java classes?
> Now we just let Resin handle the compilation from directories under
> WEB-INF.
>
> Cheers,
>
> Kai
>
> 2009/8/25 Kai Virkki <[email protected]>:
>> Hi!
>>
>> We are trying to use SecurityManager with Resin 3.1.9 and run into the
>> following problem: CodeSource.getLocation() returns null for compiled
>> JSPs.
>>
>> This means that we cannot use a specific codebase in grant clause in
>> our policy file, for example:
>>
>> grant codeBase "file:/path_to_resin/runtime/work/-" {
>> OR grant codeBase "file:/path_to_resin/webapp/JSP-source/-" {
>> ...some jsp-specific permissions
>> };
>>
>> Instead, we have to use a universal grant clause:
>> grant {
>> ..some jsp-specific permissions. Unfortunately, these will be applied
>> to all code!!!
>> };
>>
>> Is there a way to make JSPs have a proper CodeSource?
>>
>> Cheers,
>>
>> Kai
_______________________________________________
resin-interest mailing list
[email protected]
http://maillist.caucho.com/mailman/listinfo/resin-interest
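
Added example, not part of the thread and not Resin code: it uses the same CodeSource.implies comparison that the JDK's default policy provider applies to codeBase entries, to show that a "work/-" grant never matches a class whose CodeSource location is null, while a bare grant matches everything. The class name CodeBaseMatch, its helper methods and all paths are constructed for illustration.

```java
import java.net.URI;
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;

public class CodeBaseMatch {

    // CodeSource for a policy entry or a loaded class; null models a bare
    // "grant { ... }" entry or a class defined without a location.
    static CodeSource source(String location) throws Exception {
        URL url = (location == null) ? null : URI.create(location).toURL();
        return new CodeSource(url, (Certificate[]) null);
    }

    // Would permissions granted to 'grant' apply to code whose CodeSource is 'loaded'?
    static boolean applies(CodeSource grant, CodeSource loaded) {
        return grant.implies(loaded);
    }

    // Diagnostic for a live class, e.g. a compiled JSP: where does it claim to come from?
    static String locationOf(Class<?> c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        return (cs == null || cs.getLocation() == null) ? "null" : cs.getLocation().toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed paths, not taken from any real installation.
        CodeSource workGrant = source("file:/srv/ServerX/work/-");
        CodeSource bareGrant = source(null);
        CodeSource jspWithLocation = source("file:/srv/ServerX/work/_jsp/_index__jsp.class");
        CodeSource jspNullLocation = source(null);

        System.out.println("work/- grant, JSP with location:  " + applies(workGrant, jspWithLocation));
        System.out.println("work/- grant, JSP, null location: " + applies(workGrant, jspNullLocation));
        System.out.println("bare grant,   JSP, null location: " + applies(bareGrant, jspNullLocation));
        System.out.println("this class loaded from:           " + locationOf(CodeBaseMatch.class));
    }
}
```

Calling locationOf on a compiled JSP's class from inside the container shows whether the container assigned it a location that a codeBase entry can match.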