cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security SecurityConfig.java
jfarcand2002/11/07 14:52:25 Modified:catalina/src/share/org/apache/catalina/security SecurityConfig.java Log: By default (if the catalina.properties is not founded), do not protect org.apache.jsp, but org.apache.jasper. org.apache.jsp should not be protected. Revision ChangesPath 1.5 +2 -2 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityConfig.java Index: SecurityConfig.java === RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityConfig.java,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- SecurityConfig.java 4 Nov 2002 05:16:23 - 1.4 +++ SecurityConfig.java 7 Nov 2002 22:52:25 - 1.5 -76,7 +76,7 private final static String PACKAGE_ACCESS = sun., + org.apache.catalina. -+ ,org.apache.jsp. ++ ,org.apache.jasper. + ,org.apache.coyote. + ,org.apache.tomcat.; -84,7 +84,7 + ,org.apache.catalina. + ,org.apache.coyote. + ,org.apache.tomcat. -+ ,org.apache.jsp.; ++ ,org.apache.jasper.; /** * List of protected package from conf/catalina.properties */ -- To unsubscribe, e-mail: mailto:tomcat-dev-unsubscribe;jakarta.apache.org For additional commands, e-mail: mailto:tomcat-dev-help;jakarta.apache.org
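Review bot: The reason org.apache.jsp. is dropped from both default lists exists only in the log message; neither the PACKAGE_ACCESS nor the PACKAGE_DEFINITION literal carries a hint, so the next reader is likely to "fix" the apparent omission. Add a comment above PACKAGE_ACCESS such as `// org.apache.jsp. is deliberately absent: generated JSP classes are compiled into that package, so web applications must stay free to load and define it.` These constants are only the fallback used when catalina.properties cannot be read (introduced in rev 1.4), so if conf/catalina.properties ships its own package.access and package.definition values, the same jsp-to-jasper edit is needed there too; that file is not part of this commit.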
cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security SecurityConfig.java SecurityClassLoad.java
jfarcand2002/11/03 21:16:23 Modified:catalina/src/share/org/apache/catalina/security SecurityConfig.java SecurityClassLoad.java Log: Use the catalina.properties file to customize the package protection/access. This new security m echanism enable the customization, at runtime, of which package should be protected. the following package will be protected by default: o.a.catalina o.a.jasper(*) o.a.coyote o.a.tomcat.util (*) Tomcat 5 is broken when a JSP use a class from jsp20el.jar and when the SecurityManager is t urned on. Even if you remove all the protection, Tomcat fail to properly runs the example. o.a.coyote.tomcat5 has been securized in order to support package protection. Revision ChangesPath 1.4 +48 -14 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityConfig.java Index: SecurityConfig.java === RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityConfig.java,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- SecurityConfig.java 24 Oct 2002 02:43:20 - 1.3 +++ SecurityConfig.java 4 Nov 2002 05:16:23 - 1.4 -59,6 +59,7 package org.apache.catalina.security; import java.security.Security; +import org.apache.catalina.startup.CatalinaProperties; /** * Util class to protect Catalina against package access and insertion. -68,27 +69,51 */ public final class SecurityConfig{ private static SecurityConfig singleton = null; + +private static org.apache.commons.logging.Log log= +org.apache.commons.logging.LogFactory.getLog( SecurityConfig.class ); + -private final static String PACKAGE_ACCESS = org.apache.catalina. -+ ,org.apache.jasper. +private final static String PACKAGE_ACCESS = sun., ++ org.apache.catalina. + ,org.apache.jsp. -+ ,org.apache.jk.; ++ ,org.apache.coyote. ++ ,org.apache.tomcat.; -private final static String PACKAGE_DEFINITION= java. +private final static String PACKAGE_DEFINITION= java.,sun. + ,org.apache.catalina. -+ ,org.apache.jasper. 
+ ,org.apache.coyote. -+ ,org.apache.jsp. -+ ,org.apache.jk.; ++ ,org.apache.tomcat. ++ ,org.apache.jsp.; +/** + * List of protected package from conf/catalina.properties + */ +private String packageDefinition; + + +/** + * List of protected package from conf/catalina.properties + */ +private String packageAccess; + + /** * Create a single instance of this class. */ -private SecurityConfig(){ +private SecurityConfig(){ +try{ +packageDefinition = CatalinaProperties.getProperty(package.definition); +packageAccess = CatalinaProperties.getProperty(package.access); +} catch (java.lang.Exception ex){ +if (log.isDebugEnabled()){ +log.debug(Unable to load properties using CatalinaProperties, ex); +} +} } /** - * Retuens the singleton instance of that class. + * Returns the singleton instance of that class. * return an instance of that class. */ public static SecurityConfig newInstance(){ -103,7 +128,12 * Set the security package.access value. */ public void setPackageAccess(){ -setSecurityProperty(package.access, PACKAGE_ACCESS); +// If catalina.properties is missing, protect all by default. +if (packageAccess == null){ +setSecurityProperty(package.access, PACKAGE_ACCESS); +} else { +setSecurityProperty(package.access, packageAccess); +} } -111,7 +141,12 * Set the security package.definition value. */ public void setPackageDefinition(){ -setSecurityProperty(package.definition, PACKAGE_DEFINITION); +// If catalina.properties is missing, protect all by default. + if (packageDefinition == null){ +
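Review bot: In the new SecurityConfig() constructor a failure to read package.definition or package.access from CatalinaProperties is caught as java.lang.Exception and reported only when debug logging is enabled, so an unreadable or malformed catalina.properties silently switches the SecurityManager policy to the built-in defaults with nothing in the normal log. Because this decides which packages are protected at runtime, the fallback deserves a warning: replace the debug guard with `log.warn("Unable to load package.access/package.definition from catalina.properties, using built-in defaults", ex);`. Narrowing the catch to whatever CatalinaProperties.getProperty can actually throw would also stop it from hiding programming errors, though that method's signature is not visible here.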
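Review bot: setPackageAccess() falls back to PACKAGE_ACCESS only when packageAccess is null, so a package.access entry that is present but empty is passed to setSecurityProperty verbatim and removes the package protection entirely without any log line saying so, which contradicts the new "protect all by default" comment. If a blank value is not meant to be a way of disabling protection, treat it like a missing one with `if (packageAccess == null || packageAccess.trim().length() == 0) {`; if it is meant to, log the value actually applied at info level so an operator can confirm the effective policy. The setPackageDefinition() hunk below has the same shape; its body runs past the end of the page.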
cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security SecurityConfig.java
jfarcand2002/10/16 13:05:29 Added: catalina/src/share/org/apache/catalina/security SecurityConfig.java Log: Refactorize Catalina.java and CatalinaService.java. Merge the security code into a single class. Revision ChangesPath 1.1 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityConfig.java Index: SecurityConfig.java === /* * * * The Apache Software License, Version 1.1 * * Copyright (c) 1999 The Apache Software Foundation. All rights * reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright *notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright *notice, this list of conditions and the following disclaimer in *the documentation and/or other materials provided with the *distribution. * * 3. The end-user documentation included with the redistribution, if *any, must include the following acknowlegement: * This product includes software developed by the *Apache Software Foundation (http://www.apache.org/). *Alternately, this acknowlegement may appear in the software itself, *if and wherever such third-party acknowlegements normally appear. * * 4. The names The Jakarta Project, Tomcat, and Apache Software *Foundation must not be used to endorse or promote products derived *from this software without prior written permission. For written *permission, please contact [EMAIL PROTECTED] * * 5. Products derived from this software may not be called Apache *nor may Apache appear in their names without prior written *permission of the Apache Group. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. 
IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * * This software consists of voluntary contributions made by many * individuals on behalf of the Apache Software Foundation. For more * information on the Apache Software Foundation, please see * http://www.apache.org/. * * [Additional notices, if required by prior licensing conditions] * */ package org.apache.catalina.security; import java.security.Security; /** * Util class to protect Catalina against package access and insertion. * The code are been moved from Catalina.java * @author the Catalina.java authors * @author Jean-Francois Arcand */ public final class SecurityConfig{ private static SecurityConfig singleton = null; private final static String PACKAGE_ACCESS = org.apache.catalina. + ,org.apache.jasper. + ,org.apache.coyote. + ,org.apache.tomcat.; private final static String PACKAGE_DEFINITION= java., + PACKAGE_ACCESS; /** * Create a single instance of this class. */ private SecurityConfig(){ } /** * Retuens the singleton instance of that class. * @return an instance of that class. */ public static SecurityConfig newInstance(){ if (singleton == null){ singleton = new SecurityConfig(); } return singleton; } /** * Set the security package.access value. */ public void setPackageAccess(){ setSecurityProperty(package.access, PACKAGE_ACCESS); } /** * Set the security package.definition value. */ public void setPackageDefinition(){ setSecurityProperty(package.definition, PACKAGE_DEFINITION); } /** * Set the