Re: [Resin-interest] Security Manager and JSPs

2009-08-28 Thread Scott Ferguson

On Aug 26, 2009, at 11:13 PM, Kai Virkki wrote:

> Hi,
>
> Is it really so that nobody uses JSPs and SecurityManager with Resin?
> :) Could this problem be solved by pre-compiling jsps to Java classes?
> Now we just let Resin handle the compilation from directories under
> WEB-INF.

Well, the security manager kills performance, so we generally  
discourage it.  I've added a bug report, though.

-- Scott



> Cheers,
>
> Kai
>
> 2009/8/25 Kai Virkki kai.vir...@gmail.com:
>> Hi!
>>
>> We are trying to use SecurityManager with Resin 3.1.9 and run into the
>> following problem: CodeSource.getLocation() returns null for compiled
>> JSPs.
>>
>> This means that we cannot use a specific codebase in grant clause in
>> our policy file, for example:
>>
>> grant codeBase "file:/path_to_resin/runtime/work/-" {
>> OR grant codeBase "file:/path_to_resin/webapp/JSP-source/-" {
>> ...some jsp-specific permissions
>> };
>>
>> Instead, we have to use a universal grant clause:
>> grant {
>> ..some jsp-specific permissions. Unfortunately, these will be applied
>> to all code!!!
>> };
>>
>> Is there a way to make JSPs have a proper CodeSource?
>>
>> Cheers,
>>
>> Kai
>
> ___
> resin-interest mailing list
> resin-interest@caucho.com
> http://maillist.caucho.com/mailman/listinfo/resin-interest





Re: [Resin-interest] Security Manager and JSPs

2009-08-27 Thread Kai Virkki

Hi,

Is it really so that nobody uses JSPs and SecurityManager with Resin?
:) Could this problem be solved by pre-compiling jsps to Java classes?
Now we just let Resin handle the compilation from directories under
WEB-INF.

Cheers,

Kai



Re: [Resin-interest] Security Manager and JSPs

2009-08-27 Thread Daniel López

Hi,

The only server where we have to limit such things is still using a 
Resin 2.1.17, but in case it helps, that's how we do it:

We configure the application to have the work directory in a specific 
place (.../ServerX/work/) and then...

... global restricted permissions for everyone.
... all permissions for core classes and Resin classes.
//
// Give a specific web-app additional permissions.
//
grant codeBase "file:${user.home}/Apps/ServerX/AppY/-" {
    permission java.io.FilePermission "${user.home}/Apps/ServerX/AppY/-", "read,write,delete";
    permission java.io.FilePermission "${resin.home}/WEB-INF/-", "read";
    permission java.io.FilePermission "${user.home}/Apps/ServerX/work/-", "read,write";
    permission java.io.FilePermission "${user.home}/Apps/ServerX/work/", "read,write";
};
// Compiled JSP classes are generated under the work directory.
grant codeBase "file:${user.home}/Apps/ServerX/work/-" {
    permission java.io.FilePermission "${resin.home}/WEB-INF/-", "read";
    permission java.io.FilePermission "${user.home}/Apps/ServerX/work/-", "read,write";
    permission java.io.FilePermission "${user.home}/Apps/ServerX/work/", "read,write";
};

In this case the App uses an in-memory database that is stored inside 
WEB-INF/db, so no network access is required. For the JSPs, codeBase 
file:${user.home}/Apps/ServerX/work/- works for us as that's where the 
.class files are generated.

But as I've said, that is a 2.1.17 installation so some things might 
have changed for Resin 3.X. I remember it was quite a pain of trial and 
error to get to this in the first place, so that's why I haven't updated 
it in a while :).

D.
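
The codeBase matching behind both reports in this thread, as an added example that is not part of the original messages and is not Resin code: it uses the JDK's `CodeSource.implies`, whose rules a `codeBase` entry is matched by, to compare a work-directory grant and a grant without codeBase against classes with and without a location. The class name `CodeBaseMatch`, its helper methods and the two class locations are made up for illustration.

```java
import java.net.URI;
import java.net.URL;
import java.security.CodeSource;
import java.security.cert.Certificate;

public class CodeBaseMatch {
    // Unsigned CodeSource for a URL string; null stands for "no location",
    // i.e. a grant without codeBase or a class whose getLocation() is null.
    static CodeSource source(String location) throws Exception {
        URL url = (location == null) ? null : URI.create(location).toURL();
        return new CodeSource(url, (Certificate[]) null);
    }

    // Would a grant entry with this codeBase apply to a class at classLocation?
    static boolean grantApplies(String codeBase, String classLocation) throws Exception {
        return source(codeBase).implies(source(classLocation));
    }

    // Diagnostic: where a loaded class claims to come from. Calling this with
    // a JSP's own class shows which codeBase entry, if any, can match it.
    static String locationOf(Class<?> c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        return (cs == null || cs.getLocation() == null)
                ? "<no location>" : cs.getLocation().toString();
    }

    public static void main(String[] args) throws Exception {
        String workGrant = "file:/path_to_resin/runtime/work/-"; // from the thread
        // Constructed class locations, for illustration only.
        String jspClass = "file:/path_to_resin/runtime/work/_jsp/_index__jsp.class";
        String otherJar = "file:/path_to_resin/lib/other.jar";

        System.out.println("work grant, JSP with location:    " + grantApplies(workGrant, jspClass));
        System.out.println("work grant, unrelated jar:        " + grantApplies(workGrant, otherJar));
        System.out.println("work grant, JSP without location: " + grantApplies(workGrant, null));
        System.out.println("universal grant, JSP without location: " + grantApplies(null, null));
        System.out.println("universal grant, unrelated jar:        " + grantApplies(null, otherJar));
        System.out.println("this class is loaded from: " + locationOf(CodeBaseMatch.class));
    }
}
```

Only the entry without a codeBase matches the class that has no location, and that same entry also matches every other class, which is the over-broad grant described in the original question.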

