It's a great proposal. Just one thing: Read/Write File permissions and the directory
tree they apply to will be included in the Servlet permission, right?
Glenn Nielsen [EMAIL PROTECTED] wrote:
Due to recent questions about the
SecurityManager implementation in
Tomcat 4 I decided to post my proposal for overhauling how security
policies are managed in Tomcat 4. This is something I have wanted
to do for a while but has been sitting on the back burner as I have
been very busy with other work (non open source) related projects.
Regards,
Glenn
--
Glenn Nielsen [EMAIL PROTECTED] | /* Spelin donut madder |
MOREnet System Programming | * if iz ina coment. |
Missouri Research and Education Network | */ |
[PROPOSAL]
Implement new Catalina SecurityManager Policy class
Overview
==
Currently all Java SecurityManager permissions are set using the
catalina.policy file using the default Sun PolicyFile class.
This works fine for setting security policies but makes use of
a policy with more restrictive permissions very painstaking to
configure, and makes it impossible for those responsible for
an individual web application to set their own security policies
unless they have access to the catalina.policy file.
Implementation Summary
==
Allow an alternate Policy class to be configured in conf/server.xml
so that the code which manages security policies is configurable.
Since the JVM bootstrap class loader is used for the JVM itself
and the JVM classpath class loader is used for bin/bootstrap.jar,
permissions for these CodeSources would still need to be configured
in catalina.policy.
The replacement Policy class would be used to set permissions for
all classes loaded by internal catalina class loaders.
If no replacement Policy class is defined in server.xml the catalina.policy
would be the sole source of security policy permission grants.
Security Policy Management
==
Rather than use a CodeBase which is a valid file URL to a code source,
the CodeBase will be based on function with the following hierarchy.
Assigning permissions by function rather than codeBase should make
configuring the security policies easier. Once the code is implemented
so that policy can be managed by function, the security permissions
required by catalina can be generated by the new admin web app.
Server Permissions Functional Hierarchy
---
The following are for configuring the permissions for the Catalina Server.
Server - Entire servlet container
Permissions applied to the following jar files:
server/lib/catalina.jar
Server/Jasper - JSP Compiler and Runtime permissions
Permissions required here are also assigned to the Server.
Permissions applied to the following jar files:
shared/lib/jasper-compiler.jar
shared/lib/jasper-runtime.jar
server/webapps/admin/WEB-INF/lib/jasper-compiler.jar
server/webapps/admin/WEB-INF/lib/jasper-runtime.jar
server/webapps/manager/WEB-INF/lib/jasper-compiler.jar
server/webapps/manager/WEB-INF/lib/jasper-runtime.jar
Server/Servlet
Permissions assigned here are assigned to
the Server and the following jar files:
common/lib/servlet.jar
server/lib/servlets-invoker.jar
Server/Servlet/CGI - Permissions granted for CGI Servlet
Permissions assigned here are assigned to
the Server, Server/Servlet, and servlets-cgi.jar.
Server/Servlet/SSI - Permissions granted for SSI Servlet
Permissions assigned here are assigned to
the Server, Server/Servlet, and servlets-ssi.jar.
Server/Servlet/Webdav - Permissions granted to webdav servlet
Permissions assigned here are assigned to
the Server, Server/Servlet, and servlets-webdav.jar.
Server/Servlet/Manager - Permissions granted to manager servlet
Permissions assigned here are assigned to
the Server, Server/Servlet, and servlets-manager.jar.
Server/Database - Permissions for db connectivity
Permissions assigned here are also assigned to
the Server and Server/Jasper.
Permissions applied to the following jar files:
common/lib/{tyrex}.jar
common/lib/{jdbc driver}.jar
server/lib/commons-dbcp.jar
Q. Since both tyrex and commons-dbcp fulfill the same
function, can't the jar file for tyrex be moved to
server/lib?
Server/Mail - Permissions for sending/getting email
Permissions assigned here are also assigned to
the Server and Server/Jasper.
Maximum and Default permissions for web applications
---
The following set the maximum and default permissions for web
applications, scoped globally, by host, or for a single webapp.
Server/Max - Maximum allowed permissions for all webapps
Permissions for Server/Max are assigned to servlet.jar
Server/Default - Default permissions granted to all webapps
Server/Host/Max - Maximum allowed permissions to all webapps for this host
Server/Host/Default - Default permissions
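As an added sketch (not code from Glenn's proposal or from Tomcat), here is a java.security.Policy subclass that resolves the functional hierarchy described above: a grant made at Server/Servlet/CGI is also effective for Server/Servlet and Server, because those container frames are on the call stack when the check runs, while a grant at Server/Mail stays invisible to servlets-cgi.jar. The jar paths under /opt/tomcat, the jar-to-function table and the permissions granted are assumptions chosen for the demo.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.net.URL;
import java.security.*;
import java.security.cert.Certificate;
import java.util.*;

// Added sketch, not Tomcat code: grants keyed by function name instead of a
// file-URL codeBase. A grant also applies to every ancestor function, because
// container frames (catalina.jar) are on the stack whenever a servlet uses it.
public class FunctionalPolicy extends Policy {
    // Hypothetical jar-suffix -> function table built from the proposal's hierarchy.
    private static final Map<String, String> JAR_TO_FUNCTION = Map.of(
        "server/lib/catalina.jar", "Server", "common/lib/servlet.jar", "Server/Servlet",
        "server/lib/servlets-cgi.jar", "Server/Servlet/CGI");
    private final Map<String, List<Permission>> grants = new HashMap<>();
    public void grant(String function, Permission p) {
        grants.computeIfAbsent(function, k -> new ArrayList<>()).add(p);
    }
    static String functionFor(CodeSource cs) {
        if (cs == null || cs.getLocation() == null) return null;
        String path = cs.getLocation().getPath();
        for (Map.Entry<String, String> e : JAR_TO_FUNCTION.entrySet())
            if (path.endsWith(e.getKey())) return e.getValue();
        return null; // unmapped code source: deny by default
    }
    @Override
    public PermissionCollection getPermissions(CodeSource cs) {
        Permissions pc = new Permissions();
        String fn = functionFor(cs);
        if (fn == null) return pc;
        // Own grants plus every descendant's: "Server" gets Server/Servlet/CGI grants.
        for (Map.Entry<String, List<Permission>> e : grants.entrySet())
            if (e.getKey().equals(fn) || e.getKey().startsWith(fn + "/"))
                for (Permission p : e.getValue()) pc.add(p);
        return pc;
    }
    public static void main(String[] args) throws Exception {
        FunctionalPolicy policy = new FunctionalPolicy();
        policy.grant("Server/Servlet/CGI", new FilePermission("/opt/cgi-bin/-", "read,execute"));
        policy.grant("Server/Mail", new SocketPermission("mail.example:25", "connect"));
        Permission read = new FilePermission("/opt/cgi-bin/test.sh", "read");
        Permission smtp = new SocketPermission("mail.example:25", "connect");
        for (String j : JAR_TO_FUNCTION.keySet()) {
            PermissionCollection pc = policy.getPermissions(
                new CodeSource(new URL("file:/opt/tomcat/" + j), new Certificate[0]));
            System.out.println(j + ": cgi-bin read=" + pc.implies(read) + " smtp=" + pc.implies(smtp));
        }
    }
}
```

Install it with Policy.setPolicy(...) before the SecurityManager is enabled; code loaded by the bootstrap or JVM classpath loaders is deliberately unmapped here and would still need catalina.policy, as the proposal notes.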