Re: [PROPOSAL] - Tomcat 4, implement new Catalina SecurityManager Policy class

2002-02-26 Thread Renato Weiner


It's a great proposal. Just one thing: the Read/Write File permissions and the directory
tree they apply to will be included in the Servlet permission, right?

Glenn Nielsen [EMAIL PROTECTED] wrote:
Due to recent questions about the SecurityManager implementation in
Tomcat 4 I decided to post my proposal for overhauling how security
policies are managed in Tomcat 4. This is something I have wanted
to do for a while but has been sitting on the back burner as I have
been very busy with other work (non open source) related projects.

Regards,

Glenn

--
Glenn Nielsen [EMAIL PROTECTED] | /* Spelin donut madder |
MOREnet System Programming | * if iz ina coment. |
Missouri Research and Education Network | */ |
--

[PROPOSAL] - Implement new Catalina SecurityManager Policy class

Overview
========

Currently all Java SecurityManager permissions are set using the
catalina.policy file using the default Sun PolicyFile class.
This works fine for setting security policies but makes use of
a policy with more restrictive permissions very painstaking to
configure. And makes it impossible for those responsible for
an individual web application to set their own security policies
unless they have access to the catalina.policy file.

Implementation Summary
======================

Allow an alternate Policy class to be configured in conf/server.xml
so that the code which manages security policies is configurable.

Since the JVM bootstrap class loader is used for the JVM itself
and the JVM classpath class loader is used for bin/bootstrap.jar,
permissions for these CodeSources would still need to be configured
in catalina.policy.

The replacement Policy class would be used to set permissions for
all classes loaded by internal catalina class loaders.

If no replacement Policy class is defined in server.xml the catalina.policy
would be the sole source of security policy permission grants.

Security Policy Management
==========================

Rather than use a CodeBase which is a valid file URL to a code source,
the CodeBase will be based on function with the following hierarchy.
Assigning permissions by function rather than codeBase should make
configuring the security policies easier. Once the code is implemented
so that policy can be managed by function, the security permissions
required by catalina can be generated by the new admin web app.

Server Permissions Functional Hierarchy
---------------------------------------

The following are for configuring the permissions for the Catalina Server.

Server - Entire servlet container
Permissions applied to following jar files:

server/lib/catalina.jar

Server/Jasper - JSP Compiler and Runtime permissions
Permissions required here are also assigned to the Server.
Permissions applied to following jar files:

shared/lib/jasper-compiler.jar
shared/lib/jasper-runtime.jar
server/webapps/admin/WEB-INF/lib/jasper-compiler.jar
server/webapps/admin/WEB-INF/lib/jasper-runtime.jar
server/webapps/manager/WEB-INF/lib/jasper-compiler.jar
server/webapps/manager/WEB-INF/lib/jasper-runtime.jar

Server/Servlet
Permissions assigned here are assigned to
the Server and the following jar files:

common/lib/servlet.jar
server/lib/servlets-invoker.jar

Server/Servlet/CGI - Permissions granted for CGI Servlet
Permissions assigned here are assigned to
the Server, Server/Servlet, and servlets-cgi.jar.

Server/Servlet/SSI - Permissions granted for SSI Servlet
Permissions assigned here are assigned to
the Server, Server/Servlet, and servlets-ssi.jar.

Server/Servlet/Webdav - Permissions granted to webdav servlet
Permissions assigned here are assigned to
the Server, Server/Servlet, and servlets-webdav.jar.

Server/Servlet/Manager - Permissions granted to manager servlet
Permissions assigned here are assigned to
the Server, Server/Servlet, and servlets-manager.jar.

Server/Database - Permissions for db connectivity
Permissions assigned here are also assigned to
the Server and Server/Jasper.
Permissions applied to following jar files:

common/lib/{tyrex}.jar
common/lib/{jdbc driver}.jar
server/lib/commons-dbcp.jar

Q. Since both tyrex and commons-dbcp fulfill the same
function, can't the jar file for tyrex be moved to
server/lib?

Server/Mail - Permissions for sending/getting email
Permissions assigned here are also assigned to
the Server and Server/Jasper.

Maximum and Default permissions for web applications
----------------------------------------------------

The following set the maximum and default permissions for web
applications scope globally, by host, or a single webapp.

Server/Max - Maximum allowed permissions for all webapps
Permissions for Server/Max are assigned to servlet.jar
Server/Default - Default permissions granted to all webapps
Server/Host/Max - Maximum allowed permissions to all webapps for this host
Server/Host/Default - Default permissions 
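An added illustration (not Tomcat code and not part of the proposal) of the "grant by function" rule described above: a permission granted at a leaf such as Server/Servlet/CGI is implied for the jar mapped to that node and for every ancestor node, matching the proposal's statement that a child's permissions are also assigned to Server/Servlet and the Server. The class name, the jar-to-function mapping and the sample file paths are assumptions.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.*;

/** Illustration only: grants keyed by functional node rather than by CodeBase URL. */
public class FunctionalPolicy {
    // grants recorded per functional node, e.g. "Server/Servlet/CGI"
    private final Map<String, List<Permission>> grants = new LinkedHashMap<>();
    // which jar is served by which node (assumed mapping, mirrors the hierarchy above)
    private final Map<String, String> jarToFunction = new HashMap<>();

    public void map(String jar, String function) { jarToFunction.put(jar, function); }

    public void grant(String function, Permission p) {
        grants.computeIfAbsent(function, k -> new ArrayList<>()).add(p);
    }

    /** A node's permissions are its own grants plus every descendant's grants,
     *  because the proposal assigns a child's permissions to its parents as well. */
    public PermissionCollection permissionsFor(String function) {
        Permissions collected = new Permissions();
        for (Map.Entry<String, List<Permission>> e : grants.entrySet()) {
            String node = e.getKey();
            if (node.equals(function) || node.startsWith(function + "/")) {
                for (Permission p : e.getValue()) collected.add(p);
            }
        }
        return collected;
    }

    /** Would code loaded from this jar be allowed the permission? */
    public boolean implies(String jar, Permission p) {
        String function = jarToFunction.get(jar);
        return function != null && permissionsFor(function).implies(p);
    }

    public static void main(String[] args) {
        FunctionalPolicy policy = new FunctionalPolicy();
        policy.map("server/lib/catalina.jar", "Server");
        policy.map("common/lib/servlet.jar", "Server/Servlet");
        policy.map("server/lib/servlets-cgi.jar", "Server/Servlet/CGI");
        // sample grant at the CGI leaf (constructed path, not a real Tomcat default)
        policy.grant("Server/Servlet/CGI", new FilePermission("/srv/cgi-bin/-", "read,execute"));
        Permission script = new FilePermission("/srv/cgi-bin/hello.cgi", "read");
        System.out.println("cgi jar:     " + policy.implies("server/lib/servlets-cgi.jar", script));
        System.out.println("servlet jar: " + policy.implies("common/lib/servlet.jar", script));
        System.out.println("catalina:    " + policy.implies("server/lib/catalina.jar", script));
        System.out.println("webapp jar:  " + policy.implies("webapps/x/WEB-INF/lib/x.jar", script));
    }
}
```

The last lookup shows that a jar not mapped to any functional node (such as a web application's own code) receives nothing from the server hierarchy; under the proposal it would fall under Server/Default instead.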

Re: [PROPOSAL] - Tomcat 4, implement new Catalina SecurityManager Policy class

2002-02-25 Thread Remy Maucherat

 Due to recent questions about the SecurityManager implementation in
 Tomcat 4 I decided to post my proposal for overhauling how security
 policies are managed in Tomcat 4.  This is something I have wanted
 to do for a while but has been sitting on the back burner as I have
 been very busy with other work (non open source) related projects.

Yes, I think it looks good, and full of useful features.

The only thing is that IMO it should be integrated in the server.xml file
and its child files. I don't see any reason to keep that in separate config
files.

I think I could implement it if I have some time, which is a possibility
after I finish Coyote.

Remy


--
To unsubscribe, e-mail:   mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: [PROPOSAL] - Tomcat 4, implement new Catalina SecurityManager Policy class

2002-02-25 Thread Remy Maucherat

 Remy Maucherat wrote:
 
   Due to recent questions about the SecurityManager implementation in
   Tomcat 4 I decided to post my proposal for overhauling how security
   policies are managed in Tomcat 4.  This is something I have wanted
   to do for a while but has been sitting on the back burner as I have
   been very busy with other work (non open source) related projects.
 
  Yes, I think it looks good, and full of useful features.

 Thanks.

  The only thing is that IMO it should be integrated in the server.xml file
  and its child files. I don't see any reason to keep that in separate config
  files.

 server.xml child files ??

Like the ones used for the admin and manager webapps (webapps/admin.xml and
webapps/manager.xml). It's just as if that XML fragment was inserted in the
server.xml file.

  I think I could implement it if I have some time, which is a possibility
  after I finish Coyote.

 What's the timeline on that?

Whenever I stop trying to fix bugs for one whole week. Of course, it's less of
a priority now that (unexpectedly) JK is out there and fully supported.
I still have some design decisions to make for the Catalina wrapper (the
HTTP stack itself looks good enough already).

 I originally wrote that proposal Jan 3, but was sitting on it
 because I was very busy with other projects.  I have some time now to
 work on it.  I'll see if I can flesh out the design some more.

No problem then, I was just suggesting that if you didn't have time.

 BTW, I have been testing Tomcat 4.1-dev built from CVS using java 1.4 with
 -security.  Tomcat runs fine with the default catalina.policy, but fails
 when I use a more restrictive policy.  I think the problem is in Java 1.4,
 I have filed a bug report on this.  So for now, I am back to using java 1.3.1.

I was very unhappy about 1.4 b3, which had lots of classloading issues.
Thankfully, the RC and the final have been much better, but I'm not
surprised there are still issues remaining in some more advanced use cases.
What's the bugtraq number for your report?

Remy
