Re: cvs commit: jakarta-tomcat-4.0/catalina/src/conf catalina.policy
Hi Glenn,
your last addition seems, IMO, to open a security issue with classes located under the o.a.c.util directory. Actually, maybe not for Tomcat 4.1, but for 5.0, I have created a class called SecurityAudit.java that contains some security check. If we port your latest changes, this class will be exposed to malicious uses. Also, is there a reason why we are giving the defineClassInPackage?
I think two solutions are available: (1) move sensitive classes to another package; (2) create a public package where we want to give access to some internal class. What is your recommendation?
Thanks,
-- Jeanfrancois
[EMAIL PROTECTED] wrote:
glenn 2002/09/30 12:59:47 Modified:catalina/src/conf catalina.policy Log: Allow defineClassInPackage for util due to Request Parametermap needs Revision ChangesPath 1.28 +3 -1 jakarta-tomcat-4.0/catalina/src/conf/catalina.policy Index: catalina.policy === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/catalina.policy,v retrieving revision 1.27 retrieving revision 1.28 diff -u -r1.27 -r1.28 --- catalina.policy 8 Sep 2002 18:04:02 - 1.27 +++ catalina.policy 30 Sep 2002 19:59:47 - 1.28 @@ -121,6 +121,8 @@ // Required for sevlets and JSP's permission java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util; permission java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util.*; + permission java.lang.RuntimePermission defineClassInPackage.org.apache.catalina.util; + permission java.lang.RuntimePermission defineClassInPackage.org.apache.catalina.util.*; // Required for running servlets generated by JSPC permission java.lang.RuntimePermission accessClassInPackage.org.apache.jasper.runtime;
-- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
Re: cvs commit: jakarta-tomcat-4.0/catalina/src/conf catalina.policy
Right, there are no security sensitive classes in Tomcat 4 o.a.c.util.
I advocated at one time identifying which packages within o.a.c contain security sensitive code and which don't. And documenting this so that a security sensitive class doesn't get added to a package considered public. For starters, o.a.c.util could be identified as a package where no security sensitive classes can be located.
And with JSR 115 incorporating JAAS into J2EE, perhaps it would be best to have an o.a.c.security package.
Regards,
Glenn
Jean-Francois Arcand wrote:
Hi Glenn,
your last addition seems, IMO, to open a security issue with classes located under the o.a.c.util directory. Actually, maybe not for Tomcat 4.1, but for 5.0, I have created a class called SecurityAudit.java that contains some security check. If we port your latest changes, this class will be exposed to malicious uses. Also, is there a reason why we are giving the defineClassInPackage?
I think two solutions are available: (1) move sensitive classes to another package; (2) create a public package where we want to give access to some internal class. What is your recommendation?
Thanks,
-- Jeanfrancois
[EMAIL PROTECTED] wrote:
glenn 2002/09/30 12:59:47 Modified:catalina/src/conf catalina.policy Log: Allow defineClassInPackage for util due to Request Parametermap needs Revision ChangesPath 1.28 +3 -1 jakarta-tomcat-4.0/catalina/src/conf/catalina.policy Index: catalina.policy === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/catalina.policy,v retrieving revision 1.27 retrieving revision 1.28 diff -u -r1.27 -r1.28 --- catalina.policy8 Sep 2002 18:04:02 -1.27 +++ catalina.policy30 Sep 2002 19:59:47 -1.28
@@ -121,6 +121,8 @@ // Required for sevlets and JSP's permission java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util; permission java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util.*; + permission java.lang.RuntimePermission defineClassInPackage.org.apache.catalina.util; + permission java.lang.RuntimePermission defineClassInPackage.org.apache.catalina.util.*; // Required for running servlets generated by JSPC permission java.lang.RuntimePermission accessClassInPackage.org.apache.jasper.runtime;
--
Glenn Nielsen [EMAIL PROTECTED] | /* Spelin donut madder
MOREnet System Programming | * if iz ina coment.
Missouri Research and Education Network | */
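The check Glenn proposes above (document which o.a.c packages are security sensitive and keep them out of the packages opened to web applications) can be run mechanically against the policy file. The following is an added example, not code from the thread or from Tomcat; the function names, the sample policy text (quotes restored) and the sensitivity lists, including the subpackage org.apache.catalina.util.audit, are assumptions made for the illustration.

```python
import re

# Constructed sample (quotes restored): the default web-application grant as of
# catalina.policy revision 1.28, plus one codeBase grant that must be ignored.
SAMPLE_POLICY = r'''
// These permissions apply to the container's core code
grant codeBase "file:${catalina.home}/server/-" {
    permission java.security.AllPermission;
};
grant {
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util.*";
    permission java.lang.RuntimePermission "defineClassInPackage.org.apache.catalina.util";
    permission java.lang.RuntimePermission "defineClassInPackage.org.apache.catalina.util.*";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
    permission java.util.PropertyPermission "jaxp.debug", "read";
};
'''

PACKAGE_ACTIONS = ("accessClassInPackage", "defineClassInPackage")
TOKEN_RE = re.compile(r'"[^"]*"|//[^\n]*|/\*.*?\*/', re.S)
GRANT_RE = re.compile(r'grant\s*(?:codeBase\s+"([^"]*)")?\s*\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+([\w.$]+)(?:\s+"([^"]*)")?')


def strip_comments(text):
    """Remove // and /* */ comments; quoted strings (e.g. URLs) are kept."""
    return TOKEN_RE.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)


def parse_grants(text):
    """Return [(codeBase or None, [(permission class, target name), ...])].

    Assumption: only the 'grant [codeBase "..."] { ... };' form used by
    catalina.policy is handled (no signedBy or principal clauses).
    """
    return [(codebase or None, PERM_RE.findall(body))
            for codebase, body in GRANT_RE.findall(strip_comments(text))]


def basic_implies(granted, requested):
    """java.security.BasicPermission name matching for a concrete request."""
    if granted == "*":
        return True
    if granted.endswith(".*"):
        prefix = granted[:-1]          # "a.b.*" -> "a.b." (the dot is kept)
        return len(requested) > len(prefix) and requested.startswith(prefix)
    return granted == requested


def exposed_packages(policy_text, sensitive_packages):
    """List (action, package, granting permission) for every sensitive package
    that the default grant (no codeBase, so all web applications) opens up."""
    findings = []
    for codebase, perms in parse_grants(policy_text):
        if codebase is not None:
            continue                   # trusted-code grants are out of scope here
        for cls, target in perms:
            action, _, pattern = target.partition(".")
            if cls == "java.security.AllPermission" or (
                    cls == "java.lang.RuntimePermission" and target == "*"):
                pairs = [(a, "*") for a in PACKAGE_ACTIONS]
            elif cls == "java.lang.RuntimePermission" and action in PACKAGE_ACTIONS:
                pairs = [(action, pattern)]
            else:
                continue
            for act, pat in pairs:
                for pkg in sensitive_packages:
                    if basic_implies(pat, pkg):
                        findings.append((act, pkg, target or cls))
    return findings


if __name__ == "__main__":
    # Hypothetical sensitivity list: o.a.c.util once a class such as
    # SecurityAudit lives there, and the proposed o.a.c.security package.
    wanted = ["org.apache.catalina.util", "org.apache.catalina.security"]
    for finding in exposed_packages(SAMPLE_POLICY, wanted):
        print(finding)
```

A sensitive class left in org.apache.catalina.util is reported for both access and definition, while the same class moved to org.apache.catalina.security is not; the bare package name and the `.*` form are matched separately, which is why the policy lists both.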
cvs commit: jakarta-tomcat-4.0/catalina/src/conf catalina.policy
glenn 2002/09/30 12:59:47 Modified:catalina/src/conf catalina.policy Log: Allow defineClassInPackage for util due to Request Parametermap needs Revision ChangesPath 1.28 +3 -1 jakarta-tomcat-4.0/catalina/src/conf/catalina.policy Index: catalina.policy === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/catalina.policy,v retrieving revision 1.27 retrieving revision 1.28 diff -u -r1.27 -r1.28 --- catalina.policy 8 Sep 2002 18:04:02 - 1.27 +++ catalina.policy 30 Sep 2002 19:59:47 - 1.28 @@ -121,6 +121,8 @@ // Required for sevlets and JSP's permission java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util; permission java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util.*; + permission java.lang.RuntimePermission defineClassInPackage.org.apache.catalina.util; + permission java.lang.RuntimePermission defineClassInPackage.org.apache.catalina.util.*; // Required for running servlets generated by JSPC permission java.lang.RuntimePermission accessClassInPackage.org.apache.jasper.runtime; -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
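Review bot: the two added defineClassInPackage lines sit under the existing comment "Required for sevlets and JSP's" with no comment of their own, so the policy file does not record why web application code needs to define classes in org.apache.catalina.util rather than only access them. The log message gives the reason (Request Parametermap); please put that in a comment directly above the new lines, and check whether the `org.apache.catalina.util.*` subpackage line is needed for it or only the bare package. Defining classes in a container package is a wider grant than accessClassInPackage, so the narrower the target the better.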
cvs commit: jakarta-tomcat-4.0/catalina/src/conf catalina.policy
glenn 2002/09/08 11:04:02 Modified:catalina/src/conf catalina.policy Log: Fix example web application grant codeBase Revision ChangesPath 1.27 +3 -3 jakarta-tomcat-4.0/catalina/src/conf/catalina.policy Index: catalina.policy === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/catalina.policy,v retrieving revision 1.26 retrieving revision 1.27 diff -u -r1.26 -r1.27 --- catalina.policy 2 Sep 2002 13:37:22 - 1.26 +++ catalina.policy 8 Sep 2002 18:04:02 - 1.27 @@ -158,11 +158,11 @@ // }; // // The permission granted to your JDBC driver -// grant codeBase jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar { +// grant codeBase file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar { // permission java.net.SocketPermission dbhost.mycompany.com:5432, connect; // }; // The permission granted to the scrape taglib -// grant codeBase jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar { +// grant codeBase file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar { // permission java.net.SocketPermission *.noaa.gov:80, connect; // }; -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat-4.0/catalina/src/conf catalina.policy
glenn 2002/09/02 06:37:22 Modified:catalina/src/conf catalina.policy Log: Update policy for java 1.4, fix bug 12101 Revision ChangesPath 1.26 +7 -1 jakarta-tomcat-4.0/catalina/src/conf/catalina.policy Index: catalina.policy === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/catalina.policy,v retrieving revision 1.25 retrieving revision 1.26 diff -u -r1.25 -r1.26 --- catalina.policy 18 Aug 2002 00:56:09 - 1.25 +++ catalina.policy 2 Sep 2002 13:37:22 - 1.26 @@ -115,9 +115,15 @@ permission java.util.PropertyPermission java.vm.name, read; // Required for getting BeanInfo + permission java.lang.RuntimePermission accessClassInPackage.sun.beans; permission java.lang.RuntimePermission accessClassInPackage.sun.beans.*; + // Required for sevlets and JSP's + permission java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util; + permission java.lang.RuntimePermission accessClassInPackage.org.apache.catalina.util.*; + // Required for running servlets generated by JSPC + permission java.lang.RuntimePermission accessClassInPackage.org.apache.jasper.runtime; permission java.lang.RuntimePermission accessClassInPackage.org.apache.jasper.runtime.*; // Required for OpenJMX -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
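Review bot: the added comment "// Required for sevlets and JSP's" misspells "servlets", and it is the only explanation given for opening all of org.apache.catalina.util and its subpackages through accessClassInPackage. Please name the class or classes that servlets and JSPs actually reach in that package, so that a later reader can tell whether a class added to the package is meant to be reachable from web application code.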
cvs commit: jakarta-tomcat-4.0/catalina/src/conf catalina.policy
glenn 2002/08/17 17:56:09 Modified:catalina/src/conf catalina.policy Log: Cleanup policy for release Revision ChangesPath 1.25 +56 -56jakarta-tomcat-4.0/catalina/src/conf/catalina.policy Index: catalina.policy === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/catalina.policy,v retrieving revision 1.24 retrieving revision 1.25 diff -u -r1.24 -r1.25 --- catalina.policy 19 Jul 2002 12:38:34 - 1.24 +++ catalina.policy 18 Aug 2002 00:56:09 - 1.25 @@ -17,23 +17,23 @@ // These permissions apply to javac grant codeBase file:${java.home}/lib/- { -permission java.security.AllPermission; + permission java.security.AllPermission; }; // These permissions apply to all shared system extensions grant codeBase file:${java.home}/jre/lib/ext/- { -permission java.security.AllPermission; + permission java.security.AllPermission; }; // These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre grant codeBase file:${java.home}/../lib/- { -permission java.security.AllPermission; + permission java.security.AllPermission; }; // These permissions apply to all shared system extensions when // ${java.home} points at $JAVA_HOME/jre grant codeBase file:${java.home}/lib/ext/- { -permission java.security.AllPermission; + permission java.security.AllPermission; }; 
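Review bot: the context comment "// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre" in this hunk closes the property reference with a square bracket. Since this commit is a cleanup pass over the same block, fix it to `${java.home}` here so the comment matches the codeBase line below it.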
@@ -42,39 +42,39 @@ // These permissions apply to the server startup code grant codeBase file:${catalina.home}/bin/bootstrap.jar { -permission java.security.AllPermission; + permission java.security.AllPermission; }; // These permissions apply to the servlet API classes // and those that are shared across all class loaders // located in the common directory grant codeBase file:${catalina.home}/common/- { -permission java.security.AllPermission; + permission java.security.AllPermission; }; // These permissions apply to the container's core code, plus any additional // libraries installed in the server directory grant codeBase file:${catalina.home}/server/- { -permission java.security.AllPermission; + permission java.security.AllPermission; }; // These permissions apply to the jasper page compiler. grant codeBase file:${catalina.home}/shared/lib/jasper-compiler.jar { -permission java.security.AllPermission; + permission java.security.AllPermission; }; // These permissions apply to the jasper JSP runtime grant codeBase file:${catalina.home}/shared/lib/jasper-runtime.jar { -permission java.security.AllPermission; + permission java.security.AllPermission; }; // These permissions apply to the privileged admin and manager web applications grant codeBase file:${catalina.home}/server/webapps/admin/WEB-INF/classes/- { -permission java.security.AllPermission; + permission java.security.AllPermission; }; grant codeBase file:${catalina.home}/server/webapps/admin/WEB-INF/lib/struts.jar { -permission java.security.AllPermission; + permission java.security.AllPermission; }; // == WEB APPLICATION PERMISSIONS = 
@@ -84,47 +84,47 @@ // In addition, a web application will be given a read FilePermission // and JndiPermission for all files and directories in its document root. grant { -// Required for JNDI lookup of named JDBC DataSource's and -// javamail named MimePart DataSource used to send mail -permission java.util.PropertyPermission java.home, read; -permission java.util.PropertyPermission java.naming.*, read; -permission java.util.PropertyPermission javax.sql.*, read; - -// OS Specific properties to allow read access - permission java.util.PropertyPermission os.name, read; - permission java.util.PropertyPermission os.version, read; - permission java.util.PropertyPermission os.arch, read; - permission java.util.PropertyPermission file.separator, read; - permission java.util.PropertyPermission path.separator, read; - permission java.util.PropertyPermission line.separator, read; - -// JVM properties to allow read access -permission java.util.PropertyPermission java.version, read; -permission java.util.PropertyPermission java.vendor, read; -permission java.util.PropertyPermission java.vendor.url, read; -permission java.util.PropertyPermission java.class.version, read; - permission java.util.PropertyPermission java.specification.version, read; - permission java.util.PropertyPermission java.specification.vendor, read; - permission
cvs commit: jakarta-tomcat-4.0/catalina/src/conf catalina.policy
glenn 2002/07/19 05:36:14 Modified:catalina/src/conf Tag: tomcat_40_branch catalina.policy Log: Add permission required for JSPC servlets Revision ChangesPath No revision No revision 1.14.2.2 +4 -1 jakarta-tomcat-4.0/catalina/src/conf/catalina.policy Index: catalina.policy === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/catalina.policy,v retrieving revision 1.14.2.1 retrieving revision 1.14.2.2 diff -u -r1.14.2.1 -r1.14.2.2 --- catalina.policy 6 Oct 2001 18:51:03 - 1.14.2.1 +++ catalina.policy 19 Jul 2002 12:36:14 - 1.14.2.2 @@ -110,6 +110,9 @@ // Required for getting BeanInfo permission java.lang.RuntimePermission accessClassInPackage.sun.beans.*; +// Required for running servlets generated by JSPC +permission java.lang.RuntimePermission accessClassInPackage.org.apache.jasper.runtime.*; + // Allow read of JAXP compliant XML parser debug permission java.util.PropertyPermission jaxp.debug, read; }; -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
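Review bot: the added permission names only `accessClassInPackage.org.apache.jasper.runtime.*`. RuntimePermission uses BasicPermission name matching, where a trailing `.*` matches names below that prefix and does not match the bare name `accessClassInPackage.org.apache.jasper.runtime` itself. If servlets generated by JSPC use classes located directly in org.apache.jasper.runtime, add the bare package name as a second line.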
cvs commit: jakarta-tomcat-4.0/catalina/src/conf catalina.policy
glenn 2002/07/19 05:38:35 Modified:catalina/src/conf catalina.policy Log: Add permission required for JSPC servlets Revision ChangesPath 1.24 +4 -1 jakarta-tomcat-4.0/catalina/src/conf/catalina.policy Index: catalina.policy === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/catalina.policy,v retrieving revision 1.23 retrieving revision 1.24 diff -u -r1.23 -r1.24 --- catalina.policy 29 Apr 2002 20:24:57 - 1.23 +++ catalina.policy 19 Jul 2002 12:38:34 - 1.24 @@ -117,6 +117,9 @@ // Required for getting BeanInfo permission java.lang.RuntimePermission accessClassInPackage.sun.beans.*; +// Required for running servlets generated by JSPC +permission java.lang.RuntimePermission accessClassInPackage.org.apache.jasper.runtime.*; + // Required for OpenJMX permission java.lang.RuntimePermission getAttribute; -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat-4.0/catalina/src/conf catalina.policy
remm02/04/29 13:24:57 Modified:catalina/src/conf catalina.policy Log: - Modify the policy file according to the codebase change. Revision ChangesPath 1.23 +2 -2 jakarta-tomcat-4.0/catalina/src/conf/catalina.policy Index: catalina.policy === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/catalina.policy,v retrieving revision 1.22 retrieving revision 1.23 diff -u -r1.22 -r1.23 --- catalina.policy 4 Mar 2002 15:12:48 - 1.22 +++ catalina.policy 29 Apr 2002 20:24:57 - 1.23 @@ -8,7 +8,7 @@ // // * Read access to the document root directory // -// $Id: catalina.policy,v 1.22 2002/03/04 15:12:48 glenn Exp $ +// $Id: catalina.policy,v 1.23 2002/04/29 20:24:57 remm Exp $ // @@ -73,7 +73,7 @@ permission java.security.AllPermission; }; -grant codeBase jar:file:${catalina.home}/server/webapps/admin/WEB-INF/lib/struts.jar!/- { +grant codeBase file:${catalina.home}/server/webapps/admin/WEB-INF/lib/struts.jar { permission java.security.AllPermission; }; -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat-4.0/catalina/src/conf catalina.policy
glenn 02/03/04 07:12:48 Modified:catalina/src/conf catalina.policy Log: Fix example grants fro webapp jar's Revision ChangesPath 1.22 +3 -3 jakarta-tomcat-4.0/catalina/src/conf/catalina.policy Index: catalina.policy === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/catalina.policy,v retrieving revision 1.21 retrieving revision 1.22 diff -u -r1.21 -r1.22 --- catalina.policy 9 Feb 2002 18:31:25 - 1.21 +++ catalina.policy 4 Mar 2002 15:12:48 - 1.22 @@ -8,7 +8,7 @@ // // * Read access to the document root directory // -// $Id: catalina.policy,v 1.21 2002/02/09 18:31:25 remm Exp $ +// $Id: catalina.policy,v 1.22 2002/03/04 15:12:48 glenn Exp $ // @@ -149,11 +149,11 @@ // }; // // The permission granted to your JDBC driver -// grant codeBase file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/- { +// grant codeBase jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/- { // permission java.net.SocketPermission dbhost.mycompany.com:5432, connect; // }; // The permission granted to the scrape taglib -// grant codeBase file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar!/- { +// grant codeBase jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar!/- { // permission java.net.SocketPermission *.noaa.gov:80, connect; // }; -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat-4.0/catalina/src/conf catalina.policy
remm02/02/09 10:31:25 Modified:catalina/src/conf catalina.policy Log: - Update policy files after moving Jasper around. - Also ran into a surprise problem with OpenJMX while testing (which of course lead me to believe it was somehow related to me moving Jasper). Grant an extra permission to have it work. Revision ChangesPath 1.21 +4 -22 jakarta-tomcat-4.0/catalina/src/conf/catalina.policy Index: catalina.policy === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/catalina.policy,v retrieving revision 1.20 retrieving revision 1.21 diff -u -r1.20 -r1.21 --- catalina.policy 17 Jan 2002 00:28:15 - 1.20 +++ catalina.policy 9 Feb 2002 18:31:25 - 1.21 @@ -8,7 +8,7 @@ // // * Read access to the document root directory // -// $Id: catalina.policy,v 1.20 2002/01/17 00:28:15 patrickl Exp $ +// $Id: catalina.policy,v 1.21 2002/02/09 18:31:25 remm Exp $ // @@ -68,11 +68,6 @@ permission java.security.AllPermission; }; -// These permissions apply to the JNDI naming factory -grant codeBase file:${catalina.home}/shared/lib/naming-factory.jar { -permission java.security.AllPermission; -}; - // These permissions apply to the privileged admin and manager web applications grant codeBase file:${catalina.home}/server/webapps/admin/WEB-INF/classes/- { permission java.security.AllPermission; @@ -82,22 +77,6 @@ permission java.security.AllPermission; }; -grant codeBase jar:file:${catalina.home}/server/webapps/admin/WEB-INF/lib/jasper-compiler.jar!/- { -permission java.security.AllPermission; -}; - -grant codeBase jar:file:${catalina.home}/server/webapps/admin/WEB-INF/lib/jasper-runtime.jar!/- { -permission java.security.AllPermission; -}; - -grant codeBase jar:file:${catalina.home}/server/webapps/manager/WEB-INF/lib/jasper-compiler.jar!/- { -permission java.security.AllPermission; -}; - -grant codeBase jar:file:${catalina.home}/server/webapps/manager/WEB-INF/lib/jasper-runtime.jar!/- { -permission java.security.AllPermission; -}; - // == WEB APPLICATION PERMISSIONS = 
@@ -137,6 +116,9 @@ // Required for getting BeanInfo permission java.lang.RuntimePermission accessClassInPackage.sun.beans.*; + +// Required for OpenJMX +permission java.lang.RuntimePermission getAttribute; // Allow read of JAXP compliant XML parser debug permission java.util.PropertyPermission jaxp.debug, read; -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
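Review bot: the added `permission java.lang.RuntimePermission getAttribute;` is documented only as "Required for OpenJMX", and the log message describes it as a surprise found while testing. Because this hunk is in the block that also carries the BeanInfo and jaxp.debug permissions for web applications, the comment should say which operation failed without it, so the grant can be removed or narrowed once the cause is understood.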
cvs commit: jakarta-tomcat-4.0/catalina/src/conf catalina.policy
patrickl02/01/16 16:28:15 Modified:catalina/src/conf catalina.policy Log: Add AllPermissions to admin webapp's classes directory Revision ChangesPath 1.20 +9 -5 jakarta-tomcat-4.0/catalina/src/conf/catalina.policy Index: catalina.policy === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/catalina.policy,v retrieving revision 1.19 retrieving revision 1.20 diff -u -r1.19 -r1.20 --- catalina.policy 14 Jan 2002 09:34:12 - 1.19 +++ catalina.policy 17 Jan 2002 00:28:15 - 1.20 @@ -8,7 +8,7 @@ // // * Read access to the document root directory // -// $Id: catalina.policy,v 1.19 2002/01/14 09:34:12 patrickl Exp $ +// $Id: catalina.policy,v 1.20 2002/01/17 00:28:15 patrickl Exp $ // @@ -74,15 +74,19 @@ }; // These permissions apply to the privileged admin and manager web applications -grant codeBase jar:file:${catalina.home}/server/webapps/admin/WEB-INF/lib/jasper-compiler.jar!/- { +grant codeBase file:${catalina.home}/server/webapps/admin/WEB-INF/classes/- { permission java.security.AllPermission; }; -grant codeBase jar:file:${catalina.home}/server/webapps/admin/WEB-INF/lib/jasper-runtime.jar!/- { -permission java.security.AllPermission; +grant codeBase jar:file:${catalina.home}/server/webapps/admin/WEB-INF/lib/struts.jar!/- { +permission java.security.AllPermission; }; -grant codeBase jar:file:${catalina.home}/server/webapps/admin/WEB-INF/lib/struts.jar!/- { +grant codeBase jar:file:${catalina.home}/server/webapps/admin/WEB-INF/lib/jasper-compiler.jar!/- { +permission java.security.AllPermission; +}; + +grant codeBase jar:file:${catalina.home}/server/webapps/admin/WEB-INF/lib/jasper-runtime.jar!/- { permission java.security.AllPermission; }; -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat-4.0/catalina/src/conf catalina.policy
patrickl02/01/14 01:34:12 Modified:catalina/src/conf catalina.policy Log: Add AllPermissions struts.jar in admin webapp since it was missing from the policy file. Revision ChangesPath 1.19 +5 -1 jakarta-tomcat-4.0/catalina/src/conf/catalina.policy Index: catalina.policy === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/catalina.policy,v retrieving revision 1.18 retrieving revision 1.19 diff -u -r1.18 -r1.19 --- catalina.policy 27 Nov 2001 02:47:26 - 1.18 +++ catalina.policy 14 Jan 2002 09:34:12 - 1.19 @@ -8,7 +8,7 @@ // // * Read access to the document root directory // -// $Id: catalina.policy,v 1.18 2001/11/27 02:47:26 patrickl Exp $ +// $Id: catalina.policy,v 1.19 2002/01/14 09:34:12 patrickl Exp $ // @@ -79,6 +79,10 @@ }; grant codeBase jar:file:${catalina.home}/server/webapps/admin/WEB-INF/lib/jasper-runtime.jar!/- { +permission java.security.AllPermission; +}; + +grant codeBase jar:file:${catalina.home}/server/webapps/admin/WEB-INF/lib/struts.jar!/- { permission java.security.AllPermission; }; -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat-4.0/catalina/src/conf catalina.policy
glenn 01/11/19 05:51:03 Modified:catalina/src/conf catalina.policy Log: Make the permissions for shared/lib explicit Revision ChangesPath 1.16 +14 -4 jakarta-tomcat-4.0/catalina/src/conf/catalina.policy Index: catalina.policy === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/catalina.policy,v retrieving revision 1.15 retrieving revision 1.16 diff -u -r1.15 -r1.16 --- catalina.policy 2001/10/06 18:45:51 1.15 +++ catalina.policy 2001/11/19 13:51:03 1.16 @@ -8,7 +8,7 @@ // // * Read access to the document root directory // -// $Id: catalina.policy,v 1.15 2001/10/06 18:45:51 remm Exp $ +// $Id: catalina.policy,v 1.16 2001/11/19 13:51:03 glenn Exp $ // @@ -58,11 +58,21 @@ permission java.security.AllPermission; }; -// These permissions apply to shared web application libraries -// including the Jasper page compiler installed in the shared/lib directory -grant codeBase file:${catalina.home}/shared/- { +// These permissions apply to the jasper page compiler. +grant codeBase file:${catalina.home}/shared/lib/jasper-compiler.jar { permission java.security.AllPermission; }; + +// These permissions apply to the jasper JSP runtime +grant codeBase file:${catalina.home}/shared/lib/jasper-runtime.jar { +permission java.security.AllPermission; +}; + +// These permissions apply to the JNDI naming factory +grant codeBase file:${catalina.home}/shared/lib/naming-factory.jar { +permission java.security.AllPermission; +}; + // == WEB APPLICATION PERMISSIONS = -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
cvs commit: jakarta-tomcat-4.0/catalina/src/conf catalina.policy
glenn 01/06/29 11:01:14 Modified:catalina/src/conf catalina.policy Log: Update policy for WebappClassLoader changes Revision ChangesPath 1.13 +4 -16 jakarta-tomcat-4.0/catalina/src/conf/catalina.policy Index: catalina.policy === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/catalina.policy,v retrieving revision 1.12 retrieving revision 1.13 diff -u -r1.12 -r1.13 --- catalina.policy 2001/06/22 20:36:29 1.12 +++ catalina.policy 2001/06/29 18:01:09 1.13 @@ -8,7 +8,7 @@ // // * Read access to the document root directory // -// $Id: catalina.policy,v 1.12 2001/06/22 20:36:29 glenn Exp $ +// $Id: catalina.policy,v 1.13 2001/06/29 18:01:09 glenn Exp $ // 
@@ -138,30 +138,18 @@ // grant codeBase file:${catalina.home}/webapps/examples/- { // permission java.net.SocketPermission dbhost.mycompany.com:5432, connect; // permission java.net.SocketPermission *.noaa.gov:80, connect; -// // }; // // The permissions granted to the context WEB-INF/classes directory -// -// Permissions granted to a web applications /WEB-INF/classes -// need to use the JNDI naming convention Tomcat 4 uses to identify -// these resources. The naming convention is -// jndi:/virtual host name/web application directory/WEB-INF/classes/ -// -// grant codeBase jndi:/localhost/examples/WEB-INF/classes/- { +// grant codeBase file:${catalina.home}/webapps/examples/WEB-INF/classes/- { // }; // -// Permissions granted to a web applications /WEB-INF/lib -// need to use the JNDI naming convention Tomcat 4 uses to identify -// these resources. The naming convention is -// jar:jndi:/virtual host name/web application directory/WEB-INF/lib/ -// // The permission granted to your JDBC driver -// grant codeBase jar:jndi:/localhost/examples/WEB-INF/lib/driver.jar { +// grant codeBase file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/- { // permission java.net.SocketPermission dbhost.mycompany.com:5432, connect; // }; // The permission granted to the scrape taglib -// grant codeBase jar:jndi:localhost/webapps/examples/WEB-INF/lib/scrape.jar { +// grant codeBase file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar!/- { // permission java.net.SocketPermission *.noaa.gov:80, connect; // };
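Review bot: in the commented JDBC driver and scrape taglib examples, the new codeBase values combine the `file:` scheme with a `!/-` suffix (`file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/-`), and `!/` is the entry separator of a `jar:` URL. Please confirm which form the WebappClassLoader reports for classes loaded from WEB-INF/lib and make both examples match it, since a grant whose codeBase never matches gives the jar no permissions and produces no error.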
cvs commit: jakarta-tomcat-4.0/catalina/src/conf catalina.policy
remm01/06/29 14:53:45 Modified:catalina/src/conf catalina.policy Log: - Package name typo fix. Patch submitted by Gennis Emerson gemerson at acm.org Revision ChangesPath 1.14 +2 -2 jakarta-tomcat-4.0/catalina/src/conf/catalina.policy Index: catalina.policy === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/catalina.policy,v retrieving revision 1.13 retrieving revision 1.14 diff -u -r1.13 -r1.14 --- catalina.policy 2001/06/29 18:01:09 1.13 +++ catalina.policy 2001/06/29 21:53:43 1.14 @@ -8,7 +8,7 @@ // // * Read access to the document root directory // -// $Id: catalina.policy,v 1.13 2001/06/29 18:01:09 glenn Exp $ +// $Id: catalina.policy,v 1.14 2001/06/29 21:53:43 remm Exp $ // @@ -85,7 +85,7 @@ grant { // Required for JNDI lookup of named JDBC DataSource's and // javamail named MimePart DataSource used to send mail -permission java.utim.PropertyPermission java.home, read; +permission java.util.PropertyPermission java.home, read; permission java.util.PropertyPermission java.naming.*, read; permission java.util.PropertyPermission javax.sql.*, read;
cvs commit: jakarta-tomcat-4.0/catalina/src/conf catalina.policy
glenn 01/06/22 13:36:30 Modified:catalina/src/conf catalina.policy Log: Update for new JndiPermission Revision ChangesPath 1.12 +2 -2 jakarta-tomcat-4.0/catalina/src/conf/catalina.policy Index: catalina.policy === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/catalina.policy,v retrieving revision 1.11 retrieving revision 1.12 diff -u -r1.11 -r1.12 --- catalina.policy 2001/04/25 17:02:10 1.11 +++ catalina.policy 2001/06/22 20:36:29 1.12 @@ -8,7 +8,7 @@ // // * Read access to the document root directory // -// $Id: catalina.policy,v 1.11 2001/04/25 17:02:10 glenn Exp $ +// $Id: catalina.policy,v 1.12 2001/06/22 20:36:29 glenn Exp $ // @@ -81,7 +81,7 @@ // These permissions are granted by default to all web applications // In addition, a web application will be given a read FilePermission -// for all files and directories in its document root. +// and JndiPermission for all files and directories in its document root. grant { // Required for JNDI lookup of named JDBC DataSource's and // javamail named MimePart DataSource used to send mail
cvs commit: jakarta-tomcat-4.0/catalina/src/conf catalina.policy
glenn 01/04/11 14:32:50 Modified:catalina/src/conf catalina.policy Log: Update policy to support JNDI Revision ChangesPath 1.9 +23 -5 jakarta-tomcat-4.0/catalina/src/conf/catalina.policy Index: catalina.policy === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/catalina.policy,v retrieving revision 1.8 retrieving revision 1.9 diff -u -r1.8 -r1.9 --- catalina.policy 2001/04/09 00:23:32 1.8 +++ catalina.policy 2001/04/11 21:32:50 1.9 @@ -8,7 +8,7 @@ // // * Read access to the document root directory // -// $Id: catalina.policy,v 1.8 2001/04/09 00:23:32 craigmcc Exp $ +// $Id: catalina.policy,v 1.9 2001/04/11 21:32:50 glenn Exp $ // @@ -83,10 +83,13 @@ // In addition, a web application will be given a read FilePermission // for all files and directories in its document root. grant { - permission java.util.PropertyPermission "java.version", "read"; - permission java.util.PropertyPermission "java.vendor", "read"; - permission java.util.PropertyPermission "java.vendor.url", "read"; - permission java.util.PropertyPermission "java.class.version", "read"; +// Required for JNDI lookup of named JDBC DataSource's and +// javamail named MimePart DataSource used to send mail +permission java.utim.PropertyPermission "java.home", "read"; +permission java.util.PropertyPermission "java.naming.*", "read"; +permission java.util.PropertyPermission "javax.sql.*", "read"; + +// OS Specific properties to allow read access permission java.util.PropertyPermission "os.name", "read"; permission java.util.PropertyPermission "os.version", "read"; permission java.util.PropertyPermission "os.arch", "read"; 
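Review bot: the first added permission line in the grant block names the class `java.utim.PropertyPermission`; the package should be `java.util`, as on the two added lines that follow it. As written, the "java.home" read grant does not refer to an existing permission class, so the JNDI DataSource lookup this block is meant to support will not get that property.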
@@ -94,6 +97,11 @@ permission java.util.PropertyPermission "path.separator", "read"; permission java.util.PropertyPermission "line.separator", "read"; +// JVM properties to allow read access +permission java.util.PropertyPermission "java.version", "read"; +permission java.util.PropertyPermission "java.vendor", "read"; +permission java.util.PropertyPermission "java.vendor.url", "read"; +permission java.util.PropertyPermission "java.class.version", "read"; permission java.util.PropertyPermission "java.specification.version", "read"; permission java.util.PropertyPermission "java.specification.vendor", "read"; permission java.util.PropertyPermission "java.specification.name", "read"; @@ -104,6 +112,16 @@ permission java.util.PropertyPermission "java.vm.version", "read"; permission java.util.PropertyPermission "java.vm.vendor", "read"; permission java.util.PropertyPermission "java.vm.name", "read"; + +// Required for reading resources using JNDI lookup +permission java.io.FilePermission "jndi:/-", "read"; +permission java.io.FilePermission "jar:jndi:/WEB-INF/lib/-", "read"; +// Required for getting BeanInfo +permission java.lang.RuntimePermission "accessClassInPackage.sun.beans.*"; +// Requried for sending email +permission java.io.FilePermission "${java.home}${/}lib${/}ext${/}mail.jar", "read"; + + // Allow read of JAXP compliant XML parser debug permission java.util.PropertyPermission "jaxp.debug", "read"; };
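Review bot: the added comment "// Requried for sending email" in the last hunk misspells "Required". The line it describes grants every web application read access to `${java.home}${/}lib${/}ext${/}mail.jar`; please extend the comment to say which component reads the jar, so the grant can be revisited if mail.jar is installed elsewhere.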
cvs commit: jakarta-tomcat-4.0/catalina/src/conf catalina.policy
craigmcc01/04/08 17:23:32 Modified:catalina/src/conf catalina.policy Log: Add a property reading permission needed for JAXP. Revision ChangesPath 1.8 +2 -1 jakarta-tomcat-4.0/catalina/src/conf/catalina.policy Index: catalina.policy === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/catalina.policy,v retrieving revision 1.7 retrieving revision 1.8 diff -u -r1.7 -r1.8 --- catalina.policy 2001/04/08 01:05:19 1.7 +++ catalina.policy 2001/04/09 00:23:32 1.8 @@ -8,7 +8,7 @@ // // * Read access to the document root directory // -// $Id: catalina.policy,v 1.7 2001/04/08 01:05:19 craigmcc Exp $ +// $Id: catalina.policy,v 1.8 2001/04/09 00:23:32 craigmcc Exp $ // @@ -104,6 +104,7 @@ permission java.util.PropertyPermission "java.vm.version", "read"; permission java.util.PropertyPermission "java.vm.vendor", "read"; permission java.util.PropertyPermission "java.vm.name", "read"; + permission java.util.PropertyPermission "jaxp.debug", "read"; };
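Review bot: The added `jaxp.debug` read permission at the end of the `@@ -104,6 +104,7 @@` hunk has no comment saying which component needs it. The log message mentions JAXP, but the policy file itself does not. A one-line comment above the entry would keep this default grant auditable as the list grows.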
cvs commit: jakarta-tomcat-4.0/catalina/src/conf catalina.policy
glenn 01/02/26 19:18:15 Modified:catalina/src/conf catalina.policy Log: Update policy for new lib/class file locations Revision ChangesPath 1.5 +15 -10jakarta-tomcat-4.0/catalina/src/conf/catalina.policy Index: catalina.policy === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/catalina.policy,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- catalina.policy 2001/02/18 17:18:40 1.4 +++ catalina.policy 2001/02/27 03:18:15 1.5 @@ -8,7 +8,7 @@ // // * Read access to the document root directory // -// $Id: catalina.policy,v 1.4 2001/02/18 17:18:40 glenn Exp $ +// $Id: catalina.policy,v 1.5 2001/02/27 03:18:15 glenn Exp $ // @@ -29,20 +29,18 @@ // == CATALINA CODE PERMISSIONS === -// These permissions apply to the server startup code, and the servlet API -// classes that are shared across all class loaders +// These permissions apply to the server startup code grant codeBase "file:${catalina.home}/bin/bootstrap.jar" { permission java.security.AllPermission; }; -grant codeBase "file:${catalina.home}/bin/servlet.jar" { +// These permissions apply to the servlet API classes +// and those that are shared across all class loaders +// located in the "common" directory +grant codeBase "file:${catalina.home}/common/-" { permission java.security.AllPermission; }; -grant codeBase "file:${catalina.home}/bin/naming.jar" { -permission java.security.AllPermission; -}; - // These permissions apply to the container's core code, plus any additional // libraries installed in the "server" directory grant codeBase "file:${catalina.home}/server/-" { 
@@ -50,16 +48,22 @@ }; // These permissions apply to the jasper page compiler +// located in the "jasper" directory. grant codeBase "file:${catalina.home}/jasper/-" { permission java.security.AllPermission; }; -// These permissions apply to all extension libraries (including Jasper, -// if present) installed in the "lib" directory +// These permissions apply to shared web application libraries +// including the Jasper runtime library installed in the "lib" directory grant codeBase "file:${catalina.home}/lib/-" { permission java.security.AllPermission; }; +// These permissions apply to shared web application classes +// located in the "classes" directory +grant codeBase "file:${catalina.home}/classes/-" { +permission java.security.AllPermission; +}; // == WEB APPLICATION PERMISSIONS = @@ -90,6 +94,7 @@ permission java.util.PropertyPermission "java.vm.vendor", "read"; permission java.util.PropertyPermission "java.vm.name", "read"; permission java.io.FilePermission "jndi:/WEB-INF/-", "read"; + permission java.io.FilePermission "jar:jndi:/WEB-INF/lib/-", "read"; };
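Review bot: In the `@@ -29,20 +29,18 @@` hunk, the two per-jar grants for `bin/servlet.jar` and `bin/naming.jar` are replaced by `grant codeBase "file:${catalina.home}/common/-"` with `AllPermission`. This widens the trust boundary from two named jars to anything placed anywhere under `common/`. Please state in the comment that every file dropped into that directory runs fully trusted, so administrators know to restrict write access to it, or keep the grants per-jar if the set of jars is fixed.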
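Review bot: In the `@@ -50,16 +48,22 @@` hunk, the reworded comment calls `lib/-` "shared web application libraries" and the new `classes/-` block "shared web application classes", yet both receive `java.security.AllPermission`. Web application code loaded from these directories therefore runs outside the restricted web application permissions defined further down. If that is intended, the comments should say so explicitly. Otherwise, these two code bases should get the same limited permission set as the web application grant.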
cvs commit: jakarta-tomcat-4.0/catalina/src/conf catalina.policy
glenn 01/02/18 09:18:41 Modified:catalina/src/conf catalina.policy Log: Update policy for Craig's jasper class loading changes Revision ChangesPath 1.4 +5 -1 jakarta-tomcat-4.0/catalina/src/conf/catalina.policy Index: catalina.policy === RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/catalina.policy,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- catalina.policy 2001/02/03 16:42:39 1.3 +++ catalina.policy 2001/02/18 17:18:40 1.4 @@ -8,7 +8,7 @@ // // * Read access to the document root directory // -// $Id: catalina.policy,v 1.3 2001/02/03 16:42:39 glenn Exp $ +// $Id: catalina.policy,v 1.4 2001/02/18 17:18:40 glenn Exp $ // @@ -49,6 +49,10 @@ permission java.security.AllPermission; }; +// These permissions apply to the jasper page compiler +grant codeBase "file:${catalina.home}/jasper/-" { +permission java.security.AllPermission; +}; // These permissions apply to all extension libraries (including Jasper, // if present) installed in the "lib" directory
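Review bot: The new `grant codeBase "file:${catalina.home}/jasper/-"` block in the `@@ -49,6 +49,10 @@` hunk gives `java.security.AllPermission` to everything under `jasper/`, and the comment does not say why the page compiler needs full trust. Please either list the specific permissions the compiler requires, or extend the comment to record that the whole directory is trusted and must not be writable by web applications. The new block is also missing the blank line that separates it from the following "extension libraries" comment.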