Re: [PROPOSAL] Tomcat 4 SecurityManager implementation
Sorry not to get this out earlier ... comments intermixed.
Glenn Nielsen wrote:
Here is my proposal for implementing the Java SecurityManager in Tocmat 4.
Work on implementing this proposal is in progress. Comments please?
Tomcat 4 Java SecurityManager Proposal
Tomcat 4 will require the Java SecurityManager, use of the
SecurityManager will be optional when Tomcat is embedded in
another application.
Will it be optional when Tomcat 4 is run by itself (either standalone or behind
a
web server) as well?
Setting policies for internal Tomcat classes
Security policies will be set using the tomcat.policy file. Security
checks will be based only on the codeSource of the class matching the
codeBase for JVM and Tomcat internal classes.
Example tomcat.policy entries affecting Tomcat internals
// javac
grant codeBase "file:${java.home}/lib/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/jre/lib/-" {
permission java.security.AllPermission;
};
grant codeBase="file:${tomcat.home}/server/-" {
permission java.security.AllPermission;
};
grant codeBase="file:${tomcat.home}/bin/-" {
permission java.security.AllPermission;
};
Note - to be technically correct, references to "tomcat.home" in the entries
above
should be "catalina.home" for Tomcat 4, to be consistent with the system
property
definition that is actually used.
Setting policies for web application contexts
-
A web application has its security based on either the default grant in
tomcat.policy or an entry for the context which uses the Context path
file URL as the codeBase. This policy will be in affect for any Class running
within the Context thread no matter which ClassLoader loaded the class
which triggered a security check. A default permission to read files in
the Context path is granted.
// Default permissions for a Context, all contexts have these permissions
grant {
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";
};
Is this set of default permissions going to be easily configurable? I can
imagine
that this would be a popular choice for people who don't want to spend a lot of
time thinking about security. For example, you might want to grant all webapps
the
ability to connect to the network host and port required by your database
because
you use it in every app.
// Additional Permissions for tomcat examples context
grant codeBase="file:${tomcat.home}/webapps/examples/- {
permission java.util.PropertyPermission "*", "read";
};
Should the code base actually be restricted to ".../examples/WEB-INF/classes/-"
and
".../examples/WEB-INF/lib/-"? It means setting up two policy entries instead of
one if a particular app uses both JAR'd and unJAR'd classes, but I suspect that
is
somewhat unusual.
Security restrictions for using classes
---
StandardClassLoader will implement the SecurityManager.checkPackageAccess()
method to determine whether the ClassLoader has permission to access the
packages "sun.,org.apache.catalina.,org.apache.jasper.".
Is org.apache.jasper really special? It is loaded by the "Shared" classloader
(in
the Tomcat 4 classloader hierarchy) anyway, so it is already going to be
restricted.
And, a web app will need to be able to access these packages to utilize the JSP
servlet, and therefore execute JSP pages.
If a Context doesn't have the RuntimePermission "*" or
"accessClassInPackage.{package name}", it will not be allowed to use a
Class in the package.
Security restrictions for defining classes
--
StandardClassLoader will implement the SecurityManager.checkPackageDefinition()
method to determine whether the ClassLoader has permission to define a class
in the packages "sun.,java.,javax.,org.apache.catalina.,org.apache.jasper.".
Same question re: specialness of Jasper, although I can see a stronger case for
prohibiting class *creation* in this package than class *access*.
If a Context doesn't have the RuntimePermission "*" or
"defineClassInPackage.{package name}", it will not be allowed to define
a Class in the package.
Changing security policies at runtime
-
Anytime a Context is reloaded the security policies will be refreshed
from the tomcat policy file.
StandardClassLoader
---
All of the code for implementing system, restricted, and allowed
checks will be removed. This will be handled by the SecurityManager.
+1
It's only there as a placeholder until security manager support is available.
Remove the ability to configure a contexts classloader in the
server.xml
Re: [PROPOSAL] Tomcat 4 SecurityManager implementation
Hi Glenn, I had a few questions/comments on: Jasper JSP class loading The work directory will be moved inside the web application context /WEB-INF/ directory. This will make security configuration easier and security checks more efficient. The jasper work dir for a context would be /WEB-INF/work/. This should be safe, other important files which need to be protected from outside view are stored in WEB-INF such as java properties files and class files. /WEB-INF/work will not be added to the contexts class path. Instead of this, how about having a parallel tree under a user-specified temp dir with a workdir per web application? This wouldn't work too well for webapps that are run from the WAR file itself. (The WAR file could be expanded but that's an implementation detail and not necessarily true.) Also, I'm a bit wary about touching any part of the webapp that the user created. What if I create a jar from the directory for that web application after you created the tmp files? As far as I can remember, the work directory needs to be added to the context's classpath. Am I missing something? Jasper will be modified so that each individual jsp page will have its own URLClassLoader. When each jsp page has its own URLClassLoader we can remove the need to munge and version the jsp java and class file names. We can also create directory paths in the work dir for the context that matches the jsp page path in the context. This will make it easier to view the generated source for a jsp page. When a jsp page is recompiled, a new instance of the URLClassLoader for that page will be created. At this point I don't have enough details to -1 this. But I'd suggest you consider this before going ahead. Classloaders are heavyweight objects. JSP pages are essentially like HTML pages. There can be many many of them. Do you want to have a heavyweight classloader per JSP page (and one for every update of that page?) -- Peace, Anil +:-) - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
[PROPOSAL] Tomcat 4 SecurityManager implementation
Here is my proposal for implementing the Java SecurityManager in Tocmat 4.
Work on implementing this proposal is in progress. Comments please?
Tomcat 4 Java SecurityManager Proposal
Tomcat 4 will require the Java SecurityManager, use of the
SecurityManager will be optional when Tomcat is embedded in
another application.
Setting policies for internal Tomcat classes
Security policies will be set using the tomcat.policy file. Security
checks will be based only on the codeSource of the class matching the
codeBase for JVM and Tomcat internal classes.
Example tomcat.policy entries affecting Tomcat internals
// javac
grant codeBase "file:${java.home}/lib/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/jre/lib/-" {
permission java.security.AllPermission;
};
grant codeBase="file:${tomcat.home}/server/-" {
permission java.security.AllPermission;
};
grant codeBase="file:${tomcat.home}/bin/-" {
permission java.security.AllPermission;
};
Setting policies for web application contexts
-
A web application has its security based on either the default grant in
tomcat.policy or an entry for the context which uses the Context path
file URL as the codeBase. This policy will be in affect for any Class running
within the Context thread no matter which ClassLoader loaded the class
which triggered a security check. A default permission to read files in
the Context path is granted.
// Default permissions for a Context, all contexts have these permissions
grant {
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";
};
// Additional Permissions for tomcat examples context
grant codeBase="file:${tomcat.home}/webapps/examples/- {
permission java.util.PropertyPermission "*", "read";
};
Security restrictions for using classes
---
StandardClassLoader will implement the SecurityManager.checkPackageAccess()
method to determine whether the ClassLoader has permission to access the
packages "sun.,org.apache.catalina.,org.apache.jasper.".
If a Context doesn't have the RuntimePermission "*" or
"accessClassInPackage.{package name}", it will not be allowed to use a
Class in the package.
Security restrictions for defining classes
--
StandardClassLoader will implement the SecurityManager.checkPackageDefinition()
method to determine whether the ClassLoader has permission to define a class
in the packages "sun.,java.,javax.,org.apache.catalina.,org.apache.jasper.".
If a Context doesn't have the RuntimePermission "*" or
"defineClassInPackage.{package name}", it will not be allowed to define
a Class in the package.
Changing security policies at runtime
-
Anytime a Context is reloaded the security policies will be refreshed
from the tomcat policy file.
StandardClassLoader
---
All of the code for implementing system, restricted, and allowed
checks will be removed. This will be handled by the SecurityManager.
Remove the ability to configure a contexts classloader in the
server.xml Context element.
ApplicationSecurityManager
--
This Class is a replacement for the default SecurityManager and extends
class SecurityManager.
It does a normal permission check first, if that fails it takes additional
steps if the current thread is for a web application context.
When a Context is started or stopped it will need to register with
the ApplicationSecurityManager using methods setContext() and
removeContext().
Context threads will be named threads with the name set to the
string representing the file URL of the Context. i.e.
"file:/usr/local/tomcat/webapps/examples".
Re: [PROPOSAL] Tomcat 4 SecurityManager implementation
Glenn Nielsen wrote: Here is my proposal for implementing the Java SecurityManager in Tocmat 4. Work on implementing this proposal is in progress. Comments please? Tomcat 4 Java SecurityManager Proposal Tomcat 4 will require the Java SecurityManager, use of the SecurityManager will be optional when Tomcat is embedded in another application. [...] -0. Why not make it optional for standard use as well? If I use Tomcat for development only, I'm not concerned with security and don't want to mess with policy files. [...] Jasper JSP class loading Jasper will have the old 1.1 compatability code stripped out. +1 The work directory will be moved inside the web application context /WEB-INF/ directory. [...] -1. It should be possible to configure Tomcat so that the work directory is located under /tmp, or any other standard OS location for temporary files. Besides, creating files under /WEB-INF will not work if we one day support running applications straight from the WAR file. Jasper will be modified so that each individual jsp page will have its own URLClassLoader. When each jsp page has its own URLClassLoader we can remove the need to munge and version the jsp java and class file names. We can also create directory paths in the work dir for the context that matches the jsp page path in the context. This will make it easier to view the generated source for a jsp page. When a jsp page is recompiled, a new instance of the URLClassLoader for that page will be created. [...] +1. Great! Hans -- Hans Bergsten [EMAIL PROTECTED] Gefion Software http://www.gefionsoftware.com Author of JavaServer Pages (O'Reilly), http://TheJSPBook.com - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
RE: [PROPOSAL] Tomcat 4 SecurityManager implementation
Tomcat would be a great tool to provide catalogs and presentations on CD - with additional advantages if there are already web versions of such applications. I know of a lot of people (me included) that would like to use Tomcat this way. I already implemented a proof of concept where a Delphi application is used to configure and start a Java application using JNI and a JVM on the CD (not installed in the PC). It works very well in Windows. After this, using a small Delphi GUI to start Tomcat and run the installed Web Browser over a Tomcat's site is quite trivial. But we must be able to place work files on the temporary file directory or we can't use JSPs. I am not talking about a weird idea, it is something I am working on and with commercial interest. I even researched, found and tested (with very positive results) a java database (HypersonicSQL) to do the catalog thing. Have fun, Paulo Gaspar -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Hans Bergsten Sent: Sunday, January 14, 2001 22:05 The work directory will be moved inside the web application context /WEB-INF/ directory. [...] -1. It should be possible to configure Tomcat so that the work directory is located under /tmp, or any other standard OS location for temporary files. Besides, creating files under /WEB-INF will not work if we one day support running applications straight from the WAR file. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
Re: [PROPOSAL] Tomcat 4 SecurityManager implementation
At 12:46 14/1/01 -0600, Glenn Nielsen wrote:
Tomcat 4 Java SecurityManager Proposal
Tomcat 4 will require the Java SecurityManager, use of the
SecurityManager will be optional when Tomcat is embedded in
another application.
Why not always have it optional possibly determined by a system property
value ? This way you won't have people complainig about slow down if they
don't care about security ;) It will also be easier to integrate into other
products.
Setting policies for web application contexts
-
A web application has its security based on either the default grant in
tomcat.policy or an entry for the context which uses the Context path
file URL as the codeBase. This policy will be in affect for any Class running
within the Context thread no matter which ClassLoader loaded the class
which triggered a security check. A default permission to read files in
the Context path is granted.
// Default permissions for a Context, all contexts have these permissions
grant {
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";
};
// Additional Permissions for tomcat examples context
grant codeBase="file:${tomcat.home}/webapps/examples/- {
permission java.util.PropertyPermission "*", "read";
};
I have actually implemented something similar this in Avalon about 7 hours
ago checking it in. Avalon has notion of .sars (Server Application
Archives) which are very similar to .wars in idea. I was having some issues
with JVM wide policy which you advocate above so I started playing around
with a per-sar policy.
To do this I had to subclass SecureClassLoader (I did this via
URLClassLoader) and overide it's method
protected PermissionCollection getPermissions( final CodeSource codeSource );
I overode this to access a per-sar Policy object. If no policy was given it
would give full access to the system. As I was embedding policy information
in another file (an XML file) it looked something like
policy
!--
keystore name="foo-keystore"
location="file:${sar.home}${/}conf${/}keystore"
type="JKS" /
grant signed-by="Fred" code-base="file:${sar.home}/blocks/*"
key-store="foo-keystore"
permission class="java.io.FilePermission" target="/tmp/*"
action="read,write" /
/grant
--
grant code-base="file:${sar.home}${/}blocks${/}*"
permission class="java.security.AllPermission" /
/grant
grant code-base="file:${sar.home}${/}lib${/}*"
permission class="java.security.AllPermission" /
/grant
To do this I implemented AbstractPolicy (for generic facilities) and
SarPolicy (for configuring it from XML file). I have attached the relevent
classes just in case you are interested.
Future enhancements
---
See if it is possible and secure to let an individual
web application set its security policies in its own
policy file located in its /WEB-INF/ directory.
This is a great facility - when implementing the equivelent for Avalon I
found it vital for a usable system ;)
/*
* Copyright (C) The Apache Software Foundation. All rights reserved.
*
* This software is published under the terms of the Apache Software License
* version 1.1, a copy of which has been included with this distribution in
* the LICENSE file.
*/
package org.apache.avalon.engine;
import java.io.File;
import java.net.URL;
import java.net.MalformedURLException;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedExceptionAction;
import java.security.PrivilegedActionException;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.PropertyPermission;
import org.apache.avalon.util.io.FileUtil;
import org.apache.avalon.Component;
import org.apache.avalon.Loggable;
import org.apache.log.Logger;
/**
* Abstract policy extended in avalon.
*
* @author a href="mailto:[EMAIL PROTECTED]"Peter Donald/a
*/
public abstract class AbstractPolicy
extends Policy
implements Component, Loggable
{
protected final static boolean DEBUG = true;
protected final ArrayListm_entries = new ArrayList();
protected Logger m_logger;
/**
* Internal Policy Entry holder class.
*/
protected final static class PolicyEntry
{
CodeSource m_codeSource;
Permissions m_permissions;
}
public void setLogger( final Logger logger )
{
m_logger = logger;
}
/**
* Overide so we can have a per-application security policy
Re: [PROPOSAL] Tomcat 4 SecurityManager implementation
-0. Why not make it optional for standard use as well? If I use Tomcat for development only, I'm not concerned with security and don't want to mess with policy files. Same here. There's a switch for the naming features, and I think it should be the same with the security manager. Remy - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, email: [EMAIL PROTECTED]
Re: [PROPOSAL] Tomcat 4 SecurityManager implementation
Peter Donald wrote:
At 12:46 14/1/01 -0600, Glenn Nielsen wrote:
Tomcat 4 Java SecurityManager Proposal
Tomcat 4 will require the Java SecurityManager, use of the
SecurityManager will be optional when Tomcat is embedded in
another application.
Why not always have it optional possibly determined by a system property
value ? This way you won't have people complainig about slow down if they
don't care about security ;) It will also be easier to integrate into other
products.
Setting policies for web application contexts
-
A web application has its security based on either the default grant in
tomcat.policy or an entry for the context which uses the Context path
file URL as the codeBase. This policy will be in affect for any Class running
within the Context thread no matter which ClassLoader loaded the class
which triggered a security check. A default permission to read files in
the Context path is granted.
// Default permissions for a Context, all contexts have these permissions
grant {
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";
};
// Additional Permissions for tomcat examples context
grant codeBase="file:${tomcat.home}/webapps/examples/- {
permission java.util.PropertyPermission "*", "read";
};
I have actually implemented something similar this in Avalon about 7 hours
ago checking it in. Avalon has notion of .sars (Server Application
Archives) which are very similar to .wars in idea. I was having some issues
with JVM wide policy which you advocate above so I started playing around
with a per-sar policy.
To do this I had to subclass SecureClassLoader (I did this via
URLClassLoader) and overide it's method
protected PermissionCollection getPermissions( final CodeSource codeSource );
Duh! Somehow that method never popped out when I was looking at the URLClassLoader
class. That will make things even easier.
Your per application config below would work for Tomcat, but it would be nice
to see if a standard java policy file per web application could be used instead.
I overode this to access a per-sar Policy object. If no policy was given it
would give full access to the system. As I was embedding policy information
in another file (an XML file) it looked something like
policy
!--
keystore name="foo-keystore"
location="file:${sar.home}${/}conf${/}keystore"
type="JKS" /
grant signed-by="Fred" code-base="file:${sar.home}/blocks/*"
key-store="foo-keystore"
permission class="java.io.FilePermission" target="/tmp/*"
action="read,write" /
/grant
--
grant code-base="file:${sar.home}${/}blocks${/}*"
permission class="java.security.AllPermission" /
/grant
grant code-base="file:${sar.home}${/}lib${/}*"
permission class="java.security.AllPermission" /
/grant
To do this I implemented AbstractPolicy (for generic facilities) and
SarPolicy (for configuring it from XML file). I have attached the relevent
classes just in case you are interested.
Future enhancements
---
See if it is possible and secure to let an individual
web application set its security policies in its own
policy file located in its /WEB-INF/ directory.
This is a great facility - when implementing the equivelent for Avalon I
found it vital for a usable system ;)
--
Glenn Nielsen [EMAIL PROTECTED] | /* Spelin donut madder|
MOREnet System Programming | * if iz ina coment. |
Missouri Research and Education Network | */ |
--
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
