cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security SecurityConfig.java

2002-11-07 Thread jfarcand
jfarcand2002/11/07 14:52:25

  Modified:catalina/src/share/org/apache/catalina/security
SecurityConfig.java
  Log:
  By default (if catalina.properties is not found), protect org.apache.jasper 
instead of org.apache.jsp. org.apache.jsp should not be protected.
  
  Revision  ChangesPath
  1.5   +2 -2  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityConfig.java
  
  Index: SecurityConfig.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityConfig.java,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- SecurityConfig.java   4 Nov 2002 05:16:23 -   1.4
  +++ SecurityConfig.java   7 Nov 2002 22:52:25 -   1.5
   -76,7 +76,7 
   
   private final static String PACKAGE_ACCESS =  sun.,
   + org.apache.catalina. 
  -+ ,org.apache.jsp.
  ++ ,org.apache.jasper.
   + ,org.apache.coyote.
   + ,org.apache.tomcat.;
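Review bot: The `PACKAGE_ACCESS` fallback has no comment saying when it applies or why `org.apache.jsp.` is left out, so that reasoning exists only in the commit log. A comment above the constant, such as `// Fallback package.access list, used when catalina.properties could not be read; org.apache.jsp. is deliberately not listed.`, would stop a later edit from re-adding the entry. Nothing in the visible code ties this list to the one in conf/catalina.properties, so the two have to be kept in step by hand.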
   
   -84,7 +84,7 
   + ,org.apache.catalina. 
   + ,org.apache.coyote.
   + ,org.apache.tomcat.
  -+ ,org.apache.jsp.;
  ++ ,org.apache.jasper.;
   /**
* List of protected package from conf/catalina.properties
*/
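Review bot: `org.apache.jsp.` is also dropped from the `PACKAGE_DEFINITION` fallback in this hunk, but the log only argues that the package should not be access-protected. package.access and package.definition feed different SecurityManager checks (`checkPackageAccess` and `checkPackageDefinition`), so leaving a package accessible does not by itself settle whether code may define new classes in it. If the removal is intended, a one-line comment on the constant saying so would help; if it is not, keep `+ ",org.apache.jsp."` in the definition list and add `org.apache.jasper.` beside it. The start of the `PACKAGE_DEFINITION` declaration lies above this hunk.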
  
  
  





cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security SecurityConfig.java SecurityClassLoad.java

2002-11-03 Thread jfarcand
jfarcand2002/11/03 21:16:23

  Modified:catalina/src/share/org/apache/catalina/security
SecurityConfig.java SecurityClassLoad.java
  Log:
  Use the catalina.properties file to customize the package protection/access. This 
new security mechanism enables customization, at runtime, of which packages should be protected.
  
  The following packages will be protected by default:
  
  o.a.catalina
  o.a.jasper(*)
  o.a.coyote
  o.a.tomcat.util
  
  (*) Tomcat 5 is broken when a JSP uses a class from jsp20el.jar and the 
SecurityManager is turned on. Even if you remove all the protection, Tomcat fails to run the 
example properly.
  
  o.a.coyote.tomcat5 has been secured in order to support package protection.
  
  Revision  ChangesPath
  1.4   +48 -14
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityConfig.java
  
  Index: SecurityConfig.java
  ===
  RCS file: 
/home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityConfig.java,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- SecurityConfig.java   24 Oct 2002 02:43:20 -  1.3
  +++ SecurityConfig.java   4 Nov 2002 05:16:23 -   1.4
   -59,6 +59,7 
   package org.apache.catalina.security;
   
   import java.security.Security;
  +import org.apache.catalina.startup.CatalinaProperties;
   
   /**
* Util class to protect Catalina against package access and insertion.
   -68,27 +69,51 
*/
   public final class SecurityConfig{
   private static SecurityConfig singleton = null;
  +
  +private static org.apache.commons.logging.Log log=
  +org.apache.commons.logging.LogFactory.getLog( SecurityConfig.class );
  +
   
  -private final static String PACKAGE_ACCESS =  org.apache.catalina. 
  -+ ,org.apache.jasper.
  +private final static String PACKAGE_ACCESS =  sun.,
  ++ org.apache.catalina. 
   + ,org.apache.jsp.
  -+ ,org.apache.jk.;
  ++ ,org.apache.coyote.
  ++ ,org.apache.tomcat.;
   
  -private final static String PACKAGE_DEFINITION= java.
  +private final static String PACKAGE_DEFINITION= java.,sun.
   + ,org.apache.catalina. 
  -+ ,org.apache.jasper.
   + ,org.apache.coyote.
  -+ ,org.apache.jsp.
  -+ ,org.apache.jk.;
  ++ ,org.apache.tomcat.
  ++ ,org.apache.jsp.;
  +/**
  + * List of protected package from conf/catalina.properties
  + */
  +private String packageDefinition;
  +
  +
  +/**
  + * List of protected package from conf/catalina.properties
  + */
  +private String packageAccess; 
  +
  +
   /**
* Create a single instance of this class.
*/
  -private SecurityConfig(){   
  +private SecurityConfig(){  
  +try{
  +packageDefinition = 
CatalinaProperties.getProperty(package.definition);
  +packageAccess = CatalinaProperties.getProperty(package.access);
  +} catch (java.lang.Exception ex){
  +if (log.isDebugEnabled()){
  +log.debug(Unable to load properties using CatalinaProperties, 
ex); 
  +}
  +}
   }
   
   
   /**
  - * Retuens the singleton instance of that class.
  + * Returns the singleton instance of that class.
* return an instance of that class.
*/
   public static SecurityConfig newInstance(){
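Review bot: The new constructor catches `java.lang.Exception` and reports it only under `log.isDebugEnabled()`, so at a normal log level a failure to read catalina.properties silently replaces the operator's package lists with the built-in ones. Because these values feed package protection under the SecurityManager, the fallback should be visible to whoever runs the server: drop the debug guard and use `log.warn("Unable to load properties using CatalinaProperties, using built-in package lists", ex);`. The two new fields also carry identical Javadoc; `packageAccess` should say it holds the package.access list and `packageDefinition` the package.definition list. The constructor is complete within the hunk, while `newInstance()` continues below it.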
   -103,7 +128,12 
* Set the security package.access value.
*/
   public void setPackageAccess(){
  -setSecurityProperty(package.access, PACKAGE_ACCESS);
  +// If catalina.properties is missing, protect all by default.
  +if (packageAccess == null){
  +setSecurityProperty(package.access, PACKAGE_ACCESS);   
  +} else {
  +setSecurityProperty(package.access, packageAccess);   
  +}
   }
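Review bot: The comment `// If catalina.properties is missing, protect all by default.` overstates both sides of the branch. The test is `packageAccess == null`, which (per the constructor in the previous hunk) is also true when loading threw, and the fallback applies the fixed `PACKAGE_ACCESS` list rather than every package. Suggested wording: `// No package.access value was loaded from catalina.properties: fall back to the built-in list.` Only null triggers the fallback, so an empty value would be passed to `setSecurityProperty` unchanged; that helper is not visible here, so its handling of an empty list should be checked. The same comment is repeated in `setPackageDefinition()` in the next hunk, which is cut off on this page.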
   
   
   -111,7 +141,12 
* Set the security package.definition value.
*/
public void setPackageDefinition(){
  -setSecurityProperty(package.definition, PACKAGE_DEFINITION);
  +// If catalina.properties is missing, protect all by default.
  + if (packageDefinition == null){
  +

cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security SecurityConfig.java

2002-10-16 Thread jfarcand

jfarcand2002/10/16 13:05:29

  Added:   catalina/src/share/org/apache/catalina/security
SecurityConfig.java
  Log:
  Refactor Catalina.java and CatalinaService.java. Merge the security code into a 
single class.
  
  Revision  ChangesPath
  1.1  
jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/security/SecurityConfig.java
  
  Index: SecurityConfig.java
  ===
  /*
   * 
   *
   * The Apache Software License, Version 1.1
   *
   * Copyright (c) 1999 The Apache Software Foundation.  All rights
   * reserved.
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
   * are met:
   *
   * 1. Redistributions of source code must retain the above copyright
   *notice, this list of conditions and the following disclaimer.
   *
   * 2. Redistributions in binary form must reproduce the above copyright
   *notice, this list of conditions and the following disclaimer in
   *the documentation and/or other materials provided with the
   *distribution.
   *
   * 3. The end-user documentation included with the redistribution, if
   *any, must include the following acknowlegement:
   *   This product includes software developed by the
   *Apache Software Foundation (http://www.apache.org/).
   *Alternately, this acknowlegement may appear in the software itself,
   *if and wherever such third-party acknowlegements normally appear.
   *
   * 4. The names The Jakarta Project, Tomcat, and Apache Software
   *Foundation must not be used to endorse or promote products derived
   *from this software without prior written permission. For written
   *permission, please contact [EMAIL PROTECTED]
   *
   * 5. Products derived from this software may not be called Apache
   *nor may Apache appear in their names without prior written
   *permission of the Apache Group.
   *
   * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
   * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
   * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
   * DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
   * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
   * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
   * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
   * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
   * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
   * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
   * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   * SUCH DAMAGE.
   * 
   *
   * This software consists of voluntary contributions made by many
   * individuals on behalf of the Apache Software Foundation.  For more
   * information on the Apache Software Foundation, please see
   * http://www.apache.org/.
   *
   * [Additional notices, if required by prior licensing conditions]
   *
   */
  package org.apache.catalina.security;
  
  import java.security.Security;
  
  /**
   * Util class to protect Catalina against package access and insertion.
   * The code are been moved from Catalina.java
   * @author the Catalina.java authors
   * @author Jean-Francois Arcand
   */
  public final class SecurityConfig{
  private static SecurityConfig singleton = null;
  
  private final static String PACKAGE_ACCESS =  org.apache.catalina. 
  + ,org.apache.jasper.
  + ,org.apache.coyote.
  + ,org.apache.tomcat.;
  private final static String PACKAGE_DEFINITION= java.,
  + PACKAGE_ACCESS;
  /**
   * Create a single instance of this class.
   */
  private SecurityConfig(){   
  }
  
  
  /**
   * Retuens the singleton instance of that class.
   * @return an instance of that class.
   */
  public static SecurityConfig newInstance(){
  if (singleton == null){
  singleton = new SecurityConfig();
  }
  return singleton;
  }
  
  
  /**
   * Set the security package.access value.
   */
  public void setPackageAccess(){
  setSecurityProperty(package.access, PACKAGE_ACCESS);
  }
  
  
  /**
   * Set the security package.definition value.
   */
   public void setPackageDefinition(){
  setSecurityProperty(package.definition, PACKAGE_DEFINITION);
  }
   
   
  /**
   * Set the