glenn 01/02/03 08:41:32
Added: catalina/docs tomcat-security-unix.html
Log:
Implement SecurityManager
Revision Changes Path
1.1 jakarta-tomcat-4.0/catalina/docs/tomcat-security-unix.html
Index: tomcat-security-unix.html
===================================================================
<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
<title>Tomcat SecurityManager setup with Unix</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="GENERATOR" content="Mozilla/4.7 [en] (X11; I; SunOS 5.7 i86pc)
[Netscape]">
</head>
<body text="#000000" bgcolor="#FFFFFF" link="#0000FF" vlink="#FF0000"
alink="#000088">
<h1>
Tomcat SecurityManager setup with Unix</h1>
<ul>
<li>
<a href="#config">Configuring Tomcat for use with a SecurityManager</a></li>
<li>
<a href="#start">Starting Tomcat with a SecurityManager</a></li>
<li>
<a href="#trouble">Trouble shooting catalina.policy configuration and Security
Violations</a></li>
</ul>
<h3>
<a NAME="config"></a>Configuring Tomcat for use with a SecurityManager</h3>
<b>catalina.policy</b>
<p>The security policies implemented by the Java SecurityManager are configured
in the <code>catalina.policy</code> file located in the tomcat <code>conf</code>
directory.
The <code>catalina.policy</code> file replaces any system <code>java.policy</code>
file. The
<code>catalina.policy</code> file can be edited by hand or you can use the
<a
href="http://java.sun.com/products/jdk/1.2/docs/tooldocs/solaris/policytool.html">policytool</a>
</b>application
that comes with Java 1.2.
<p>Entries in the <code>catalina.policy</code> file use the standard
<code>java.policy</code> file
format as follows:
<table BORDER=0 cellpadding=8 width="95%" bgcolor="#eeeeee">
<tr>
<td>
<pre>// Example policy file entry
grant [signedBy <signer> [,codeBase <code source>] {
permission <class> [<name> [, <action list>]];
};</pre>
</td>
</tr>
</table>
The <b>signedBy</b> and <b>codeBase </b>entries are optional when granting
permissions. Comment lines begin with <code>//</code> and end at a new line.
<p>The codeBase is in the form of a URL and for a file URL can use the
${java.home} and ${catalina.home} properties which are expanded out to the
directory paths defined for them.
<p>Default catalina.policy file
<table BORDER=0 cellpadding=8 width="95%" bgcolor="#eeeeee">
<tr>
<td>
<pre>
// ========== SYSTEM CODE PERMISSIONS =========================================
// These permissions apply to javac
grant codeBase "file:${java.home}/lib/-" {
permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/-" {
permission java.security.AllPermission;
};
// ========== CATALINA CODE PERMISSIONS =======================================
// These permissions apply to the server startup code, and the servlet API
// classes that are shared across all class loaders
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
permission java.security.AllPermission;
};
grant codeBase "file:${catalina.home}/bin/servlet.jar" {
permission java.security.AllPermission;
};
grant codeBase "file:${catalina.home}/bin/naming.jar" {
permission java.security.AllPermission;
};
// These permissions apply to the container's core code, plus any additional
// libraries installed in the "server" directory
grant codeBase "file:${catalina.home}/server/-" {
permission java.security.AllPermission;
};
// These permissions apply to all extension libraries (including Jasper,
// if present) installed in the "lib" directory
grant codeBase "file:${catalina.home}/lib/-" {
permission java.security.AllPermission;
};
// ========== WEB APPLICATION PERMISSIONS =====================================
// These permissions are granted by default to all web applications
// In addition, a web application will be given a read FilePermission
// for all files and directories in its document root.
grant {
permission java.util.PropertyPermission "java.version", "read";
permission java.util.PropertyPermission "java.vendor", "read";
permission java.util.PropertyPermission "java.vendor.url", "read";
permission java.util.PropertyPermission "java.class.version", "read";
permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.version", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";
permission java.util.PropertyPermission "java.specification.version", "read";
permission java.util.PropertyPermission "java.specification.vendor", "read";
permission java.util.PropertyPermission "java.specification.name", "read";
permission java.util.PropertyPermission "java.vm.specification.version", "read";
permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
permission java.util.PropertyPermission "java.vm.specification.name", "read";
permission java.util.PropertyPermission "java.vm.version", "read";
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";
permission java.io.FilePermission "jndi:/WEB-INF/-", "read";
};
// You can assign additional permissions to particular web applications by
// adding additional "grant" entries here, based on the code base for that
// application. For instance, assume that the standard "examples" application
// included a JDBC driver that needed to establish a network connection to the
// corresponding database. You might create a "grant" entry like this:
//
// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/-" {
// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// }
</pre>
</td>
</tr>
</table>
<h3>
<a NAME="start"></a>Starting Tomcat with a SecurityManager</h3>
Once you have configured the catalina.policy file for use
with a SecurityManager, Tomcat can be started with the SecurityManager
in place by using the "-security" option to bin/startup.sh.
<br>
<h2>
<a NAME="trouble"></a>Trouble shooting catalina.policy configuration and
Security Violations</h2>
You can turn on Java SecurityManager debug logging by settting the
environmental variable <code>CATALINA_OPTS=-Djava.security.debug=all</code>.
You will find the debug output in the log file <code>logs/catalina.out</code>.
</body>
</html>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
