glenn 01/04/24 21:14:06
Modified: catalina/src/conf catalina.policy
Log:
Java SecurityManager implementation changes
-------------------------------------------
Changed the naming convention for JNDI DirContextURL to
"jndi:/hostname/webappname/" and "jar:jndi:/hostname/webappname/...".
This works better with java.io.FilePermission.
Modified how permissions are granted to the codeBase for a
web application so that different permissions can be granted.
Permissions assigned to the root of a web application apply
to JSP pages. Different permissions can be assigned to the
/WEB-INF/classes/ directory, the /WEB-INF/lib/ directory,
or even to individual jar files in /WEB-INF/lib/. This allows
much finer control of permissions granted within a web
application.
Fixed Jasper so that it uses the correct codeBase for a
web application, it had been using the work dir instead
of the context dir for getting permissions from the
policy file.
Added more default read FilePermissions for classes
loaded from within a web application so that getResources()
works. Added:
"jndi:/hostname/webappname/-"
"jar:jndi:/hostname/webappname/WEB-INF/lib/-"
"file:/realcontextpath/-"
Revision Changes Path
1.10 +28 -11 jakarta-tomcat-4.0/catalina/src/conf/catalina.policy
Index: catalina.policy
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/conf/catalina.policy,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- catalina.policy 2001/04/11 21:32:50 1.9
+++ catalina.policy 2001/04/25 04:14:05 1.10
@@ -8,7 +8,7 @@
//
// * Read access to the document root directory
//
-// $Id: catalina.policy,v 1.9 2001/04/11 21:32:50 glenn Exp $
+// $Id: catalina.policy,v 1.10 2001/04/25 04:14:05 glenn Exp $
// ============================================================================
@@ -113,13 +113,8 @@
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";
- // Required for reading resources using JNDI lookup
- permission java.io.FilePermission "jndi:/-", "read";
- permission java.io.FilePermission "jar:jndi:/WEB-INF/lib/-", "read";
// Required for getting BeanInfo
permission java.lang.RuntimePermission "accessClassInPackage.sun.beans.*";
- // Requried for sending email
- permission java.io.FilePermission "${java.home}${/}lib${/}ext${/}mail.jar",
"read";
// Allow read of JAXP compliant XML parser debug
permission java.util.PropertyPermission "jaxp.debug", "read";
@@ -128,12 +123,34 @@
// You can assign additional permissions to particular web applications by
// adding additional "grant" entries here, based on the code base for that
-// application. For instance, assume that the standard "examples" application
+// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
+//
+// Different permissions can be granted to JSP pages, classes loaded from
+// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
+// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
+//
+// For instance, assume that the standard "examples" application
// included a JDBC driver that needed to establish a network connection to the
-// corresponding database. You might create a "grant" entry like this:
+// corresponding database and used the scrape taglib to get the weather from
+// the NOAA web server. You might create a "grant" entries like this:
//
-// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/-" {
+// The permissions granted to the context root directory apply to JSP pages.
+// grant codeBase "file:${catalina.home}/webapps/examples/-" {
// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
-// }
-
+// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
+//
+// };
+//
+// The permissions granted to the context WEB-INF/classes directory
+// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/classes/-" {
+// };
+//
+// The permission granted to your JDBC driver
+// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar" {
+// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
+// };
+// The permission granted to the scrape taglib
+// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar" {
+// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
+// };
