Webmaster wrote:

Hi all,

I know this is a little bit off topic, but the general concept is useful for everybody.

I run Tomcat with a security manager for a dozen users. Recently, people started to use Hibernate 2, which requires some funky permissions.

I had to put these lines in the 'global' permission to make it work:

grant {

...

 permission java.lang.RuntimePermission "accessDeclaredMembers";
 permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
 permission java.lang.RuntimePermission "defineCGLIBClassInJavaPackage";

...
}

Note: I DID test using a codebase like:

grant codeBase "file:/home//client/public_html/WEB-INF/lib/hibernate2.jar!/-" { ....

but the classes hibernate creates after reflection stop obeying the security manager.


Do you have the exception? Which Tomcat version are you using?


Are there any security risks in a security setup with those 3 lines for all classes in the JVM?



Yes. It will now allow a Servlet to "load" tomcat internal classes and "maybe" do malicious things.


-- Jeanfrancois


Thanks
Renato.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
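
The concern raised in this thread is that the three permissions sit in a grant block with no codeBase, so they apply to every class in the JVM. The following is an added example, not code from the thread or from Tomcat: a small Python audit that reports where those three permissions are granted in a policy file and whether the grant is global. The function names, the sample policy and its paths are constructed for this illustration.

```python
import re

# The three permissions discussed in the thread, as (class, target) pairs.
RISKY = {
    ("java.lang.RuntimePermission", "accessDeclaredMembers"),
    ("java.lang.reflect.ReflectPermission", "suppressAccessChecks"),
    ("java.lang.RuntimePermission", "defineCGLIBClassInJavaPackage"),
}
# Quote-aware patterns: "${catalina.base}" inside a string must not end a block.
GRANT_RE = re.compile(r'\bgrant\b((?:"[^"]*"|[^{"])*)\{((?:"[^"]*"|[^}"])*)\}', re.I)
PERM_RE = re.compile(r'\bpermission\s+([\w.$]+)(?:\s+"([^"]*)")?', re.I)
TOKEN_RE = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*', re.S)

# Constructed sample policy (paths are made up for this example).
SAMPLE_POLICY = r'''
// global grant, as in the thread
grant {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission java.util.PropertyPermission "java.version", "read";
};
/* grant limited to one jar */
grant codeBase "file:${catalina.base}/webapps/example/WEB-INF/lib/hibernate2.jar" {
    permission java.lang.RuntimePermission "defineCGLIBClassInJavaPackage";
    permission java.io.FilePermission "${catalina.base}/logs/-", "read";
};
'''

def strip_comments(text):
    """Drop // and /* */ comments but leave quoted strings (file:// URLs) alone."""
    return TOKEN_RE.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)

def audit_policy(text):
    """Return one finding per risky permission, noting whether its grant is global."""
    findings = []
    for header, body in GRANT_RE.findall(strip_comments(text)):
        codebase = re.search(r'\bcodeBase\s+"([^"]*)"', header, re.I)
        scoped = codebase or re.search(r"\b(signedBy|principal)\b", header, re.I)
        for cls, target in PERM_RE.findall(body):
            if (cls, target) in RISKY:
                findings.append({
                    "global": not scoped,  # no codeBase/signedBy/principal
                    "codeBase": codebase.group(1) if codebase else None,
                    "permission": f'{cls} "{target}"',
                })
    return findings

if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print("GLOBAL" if f["global"] else f["codeBase"], "->", f["permission"])
```
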





