Webmaster wrote:

Hi !


On Tue, 27 Jan 2004 12:14:16 -0500, Jeanfrancois Arcand <[EMAIL PROTECTED]> wrote:




From: Jeanfrancois Arcand <[EMAIL PROTECTED]>
Date: Tue, 27 Jan 2004 12:14:16 -0500
To: Tomcat Users List <[EMAIL PROTECTED]>
Subject: Re: Tomcat + Hibernate2 + Security Manager



Webmaster wrote:



Hi all,

I know this is a little bit out of topic, but the general concept is useful for everybody.

I run tomcat with security manager for a dozen users. Recently, people started to use the hibernate 2 which requires some funky permissions.

I had to put these lines in the 'global' permission to make it work:

grant {

...

permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission java.lang.RuntimePermission "defineCGLIBClassInJavaPackage";

...
}

Note: I DID test using a codebase like:

grant codeBase "file:/home//client/public_html/WEB-INF/lib/hibernate2.jar!/-" { ....

but the classes hibernate creates after reflection stop obeying the security manager.




Do you have the exception? Which Tomcat version are you using?



I'm using 4.1.29. The classes that hibernate creates dynamically are the ones that don't follow the codebase anymore, it's like they have a 'null' codebase after they are created.




Are there any security risks on a security setup with those 3 lines for all classes in the JVM ?




Yes. It will now allow a Servlet to "load" tomcat internal classes and "maybe" do malicious things.


Right now, my clients don't have permissions to read the classes in /server/lib directory ( I don't give file io permission to this directory, only to /common/lib ). Would that be enough to stop these malicious things ?


Yes. But you should only grant those permissions to the Hibernate jar files, not the entire folder.

-- Jeanfrancois





Thanks
Renato.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
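The 'null' codebase behaviour Renato describes, as an added example that is not part of the thread: a class defined through ClassLoader.defineClass() without an explicit ProtectionDomain receives the loader's default domain, whose CodeSource has no location, so a "grant codeBase" entry written for hibernate2.jar never matches it. The class and loader names below are invented for the demonstration.

```java
import java.io.InputStream;
import java.security.CodeSource;
import java.security.ProtectionDomain;

/* Added example, not code from the thread. Compares the ProtectionDomain of
 * a class loaded from disk with that of the same bytes re-defined at run time
 * the way a bytecode generator (CGLIB, in Hibernate 2) does it. */
public class GeneratedClassDomainDemo {

    /* Stand-in for a bytecode generator: the 4-argument defineClass assigns
     * the loader's default ProtectionDomain (CodeSource location == null).
     * The 5-argument overload, defineClass(name, b, off, len, pd), is what a
     * generator must use to keep the proxied class's codeBase. */
    static class GeneratingLoader extends ClassLoader {
        GeneratingLoader(ClassLoader parent) { super(parent); }

        Class<?> defineFromBytes(String name, byte[] bytes) {
            return defineClass(name, bytes, 0, bytes.length);
        }
    }

    /* Trivial class whose bytes are re-defined under a second loader,
     * standing in for a proxy class emitted at run time. */
    public static class Entity { }

    /* Reports the codeBase the policy engine would match against. */
    static String describe(Class<?> c) {
        ProtectionDomain pd = c.getProtectionDomain();
        CodeSource cs = pd.getCodeSource();
        Object location = (cs == null) ? null : cs.getLocation();
        return c.getName() + " codeBase=" + location;
    }

    public static void main(String[] args) throws Exception {
        // Read the compiled Entity class from its own (file:) code source.
        String resource = Entity.class.getName().replace('.', '/') + ".class";
        byte[] bytes;
        try (InputStream in = Entity.class.getClassLoader().getResourceAsStream(resource)) {
            bytes = in.readAllBytes();
        }
        GeneratingLoader loader =
            new GeneratingLoader(GeneratedClassDomainDemo.class.getClassLoader());
        Class<?> generated = loader.defineFromBytes(Entity.class.getName(), bytes);

        System.out.println("from disk : " + describe(Entity.class)); // file:/... location
        System.out.println("generated : " + describe(generated));    // codeBase=null
    }
}
```

Because the generated class carries no codeBase, only a global grant (or a generator that passes the proxied class's ProtectionDomain) makes the reflection permissions reach it, which is the trade-off the thread is weighing.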