On 09.08.2016 at 19:48, Mark Thomas wrote:
On 09/08/2016 18:29, Stefan Mayr wrote:
Hi,
two colleagues came with an idea that our new java platform should only
run signed code. In the java world I've only seen signed java applets.
From a bit of internet research it looks like any JAR, WAR or EAR can be
signed with jarsigner (maybe all zip files?).
Some sources indicate that this is supported or verified in WebLogic. So
how about Tomcat? Is there any verification of signed code or are there
any configuration flags to enable/enforce/disable this?
I would guess the signature is ignored. Am I wrong?
You are correct. Signatures on a WAR will be ignored.
https://bz.apache.org/bugzilla/show_bug.cgi?id=52489
I don't see a signature verification in the patch. But from the
description it might be enough to trigger the SecurityManager somehow.
I'm far from convinced that the proposed patch on that issue is sufficient.
I'm also not convinced that there is a standard for signing WARs. Some
authoritative references (i.e. to official Java SE or Java EE docs)
would be very helpful.
Mark
Specs are hard to find. For jars a nice description can be found in [1].
The servlet spec [2] mentions that "Web applications can be packaged and
signed into a Web ARchive format (WAR) file using the standard Java
archive tools." But when I ran over the servlet spec I did not find a
description of how the servlet container should handle signed war files. Or
is this delegated to the security manager? This is still a mystery to
me. Especially when I think of JSPs and their on-demand
compilation. What can be the magic phrase we should look for?
Stefan Mayr
[1]
http://docs.oracle.com/javase/8/docs/technotes/guides/jar/jar.html#Signed_JAR_File
[2]
http://download.oracle.com/otndocs/jcp/servlet-2.4-fr-spec-oth-JSpec/
see SRV.9.6
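
An added example, not part of the original thread and not Tomcat code: because the container ignores the signature, the check has to happen before deployment, and the standard `java.util.jar` API can do it. The class name, method names and the choice to pin a single signer certificate are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collections;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class SignedWarCheck {
    // True only if every content entry verifies and was signed with the pinned certificate.
    static boolean signedBy(String warPath, Certificate pinned) throws IOException {
        try (JarFile war = new JarFile(warPath, true)) { // true = verify while reading
            byte[] buf = new byte[8192];
            for (JarEntry entry : Collections.list(war.entries())) {
                if (entry.isDirectory() || isSignatureFile(entry.getName())) continue;
                // Signers are known only after a full read; a modified signed entry throws.
                try (InputStream in = war.getInputStream(entry)) {
                    while (in.read(buf) != -1) { }
                } catch (SecurityException tampered) {
                    return false;
                }
                if (!hasPinnedSigner(entry.getCodeSigners(), pinned)) return false;
            }
            return true;
        }
    }
    static boolean hasPinnedSigner(CodeSigner[] signers, Certificate pinned) {
        if (signers == null) return false; // unsigned entry, e.g. added after signing
        for (CodeSigner s : signers) {
            if (s.getSignerCertPath().getCertificates().get(0).equals(pinned)) return true;
        }
        return false;
    }
    // MANIFEST.MF and the signature files directly under META-INF are not signed themselves.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(java.util.Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) != -1) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.endsWith(".SF") || n.endsWith(".RSA")
            || n.endsWith(".DSA") || n.endsWith(".EC") || n.startsWith("META-INF/SIG-");
    }
    public static void main(String[] args) throws Exception {
        // args[0]: WAR to check; args[1]: signer certificate (X.509, PEM or DER)
        try (InputStream certIn = new FileInputStream(args[1])) {
            Certificate pinned = CertificateFactory.getInstance("X.509").generateCertificate(certIn);
            System.out.println(signedBy(args[0], pinned) ? "accepted" : "REJECTED");
        }
    }
}
```

Opening the archive with `verify=true` alone is not enough: unsigned entries are returned without error, which is why the example rejects any entry whose `getCodeSigners()` is null.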