Permalink
Browse files

#3950 created security policy

  • Loading branch information...
1 parent d60cce4 commit 3a629cb6eb20daeb93748e6ba657fbde883edcfc @ddossot ddossot committed Nov 2, 2013
Showing with 279 additions and 0 deletions.
  1. +273 −0 src/misc/catalina.policy
  2. +6 −0 tomcat-distribution-assembly.xml
View
@@ -0,0 +1,273 @@
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// ============================================================================
+// catalina.policy - Security Policy Permissions for Tomcat 7
+//
+// This file contains a default set of security policies to be enforced (by the
+// JVM) when Catalina is executed with the "-security" option. In addition
+// to the permissions granted here, the following additional permissions are
+// granted to each web application:
+//
+// * Read access to the web application's document root directory
+// * Read, write and delete access to the web application's working directory
+//
+// $Id: catalina.policy 1460221 2013-03-23 20:17:29Z kkolinko $
+// ============================================================================
+
+
+// ========== SYSTEM CODE PERMISSIONS =========================================
+
+
+// These permissions apply to javac
+grant codeBase "file:${java.home}/lib/-" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to all shared system extensions
+grant codeBase "file:${java.home}/jre/lib/ext/-" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
+grant codeBase "file:${java.home}/../lib/-" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to all shared system extensions when
+// ${java.home} points at $JAVA_HOME/jre
+grant codeBase "file:${java.home}/lib/ext/-" {
+ permission java.security.AllPermission;
+};
+
+
+// ========== CATALINA CODE PERMISSIONS =======================================
+
+
+// These permissions apply to the daemon code
+grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to the logging API
+// Note: If tomcat-juli.jar is in ${catalina.base} and not in ${catalina.home},
+// update this section accordingly.
+// grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {..}
+grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
+ permission java.io.FilePermission
+ "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
+
+ permission java.io.FilePermission
+ "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
+ permission java.io.FilePermission
+ "${catalina.base}${file.separator}logs", "read, write";
+ permission java.io.FilePermission
+ "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
+
+ permission java.lang.RuntimePermission "shutdownHooks";
+ permission java.lang.RuntimePermission "getClassLoader";
+ permission java.lang.RuntimePermission "setContextClassLoader";
+
+ permission java.util.logging.LoggingPermission "control";
+
+ permission java.util.PropertyPermission "java.util.logging.config.class", "read";
+ permission java.util.PropertyPermission "java.util.logging.config.file", "read";
+ permission java.util.PropertyPermission "catalina.base", "read";
+
+ // Note: To enable per context logging configuration, permit read access to
+ // the appropriate file. Be sure that the logging configuration is
+ // secure before enabling such access.
+ // E.g. for the examples web application (uncomment and unwrap
+ // the following to be on a single line):
+ // permission java.io.FilePermission "${catalina.base}${file.separator}
+ // webapps${file.separator}examples${file.separator}WEB-INF
+ // ${file.separator}classes${file.separator}logging.properties", "read";
+};
+
+// These permissions apply to the server startup code
+grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to the servlet API classes
+// and those that are shared across all class loaders
+// located in the "lib" directory
+grant codeBase "file:${catalina.home}/lib/-" {
+ permission java.security.AllPermission;
+};
+
+
+// If using a per instance lib directory, i.e. ${catalina.base}/lib,
+// then the following permission will need to be uncommented
+// grant codeBase "file:${catalina.base}/lib/-" {
+// permission java.security.AllPermission;
+// };
+
+
+// ========== WEB APPLICATION PERMISSIONS =====================================
+
+
+// These permissions are granted by default to all web applications
+// In addition, a web application will be given a read FilePermission
+// and JndiPermission for all files and directories in its document root.
+grant {
+ // Required for JNDI lookup of named JDBC DataSource's and
+ // javamail named MimePart DataSource used to send mail
+ permission java.util.PropertyPermission "java.home", "read";
+ permission java.util.PropertyPermission "java.naming.*", "read";
+ permission java.util.PropertyPermission "javax.sql.*", "read";
+
+ // OS Specific properties to allow read access
+ permission java.util.PropertyPermission "os.name", "read";
+ permission java.util.PropertyPermission "os.version", "read";
+ permission java.util.PropertyPermission "os.arch", "read";
+ permission java.util.PropertyPermission "file.separator", "read";
+ permission java.util.PropertyPermission "path.separator", "read";
+ permission java.util.PropertyPermission "line.separator", "read";
+
+ // JVM properties to allow read access
+ permission java.util.PropertyPermission "java.version", "read";
+ permission java.util.PropertyPermission "java.vendor", "read";
+ permission java.util.PropertyPermission "java.vendor.url", "read";
+ permission java.util.PropertyPermission "java.class.version", "read";
+ permission java.util.PropertyPermission "java.specification.version", "read";
+ permission java.util.PropertyPermission "java.specification.vendor", "read";
+ permission java.util.PropertyPermission "java.specification.name", "read";
+
+ permission java.util.PropertyPermission "java.vm.specification.version", "read";
+ permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
+ permission java.util.PropertyPermission "java.vm.specification.name", "read";
+ permission java.util.PropertyPermission "java.vm.version", "read";
+ permission java.util.PropertyPermission "java.vm.vendor", "read";
+ permission java.util.PropertyPermission "java.vm.name", "read";
+
+ // Required for OpenJMX
+ permission java.lang.RuntimePermission "getAttribute";
+
+ // Allow read of JAXP compliant XML parser debug
+ permission java.util.PropertyPermission "jaxp.debug", "read";
+
+ // All JSPs need to be able to read this package
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat";
+
+ // Precompiled JSPs need access to these packages.
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
+ permission java.lang.RuntimePermission
+ "accessClassInPackage.org.apache.jasper.runtime.*";
+
+ // Precompiled JSPs need access to these system properties.
+ permission java.util.PropertyPermission
+ "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
+ permission java.util.PropertyPermission
+ "org.apache.el.parser.COERCE_TO_ZERO", "read";
+
+ // The cookie code needs these.
+ permission java.util.PropertyPermission
+ "org.apache.catalina.STRICT_SERVLET_COMPLIANCE", "read";
+ permission java.util.PropertyPermission
+ "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING", "read";
+ permission java.util.PropertyPermission
+ "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR", "read";
+
+ // Applications using Comet need to be able to access this package
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.comet";
+
+ // Applications using WebSocket need to be able to access this package
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.websocket";
+};
+
+
+// The Manager application needs access to the following packages to support the
+// session display functionality. These settings support the following
+// configurations:
+// - default CATALINA_HOME == CATALINA_BASE
+// - CATALINA_HOME != CATALINA_BASE, per instance Manager in CATALINA_BASE
+// - CATALINA_HOME != CATALINA_BASE, shared Manager in CATALINA_HOME
+grant codeBase "file:${catalina.base}/webapps/manager/-" {
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
+};
+grant codeBase "file:${catalina.home}/webapps/manager/-" {
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
+};
+
+// You can assign additional permissions to particular web applications by
+// adding additional "grant" entries here, based on the code base for that
+// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
+//
+// Different permissions can be granted to JSP pages, classes loaded from
+// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
+// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
+//
+// For instance, assume that the standard "examples" application
+// included a JDBC driver that needed to establish a network connection to the
+// corresponding database and used the scrape taglib to get the weather from
+// the NOAA web server. You might create a "grant" entries like this:
+//
+// The permissions granted to the context root directory apply to JSP pages.
+// grant codeBase "file:${catalina.base}/webapps/examples/-" {
+// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
+// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
+// };
+//
+// The permissions granted to the context WEB-INF/classes directory
+// grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" {
+// };
+//
+// The permission granted to your JDBC driver
+// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
+// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
+// };
+// The permission granted to the scrape taglib
+// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
+// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
+// };
+
+// ========== RSB CODE PERMISSIONS =========================================
+grant codeBase "file:${catalina.home}/webapps/rsb/-" {
+ permission java.lang.RuntimePermission "accessClassInPackage.com.sun.jmx.mbeanserver";
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.rmi.registry";
+ permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.RuntimePermission "getenv.spring.liveBeansView.mbeanDomain";
+ permission java.lang.RuntimePermission "getClassLoader";
+ permission java.lang.RuntimePermission "getFileSystemAttributes";
+ permission java.lang.RuntimePermission "modifyThread";
+ permission java.lang.RuntimePermission "setContextClassLoader";
+
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+
+ permission java.util.PropertyPermission "*", "read";
+ permission java.util.PropertyPermission "org.apache.*", "write";
+
+ permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
+
+ permission java.net.SocketPermission "localhost:*", "listen,connect,accept,resolve";
+
+ permission javax.management.MBeanServerPermission "findMBeanServer";
+ permission javax.management.MBeanServerPermission "createMBeanServer";
+ permission javax.management.MBeanTrustPermission "register";
+ permission javax.management.MBeanPermission "*", "registerMBean,unregisterMBean,invoke";
+
+ permission javax.xml.ws.WebServicePermission "*";
+};
+
@@ -45,6 +45,7 @@
<exclude>webapps/examples/**</exclude>
<exclude>webapps/ROOT/favicon.ico</exclude>
<exclude>conf/tomcat-users.xml</exclude>
+ <exclude>conf/catalina.policy</exclude>
</excludes>
<fileMode>0644</fileMode>
</fileSet>
@@ -83,6 +84,11 @@
<outputDirectory>/conf</outputDirectory>
<fileMode>0644</fileMode>
</file>
+ <file>
+ <source>src/misc/catalina.policy</source>
+ <outputDirectory>/conf</outputDirectory>
+ <fileMode>0644</fileMode>
+ </file>
<file>
<source>LICENSE</source>
<outputDirectory>/</outputDirectory>

0 comments on commit 3a629cb

Please sign in to comment.