In the same way the SecurityManager protects you from an untrusted applet running in your browser, use of a SecurityManager while running Tomcat can protect your server from trojan servlets, JSP's, JSP beans, and tag libraries. Or even inadvertent mistakes.
Imagine if someone who is authorized to publish JSP's on your site invadvertently included the following in their JSP:
<% System.exit(1); %>
Every time that JSP was executed by Tomcat, Tomcat would exit.
Using the Java SecurityManager is just one more line of defense a system administrator can use to keep the server secure and reliable.
Still, running with a SecurityManager is definitely better than running
without one.
This is just a short summary of the System SecurityManager Permission classes applicable to Tomcat. Please refer to the JDK documentation for more information on using the below Permissions.
java.util.PropertyPermission
Controls read/write access to JVM properties such
as java.home.
java.lang.RuntimePermission
Controls use of some System/Runtime functions like
exit() and exec().
java.io.FilePermission
Controls read/write/execute access to files and
directories.
java.net.SocketPermission
Controls use of network sockets.
java.net.NetPermission
Controls use of multicast network connections.
java.lang.reflect.ReflectPermission
Controls use of reflection to do class introspection.
java.security.SecurityPermission
Controls access to Security methods.
java.security.AllPermission
Allows access to all permissions, just as if you
were running Tomcat without a SecurityManager.
The security policies implemented by the Java SecurityManager are configured in the tomcat.policy file located in the tomcat conf directory. The tomcat.policy file replaces any system java.policy file. The tomcat.policy file can be edited by hand or you can use the policytool application that comes with Java 1.2.
Entries in the tomcat.policy file use the standard java.policy file format as follows:
// Example policy file entry
grant [signedBy <signer> [,codeBase <code source>] {
permission <class> [<name> [, <action list>]];
};
|
The codeBase is in the form of a URL and for a file URL can use the ${java.home} and ${tomcat.home} properties which are expanded out to the directory paths defined for them.
Default tomcat.policy file
// Permissions for tomcat.
// javac needs this
grant codeBase "file:${java.home}/lib/-" {
permission java.security.AllPermission;
};
// Tomcat gets all permissions
grant codeBase "file:${tomcat.home}/lib/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${tomcat.home}/classes/-" {
permission java.security.AllPermission;
};
// Example webapp policy
// By default we grant read access on webapp dir
// and read of the line.separator PropertyPermission
grant codeBase "file:${tomcat.home}/webapps/examples" {
permission java.net.SocketPermission "localhost:1024-","listen";
permission java.util.PropertyPermission "*","read";
};
|
Here is an example where in addition to the above, we want to grant the examples web application the ability to connect to the localhost smtp port so that it can send mail.
grant codeBase "file:${tomcat.home}/webapps/examples" {
permission java.net.SocketPermission "localhost:25","connect";
permission java.net.SocketPermission "localhost:1024","listen";
permission java.util.PropertyPermission "*","read";
};
|
grant {
permission java.net.SocketPermission "localhost:1024","listen";
permission java.util.PropertyPermission "*","read";
};
|
// Permissions for tomcat.
// javac needs this
grant codeBase "file:${java.home}/lib/-" {
permission java.security.AllPermission;
};
// Tomcat with IP filtering
grant codeBase "file:${tomcat.home}/lib/-" {
// Tomcat should be able to read/write all properties
permission java.util.PropertyPermission "*","read,write";
// Tomcat needs to be able to read files in its own directory
permission java.io.FilePermission "${tomcat.home}/-","read";
// Tomcat has to be able to write its logs
permission java.io.FilePermission "${tomcat.home}/logs/-","read,write";
// Tomcat has to be able to write to the conf directory
permission java.io.FilePermission "${tomcat.home}/conf/-","read,write";
// Tomcat has to be able to compile JSP's
permission java.io.FilePermission "${tomcat.home}/work/-","read,write,delete";
// Tomcat needs all the RuntimePermission's
permission java.lang.RuntimePermission "*";
// Needed so Tomcat can set security policy for a Context
permission java.security.SecurityPermission "*";
// Needed so that Tomcat will accept connections from a remote web server
// Replace XXX.XXX.XXX.XXX with the IP address of the remote web server
permission java.net.SocketPermission "XXX.XXX.XXX.XXX:1024-","accept,listen,resolve";
// Tomcat has to be able to use its port on the localhost
permission java.net.SocketPermission "localhost:1024-","connect,accept,listen,resolve";
};
// Example webapp policy
// By default we grant read access on webapp dir
// and read of the line.separator PropertyPermission
grant codeBase "file:${tomcat.home}/webapps/examples" {
permission java.net.SocketPermission "localhost:1024-","listen";
permission java.util.PropertyPermission "*","read";
};
|
server.xml
Uncomment out the entry in server.xml for the ContextInterceptor which
defines the class named PolicyInterceptor.
Check your JAVA_HOME/jre/lib/security/java.security file configuration. Comment out the line "package.access=sun.".
JSP Compile using JVM internal javac fails with AccessControlException for FilePermission read of tomcat work directory.
Try defining an absolute path for the codeBase needed in the policy grant for java itself instead of the ${java.home} property.
// javac needs this
grant codeBase "file:/usr/java/lib/-" {
permission java.security.AllPermission;
};