[pkg-java] r2783 - in branches/tomcat5.5/feature/debian/debian: . policy
Marcus Better
marcusb-guest at alioth.debian.org
Wed Nov 22 11:50:32 CET 2006
Author: marcusb-guest
Date: 2006-11-22 11:50:31 +0100 (Wed, 22 Nov 2006)
New Revision: 2783
Added:
branches/tomcat5.5/feature/debian/debian/policy/50user.policy
Removed:
branches/tomcat5.5/feature/debian/debian/policy/99examples.policy
Modified:
branches/tomcat5.5/feature/debian/debian/README.Debian
branches/tomcat5.5/feature/debian/debian/policy/01system.policy
branches/tomcat5.5/feature/debian/debian/policy/02debian.policy
branches/tomcat5.5/feature/debian/debian/policy/03catalina.policy
branches/tomcat5.5/feature/debian/debian/policy/04webapps.policy
Log:
Update security policy from upstream. Add 50user.policy for user customizations.
Modified: branches/tomcat5.5/feature/debian/debian/README.Debian
===================================================================
--- branches/tomcat5.5/feature/debian/debian/README.Debian 2006-11-21 11:37:40 UTC (rev 2782)
+++ branches/tomcat5.5/feature/debian/debian/README.Debian 2006-11-22 10:50:31 UTC (rev 2783)
@@ -1,4 +1,4 @@
-Apache-Tomcat 5.5 for Debian
+Apache Tomcat 5.5 for Debian
============================
- The home directory (CATALINA_HOME) for Tomcat 5.5 (a.k.a. Catalina) is
@@ -40,7 +40,7 @@
browser to http://localhost:8180/ and testing some of the Servlet and JSP
examples. This requires installation of the tomcat5.5-webapps package.
-- You can install our own web applications as .war files or in extracted form
+- You can install your own web applications as .war files or in extracted form
into a subdirectory of /var/lib/tomcat5.5/webapps. The name of the WAR file
or subdirectory is the servlet context for this webapp.
@@ -49,15 +49,10 @@
conf, logs, webapps, work and temp. See RUNNING.txt for more about this.
- When Tomcat runs with a security manager, you can define the permissions
- for your servlets and JSPs in /etc/tomcat5.5/policy.d/*. All files in this
- directory are joined to create /etc/tomcat5.5/catalina.policy at startup.
+ for your servlets and JSPs in /etc/tomcat5.5/policy.d/. For
+ example, you can put your customizations in 50user.policy in this
+ directory.
- If your webapp does not work with the tomcat5.5 Debian package but works fine
- with the binary distribution from Jakarta, try to disable the security
- manager in /etc/default/tomcat5.5 first. If this works, add the required
- permissions in a new file in /etc/tomcat5.5/policy.d/ restart and re-enable
- the security manager.
-
- There is a webapp for basic web-based administration of Tomcat's webapps
in the tomcat5.5-admin package. You need to add one of the users in
/var/lib/tomcat5.5/conf/tomcat-users.xml to the manager role and probably
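Review bot: The rewritten security-manager paragraph in this hunk drops the sentence saying that all files in /etc/tomcat5.5/policy.d/ are joined to create /etc/tomcat5.5/catalina.policy at startup, so the README no longer explains why the policy files carry numeric prefixes or how 50user.policy relates to 01 through 04. I would keep that sentence next to the new pointer to 50user.policy. The same hunk also removes the troubleshooting advice about disabling the security manager in /etc/default/tomcat5.5; if that is intentional, the log message should mention it, since it currently only describes the policy update.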
@@ -80,6 +75,6 @@
home page at <http://tomcat.apache.org/index.html>.
- This package is heavily based on the great work of Stephan Gybas on
- the tomcat4 package
+ the tomcat4 package.
- -- Marcus Better <marcus at better.se>, Tue, 21 Nov 2006 11:01:41 +0100
+ -- Marcus Better <marcus at better.se>, Wed, 22 Nov 2006 11:49:16 +0100
Modified: branches/tomcat5.5/feature/debian/debian/policy/01system.policy
===================================================================
--- branches/tomcat5.5/feature/debian/debian/policy/01system.policy 2006-11-21 11:37:40 UTC (rev 2782)
+++ branches/tomcat5.5/feature/debian/debian/policy/01system.policy 2006-11-22 10:50:31 UTC (rev 2783)
@@ -1,5 +1,5 @@
// ============================================================================
-// catalina.policy - Security Policy Permissions for Tomcat 4.1
+// catalina.corepolicy - Security Policy Permissions for Tomcat 5
//
// This file contains a default set of security policies to be enforced (by the
// JVM) when Catalina is executed with the "-security" option. In addition
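Review bot: The new header line calls this file catalina.corepolicy, but the file being patched is 01system.policy, and the unchanged text below it still describes one policy file enforced with the "-security" option. Since this header is taken from upstream, a short Debian-specific line stating that this is a fragment under policy.d would save readers from looking for a file by the upstream name.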
@@ -8,6 +8,7 @@
//
// * Read access to the document root directory
//
+// $Id$
// ============================================================================
@@ -16,22 +17,21 @@
// These permissions apply to javac
grant codeBase "file:${java.home}/lib/-" {
- permission java.security.AllPermission;
+ permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/-" {
- permission java.security.AllPermission;
+ permission java.security.AllPermission;
};
-// These permissions apply to javac when ${java.home} points at $JAVA_HOME/jre
+// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/../lib/-" {
- permission java.security.AllPermission;
+ permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions when
// ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/lib/ext/-" {
- permission java.security.AllPermission;
+ permission java.security.AllPermission;
};
-
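Review bot: The changed comment above the third grant now reads `${java.home]` with a closing square bracket, where the removed line had the correct `${java.home}`. It sits in a comment, so the grants themselves are unaffected, but the old line should be kept as it was. Every other change in this hunk is whitespace on the AllPermission lines, which makes the one textual regression easy to miss.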
Modified: branches/tomcat5.5/feature/debian/debian/policy/02debian.policy
===================================================================
--- branches/tomcat5.5/feature/debian/debian/policy/02debian.policy 2006-11-21 11:37:40 UTC (rev 2782)
+++ branches/tomcat5.5/feature/debian/debian/policy/02debian.policy 2006-11-22 10:50:31 UTC (rev 2783)
@@ -5,4 +5,3 @@
grant codeBase "file:/usr/share/ant/lib/-" {
permission java.security.AllPermission;
};
-
Modified: branches/tomcat5.5/feature/debian/debian/policy/03catalina.policy
===================================================================
--- branches/tomcat5.5/feature/debian/debian/policy/03catalina.policy 2006-11-21 11:37:40 UTC (rev 2782)
+++ branches/tomcat5.5/feature/debian/debian/policy/03catalina.policy 2006-11-22 10:50:31 UTC (rev 2783)
@@ -1,5 +1,15 @@
// ========== CATALINA CODE PERMISSIONS =======================================
+// These permissions apply to the launcher code
+grant codeBase "file:${catalina.home}/bin/commons-launcher.jar" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to the daemon code
+grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
+ permission java.security.AllPermission;
+};
+
// These permissions apply to the commons-logging API
grant codeBase "file:${catalina.home}/bin/commons-logging-api.jar" {
permission java.security.AllPermission;
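Review bot: The two added grants give java.security.AllPermission to commons-launcher.jar and commons-daemon.jar under ${catalina.home}/bin, and nothing in this commit shows that the package installs those jars at that location. Please confirm the paths match what the package ships; if they do not, these are unused AllPermission entries that should be dropped or pointed at the real jar location.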
@@ -15,7 +25,7 @@
permission java.security.AllPermission;
};
-// These permissions apply to the JMX server
+// These permissions apply to JULI
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
permission java.security.AllPermission;
};
@@ -24,11 +34,11 @@
// and those that are shared across all class loaders
// located in the "common" directory
grant codeBase "file:${catalina.home}/common/-" {
- permission java.security.AllPermission;
+ permission java.security.AllPermission;
};
// These permissions apply to the container's core code, plus any additional
// libraries installed in the "server" directory
grant codeBase "file:${catalina.home}/server/-" {
- permission java.security.AllPermission;
+ permission java.security.AllPermission;
};
Modified: branches/tomcat5.5/feature/debian/debian/policy/04webapps.policy
===================================================================
--- branches/tomcat5.5/feature/debian/debian/policy/04webapps.policy 2006-11-21 11:37:40 UTC (rev 2782)
+++ branches/tomcat5.5/feature/debian/debian/policy/04webapps.policy 2006-11-22 10:50:31 UTC (rev 2783)
@@ -5,59 +5,50 @@
// In addition, a web application will be given a read FilePermission
// and JndiPermission for all files and directories in its document root.
grant {
- // Required for JNDI lookup of named JDBC DataSource's and
- // javamail named MimePart DataSource used to send mail
- permission java.util.PropertyPermission "java.home", "read";
- permission java.util.PropertyPermission "java.naming.*", "read";
- permission java.util.PropertyPermission "javax.sql.*", "read";
+ // Required for JNDI lookup of named JDBC DataSource's and
+ // javamail named MimePart DataSource used to send mail
+ permission java.util.PropertyPermission "java.home", "read";
+ permission java.util.PropertyPermission "java.naming.*", "read";
+ permission java.util.PropertyPermission "javax.sql.*", "read";
- // OS Specific properties to allow read access
- permission java.util.PropertyPermission "os.name", "read";
- permission java.util.PropertyPermission "os.version", "read";
- permission java.util.PropertyPermission "os.arch", "read";
- permission java.util.PropertyPermission "file.separator", "read";
- permission java.util.PropertyPermission "path.separator", "read";
- permission java.util.PropertyPermission "line.separator", "read";
+ // OS Specific properties to allow read access
+ permission java.util.PropertyPermission "os.name", "read";
+ permission java.util.PropertyPermission "os.version", "read";
+ permission java.util.PropertyPermission "os.arch", "read";
+ permission java.util.PropertyPermission "file.separator", "read";
+ permission java.util.PropertyPermission "path.separator", "read";
+ permission java.util.PropertyPermission "line.separator", "read";
- // JVM properties to allow read access
- permission java.util.PropertyPermission "java.version", "read";
- permission java.util.PropertyPermission "java.vendor", "read";
- permission java.util.PropertyPermission "java.vendor.url", "read";
- permission java.util.PropertyPermission "java.class.version", "read";
- permission java.util.PropertyPermission "java.specification.version", "read";
- permission java.util.PropertyPermission "java.specification.vendor", "read";
- permission java.util.PropertyPermission "java.specification.name", "read";
+ // JVM properties to allow read access
+ permission java.util.PropertyPermission "java.version", "read";
+ permission java.util.PropertyPermission "java.vendor", "read";
+ permission java.util.PropertyPermission "java.vendor.url", "read";
+ permission java.util.PropertyPermission "java.class.version", "read";
+ permission java.util.PropertyPermission "java.specification.version", "read";
+ permission java.util.PropertyPermission "java.specification.vendor", "read";
+ permission java.util.PropertyPermission "java.specification.name", "read";
- permission java.util.PropertyPermission "java.vm.specification.version", "read";
- permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
- permission java.util.PropertyPermission "java.vm.specification.name", "read";
- permission java.util.PropertyPermission "java.vm.version", "read";
- permission java.util.PropertyPermission "java.vm.vendor", "read";
- permission java.util.PropertyPermission "java.vm.name", "read";
+ permission java.util.PropertyPermission "java.vm.specification.version", "read";
+ permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
+ permission java.util.PropertyPermission "java.vm.specification.name", "read";
+ permission java.util.PropertyPermission "java.vm.version", "read";
+ permission java.util.PropertyPermission "java.vm.vendor", "read";
+ permission java.util.PropertyPermission "java.vm.name", "read";
- // Required for getting BeanInfo
- permission java.lang.RuntimePermission "accessClassInPackage.sun.beans";
- permission java.lang.RuntimePermission "accessClassInPackage.sun.beans.*";
+ // Required for OpenJMX
+ permission java.lang.RuntimePermission "getAttribute";
- // Required for sevlets and JSP's
- permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
- permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util.*";
- permission java.lang.RuntimePermission "defineClassInPackage.org.apache.catalina.util";
- permission java.lang.RuntimePermission "defineClassInPackage.org.apache.catalina.util.*";
+ // Allow read of JAXP compliant XML parser debug
+ permission java.util.PropertyPermission "jaxp.debug", "read";
- // Required for running servlets generated by JSPC
- permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
- permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
-
- // Required for MX4J
- permission java.lang.RuntimePermission "getAttribute";
-
- // Allow read of JAXP compliant XML parser debug
- permission java.util.PropertyPermission "jaxp.debug", "read";
+ // Precompiled JSPs need access to this package.
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
+
};
-// The permissions granted to the balancer WEB-INF/classes directory
-grant codeBase "file:/usr/share/tomcat5.5-webapps/balancer/WEB-INF/classes/-" {
- permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester";
- permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester.*";
+// The permissions granted to the balancer WEB-INF/classes and WEB-INF/lib directory
+grant codeBase "file:/usr/share/tomcat5.5-webapps/balancer/-" {
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester.*";
};
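Review bot: The balancer grant at the end of this hunk widens the codeBase from balancer/WEB-INF/classes/- to balancer/-, which covers the whole context root and not only the "WEB-INF/classes and WEB-INF/lib directory" the new comment names. The comments in 50user.policy state that permissions granted to the context root directory apply to JSP pages, so the digester package access now reaches the balancer JSPs as well. If only classes and libraries need it, use two grants scoped to WEB-INF/classes/- and WEB-INF/lib/-; otherwise correct the comment to say the grant covers the whole application. Separately, the global grant block loses the accessClassInPackage.sun.beans entries and the accessClassInPackage/defineClassInPackage entries for org.apache.catalina.util. That is a tightening, and it deserves a changelog line because webapps that relied on those permissions will start failing under the security manager.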
Added: branches/tomcat5.5/feature/debian/debian/policy/50user.policy
===================================================================
--- branches/tomcat5.5/feature/debian/debian/policy/50user.policy 2006-11-21 11:37:40 UTC (rev 2782)
+++ branches/tomcat5.5/feature/debian/debian/policy/50user.policy 2006-11-22 10:50:31 UTC (rev 2783)
@@ -0,0 +1,31 @@
+// You can assign additional permissions to particular web applications by
+// adding additional "grant" entries here, based on the code base for that
+// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
+//
+// Different permissions can be granted to JSP pages, classes loaded from
+// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
+// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
+//
+// For instance, assume that the standard "examples" application
+// included a JDBC driver that needed to establish a network connection to the
+// corresponding database and used the scrape taglib to get the weather from
+// the NOAA web server. You might create a "grant" entries like this:
+//
+// The permissions granted to the context root directory apply to JSP pages.
+// grant codeBase "file:${catalina.home}/webapps/examples/-" {
+// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
+// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
+// };
+//
+// The permissions granted to the context WEB-INF/classes directory
+// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/classes/-" {
+// };
+//
+// The permission granted to your JDBC driver
+// grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
+// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
+// };
+// The permission granted to the scrape taglib
+// grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
+// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
+// };
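Review bot: The commented-out example grants in this new user-facing file use ${catalina.home}/webapps/examples/ as the codeBase, while README.Debian in the same commit tells users to install webapps under /var/lib/tomcat5.5/webapps and 04webapps.policy uses /usr/share/tomcat5.5-webapps/ for the packaged balancer. A user who uncomments the template as written may end up with a grant that matches no code, so the examples should use the paths this package actually uses. Two smaller points in the same text: "You might create a "grant" entries like this" should read "You might create "grant" entries like this", and the scrape taglib comment is missing the "//" separator line that precedes the other examples.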
Deleted: branches/tomcat5.5/feature/debian/debian/policy/99examples.policy
===================================================================
--- branches/tomcat5.5/feature/debian/debian/policy/99examples.policy 2006-11-21 11:37:40 UTC (rev 2782)
+++ branches/tomcat5.5/feature/debian/debian/policy/99examples.policy 2006-11-22 10:50:31 UTC (rev 2783)
@@ -1,32 +0,0 @@
-// You can assign additional permissions to particular web applications by
-// adding additional "grant" entries here, based on the code base for that
-// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
-//
-// Different permissions can be granted to JSP pages, classes loaded from
-// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
-// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
-//
-// For instance, assume that the standard "examples" application
-// included a JDBC driver that needed to establish a network connection to the
-// corresponding database and used the scrape taglib to get the weather from
-// the NOAA web server. You might create a "grant" entries like this:
-//
-// The permissions granted to the context root directory apply to JSP pages.
-// grant codeBase "file:${catalina.home}/webapps/examples/-" {
-// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
-// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
-// };
-//
-// The permissions granted to the context WEB-INF/classes directory
-// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/classes/-" {
-// };
-//
-// The permission granted to your JDBC driver
-// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
-// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
-// };
-// The permission granted to the scrape taglib
-// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
-// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
-// };
-