1// Licensed to the Apache Software Foundation (ASF) under one or more
2// contributor license agreements. See the NOTICE file distributed with
3// this work for additional information regarding copyright ownership.
4// The ASF licenses this file to You under the Apache License, Version 2.0
5// (the "License"); you may not use this file except in compliance with
6// the License. You may obtain a copy of the License at
7//
8// http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15
16// ============================================================================
17// catalina.policy - Security Policy Permissions for Tomcat 7
18//
19// This file contains a default set of security policies to be enforced (by the
20// JVM) when Catalina is executed with the "-security" option. In addition
21// to the permissions granted here, the following additional permissions are
22// granted to each web application:
23//
24// * Read access to the web application's document root directory
25// * Read, write and delete access to the web application's working directory
26// ============================================================================
27
28
29// ========== SYSTEM CODE PERMISSIONS =========================================
30
31
32// These permissions apply to javac
33grant codeBase "file:${java.home}/lib/-" {
34 permission java.security.AllPermission;
35};
36
37// These permissions apply to all shared system extensions
38grant codeBase "file:${java.home}/jre/lib/ext/-" {
39 permission java.security.AllPermission;
40};
41
42// These permissions apply to javac when ${java.home} points at $JAVA_HOME/jre
43grant codeBase "file:${java.home}/../lib/-" {
44 permission java.security.AllPermission;
45};
46
47// These permissions apply to all shared system extensions when
48// ${java.home} points at $JAVA_HOME/jre
49grant codeBase "file:${java.home}/lib/ext/-" {
50 permission java.security.AllPermission;
51};
52
53
54// ========== CATALINA CODE PERMISSIONS =======================================
55
56
57// These permissions apply to the daemon code
58grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
59 permission java.security.AllPermission;
60};
61
62// These permissions apply to the logging API
63// Note: If tomcat-juli.jar is in ${catalina.base} and not in ${catalina.home},
64// update this section accordingly.
65// grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {..}
66grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
67 permission java.io.FilePermission
68 "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
69
70 permission java.io.FilePermission
71 "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
72 permission java.io.FilePermission
73 "${catalina.base}${file.separator}logs", "read, write";
74 permission java.io.FilePermission
75 "${catalina.base}${file.separator}logs${file.separator}*", "read, write, delete";
76
77 permission java.lang.RuntimePermission "shutdownHooks";
78 permission java.lang.RuntimePermission "getClassLoader";
79 permission java.lang.RuntimePermission "setContextClassLoader";
80
81 permission java.util.logging.LoggingPermission "control";
82
83 permission java.util.PropertyPermission "java.util.logging.config.class", "read";
84 permission java.util.PropertyPermission "java.util.logging.config.file", "read";
85 permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read";
86 permission java.util.PropertyPermission "catalina.base", "read";
87
88 // Note: To enable per context logging configuration, permit read access to
89 // the appropriate file. Be sure that the logging configuration is
90 // secure before enabling such access.
91 // E.g. for the examples web application (uncomment and unwrap
92 // the following to be on a single line):
93 // permission java.io.FilePermission "${catalina.base}${file.separator}
94 // webapps${file.separator}examples${file.separator}WEB-INF
95 // ${file.separator}classes${file.separator}logging.properties", "read";
96};
97
98// These permissions apply to the server startup code
99grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
100 permission java.security.AllPermission;
101};
102
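103// These permissions apply to the servlet API classes and to the classes that
104// are shared across all class loaders, located in the "lib" directory. Every
105// JAR placed there runs with AllPermission, so restrict write access to that directory.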
106grant codeBase "file:${catalina.home}/lib/-" {
107 permission java.security.AllPermission;
108};
109
110
111// If using a per-instance lib directory, i.e. ${catalina.base}/lib, then the
112// following grant must be uncommented. It gives AllPermission to every JAR in that directory.
113// grant codeBase "file:${catalina.base}/lib/-" {
114// permission java.security.AllPermission;
115// };
116
117
118// ========== WEB APPLICATION PERMISSIONS =====================================
119
120
121// These permissions are granted by default to all web applications (the grant
122// names no codeBase, so it applies to all code). In addition, a web application
123// is given a read FilePermission and JndiPermission for all files and directories in its document root.
124grant {
125 // Required for JNDI lookup of named JDBC DataSources and
126 // javamail named MimePart DataSource used to send mail
127 permission java.util.PropertyPermission "java.home", "read";
128 permission java.util.PropertyPermission "java.naming.*", "read";
129 permission java.util.PropertyPermission "javax.sql.*", "read";
130
131 // OS Specific properties to allow read access
132 permission java.util.PropertyPermission "os.name", "read";
133 permission java.util.PropertyPermission "os.version", "read";
134 permission java.util.PropertyPermission "os.arch", "read";
135 permission java.util.PropertyPermission "file.separator", "read";
136 permission java.util.PropertyPermission "path.separator", "read";
137 permission java.util.PropertyPermission "line.separator", "read";
138
139 // JVM properties to allow read access
140 permission java.util.PropertyPermission "java.version", "read";
141 permission java.util.PropertyPermission "java.vendor", "read";
142 permission java.util.PropertyPermission "java.vendor.url", "read";
143 permission java.util.PropertyPermission "java.class.version", "read";
144 permission java.util.PropertyPermission "java.specification.version", "read";
145 permission java.util.PropertyPermission "java.specification.vendor", "read";
146 permission java.util.PropertyPermission "java.specification.name", "read";
147
148 permission java.util.PropertyPermission "java.vm.specification.version", "read";
149 permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
150 permission java.util.PropertyPermission "java.vm.specification.name", "read";
151 permission java.util.PropertyPermission "java.vm.version", "read";
152 permission java.util.PropertyPermission "java.vm.vendor", "read";
153 permission java.util.PropertyPermission "java.vm.name", "read";
154
155 // Required for OpenJMX
156 permission java.lang.RuntimePermission "getAttribute";
157
158 // Allow read of JAXP compliant XML parser debug
159 permission java.util.PropertyPermission "jaxp.debug", "read";
160
161 // All JSPs need to be able to read this package
162 permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat";
163
164 // Precompiled JSPs need access to these packages.
165 permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
166 permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
167 permission java.lang.RuntimePermission
168 "accessClassInPackage.org.apache.jasper.runtime.*";
169
170 // Precompiled JSPs need access to these system properties.
171 permission java.util.PropertyPermission
172 "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
173 permission java.util.PropertyPermission
174 "org.apache.el.parser.COERCE_TO_ZERO", "read";
175
176 // The cookie code needs these.
177 permission java.util.PropertyPermission
178 "org.apache.catalina.STRICT_SERVLET_COMPLIANCE", "read";
179 permission java.util.PropertyPermission
180 "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING", "read";
181 permission java.util.PropertyPermission
182 "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR", "read";
183
184 // Applications using Comet need to be able to access this package
185 permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.comet";
186
187 // Applications using the legacy WebSocket implementation need to be able to access this package
188 permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.websocket";
189
190 // Applications using the JSR-356 WebSocket implementation need to be able to access these packages
191 permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket";
192 permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket.server";
193};
194
195
196// The Manager application needs access to the following packages to support the
197// session display functionality. It also requires the custom Tomcat
198// DeployXmlPermission to enable the use of META-INF/context.xml.
199// These settings support the following configurations:
200// - default CATALINA_HOME == CATALINA_BASE
201// - CATALINA_HOME != CATALINA_BASE, per instance Manager in CATALINA_BASE
202// - CATALINA_HOME != CATALINA_BASE, shared Manager in CATALINA_HOME
203grant codeBase "file:${catalina.base}/webapps/manager/-" {
204 permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
205 permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
206 permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
207 permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
208 permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
209 permission org.apache.catalina.security.DeployXmlPermission "manager";
210};
211grant codeBase "file:${catalina.home}/webapps/manager/-" {
212 permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
213 permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
214 permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
215 permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
216 permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
217 permission org.apache.catalina.security.DeployXmlPermission "manager";
218};
219
220// The Host Manager application needs the custom Tomcat DeployXmlPermission to
221// enable the use of META-INF/context.xml.
222// These settings support the following configurations:
223// - default CATALINA_HOME == CATALINA_BASE
224// - CATALINA_HOME != CATALINA_BASE, per instance Host Manager in CATALINA_BASE
225// - CATALINA_HOME != CATALINA_BASE, shared Host Manager in CATALINA_HOME
226grant codeBase "file:${catalina.base}/webapps/host-manager/-" {
227 permission org.apache.catalina.security.DeployXmlPermission "host-manager";
228};
229grant codeBase "file:${catalina.home}/webapps/host-manager/-" {
230 permission org.apache.catalina.security.DeployXmlPermission "host-manager";
231};
232
233
234// You can assign additional permissions to particular web applications by
235// adding additional "grant" entries here, based on the code base for that
236// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
237//
238// Different permissions can be granted to JSP pages, classes loaded from
239// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
240// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
241//
242// For instance, assume that the standard "examples" application
243// included a JDBC driver that needed to establish a network connection to the
244// corresponding database and used the scrape taglib to get the weather from
245// the NOAA web server. You might create "grant" entries like this:
246//
247// The permissions granted to the context root directory apply to JSP pages.
248// grant codeBase "file:${catalina.base}/webapps/examples/-" {
249// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
250// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
251// };
252//
253// The permissions granted to the context WEB-INF/classes directory
254// grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" {
255// };
256//
257// The permission granted to your JDBC driver
258// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
259// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
260// };
261// The permission granted to the scrape taglib
262// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
263// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
264// };
265