"Fossies" - the Fresh Open Source Software Archive

Member "apache-tomcat-8.5.58/conf/catalina.policy" (10 Sep 2020, 13717 Bytes) of package /windows/www/apache-tomcat-8.5.58-windows-x86.zip:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the last Fossies "Diffs" side-by-side code changes report for "catalina.policy": 9.0.34_vs_9.0.35.

    1 // Licensed to the Apache Software Foundation (ASF) under one or more
    2 // contributor license agreements.  See the NOTICE file distributed with
    3 // this work for additional information regarding copyright ownership.
    4 // The ASF licenses this file to You under the Apache License, Version 2.0
    5 // (the "License"); you may not use this file except in compliance with
    6 // the License.  You may obtain a copy of the License at
    7 //
    8 //     http://www.apache.org/licenses/LICENSE-2.0
    9 //
   10 // Unless required by applicable law or agreed to in writing, software
   11 // distributed under the License is distributed on an "AS IS" BASIS,
   12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   13 // See the License for the specific language governing permissions and
   14 // limitations under the License.
   15 
   16 // ============================================================================
   17 // catalina.policy - Security Policy Permissions for Tomcat
   18 //
   19 // This file contains a default set of security policies to be enforced (by the
   20 // JVM) when Catalina is executed with the "-security" option.  In addition
   21 // to the permissions granted here, the following additional permissions are
   22 // granted to each web application:
   23 //
   24 // * Read access to the web application's document root directory
   25 // * Read, write and delete access to the web application's working directory
   26 // ============================================================================
   27 
   28 
   29 // ========== SYSTEM CODE PERMISSIONS =========================================
   30 
   31 
   32 // These permissions apply to javac
   33 grant codeBase "file:${java.home}/lib/-" {
   34         permission java.security.AllPermission;
   35 };
   36 
   37 // These permissions apply to all shared system extensions
   38 grant codeBase "file:${java.home}/jre/lib/ext/-" {
   39         permission java.security.AllPermission;
   40 };
   41 
   42 // These permissions apply to javac when ${java.home} points at $JAVA_HOME/jre
   43 grant codeBase "file:${java.home}/../lib/-" {
   44         permission java.security.AllPermission;
   45 };
   46 
   47 // These permissions apply to all shared system extensions when
   48 // ${java.home} points at $JAVA_HOME/jre
   49 grant codeBase "file:${java.home}/lib/ext/-" {
   50         permission java.security.AllPermission;
   51 };
   52 
   53 
   54 // ========== CATALINA CODE PERMISSIONS =======================================
   55 
   56 
   57 // These permissions apply to the daemon code
   58 grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
   59         permission java.security.AllPermission;
   60 };
   61 
   62 // These permissions apply to the logging API
   63 // Note: If tomcat-juli.jar is in ${catalina.base} and not in ${catalina.home},
   64 // update this section accordingly.
   65 //  grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {..}
   66 grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
   67         permission java.io.FilePermission
   68          "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
   69 
   70         permission java.io.FilePermission
   71          "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
   72         permission java.io.FilePermission
   73          "${catalina.base}${file.separator}logs", "read, write";
   74         permission java.io.FilePermission
   75          "${catalina.base}${file.separator}logs${file.separator}*", "read, write, delete";
   76 
   77         permission java.lang.RuntimePermission "shutdownHooks";
   78         permission java.lang.RuntimePermission "getClassLoader";
   79         permission java.lang.RuntimePermission "setContextClassLoader";
   80 
   81         permission java.lang.management.ManagementPermission "monitor";
   82 
   83         permission java.util.logging.LoggingPermission "control";
   84 
   85         permission java.util.PropertyPermission "java.util.logging.config.class", "read";
   86         permission java.util.PropertyPermission "java.util.logging.config.file", "read";
   87         permission java.util.PropertyPermission "org.apache.juli.AsyncLoggerPollInterval", "read";
   88         permission java.util.PropertyPermission "org.apache.juli.AsyncMaxRecordCount", "read";
   89         permission java.util.PropertyPermission "org.apache.juli.AsyncOverflowDropType", "read";
   90         permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read";
   91         permission java.util.PropertyPermission "catalina.base", "read";
   92 
   93         // Note: To enable per context logging configuration, permit read access to
   94         // the appropriate file. Be sure that the logging configuration is
   95         // secure before enabling such access.
   96         // E.g. for the examples web application (uncomment and unwrap
   97         // the following to be on a single line):
   98         // permission java.io.FilePermission "${catalina.base}${file.separator}
   99         //  webapps${file.separator}examples${file.separator}WEB-INF
  100         //  ${file.separator}classes${file.separator}logging.properties", "read";
  101 };
  102 
  103 // These permissions apply to the server startup code
  104 grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
  105         permission java.security.AllPermission;
  106 };
  107 
  108 // These permissions apply to the servlet API classes
  109 // and those that are shared across all class loaders
  110 // located in the "lib" directory
  111 grant codeBase "file:${catalina.home}/lib/-" {
  112         permission java.security.AllPermission;
  113 };
  114 
  115 
  116 // If using a per instance lib directory, i.e. ${catalina.base}/lib,
  117 // then the following permission will need to be uncommented
  118 // grant codeBase "file:${catalina.base}/lib/-" {
  119 //         permission java.security.AllPermission;
  120 // };
  121 
  122 
  123 // ========== WEB APPLICATION PERMISSIONS =====================================
  124 
  125 
  126 // These permissions are granted by default to all web applications
  127 // In addition, a web application will be given a read FilePermission
  128 // for all files and directories in its document root.
  129 grant {
  130     // Required for JNDI lookup of named JDBC DataSource's and
  131     // javamail named MimePart DataSource used to send mail
  132     permission java.util.PropertyPermission "java.home", "read";
  133     permission java.util.PropertyPermission "java.naming.*", "read";
  134     permission java.util.PropertyPermission "javax.sql.*", "read";
  135 
  136     // OS Specific properties to allow read access
  137     permission java.util.PropertyPermission "os.name", "read";
  138     permission java.util.PropertyPermission "os.version", "read";
  139     permission java.util.PropertyPermission "os.arch", "read";
  140     permission java.util.PropertyPermission "file.separator", "read";
  141     permission java.util.PropertyPermission "path.separator", "read";
  142     permission java.util.PropertyPermission "line.separator", "read";
  143 
  144     // JVM properties to allow read access
  145     permission java.util.PropertyPermission "java.version", "read";
  146     permission java.util.PropertyPermission "java.vendor", "read";
  147     permission java.util.PropertyPermission "java.vendor.url", "read";
  148     permission java.util.PropertyPermission "java.class.version", "read";
  149     permission java.util.PropertyPermission "java.specification.version", "read";
  150     permission java.util.PropertyPermission "java.specification.vendor", "read";
  151     permission java.util.PropertyPermission "java.specification.name", "read";
  152 
  153     permission java.util.PropertyPermission "java.vm.specification.version", "read";
  154     permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
  155     permission java.util.PropertyPermission "java.vm.specification.name", "read";
  156     permission java.util.PropertyPermission "java.vm.version", "read";
  157     permission java.util.PropertyPermission "java.vm.vendor", "read";
  158     permission java.util.PropertyPermission "java.vm.name", "read";
  159 
  160     // Required for OpenJMX
  161     permission java.lang.RuntimePermission "getAttribute";
  162 
  163     // Allow read of JAXP compliant XML parser debug
  164     permission java.util.PropertyPermission "jaxp.debug", "read";
  165 
  166     // All JSPs need to be able to read this package
  167     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat";
  168 
  169     // Precompiled JSPs need access to these packages.
  170     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
  171     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
  172     permission java.lang.RuntimePermission
  173      "accessClassInPackage.org.apache.jasper.runtime.*";
  174 
  175     // The cookie code needs these.
  176     permission java.util.PropertyPermission
  177      "org.apache.catalina.STRICT_SERVLET_COMPLIANCE", "read";
  178     permission java.util.PropertyPermission
  179      "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING", "read";
  180     permission java.util.PropertyPermission
  181      "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR", "read";
  182 
  183     // Applications using WebSocket need to be able to access these packages
  184     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket";
  185     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket.server";
  186 
  187     // Applications need to access these packages to use the Servlet 4.0 Preview
  188     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.servlet4preview.http";
  189 };
  190 
  191 
  192 // The Manager application needs access to the following packages to support the
  193 // session display functionality. It also requires the custom Tomcat
  194 // DeployXmlPermission to enable the use of META-INF/context.xml
  195 // These settings support the following configurations:
  196 // - default CATALINA_HOME == CATALINA_BASE
  197 // - CATALINA_HOME != CATALINA_BASE, per instance Manager in CATALINA_BASE
  198 // - CATALINA_HOME != CATALINA_BASE, shared Manager in CATALINA_HOME
  199 grant codeBase "file:${catalina.base}/webapps/manager/-" {
  200     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
  201     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
  202     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
  203     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
  204     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
  205     permission org.apache.catalina.security.DeployXmlPermission "manager";
  206 };
  207 grant codeBase "file:${catalina.home}/webapps/manager/-" {
  208     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
  209     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
  210     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
  211     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
  212     permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
  213     permission org.apache.catalina.security.DeployXmlPermission "manager";
  214 };
  215 
  216 // The Host Manager application needs the custom Tomcat DeployXmlPermission to
  217 // enable the use of META-INF/context.xml
  218 // These settings support the following configurations:
  219 // - default CATALINA_HOME == CATALINA_BASE
  220 // - CATALINA_HOME != CATALINA_BASE, per instance Host Manager in CATALINA_BASE
  221 // - CATALINA_HOME != CATALINA_BASE, shared Host Manager in CATALINA_HOME
  222 grant codeBase "file:${catalina.base}/webapps/host-manager/-" {
  223     permission org.apache.catalina.security.DeployXmlPermission "host-manager";
  224 };
  225 grant codeBase "file:${catalina.home}/webapps/host-manager/-" {
  226     permission org.apache.catalina.security.DeployXmlPermission "host-manager";
  227 };
  228 
  229 
  230 // You can assign additional permissions to particular web applications by
  231 // adding additional "grant" entries here, based on the code base for that
  232 // application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
  233 //
  234 // Different permissions can be granted to JSP pages, classes loaded from
  235 // the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
  236 // directory, or even to individual jar files in the /WEB-INF/lib/ directory.
  237 //
  238 // For instance, assume that the standard "examples" application
  239 // included a JDBC driver that needed to establish a network connection to the
  240 // corresponding database and used the scrape taglib to get the weather from
  241 // the NOAA web server.  You might create a "grant" entries like this:
  242 //
  243 // The permissions granted to the context root directory apply to JSP pages.
  244 // grant codeBase "file:${catalina.base}/webapps/examples/-" {
  245 //      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
  246 //      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
  247 // };
  248 //
  249 // The permissions granted to the context WEB-INF/classes directory
  250 // grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" {
  251 // };
  252 //
  253 // The permission granted to your JDBC driver
  254 // grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
  255 //      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
  256 // };
  257 // The permission granted to the scrape taglib
  258 // grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
  259 //      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
  260 // };
  261 
  262 // To grant permissions for web applications using packed WAR files, use the
  263 // Tomcat specific WAR url scheme.
  264 //
  265 // The permissions granted to the entire web application
  266 // grant codeBase "war:file:${catalina.base}/webapps/examples.war*/-" {
  267 // };
  268 //
  269 // The permissions granted to a specific JAR
  270 // grant codeBase "war:file:${catalina.base}/webapps/examples.war*/WEB-INF/lib/foo.jar" {
  271 // };