
Using the Java SecurityManager with Tomcat


Why use a SecurityManager?

The Java SecurityManager is what allows a web browser to run an applet in its own sandbox to prevent untrusted code from accessing files on the local system, connecting to a host other than the one the applet was loaded from, etc.

In the same way the SecurityManager protects you from an untrusted applet running in your browser, running Tomcat with a SecurityManager can protect your server from trojan servlets, JSP's, JSP beans, and tag libraries, or even from inadvertent mistakes.

Imagine if someone who is authorized to publish JSP's on your site inadvertently included the following in their JSP:

<% System.exit(1); %>


Every time that JSP was executed by Tomcat, Tomcat would exit.

Using the Java SecurityManager is just one more line of defense a system administrator can use to keep the server secure and reliable.

System Requirements

Use of the SecurityManager requires a JVM that supports JDK 1.2 (Java 2) or later.

Precautions

Implementation of a SecurityManager in Tomcat has not been fully tested to ensure the security of Tomcat.  No special Permissions have been created to prevent access to internal Tomcat classes by JSP's, web applications, servlets, beans, or tag libraries. Make sure that you are satisfied with your SecurityManager configuration before allowing untrusted users to publish web applications, JSP's, servlets, beans, or tag libraries.

Still, running with a SecurityManager is definitely better than running without one.

Types of Permissions

Permission classes are used to define what Permissions a class loaded by Tomcat will have.  There are a number of Permission classes as part of the JDK and you can even create your own Permission class for use in your own web applications.

This is just a short summary of the System SecurityManager Permission classes applicable to Tomcat.  Please refer to the JDK documentation for more information on using the below Permissions.

java.util.PropertyPermission
Controls read/write access to JVM properties such as java.home.

java.lang.RuntimePermission
Controls use of some System/Runtime functions like exit() and exec().

java.io.FilePermission
Controls read/write/execute access to files and directories.

java.net.SocketPermission
Controls use of network sockets.

java.net.NetPermission
Controls use of multicast network connections.

java.lang.reflect.ReflectPermission
Controls use of reflection to do class introspection.

java.security.SecurityPermission
Controls access to Security methods.

java.security.AllPermission
Allows access to all permissions, just as if you were running Tomcat without a SecurityManager.

Configuring Tomcat for use with a SecurityManager

tomcat.policy

The security policies implemented by the Java SecurityManager are configured in the tomcat.policy file located in the tomcat conf directory.  The tomcat.policy file replaces any system java.policy file.  The tomcat.policy file can be edited by hand or you can use the policytool application that comes with Java 1.2, or later.

Entries in the tomcat.policy file use the standard java.policy file format as follows:

// Example policy file entry

grant [signedBy <signer>] [, codeBase <code source>] {
    permission <class> [<name> [, <action list>]];
};

The signedBy and codeBase clauses are optional when granting permissions; when both are given they are separated by a comma, and a grant with neither applies to all code. Comment lines begin with // and end at a new line.

The codeBase is in the form of a URL and for a file URL can use the ${java.home} and ${tomcat.home} properties which are expanded out to the directory paths defined for them.

Default tomcat.policy file

// Permissions for tomcat.
 
// javac needs this
grant codeBase "file:${java.home}/lib/-" {
  permission java.security.AllPermission;
};
 
// Tomcat gets all permissions
grant codeBase "file:${tomcat.home}/lib/-" {
  permission java.security.AllPermission;
};
 
grant codeBase "file:${tomcat.home}/classes/-" {
  permission java.security.AllPermission;
};
 
// Example webapp policy
// By default we grant the examples webapp permission to listen on
// unprivileged localhost ports and to read all system properties
grant codeBase "file:${tomcat.home}/webapps/examples" {
  permission java.net.SocketPermission "localhost:1024-","listen";
  permission java.util.PropertyPermission "*","read";
};


Here is an example where, in addition to the above, we want to grant the examples web application the ability to connect to the localhost SMTP port so that it can send mail.

grant codeBase "file:${tomcat.home}/webapps/examples" {
  permission java.net.SocketPermission "localhost:25","connect";
  permission java.net.SocketPermission "localhost:1024","listen";
  permission java.util.PropertyPermission "*","read";
};

Now, what if we wanted to give all contexts not configured by their own grant entry some default permissions, in addition to what Tomcat assigns by default?

grant {
  permission java.net.SocketPermission "localhost:1024","listen";
  permission java.util.PropertyPermission "*","read";
};

Finally, a more complex tomcat.policy file.  In this case we are using Tomcat as an app server for a number of remote web servers, and we want to use the Java SecurityManager to limit which remote web servers can connect to Tomcat.

// Permissions for tomcat.
// javac needs this
grant codeBase "file:${java.home}/lib/-" {
  permission java.security.AllPermission;
};
 
// Tomcat with IP filtering
grant codeBase "file:${tomcat.home}/lib/-" {
  // Tomcat should be able to read/write all properties
  permission java.util.PropertyPermission "*","read,write";
  // Tomcat needs to be able to read files in its own directory
  permission java.io.FilePermission "${tomcat.home}/-","read";
  // Tomcat has to be able to write its logs
  permission java.io.FilePermission "${tomcat.home}/logs/-","read,write";
  // Tomcat has to be able to write to the conf directory
  permission java.io.FilePermission "${tomcat.home}/conf/-","read,write";
  // Tomcat has to be able to compile JSP's
  permission java.io.FilePermission "${tomcat.home}/work/-","read,write,delete";
  // Tomcat needs all the RuntimePermission's
  permission java.lang.RuntimePermission "*";
  // Needed so Tomcat can set security policy for a Context
  permission java.security.SecurityPermission "*";
  // Needed so that Tomcat will accept connections from a remote web server
  // Replace XXX.XXX.XXX.XXX with the IP address of the remote web server
  permission java.net.SocketPermission "XXX.XXX.XXX.XXX:1024-","accept,listen,resolve";
  // Tomcat has to be able to use its port on the localhost
  permission java.net.SocketPermission "localhost:1024-","connect,accept,listen,resolve";
};
 
// Example webapp policy
// By default we grant the examples webapp permission to listen on
// unprivileged localhost ports and to read all system properties
grant codeBase "file:${tomcat.home}/webapps/examples" {
  permission java.net.SocketPermission "localhost:1024-","listen";
  permission java.util.PropertyPermission "*","read";
};
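The grant grammar described above and the example policies that follow it can be checked mechanically before untrusted users are allowed to publish web applications. The following Python script is an added example, not code from the Tomcat project or from this documentation: it parses the subset of the java.policy grammar shown on this page (signedBy and codeBase clauses, // comments, permission lines with an optional target and action list), expands ${java.home} and ${tomcat.home} from a property map the way the policy loader does, and then reports any web application grant or default grant that hands out more than the examples above do (AllPermission, a RuntimePermission that permits System.exit, a SocketPermission on a wildcard host, or listening on a privileged port). The sample policy, the /opt/jdk and /opt/tomcat paths and the "legacy" web application are all constructed for the example.

```python
"""Parse a tomcat.policy file (java.policy grammar) and audit its grants.

Added example, not Tomcat code.  Handles the subset of the grammar shown in
the documentation: optional signedBy / codeBase clauses, // comments, and
permission lines with an optional target and action list.
SAMPLE_POLICY and SAMPLE_PROPS below are constructed for this example."""
import re
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Permission:
    cls: str
    name: Optional[str] = None
    actions: Optional[str] = None

@dataclass
class Grant:
    signed_by: Optional[str]
    code_base: Optional[str]            # None: the grant applies to all code
    permissions: list = field(default_factory=list)

# "${prop}" may appear inside a codeBase or a target, so the regexes treat it
# as one unit instead of letting its braces end the clause list or the body.
_PROP = r'\$\{[^}]*\}'
GRANT_RE = re.compile(r'grant\s*(?P<clauses>(?:' + _PROP + r'|[^{])*)\{'
                      r'(?P<body>(?:' + _PROP + r'|[^}])*)\}\s*;')
PERM_RE = re.compile(r'permission\s+(?P<cls>[\w.]+)(?:\s+"(?P<name>[^"]*)")?'
                     r'(?:\s*,\s*"(?P<actions>[^"]*)")?\s*;')

def expand_props(value, props):
    """Expand ${java.home}-style references the way the policy loader does."""
    return re.sub(r'\$\{([^}]+)\}', lambda m: props.get(m.group(1), m.group(0)), value)

def parse_policy(text, props=None):
    props = props or {}
    text = re.sub(r'//[^\n]*', '', text)   # comments run to end of line (http:// URLs not handled)
    grants = []
    for g in GRANT_RE.finditer(text):
        sb = re.search(r'signedBy\s+"([^"]*)"', g.group('clauses'))
        cb = re.search(r'codeBase\s+"([^"]*)"', g.group('clauses'))
        grant = Grant(sb.group(1) if sb else None,
                      expand_props(cb.group(1), props) if cb else None)
        for p in PERM_RE.finditer(g.group('body')):
            name = expand_props(p.group('name'), props) if p.group('name') else None
            grant.permissions.append(Permission(p.group('cls'), name, p.group('actions')))
        grants.append(grant)
    return grants

def port_range(spec):
    """Decode a SocketPermission port spec: "N", "N-", "-N", "N1-N2" or "" (all ports)."""
    lo, dash, hi = spec.partition('-')
    if not dash:
        return (int(lo or 0), int(lo) if lo else 65535)
    return (int(lo or 0), int(hi) if hi else 65535)

def audit(grants):
    """Flag web-application and default grants broader than the documented examples."""
    findings = []
    for g in grants:
        if g.code_base is not None and "/webapps/" not in g.code_base:
            continue                                # Tomcat's own code base: trusted
        scope = g.code_base or "<default grant, all code>"
        for p in g.permissions:
            if p.cls == "java.security.AllPermission":
                findings.append(f"{scope}: AllPermission, same as no SecurityManager at all")
            elif p.cls == "java.lang.RuntimePermission" and p.name in ("*", "exitVM", "exitVM.*"):
                findings.append(f"{scope}: RuntimePermission {p.name} lets a JSP call System.exit()")
            elif p.cls == "java.net.SocketPermission" and p.name:
                host, _, ports = p.name.partition(':')  # hostname/IPv4 targets only (assumption)
                if host == "*" or host.startswith("*."):
                    findings.append(f"{scope}: SocketPermission on wildcard host {host}")
                elif "listen" in (p.actions or "") and port_range(ports)[0] < 1024:
                    findings.append(f"{scope}: listen on privileged ports ({p.name})")
    return findings

SAMPLE_PROPS = {"java.home": "/opt/jdk", "tomcat.home": "/opt/tomcat"}   # constructed
SAMPLE_POLICY = """
grant codeBase "file:${tomcat.home}/lib/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${tomcat.home}/webapps/examples" {
  permission java.net.SocketPermission "localhost:1024-","listen";
  permission java.util.PropertyPermission "*","read";
};
// Constructed over-broad grant that the audit should flag
grant codeBase "file:${tomcat.home}/webapps/legacy" {
  permission java.security.AllPermission;
  permission java.net.SocketPermission "*:1-","connect";
  permission java.lang.RuntimePermission "exitVM";
};
grant {
  permission java.util.PropertyPermission "*","read";
};
"""

if __name__ == "__main__":
    print(*audit(parse_policy(SAMPLE_POLICY, SAMPLE_PROPS)), sep="\n")
```

Run it against a real conf/tomcat.policy by reading the file into parse_policy with the actual java.home and tomcat.home values; the audit deliberately leaves Tomcat's own lib and classes grants alone, since those need AllPermission as the default policy shows, and concentrates on the code bases that untrusted publishers control.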

Starting Tomcat with a SecurityManager

Once you have configured the tomcat.policy for use with a SecurityManager, Tomcat can be started with the SecurityManager in place by adding the "-security" option to bin/startup.bat or bin/startup.

What happens when the SecurityManager detects a Security violation?

The JVM will throw an AccessControlException or a SecurityException when the SecurityManager detects a security policy violation.

Troubleshooting tomcat.policy configuration and Security Violations

You can turn on Java SecurityManager debug logging by setting the environment variable:

TOMCAT_OPTS=-Djava.security.debug=all

The debug output will be written to Tomcat's log file, or the console if no log file is defined.

Note: This gives the most complete debugging information, but generates many megabytes of output.  For less verbose security debug output, use:

TOMCAT_OPTS=-Djava.security.debug=access,failure

Use the following shell command to determine all the security debug options available: java -Djava.security.debug=help

JSP Compile using JVM internal javac fails with AccessControlException for RuntimePermission accessClassInPackage sun.tools.javac.

Check your JAVA_HOME/jre/lib/security/java.security file configuration.  Comment out the line "package.access=sun.".
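The access,failure debug output is verbose, and the useful part of each violation is the denied permission together with the code base that failed. The following Python script is an added example, not part of Tomcat: it reads the debug log, pairs each "access denied" line with the "domain that failed ProtectionDomain" line the failure option prints after it, groups the denied permissions by code base, and drafts the matching grant entries so an administrator can decide which of them belong in tomcat.policy. The log excerpt embedded in it is constructed, modelled on the unquoted message form older JDKs print and the quoted form used by Java 7 and later; the /opt/tomcat paths are placeholders.

```python
"""Group SecurityManager denials from java.security.debug=access,failure output
by the code base that failed, and draft the policy entries to review.

Added example, not Tomcat code.  SAMPLE_DEBUG_LOG below is constructed,
modelled on the unquoted message form of older JDKs and the quoted form
used by Java 7 and later."""
import re

DENIED_RE = re.compile(r'access denied \((.*)\)\s*$')
FAILED_DOMAIN_RE = re.compile(r'domain that failed ProtectionDomain\s+\((\S+)')
UNKNOWN = "<codeBase not reported: run with java.security.debug=access,failure>"

def parse_denial(inner):
    """Split the text inside 'access denied (...)' into (class, name, actions)."""
    if '"' in inner:                        # Java 7+: ("cls" "name" "actions")
        parts = re.findall(r'"([^"]*)"', inner)
    else:                                   # older JDKs: (cls name actions)
        parts = inner.split(None, 2)
    parts += [None] * (3 - len(parts))      # name and actions are optional
    return tuple(parts[:3])

def parse_security_debug(log_text):
    """Return {codeBase: [(class, name, actions), ...]} in order of first appearance."""
    denials = {}
    pending = None

    def record(code_base, perm):
        entries = denials.setdefault(code_base, [])
        if perm not in entries:             # the same denial usually repeats per request
            entries.append(perm)

    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            if pending is not None:         # previous denial never got a domain line
                record(UNKNOWN, pending)
            pending = parse_denial(m.group(1))
            continue
        m = FAILED_DOMAIN_RE.search(line)
        if m and pending is not None:
            record(m.group(1), pending)
            pending = None
    if pending is not None:
        record(UNKNOWN, pending)
    return denials

def suggest_grants(denials):
    """Draft tomcat.policy entries for the denied permissions, one grant per code base."""
    out = []
    for code_base, perms in denials.items():
        out.append(f'grant codeBase "{code_base}" {{')
        for cls, name, actions in perms:
            target = f' "{name}"' if name is not None else ''
            if name is not None and actions is not None:
                target += f',"{actions}"'
            out.append('  // review: grant only if the application really needs it')
            out.append(f'  permission {cls}{target};')
        out.append('};')
    return '\n'.join(out)

# Constructed log excerpt; paths are placeholders.
SAMPLE_DEBUG_LOG = """\
access: access allowed (java.util.PropertyPermission line.separator read)
access: access denied (java.net.SocketPermission localhost:25 connect,resolve)
java.lang.Exception: Stack trace
        at java.lang.Thread.dumpStack(Thread.java:1333)
access: domain that failed ProtectionDomain  (file:/opt/tomcat/webapps/examples/ <no signer certificates>)
 <no principals>
access: access denied ("java.io.FilePermission" "/etc/passwd" "read")
access: domain that failed ProtectionDomain  (file:/opt/tomcat/webapps/examples/ <no signer certificates>)
access: access denied ("java.lang.RuntimePermission" "exitVM.1")
access: domain that failed ProtectionDomain  (file:/opt/tomcat/webapps/legacy/ <no signer certificates>)
"""

if __name__ == "__main__":
    print(suggest_grants(parse_security_debug(SAMPLE_DEBUG_LOG)))
```

Treat the drafted entries as a worklist rather than a patch: a denial for exitVM or for reading /etc/passwd is the SecurityManager doing exactly what this page wants it to do, and the right response is usually to fix the web application, not to widen its grant.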
