Using catalina.policy for Access Control

Because you’ll see more on Tomcat security in a later chapter, in this chapter you’ll take only a quick look through catalina.policy to learn how it provides fine-grained access control to a Tomcat server administrator through the built-in security model of Java 2.

Any access to a system resource that isn't explicitly allowed is prohibited, so you must anticipate every resource Tomcat will need and explicitly grant it permission to access that resource. By default, Tomcat starts without a security manager. To start it with one, use the -security switch.

    > $CATALINA_HOME/bin/startup -security

Tomcat reads, processes, and enforces the catalina.policy file only when it is started with the security manager in this manner. The general form of a policy entry is as follows:

    grant <security principal> {
        permission list...
    };

Here <security principal> is typically a body of trusted code, identified by the codeBase URL it is loaded from.

Looking at the catalina.policy file, the first set of permissions grants access to all resources for code from the Java compiler directories; this is essentially the Java compiler and runtime system code. (See http://java.sun.com/j2se/1.4.2/docs/guide/security/permissions.html for details of permissions.)

    // These permissions apply to javac
    grant codeBase "file:${java.home}/lib/-" {
            permission java.security.AllPermission;
    };

    // These permissions apply to all shared system extensions
    grant codeBase "file:${java.home}/jre/lib/ext/-" {
            permission java.security.AllPermission;
    };

    // These permissions apply to javac when ${java.home} points at $JAVA_HOME/jre
    grant codeBase "file:${java.home}/../lib/-" {
            permission java.security.AllPermission;
    };

    // These permissions apply to all shared system extensions when
    // ${java.home} points at $JAVA_HOME/jre
    grant codeBase "file:${java.home}/lib/ext/-" {
            permission java.security.AllPermission;
    };

As these directories have access to the entire system, it’s vital that you protect them using your operating system file protection features (see Chapter 12 for details). Without this precaution, malicious code could run unchecked on your system.

The next section of catalina.policy grants the Catalina server and API libraries access to all resources.

    // These permissions apply to the launcher code
    grant codeBase "file:${catalina.home}/bin/commons-launcher.jar" {
            permission java.security.AllPermission;
    };

    // These permissions apply to the daemon code
    grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
            permission java.security.AllPermission;
    };

    // These permissions apply to the commons-logging API
    grant codeBase "file:${catalina.home}/bin/commons-logging-api.jar" {
            permission java.security.AllPermission;
    };

    // These permissions apply to the server startup code
    grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
            permission java.security.AllPermission;
    };

    // These permissions apply to the JMX server
    grant codeBase "file:${catalina.home}/bin/jmx.jar" {
            permission java.security.AllPermission;
    };

    // These permissions apply to the servlet API classes
    // and those that are shared across all class loaders
    // located in the "common" directory
    grant codeBase "file:${catalina.home}/common/-" {
            permission java.security.AllPermission;
    };

    // These permissions apply to the container's core code, plus any additional
    // libraries installed in the "server" directory
    grant codeBase "file:${catalina.home}/server/-" {
            permission java.security.AllPermission;
    };

Again, you must secure the previous directories on the file system so that an attacker cannot add malicious code to them: any class files placed in these directories are granted access to all system resources.

The final set of permissions in catalina.policy contains the default Web application permissions. They’re significantly more restrictive than those shown previously. In other words, they’re never granted the java.security.AllPermission super permission.

The first section grants read access to the system properties that JNDI lookups and JDBC DataSource access require.

    grant {
        // Required for JNDI lookup of named JDBC DataSource's and
        // javamail named MimePart DataSource used to send mail
        permission java.util.PropertyPermission "java.home", "read";
        permission java.util.PropertyPermission "java.naming.*", "read";
        permission java.util.PropertyPermission "javax.sql.*", "read";

The next section enables read-only access to some operating system description properties: the name, version, and architecture of the operating system Tomcat is running under, and the characters that operating system uses as its file, path, and line separators.

        // OS-specific properties to allow read access
        permission java.util.PropertyPermission "os.name", "read";
        permission java.util.PropertyPermission "os.version", "read";
        permission java.util.PropertyPermission "os.arch", "read";
        permission java.util.PropertyPermission "file.separator", "read";
        permission java.util.PropertyPermission "path.separator", "read";
        permission java.util.PropertyPermission "line.separator", "read";

The third section enables read-only access to some JVM-specific properties that are often used in application programming:

        // JVM properties to allow read access
        permission java.util.PropertyPermission "java.version", "read";
        permission java.util.PropertyPermission "java.vendor", "read";
        permission java.util.PropertyPermission "java.vendor.url", "read";
        permission java.util.PropertyPermission "java.class.version", "read";
        permission java.util.PropertyPermission "java.specification.version", "read";
        permission java.util.PropertyPermission "java.specification.vendor", "read";
        permission java.util.PropertyPermission "java.specification.name", "read";
        permission java.util.PropertyPermission "java.vm.specification.version", "read";
        permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
        permission java.util.PropertyPermission "java.vm.specification.name", "read";
        permission java.util.PropertyPermission "java.vm.version", "read";
        permission java.util.PropertyPermission "java.vm.vendor", "read";
        permission java.util.PropertyPermission "java.vm.name", "read";

The next two sections grant the getAttribute runtime permission used by JavaBean getAttribute methods (and by OpenJMX, as the comment notes) and read access to the JAXP XML parser's debug property, both frequently required during code development (see the JavaBean and JAXP specifications for more details on these properties).

        // Required for OpenJMX
        permission java.lang.RuntimePermission "getAttribute";

        // Allow read of JAXP-compliant XML parser debug
        permission java.util.PropertyPermission "jaxp.debug", "read";

The final section gives permission to the Jasper runtime classes for precompiled JSP pages. Internal Tomcat classes aren’t available by default, but they can be made available in the catalina.properties file, which is described next.

        // Precompiled JSPs need access to this package.
        permission java.lang.RuntimePermission
          "accessClassInPackage.org.apache.jasper.runtime";
        permission java.lang.RuntimePermission
          "accessClassInPackage.org.apache.jasper.runtime.*";
    };

These are the minimal permissions that are granted by default to Web applications. Your secured production configuration may require additional access to a JDBC server or network access to an external authentication system. You can find examples of these at the end of catalina.policy.

    // The permissions granted to the context root directory apply to JSP pages.
    // grant codeBase "file:${catalina.home}/webapps/examples/-" {
    //      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
    //      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
    // };
    //
    // The permissions granted to the context WEB-INF/classes directory
    // grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/classes/-" {
    // };
    //
    // The permission granted to your JDBC driver
    // grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
    //      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
    // };
    //
    // The permission granted to the scrape taglib
    // grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
    //      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
    // };
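Because every codeBase that carries java.security.AllPermission is effectively unrestricted, it is worth checking a policy file before relying on it. The following audit script is an added example, not code from the book or from Tomcat: it parses the grant blocks of a policy file (ignoring commented-out grants like the examples above), then reports any AllPermission that lands in the default grant or on a codeBase outside the directories this chapter expects to hold trusted code. SAMPLE_POLICY is a constructed sample in the style of the excerpts above, and TRUSTED_PREFIXES is an assumption drawn from the chapter's description, not a Tomcat setting.

```python
import re
from typing import List, NamedTuple

# Constructed sample in the style of the catalina.policy excerpts above (not the real file).
SAMPLE_POLICY = """
// These permissions apply to the server startup code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
        permission java.security.AllPermission;
};
// Default permissions for all web applications (no codeBase)
grant {
        permission java.util.PropertyPermission "java.home", "read";
};
// grant codeBase "file:${catalina.home}/webapps/examples/-" {
//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// };
grant codeBase "file:${catalina.home}/webapps/legacy/-" {
        permission java.security.AllPermission;
};
"""
# Directories the chapter says are expected to hold AllPermission code (assumption).
TRUSTED_PREFIXES = ("file:${java.home}", "file:${catalina.home}/bin/",
                    "file:${catalina.home}/common/", "file:${catalina.home}/server/")
class Grant(NamedTuple):
    code_base: str          # "" for the default grant that applies to every code source
    permissions: List[str]

GRANT_RE = re.compile(r'\bgrant\b\s*(?:codeBase\s*"([^"]*)")?\s*\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'\bpermission\s+([^;]+);')

def strip_comments(text: str) -> str:
    # Text after // is a comment, so commented-out example grants are not active.
    return re.sub(r'//[^\n]*', '', text)
def parse_policy(text: str) -> List[Grant]:
    grants = []
    for m in GRANT_RE.finditer(strip_comments(text)):
        # Collapse whitespace so a permission wrapped over two lines reads as one.
        perms = [" ".join(p.split()) for p in PERM_RE.findall(m.group(2))]
        grants.append(Grant(m.group(1) or "", perms))
    return grants

def audit(text: str) -> List[str]:
    """Flag AllPermission given to the default block or to code outside trusted directories."""
    findings = []
    for g in parse_policy(text):
        if any(p.startswith("java.security.AllPermission") for p in g.permissions):
            if g.code_base == "":
                findings.append("default grant (all web applications) has AllPermission")
            elif not g.code_base.startswith(TRUSTED_PREFIXES):
                findings.append(g.code_base + " has AllPermission")
    return findings
```

Run audit() over the contents of your own catalina.policy; an empty list means no AllPermission is granted outside the directories the chapter tells you to protect on the file system.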



Pro Jakarta Tomcat 5
Pro Apache Tomcat 5/5.5 (Experts Voice in Java)
ISBN: 1590593316
Year: 2004
Pages: 94
