tags:

views:

219

answers:

1
Q: 

How to grant AllPermission to not extracted war file in tomcat

Hello,

I'm developing a web application and have created a war file. If I deploy it to my tomcat server, it is used without being unpacked (which is the setting I want to have for this server).

For unpacked web apps I have a policy file to grant AllPermission to my application. The file is served with the application and installed into e.g. /etc/tomcat5.5/policy.d/40tc.policy. It contains these lines:

grant codeBase "file:${catalina.base}/webapps/tc/-" {
    permission java.security.AllPermission;
};

But what has the codeBase to be for packed war files? The war file is located at ${catalina.base}/webapps/tc.war

I've tried the following:

grant codeBase "file:${catalina.base}/webapps/tc.war" {
    permission java.security.AllPermission;
};

and

grant codeBase "jar:file:${catalina.base}/webapps/tc.war" {
    permission java.security.AllPermission;
};

But nothings works. There are several permissions that must be granted, so AllPermission should be set for only the application. (Global changes in the server configuration are not allowed.)

Any suggestion what to do next?

Thanks, André

A:  
grant codeBase "file:${catalina.base}/webapps/tc.war" { 
permission java.security.AllPermission;

};

Is this what you're looking for?

JoseK  2010-03-19 09:09:38
I already tried this one. But it does not work. Result is the same:java.security.AccessControlException: access denied (java.util.PropertyPermission user.dir read)
André  2010-03-19 09:15:51
Ah - you should post the complete stack trace as well in the post. Is your code trying to access the "user.dir" referred in the error?
JoseK  2010-03-19 09:20:35
In catalina.policy, can you add this line within the ========== WEB APPLICATION PERMISSIONS ======== block permission java.util.PropertyPermission "user.dir", "read";
JoseK  2010-03-19 09:27:49
"user.dir" is not the only Permission that shall work (FilePermission, ...). My installer provides a single .policy file for the application and that should be configured to grant AllPermission. The settings should not affect other applications of the tomcat server.
André  2010-03-19 09:35:40
So you have tried putting the policy entry in the webapps individual policy file as well?grant codeBase "file:${catalina.base}/webapps/tc.war" { permission java.security.AllPermission; };
JoseK  2010-03-19 10:06:42
Yes, I tried the code from your answer in the policy file. And I also changed the codeBase to "jar:file:${catalina.base}/webapps/tc.war" which didn't work either.
André  2010-03-19 10:16:43
I suggest that you post the full path and name of the war file, as well as error stack trace so someone might be able to help
JoseK  2010-03-19 11:22:04
K, I've edited my question. Hopefully there is someone out there that has the answer I'm looking for. Thanks for you help.
André  2010-03-19 13:26:52
Okay one more option I've seen is with trailing !/- like grant codeBase "jar:file:${catalina.base}/webapps/tc.war!/-" {
JoseK  2010-03-22 11:44:15
I tried this option but had no success. Seems that this is not possible.
André  2010-03-30 06:17:43

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security