1 // Licensed to the Apache Software Foundation (ASF) under one or more
2 // contributor license agreements. See the NOTICE file distributed with
3 // this work for additional information regarding copyright ownership.
4 // The ASF licenses this file to You under the Apache License, Version 2.0
5 // (the "License"); you may not use this file except in compliance with
6 // the License. You may obtain a copy of the License at
7 //
8 // http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15
16 // ============================================================================
17 // catalina.corepolicy - Security Policy Permissions for Tomcat 6
18 //
19 // This file contains a default set of security policies to be enforced (by the JVM)
20 // when Catalina is executed with the "-security" option; without a security manager
21 // it has no effect. In addition to the permissions granted here, the following additional
22 // permissions are granted to the codebase specific to each web application:
23 //
24 // * Read access to the document root directory
25 //
26 // $Id: catalina.policy 648343 2008-04-15 17:21:29Z markt $
27 // ============================================================================
28
29
30 // ========== SYSTEM CODE PERMISSIONS =========================================
31
32
33 // These permissions apply to javac
34 grant codeBase "file:${java.home}/lib/-" {
35 permission java.security.AllPermission;
36 };
37
38 // These permissions apply to all shared system extensions
39 grant codeBase "file:${java.home}/jre/lib/ext/-" {
40 permission java.security.AllPermission;
41 };
42
43 // These permissions apply to javac when ${java.home} points at $JAVA_HOME/jre
44 grant codeBase "file:${java.home}/../lib/-" {
45 permission java.security.AllPermission;
46 };
47
48 // These permissions apply to all shared system extensions when
49 // ${java.home} points at $JAVA_HOME/jre
50 grant codeBase "file:${java.home}/lib/ext/-" {
51 permission java.security.AllPermission;
52 };
53
54
55 // ========== CATALINA CODE PERMISSIONS =======================================
56
57
58 // These permissions apply to the daemon code
59 grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
60 permission java.security.AllPermission;
61 };
62
63 // These permissions apply to the logging API
64 grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
65 permission java.util.PropertyPermission "java.util.logging.config.class", "read";
66 permission java.util.PropertyPermission "java.util.logging.config.file", "read";
67 permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
68 permission java.lang.RuntimePermission "shutdownHooks";
69 permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
70 permission java.util.PropertyPermission "catalina.base", "read";
71 permission java.util.logging.LoggingPermission "control";
72 permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
73 permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
74 permission java.lang.RuntimePermission "getClassLoader";
75 // To enable per context logging configuration, permit read access to the appropriate file.
76 // Be sure that the logging configuration is secure before enabling such access
77 // eg for the examples web application:
78 // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
79 };
80
81 // These permissions apply to the server startup code
82 grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
83 permission java.security.AllPermission;
84 };
85
86 // These permissions apply to the servlet API classes and those shared across
87 // all class loaders, located in the "lib" directory. Every jar placed there
88 // runs with AllPermission, so keep that directory writable by admins only.
89 grant codeBase "file:${catalina.home}/lib/-" {
90 permission java.security.AllPermission;
91 };
92
93
94 // ========== WEB APPLICATION PERMISSIONS =====================================
95
96
97 // These permissions are granted by default to all web applications; the grant
98 // names no codeBase, so it applies to all code. In addition, a web application is
99 // given a read FilePermission and JndiPermission for all files and directories in its document root.
100 grant {
101 // Required for JNDI lookup of named JDBC DataSources and
102 // javamail named MimePart DataSource used to send mail
103 permission java.util.PropertyPermission "java.home", "read";
104 permission java.util.PropertyPermission "java.naming.*", "read";
105 permission java.util.PropertyPermission "javax.sql.*", "read";
106
107 // OS Specific properties to allow read access
108 permission java.util.PropertyPermission "os.name", "read";
109 permission java.util.PropertyPermission "os.version", "read";
110 permission java.util.PropertyPermission "os.arch", "read";
111 permission java.util.PropertyPermission "file.separator", "read";
112 permission java.util.PropertyPermission "path.separator", "read";
113 permission java.util.PropertyPermission "line.separator", "read";
114
115 // JVM properties to allow read access
116 permission java.util.PropertyPermission "java.version", "read";
117 permission java.util.PropertyPermission "java.vendor", "read";
118 permission java.util.PropertyPermission "java.vendor.url", "read";
119 permission java.util.PropertyPermission "java.class.version", "read";
120 permission java.util.PropertyPermission "java.specification.version", "read";
121 permission java.util.PropertyPermission "java.specification.vendor", "read";
122 permission java.util.PropertyPermission "java.specification.name", "read";
123
124 permission java.util.PropertyPermission "java.vm.specification.version", "read";
125 permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
126 permission java.util.PropertyPermission "java.vm.specification.name", "read";
127 permission java.util.PropertyPermission "java.vm.version", "read";
128 permission java.util.PropertyPermission "java.vm.vendor", "read";
129 permission java.util.PropertyPermission "java.vm.name", "read";
130
131 // Required for OpenJMX
132 permission java.lang.RuntimePermission "getAttribute";
133
134 // Allow read of JAXP compliant XML parser debug
135 permission java.util.PropertyPermission "jaxp.debug", "read";
136
137 // Precompiled JSPs need access to this package.
138 permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
139 permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
140
141 // Precompiled JSPs need access to this system property.
142 permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
143
144 };
145
146
147 // You can assign additional permissions to particular web applications by
148 // adding additional "grant" entries here, based on the code base for that
149 // application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
150 //
151 // Different permissions can be granted to JSP pages, classes loaded from
152 // the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
153 // directory, or even to individual jar files in the /WEB-INF/lib/ directory.
154 //
155 // For instance, assume that the standard "examples" application
156 // included a JDBC driver that needed to establish a network connection to the
157 // corresponding database and used the scrape taglib to get the weather from
158 // the NOAA web server. You might create "grant" entries like this:
159 //
160 // The permissions granted to the context root directory apply to JSP pages.
161 // grant codeBase "file:${catalina.home}/webapps/examples/-" {
162 // permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
163 // permission java.net.SocketPermission "*.noaa.gov:80", "connect";
164 // };
165 //
166 // The permissions granted to the context WEB-INF/classes directory
167 // grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/classes/-" {
168 // };
169 //
170 // The permission granted to your JDBC driver
171 // grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
172 // permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
173 // };
174 // The permission granted to the scrape taglib
175 // grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
176 // permission java.net.SocketPermission "*.noaa.gov:80", "connect";
177 // };
178