From: kkolinko Date: Tue, 17 Nov 2009 18:28:52 +0000 (+0000) Subject: Update comments and examples in catalina.policy file X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=937317af71fde0ba4f82fde72a36e549023d5e8e;p=tomcat7.0 Update comments and examples in catalina.policy file Especially replace ${catalina.home} with ${catalina.base} git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@881432 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/conf/catalina.policy b/conf/catalina.policy index 677a7603c..2db96a197 100644 --- a/conf/catalina.policy +++ b/conf/catalina.policy @@ -14,14 +14,15 @@ // limitations under the License. // ============================================================================ -// catalina.corepolicy - Security Policy Permissions for Tomcat 6 +// catalina.policy - Security Policy Permissions for Tomcat 7 // // This file contains a default set of security policies to be enforced (by the // JVM) when Catalina is executed with the "-security" option. In addition // to the permissions granted here, the following additional permissions are -// granted to the codebase specific to each web application: +// granted specific to each web application: // -// * Read access to the document root directory +// * Read access to its document root directory +// * Read, write and delete access to its working directory // // $Id$ // ============================================================================ @@ -64,18 +65,18 @@ grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" { grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { permission java.util.PropertyPermission "java.util.logging.config.class", "read"; permission java.util.PropertyPermission "java.util.logging.config.file", "read"; + permission java.util.PropertyPermission "catalina.base", "read"; permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read"; - permission java.lang.RuntimePermission "shutdownHooks"; permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read"; - permission java.util.PropertyPermission "catalina.base", "read"; - permission java.util.logging.LoggingPermission "control"; permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write"; permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write"; + permission java.lang.RuntimePermission "shutdownHooks"; permission java.lang.RuntimePermission "getClassLoader"; permission java.lang.RuntimePermission "setContextClassLoader"; + permission java.util.logging.LoggingPermission "control"; // To enable per context logging configuration, permit read access to the appropriate file. - // Be sure that the logging configuration is secure before enabling such access - // eg for the examples web application: + // Be sure that the logging configuration is secure before enabling such access. + // E.g. for the examples web application: // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read"; }; @@ -137,16 +138,16 @@ grant { // All JSPs need to be able to read this package permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat"; - + // Precompiled JSPs need access to these packages. permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*"; - + // Precompiled JSPs need access to these system properties. permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read"; permission java.util.PropertyPermission "org.apache.el.parser.COERCE_TO_ZERO", "read"; - + // Applications using Comet need to be able to access this package permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.comet"; }; @@ -166,21 +167,21 @@ grant { // the NOAA web server. You might create a "grant" entries like this: // // The permissions granted to the context root directory apply to JSP pages. -// grant codeBase "file:${catalina.home}/webapps/examples/-" { +// grant codeBase "file:${catalina.base}/webapps/examples/-" { // permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; // permission java.net.SocketPermission "*.noaa.gov:80", "connect"; // }; // // The permissions granted to the context WEB-INF/classes directory -// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/classes/-" { +// grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" { // }; // // The permission granted to your JDBC driver -// grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/-" { +// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" { // permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; // }; // The permission granted to the scrape taglib -// grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar!/-" { +// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" { // permission java.net.SocketPermission "*.noaa.gov:80", "connect"; // };