The Apache Jakarta Tomcat 5.5 Servlet/JSP Container

Security Manager HOW-TO

Java的SecurityManager允許瀏覽器在它可執行的范圍內運行，這樣可以防止不可靠的程序讀寫用戶在局部文件系統里的文件，或者未經授權進行網絡連接，等等。同樣，SecurityManager可用來防止不可靠的程序在你的瀏覽器上運行，在運行Tomcat時使用SecurityManager可以保護你的服務器不受到類似于木馬的servlets, JSPs, JSP beans 和 tag libraries的影響，或者發生錯誤。

試想某個被允許在你的網站上發表JSPs的人不慎包括了以下的語句在他們的JSP里：

	<%System.exit(1);%>

每次Tomcat運行該JSP都會導致Tomcat中斷。使用Java SecurityManager如同多了一層防護，可以讓服務器更加安全可靠。

警告——雖然Tomcat 5的程序通過了安全檢查，最重要的程序包都已被保護，新的安全機制也已實施，但在允許用戶發表網絡程序，JSPs, servlets, beans, 或 tag libraries之前，你還是有必要確保SecurityManager的各項配置符合你的要求。當然，有SecurityManager絕對比沒有它要安全的多。

Permission類是用來定義Tomcat載入的類所擁有的權限。Java本身包括了一些Permission類，你也可以在你的網絡應用中加入你自己的Permission類。這兩種技術在Tomcat 5里都被應用。

標準許可權限

這里簡單總結了標準系統中適用于Tomcat的SecurityManager Permission 類。更多信息請參看http://java.sun.com/security/。 java.util.PropertyPermission - 控制讀/寫Java虛擬器的屬性，如java.home 。 java.lang.RuntimePermission - 控制使用一些系統/運行時(System/Runtime)的功能，如exit() 和 exec()。它也控制包(package)的訪問/定義。 java.io.FilePermission - 控制對文件和目錄的讀/寫/執行操作。 java.net.SocketPermission - 控制使用網路sockets連接。 java.net.NetPermission - 控制使用multicast網路連接。 java.lang.reflect.ReflectPermission - 控制使用reflection來對類進行檢視。 java.security.SecurityPermission - 控制對安全方法的訪問。 java.security.AllPermission - 給予所有訪問權限，就如你運行一個沒有SecurityManager的Tomcat 。

Tomcat用戶特有權限

Tomcat利用一個叫做org.apache.naming.JndiPermission 客戶許可類。它用來控制以JNDI命名的文件資源的可讀權限。該許可的名稱是以JNDI來表達，沒有命令。在給予許可時，"*"的結尾可以用來以wild card方式映射JNDI命名的文件資源。例如，你可以在你的政策(policy)文件加入以下一行： permission org.apache.naming.JndiPermission "jndi://localhost/examples/*"; 一個象這樣的許可(Permission)會在部署網絡程序時被自動產生，允許它讀取它自己的靜態資源，但不允許它使用文件訪問權來讀取其它文件(除非你明確地給出訪問那些文件的許可). 并且, Tomcat 總是自動產生以下文件許可: permission java.io.FilePermission "** your application context**", "read"; 這里**your application context**代表那個擁有你的應用程序的文件夾(或者是WAR文件)。

政策文件的格式

由Java SecurityManager實現的安全政策被配置存放在$CATALINA_HOME/conf/catalina.policy 文件里。這個文件完全替代了JDK系統目錄里的java.policy文件。這個catalina.policy 文件可以手動修改，或者使用Java 1.2 及其后版本的policytool程序修改。 ?$CATALINA_HOME/conf/catalina.policy

catalina.policy 文件中的條文使用了標準的java.policy文件格式，如下：

	// Example policy file entry grant [signedBy <signer>,] [codeBase <code source>] { permission <class> [<name> [, <action list>]]; };

其中signedBy 和 codeBase是選擇項。注釋行是以"http://"開始，直到該行結束。codeBase是URL的格式，文件的URL中可用如${java.home}和${catalina.home}等屬性(這些屬性會被擴展到由環境變量JAVA_HOME 和 CATALINA_HOME為他們定義的目錄路徑)。 ?${catalina.home}

缺省政策文件

缺省$CATALINA_HOME/conf/catalina.policy 文件看起來象這樣： ?$CATALINA_HOME/conf/catalina.policy

	// ============================================================================ // catalina.corepolicy - Security Policy Permissions for Tomcat 5 // // This file contains a default set of security policies to be enforced (by the // JVM) when Catalina is executed with the "-security" option. In addition // to the permissions granted here, the following additional permissions are // granted to the codebase specific to each web application: // // * Read access to the document root directory // // $Id: security-manager-howto.xml,v 1.5 2003/01/15 03:40:43 glenn Exp $ // ============================================================================ // ========== SYSTEM CODE PERMISSIONS ========================================= // These permissions apply to javac grant codeBase "file:${java.home}/lib/-" { permission java.security.AllPermission; }; // These permissions apply to all shared system extensions grant codeBase "file:${java.home}/jre/lib/ext/-" { permission java.security.AllPermission; }; // These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre grant codeBase "file:${java.home}/../lib/-" { permission java.security.AllPermission; }; // These permissions apply to all shared system extensions when // ${java.home} points at $JAVA_HOME/jre grant codeBase "file:${java.home}/lib/ext/-" { permission java.security.AllPermission; }; // ========== CATALINA CODE PERMISSIONS ======================================= // These permissions apply to the launcher code grant codeBase "file:${catalina.home}/bin/commons-launcher.jar" { permission java.security.AllPermission; }; // These permissions apply to the server startup code grant codeBase "file:${catalina.home}/bin/bootstrap.jar" { permission java.security.AllPermission; }; // These permissions apply to the servlet API classes // and those that are shared across all class loaders // located in the "common" directory grant codeBase "file:${catalina.home}/common/-" { permission java.security.AllPermission; }; // These permissions apply to the container's core code, plus any additional // libraries installed in the "server" directory grant codeBase "file:${catalina.home}/server/-" { permission java.security.AllPermission; }; // ========== WEB APPLICATION PERMISSIONS ===================================== // These permissions are granted by default to all web applications // In addition, a web application will be given a read FilePermission // and JndiPermission for all files and directories in its document root. grant { // Required for JNDI lookup of named JDBC DataSource's and // javamail named MimePart DataSource used to send mail permission java.util.PropertyPermission "java.home", "read"; permission java.util.PropertyPermission "java.naming.*", "read"; permission java.util.PropertyPermission "javax.sql.*", "read"; // OS Specific properties to allow read access permission java.util.PropertyPermission "os.name", "read"; permission java.util.PropertyPermission "os.version", "read"; permission java.util.PropertyPermission "os.arch", "read"; permission java.util.PropertyPermission "file.separator", "read"; permission java.util.PropertyPermission "path.separator", "read"; permission java.util.PropertyPermission "line.separator", "read"; // JVM properties to allow read access permission java.util.PropertyPermission "java.version", "read"; permission java.util.PropertyPermission "java.vendor", "read"; permission java.util.PropertyPermission "java.vendor.url", "read"; permission java.util.PropertyPermission "java.class.version", "read"; permission java.util.PropertyPermission "java.specification.version", "read"; permission java.util.PropertyPermission "java.specification.vendor", "read"; permission java.util.PropertyPermission "java.specification.name", "read"; permission java.util.PropertyPermission "java.vm.specification.version", "read"; permission java.util.PropertyPermission "java.vm.specification.vendor", "read"; permission java.util.PropertyPermission "java.vm.specification.name", "read"; permission java.util.PropertyPermission "java.vm.version", "read"; permission java.util.PropertyPermission "java.vm.vendor", "read"; permission java.util.PropertyPermission "java.vm.name", "read"; // Required for getting BeanInfo permission java.lang.RuntimePermission "accessClassInPackage.sun.beans.*"; // Required for OpenJMX permission java.lang.RuntimePermission "getAttribute"; // Allow read of JAXP compliant XML parser debug permission java.util.PropertyPermission "jaxp.debug", "read"; }; // You can assign additional permissions to particular web applications by // adding additional "grant" entries here, based on the code base for that // application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files. // // Different permissions can be granted to JSP pages, classes loaded from // the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/ // directory, or even to individual jar files in the /WEB-INF/lib/ directory. // // For instance, assume that the standard "examples" application // included a JDBC driver that needed to establish a network connection to the // corresponding database and used the scrape taglib to get the weather from // the NOAA web server. You might create a "grant" entries like this: // // The permissions granted to the context root directory apply to JSP pages. // grant codeBase "file:${catalina.home}/webapps/examples/-" { // permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; // permission java.net.SocketPermission "*.noaa.gov:80", "connect"; // }; // // The permissions granted to the context WEB-INF/classes directory // grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/classes/-" { // }; // // The permission granted to your JDBC driver // grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/-" { // permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; // }; // The permission granted to the scrape taglib // grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar!/-" { // permission java.net.SocketPermission "*.noaa.gov:80", "connect"; // };

啟動附帶SecurityManager的Tomcat

在你配置好與SecurityManager一起使用的catalina.policy文件之后，你可以使用"-security"選項來啟動Tomcat。

	$CATALINA_HOME/bin/catalina.sh start -security (Unix) %CATALINA_HOME%\bin\catalina start -security (Windows)

從Tomcat 5開始，現在可以配置Tomcat內部包的許可。更多信息請參看 http://java.sun.com/security/seccodeguide.html 。

警告：刪除缺省的包保護，可能打開一個安全漏洞。

缺省的屬性文件

缺省的$CATALINA_HOME/conf/catalina.properties 文件看起來象這樣： ?$CATALINA_HOME/conf/catalina.properties

	# # List of comma-separated packages that start with or equal this string # will cause a security exception to be thrown when # passed to checkPackageAccess unless the # corresponding RuntimePermission ("accessClassInPackage."+package) has # been granted. package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat., org.apache.jasper. # # List of comma-separated packages that start with or equal this string # will cause a security exception to be thrown when # passed to checkPackageDefinition unless the # corresponding RuntimePermission ("defineClassInPackage."+package) has # been granted. # # by default, no packages are restricted for definition, and none of # the class loaders supplied with the JDK call checkPackageDefinition. # package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote., org.apache.tomcat.,org.apache.jasper.

當你完成配置SecurityManager所需的catalina.properties 文件，記住要重新啟動Tomcat。

如果你的網絡應用程序試圖執行沒有許可而被阻止的操作，SecurityManager探查出這樣的違規后，就會拋出一個AccessControLException 或 SecurityException 。 要查出究竟缺少哪個許可往往非常困難，一個方法是打印執行過程中的所有關于安全決定的排錯信息。這可以在啟動Tomcat之前通過設置系統屬性來實現。最簡單的辦法是修改CATALINA_OPTS 環境變量。在啟動Tomcat之前，執行下面這個命令：

	export CATALINA_OPTS=-Djava.security.debug=all (Unix) set CATALINA_OPTS=-Djava.security.debug=all (Windows)

（在啟動Tomcat之前）。

警告——這會產生很多megabytes的輸出。不過，通過查找"FAILED"這個詞可以幫助你搜索問題所在，并確定哪個許可是要找的問題。請參看Java安全文檔資料，那里有你可指定的更多選項。