Hello,

In my playing around with security, I've been attempting to break out the AllPermission for the ${catalina.home}/server classes into something more granular to allow more refined tweaking. Here's what I have so far:

    grant codeBase "file:${catalina.home}/server/-" {
        permission java.lang.RuntimePermission "*";
        permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
        permission java.util.PropertyPermission "*", "read,write";
        permission java.security.SecurityPermission "*";
        permission java.net.SocketPermission "*:0-", "accept,connect,listen,resolve";
        permission java.net.NetPermission "*";
        permission java.io.SerializablePermission "*";
        permission org.apache.naming.JndiPermission "*";
    };

I've already removed the execute from the FilePermission and I've left out the reflection permission since that's a really, really ugly one. Some of the above are probably way too broad... but certainly no broader than AllPermission. I decided to start from the other end of the spectrum and work backwards. With the above, I can still run my own stuff and the tester stuff.

Incidentally, the tester webapp fails to initialize when the security manager is enabled. Since it uses PropertyEditorManager in one of its files, it requires PropertyPermission "*", "read,write" in order to run. I'm still trying to figure out how to enable this just for the tester app (I have it working if I stick it in the general grant section). The docs in catalina.policy don't seem to be helping much.

The other curious thing about this particular error is that it doesn't show up as an access failure when using the debugging built into the security manager.

-Paul
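Added example, not part of the original message or of Tomcat: a small Python audit script that parses grant blocks in the policy syntax shown above and lists the wildcard grants per codeBase, as a starting point for narrowing them one at a time. The second grant and its `tester` path are constructed for illustration; only `codeBase` grants and whole-line `//` comments are handled.

```python
import re
# Constructed input: the grant from the message, plus a hypothetical
# per-webapp grant (the "tester" path is an assumption, not from the post).
POLICY = r'''
grant codeBase "file:${catalina.home}/server/-" {
    permission java.lang.RuntimePermission "*";
    permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
    permission java.util.PropertyPermission "*", "read,write";
    permission java.security.SecurityPermission "*";
    permission java.net.SocketPermission "*:0-", "accept,connect,listen,resolve";
    permission java.net.NetPermission "*";
    permission java.io.SerializablePermission "*";
    permission org.apache.naming.JndiPermission "*";
};
grant codeBase "file:${catalina.home}/webapps/tester/-" {
    permission java.util.PropertyPermission "*", "read,write";
    permission java.io.FilePermission "${catalina.home}/webapps/tester/-", "read";
};
'''

GRANT_RE = re.compile(r'\bgrant\s+(?:codeBase\s+"([^"]*)"\s*)?\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(
    r'\bpermission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;')

def parse_policy(text):
    """Return (codeBase, class, target, actions) for every permission entry."""
    # Drop whole-line // comments only, so "file://..." targets survive.
    text = re.sub(r'^\s*//.*$', '', text, flags=re.M)
    return [(cb or "<all code>", cls, target, actions)
            for cb, body in GRANT_RE.findall(text)
            for cls, target, actions in PERM_RE.findall(body)]

def is_broad(cls, target):
    """Wildcard grants that a tightening pass should revisit first."""
    if cls == "java.security.AllPermission" or target in ("*", "<<ALL FILES>>"):
        return True
    # "*:0-" style targets: any host, any port range
    return cls == "java.net.SocketPermission" and target.startswith("*:")

def audit(text):
    """Map each codeBase to the short class names of its wildcard grants."""
    report = {}
    for cb, cls, target, _ in parse_policy(text):
        if is_broad(cls, target):
            report.setdefault(cb, []).append(cls.rsplit(".", 1)[-1])
    return report

if __name__ == "__main__":
    print(audit(POLICY))
```

Every entry in the server grant is reported, which matches the "no broader than AllPermission" starting point; the list shrinks as each wildcard is replaced with a specific target.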