Glenn Nielsen wrote:
> Tomcat SecurityManager XML Policy configuration
> -----------------------------------------------
>
> I have finished implementing support within Tomcat for using XML based
> security policy files. This was proposed and discussed on the list back
> 3-4 months ago.
>
> I would like to commit this to the jakarta-tomcat-4.0 CVS HEAD and have it
> included in future 4.1.x releases. Initially it could be listed as either
> experimental, alpha, or beta. Whichever we decide.
>
> - This new feature is fully backward compatible with current methods
>   of using catalina.policy. Use of the XML based policy is
>   invoked by using the -security-xml startup option instead of -security.
>
> - Catalina can be compiled without support for use of an XML policy.
>   To build with support for an XML policy the Castor XML Schema
>   jar file and the Jakarta ORO jar files must both be present.
>
>   http://castor.exolab.org/
>   http://jakarta.apache.org/oro/
>
> Here is a URL to the updated Security Manager HOW-TO which documents
> the new XML Policy features.
>
> http://duke.more.net/~glenn/tomcat-docs/security-manager-howto.html#Optional%20XML%20Policy%20Configuration
>
> Please review the above before voting.
>
> If you are interested in looking at the code before I commit I could
> create a patch file with all the changes against jakarta-tomcat-4.0
> CVS HEAD and make it available. Just let me know.
>
> Here is a ballot. I would prefer not creating a Tomcat 4.2 development
> branch yet, that just adds more CVS branches to commit bug fixes to.
>
> <ballot>
> [ ] commit XML Policy source to jakarta-tomcat-4.0 HEAD
>     and include it in future release of Tomcat 4.1.x
> [ ] commit to CVS but don't add to the next release
> [ ] create a Tomcat 4.2 development branch and commit there (Ugh!)
> [ ] -1 Don't commit to CVS (Please explain why)
> </ballot>

I'm -0 on adding yet another config file - WEB-INF/policy.xml is also strange as webapps (which shouldn't be trusted) get to set the security policy. This is very tricky - and will need a lot of review.

However I'm -1 on adding deps on castor and doing schema validations - at least at this stage (and after the experience we had with web.xml schemas). Castor is very nice, but is also a big thing.

The current policy file is standard and likely to be understood by tools. XML may be in theory easier, however I doubt too many tools understand this particular DTD. So I prefer keeping the current file format as default, at least until a standard security policy DTD is defined (standard == we're not the only ones using it :-).

If you need this functionality - I would propose making it a separate module (sort of add-on to tomcat), instead of bundling it with tomcat by default.

Costin

>
> Thanks,
>
> Glenn

--
Costin