The Apache Jakarta Tomcat 5.5 Servlet/JSP Container

Security Manager HOW-TO

Java的SecurityManager允許瀏覽器在它可執(zhí)行的范圍內(nèi)運(yùn)行，這樣可以防止不可靠的程序讀寫(xiě)用戶(hù)在局部文件系統(tǒng)里的文件，或者未經(jīng)授權(quán)進(jìn)行網(wǎng)絡(luò)連接，等等。同樣，SecurityManager可用來(lái)防止不可靠的程序在你的瀏覽器上運(yùn)行，在運(yùn)行Tomcat時(shí)使用SecurityManager可以保護(hù)你的服務(wù)器不受到類(lèi)似于木馬的servlets, JSPs, JSP beans 和 tag libraries的影響，或者發(fā)生錯(cuò)誤。

試想某個(gè)被允許在你的網(wǎng)站上發(fā)表JSPs的人不慎包括了以下的語(yǔ)句在他們的JSP里：

	<%System.exit(1);%>

每次Tomcat運(yùn)行該JSP都會(huì)導(dǎo)致Tomcat中斷。使用Java SecurityManager如同多了一層防護(hù)，可以讓服務(wù)器更加安全可靠。

警告——雖然Tomcat 5的程序通過(guò)了安全檢查，最重要的程序包都已被保護(hù)，新的安全機(jī)制也已實(shí)施，但在允許用戶(hù)發(fā)表網(wǎng)絡(luò)程序，JSPs, servlets, beans, 或 tag libraries之前，你還是有必要確保SecurityManager的各項(xiàng)配置符合你的要求。當(dāng)然，有SecurityManager絕對(duì)比沒(méi)有它要安全的多。

Permission類(lèi)是用來(lái)定義Tomcat載入的類(lèi)所擁有的權(quán)限。Java本身包括了一些Permission類(lèi)，你也可以在你的網(wǎng)絡(luò)應(yīng)用中加入你自己的Permission類(lèi)。這兩種技術(shù)在Tomcat 5里都被應(yīng)用。

標(biāo)準(zhǔn)許可權(quán)限

這里簡(jiǎn)單總結(jié)了標(biāo)準(zhǔn)系統(tǒng)中適用于Tomcat的SecurityManager Permission 類(lèi)。更多信息請(qǐng)參看http://java.sun.com/security/。 java.util.PropertyPermission - 控制讀/寫(xiě)Java虛擬器的屬性，如java.home 。 java.lang.RuntimePermission - 控制使用一些系統(tǒng)/運(yùn)行時(shí)(System/Runtime)的功能，如exit() 和 exec()。它也控制包(package)的訪(fǎng)問(wèn)/定義。 java.io.FilePermission - 控制對(duì)文件和目錄的讀/寫(xiě)/執(zhí)行操作。 java.net.SocketPermission - 控制使用網(wǎng)路sockets連接。 java.net.NetPermission - 控制使用multicast網(wǎng)路連接。 java.lang.reflect.ReflectPermission - 控制使用reflection來(lái)對(duì)類(lèi)進(jìn)行檢視。 java.security.SecurityPermission - 控制對(duì)安全方法的訪(fǎng)問(wèn)。 java.security.AllPermission - 給予所有訪(fǎng)問(wèn)權(quán)限，就如你運(yùn)行一個(gè)沒(méi)有SecurityManager的Tomcat 。

Tomcat用戶(hù)特有權(quán)限

Tomcat利用一個(gè)叫做org.apache.naming.JndiPermission 客戶(hù)許可類(lèi)。它用來(lái)控制以JNDI命名的文件資源的可讀權(quán)限。該許可的名稱(chēng)是以JNDI來(lái)表達(dá)，沒(méi)有命令。在給予許可時(shí)，"*"的結(jié)尾可以用來(lái)以wild card方式映射JNDI命名的文件資源。例如，你可以在你的政策(policy)文件加入以下一行： permission org.apache.naming.JndiPermission "jndi://localhost/examples/*"; 一個(gè)象這樣的許可(Permission)會(huì)在部署網(wǎng)絡(luò)程序時(shí)被自動(dòng)產(chǎn)生，允許它讀取它自己的靜態(tài)資源，但不允許它使用文件訪(fǎng)問(wèn)權(quán)來(lái)讀取其它文件(除非你明確地給出訪(fǎng)問(wèn)那些文件的許可). 并且, Tomcat 總是自動(dòng)產(chǎn)生以下文件許可: permission java.io.FilePermission "** your application context**", "read"; 這里**your application context**代表那個(gè)擁有你的應(yīng)用程序的文件夾(或者是WAR文件)。

政策文件的格式

由Java SecurityManager實(shí)現(xiàn)的安全政策被配置存放在$CATALINA_HOME/conf/catalina.policy 文件里。這個(gè)文件完全替代了JDK系統(tǒng)目錄里的java.policy文件。這個(gè)catalina.policy 文件可以手動(dòng)修改，或者使用Java 1.2 及其后版本的policytool程序修改。 ?$CATALINA_HOME/conf/catalina.policy

catalina.policy 文件中的條文使用了標(biāo)準(zhǔn)的java.policy文件格式，如下：

	// Example policy file entry grant [signedBy <signer>,] [codeBase <code source>] { permission <class> [<name> [, <action list>]]; };

其中signedBy 和 codeBase是選擇項(xiàng)。注釋行是以"http://"開(kāi)始，直到該行結(jié)束。codeBase是URL的格式，文件的URL中可用如${java.home}和${catalina.home}等屬性(這些屬性會(huì)被擴(kuò)展到由環(huán)境變量JAVA_HOME 和 CATALINA_HOME為他們定義的目錄路徑)。 ?${catalina.home}

缺省政策文件

缺省$CATALINA_HOME/conf/catalina.policy 文件看起來(lái)象這樣： ?$CATALINA_HOME/conf/catalina.policy

	// ============================================================================ // catalina.corepolicy - Security Policy Permissions for Tomcat 5 // // This file contains a default set of security policies to be enforced (by the // JVM) when Catalina is executed with the "-security" option. In addition // to the permissions granted here, the following additional permissions are // granted to the codebase specific to each web application: // // * Read access to the document root directory // // $Id: security-manager-howto.xml,v 1.5 2003/01/15 03:40:43 glenn Exp $ // ============================================================================ // ========== SYSTEM CODE PERMISSIONS ========================================= // These permissions apply to javac grant codeBase "file:${java.home}/lib/-" { permission java.security.AllPermission; }; // These permissions apply to all shared system extensions grant codeBase "file:${java.home}/jre/lib/ext/-" { permission java.security.AllPermission; }; // These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre grant codeBase "file:${java.home}/../lib/-" { permission java.security.AllPermission; }; // These permissions apply to all shared system extensions when // ${java.home} points at $JAVA_HOME/jre grant codeBase "file:${java.home}/lib/ext/-" { permission java.security.AllPermission; }; // ========== CATALINA CODE PERMISSIONS ======================================= // These permissions apply to the launcher code grant codeBase "file:${catalina.home}/bin/commons-launcher.jar" { permission java.security.AllPermission; }; // These permissions apply to the server startup code grant codeBase "file:${catalina.home}/bin/bootstrap.jar" { permission java.security.AllPermission; }; // These permissions apply to the servlet API classes // and those that are shared across all class loaders // located in the "common" directory grant codeBase "file:${catalina.home}/common/-" { permission java.security.AllPermission; }; // These permissions apply to the container's core code, plus any additional // libraries installed in the "server" directory grant codeBase "file:${catalina.home}/server/-" { permission java.security.AllPermission; }; // ========== WEB APPLICATION PERMISSIONS ===================================== // These permissions are granted by default to all web applications // In addition, a web application will be given a read FilePermission // and JndiPermission for all files and directories in its document root. grant { // Required for JNDI lookup of named JDBC DataSource's and // javamail named MimePart DataSource used to send mail permission java.util.PropertyPermission "java.home", "read"; permission java.util.PropertyPermission "java.naming.*", "read"; permission java.util.PropertyPermission "javax.sql.*", "read"; // OS Specific properties to allow read access permission java.util.PropertyPermission "os.name", "read"; permission java.util.PropertyPermission "os.version", "read"; permission java.util.PropertyPermission "os.arch", "read"; permission java.util.PropertyPermission "file.separator", "read"; permission java.util.PropertyPermission "path.separator", "read"; permission java.util.PropertyPermission "line.separator", "read"; // JVM properties to allow read access permission java.util.PropertyPermission "java.version", "read"; permission java.util.PropertyPermission "java.vendor", "read"; permission java.util.PropertyPermission "java.vendor.url", "read"; permission java.util.PropertyPermission "java.class.version", "read"; permission java.util.PropertyPermission "java.specification.version", "read"; permission java.util.PropertyPermission "java.specification.vendor", "read"; permission java.util.PropertyPermission "java.specification.name", "read"; permission java.util.PropertyPermission "java.vm.specification.version", "read"; permission java.util.PropertyPermission "java.vm.specification.vendor", "read"; permission java.util.PropertyPermission "java.vm.specification.name", "read"; permission java.util.PropertyPermission "java.vm.version", "read"; permission java.util.PropertyPermission "java.vm.vendor", "read"; permission java.util.PropertyPermission "java.vm.name", "read"; // Required for getting BeanInfo permission java.lang.RuntimePermission "accessClassInPackage.sun.beans.*"; // Required for OpenJMX permission java.lang.RuntimePermission "getAttribute"; // Allow read of JAXP compliant XML parser debug permission java.util.PropertyPermission "jaxp.debug", "read"; }; // You can assign additional permissions to particular web applications by // adding additional "grant" entries here, based on the code base for that // application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files. // // Different permissions can be granted to JSP pages, classes loaded from // the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/ // directory, or even to individual jar files in the /WEB-INF/lib/ directory. // // For instance, assume that the standard "examples" application // included a JDBC driver that needed to establish a network connection to the // corresponding database and used the scrape taglib to get the weather from // the NOAA web server. You might create a "grant" entries like this: // // The permissions granted to the context root directory apply to JSP pages. // grant codeBase "file:${catalina.home}/webapps/examples/-" { // permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; // permission java.net.SocketPermission "*.noaa.gov:80", "connect"; // }; // // The permissions granted to the context WEB-INF/classes directory // grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/classes/-" { // }; // // The permission granted to your JDBC driver // grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/-" { // permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; // }; // The permission granted to the scrape taglib // grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar!/-" { // permission java.net.SocketPermission "*.noaa.gov:80", "connect"; // };

啟動(dòng)附帶SecurityManager的Tomcat

在你配置好與SecurityManager一起使用的catalina.policy文件之后，你可以使用"-security"選項(xiàng)來(lái)啟動(dòng)Tomcat。

	$CATALINA_HOME/bin/catalina.sh start -security (Unix) %CATALINA_HOME%\bin\catalina start -security (Windows)

從Tomcat 5開(kāi)始，現(xiàn)在可以配置Tomcat內(nèi)部包的許可。更多信息請(qǐng)參看 http://java.sun.com/security/seccodeguide.html 。

警告：刪除缺省的包保護(hù)，可能打開(kāi)一個(gè)安全漏洞。

缺省的屬性文件

缺省的$CATALINA_HOME/conf/catalina.properties 文件看起來(lái)象這樣： ?$CATALINA_HOME/conf/catalina.properties

	# # List of comma-separated packages that start with or equal this string # will cause a security exception to be thrown when # passed to checkPackageAccess unless the # corresponding RuntimePermission ("accessClassInPackage."+package) has # been granted. package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat., org.apache.jasper. # # List of comma-separated packages that start with or equal this string # will cause a security exception to be thrown when # passed to checkPackageDefinition unless the # corresponding RuntimePermission ("defineClassInPackage."+package) has # been granted. # # by default, no packages are restricted for definition, and none of # the class loaders supplied with the JDK call checkPackageDefinition. # package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote., org.apache.tomcat.,org.apache.jasper.

當(dāng)你完成配置SecurityManager所需的catalina.properties 文件，記住要重新啟動(dòng)Tomcat。

如果你的網(wǎng)絡(luò)應(yīng)用程序試圖執(zhí)行沒(méi)有許可而被阻止的操作，SecurityManager探查出這樣的違規(guī)后，就會(huì)拋出一個(gè)AccessControLException 或 SecurityException 。 要查出究竟缺少哪個(gè)許可往往非常困難，一個(gè)方法是打印執(zhí)行過(guò)程中的所有關(guān)于安全決定的排錯(cuò)信息。這可以在啟動(dòng)Tomcat之前通過(guò)設(shè)置系統(tǒng)屬性來(lái)實(shí)現(xiàn)。最簡(jiǎn)單的辦法是修改CATALINA_OPTS 環(huán)境變量。在啟動(dòng)Tomcat之前，執(zhí)行下面這個(gè)命令：

	export CATALINA_OPTS=-Djava.security.debug=all (Unix) set CATALINA_OPTS=-Djava.security.debug=all (Windows)

（在啟動(dòng)Tomcat之前）。

警告——這會(huì)產(chǎn)生很多megabytes的輸出。不過(guò)，通過(guò)查找"FAILED"這個(gè)詞可以幫助你搜索問(wèn)題所在，并確定哪個(gè)許可是要找的問(wèn)題。請(qǐng)參看Java安全文檔資料，那里有你可指定的更多選項(xiàng)。