authorjdennis <jdennis@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-11-19 20:55:10 +0000
committerjdennis <jdennis@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-11-19 20:55:10 +0000
commit1f9d347ca13233c1bc4e0f969747267725c8ea04 (patch)
treeaa6980b66967ee9b290499933a3c7c3d11549b59
parentb44f2ec7adf547b7f81ec148c488f46df1df3ec8 (diff)
Port tomcat5 config files to tomcat6
We copy a number of tomcat config files from the tomcat distribution and keep them in our own location. Some of those config files changed between tomcat5 and tomcat6. This patch just merges the tomcat6 changes into our copies of the files, making them very close to the original tomcat6 versions. git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1559 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
-rw-r--r--pki/base/ca/shared/conf/catalina.policy117
-rw-r--r--pki/base/ca/shared/conf/context.xml25
-rw-r--r--pki/base/ca/shared/conf/tomcat-users.xml33
3 files changed, 82 insertions, 93 deletions
diff --git a/pki/base/ca/shared/conf/catalina.policy b/pki/base/ca/shared/conf/catalina.policy
index 8f481e333..b519e602a 100644
--- a/pki/base/ca/shared/conf/catalina.policy
+++ b/pki/base/ca/shared/conf/catalina.policy
@@ -1,5 +1,20 @@
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
// ============================================================================
-// catalina.corepolicy - Security Policy Permissions for Tomcat 5
+// catalina.corepolicy - Security Policy Permissions for Tomcat 6
//
// This file contains a default set of security policies to be enforced (by the
// JVM) when Catalina is executed with the "-security" option. In addition
@@ -40,35 +55,16 @@ grant codeBase "file:${java.home}/lib/ext/-" {
// ========== CATALINA CODE PERMISSIONS =======================================
-// These permissions apply to the launcher code
-grant codeBase "file:${catalina.home}/bin/commons-launcher.jar" {
- permission java.security.AllPermission;
-};
-
// These permissions apply to the daemon code
grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
permission java.security.AllPermission;
};
-// These permissions apply to the commons-logging API
-grant codeBase "file:${catalina.home}/bin/commons-logging-api.jar" {
- permission java.security.AllPermission;
-};
-
-// These permissions apply to the server startup code
-grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
- permission java.security.AllPermission;
-};
-
-// These permissions apply to the JMX server
-grant codeBase "file:${catalina.home}/bin/jmx.jar" {
- permission java.security.AllPermission;
-};
-
-// These permissions apply to JULI
+// These permissions apply to the logging API
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
permission java.util.PropertyPermission "java.util.logging.config.class", "read";
permission java.util.PropertyPermission "java.util.logging.config.file", "read";
+ permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
permission java.lang.RuntimePermission "shutdownHooks";
permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
permission java.util.PropertyPermission "catalina.base", "read";
@@ -82,24 +78,19 @@ grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
// permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
};
-// These permissions apply to the servlet API classes
-// and those that are shared across all class loaders
-// located in the "common" directory
-grant codeBase "file:${catalina.home}/common/-" {
+// These permissions apply to the server startup code
+grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
permission java.security.AllPermission;
};
-// These permissions apply to the container's core code, plus any additional
-// libraries installed in the "server" directory
-grant codeBase "file:${catalina.home}/server/-" {
+// These permissions apply to the servlet API classes
+// and those that are shared across all class loaders
+// located in the "lib" directory
+grant codeBase "file:${catalina.home}/lib/-" {
permission java.security.AllPermission;
};
-// The permissions granted to the balancer WEB-INF/classes and WEB-INF/lib directory
-grant codeBase "file:${catalina.home}/webapps/balancer/-" {
- permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester";
- permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester.*";
-};
+
// ========== WEB APPLICATION PERMISSIONS =====================================
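Review bot: The `${catalina.home}/lib/-` grant added here, together with the `bin/` grants, is now the only place this policy hands out `AllPermission`, because the last hunk (`-182,58 +176,3`) deletes the explicit grants for `jss4.jar`, `tomcatjss.jar`, `osutil.jar`, `symkey.jar`, `ldapjdk.jar`, `velocity.jar` and `/usr/share/java/pki/-`. Those grants were PKI additions rather than tomcat5 content, so removing them goes beyond the merge the description states. If the server is started with `-security` and those jars are not loaded from under `${catalina.home}/lib`, PKI code would presumably fall back to the default web application grant; which directory they load from is not visible in this diff. I would either keep narrowly scoped grants for the PKI jars or record the assumption next to this grant, e.g. `// PKI jars (jss4, tomcatjss, osutil, symkey, ldapjdk, pki/*) are expected under ${catalina.home}/lib`.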
@@ -147,6 +138,9 @@ grant {
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
+ // Precompiled JSPs need access to this system property.
+ permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
+
};
@@ -182,58 +176,3 @@ grant {
// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
-
-
-// These permissions apply to Tomcat5 java
-grant codeBase "file:/usr/share/java/tomcat5/-" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/share/java/jakarta-commons-modeler.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/share/java/jasper5-compiler.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/share/java/jasper5-runtime.jar" {
- permission java.security.AllPermission;
-};
-
-
-
-// These permissions apply to PKI configuration
-grant codeBase "file:/usr/share/java/velocity.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/share/java/tomcat5-servlet-2.4-api.jar" {
- permission java.security.AllPermission;
-};
-
-
-
-
-// These permissions apply to PKI support
-grant codeBase "file:/usr/share/java/ldapjdk.jar" {
- permission java.security.AllPermission;
-};
-
-
-
-// These permissions apply to PKI
-grant codeBase "file:/usr/lib/java/jss4.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/share/java/tomcatjss.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/lib/java/osutil.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/lib/java/symkey.jar" {
- permission java.security.AllPermission;
-};
-grant codeBase "file:/usr/share/java/pki/-" {
- permission java.security.AllPermission;
-};
-
-
-
diff --git a/pki/base/ca/shared/conf/context.xml b/pki/base/ca/shared/conf/context.xml
index 4998ad27d..8eb2d2b7f 100644
--- a/pki/base/ca/shared/conf/context.xml
+++ b/pki/base/ca/shared/conf/context.xml
@@ -1,5 +1,22 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
<!-- The contents of this file will be loaded for each web application -->
-<Context crossContext="true">
+<Context>
<!-- Default set of monitored resources -->
<WatchedResource>WEB-INF/web.xml</WatchedResource>
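Review bot: Dropping `crossContext="true"` from `<Context>` is a behaviour change rather than part of the licence-header merge: this file is loaded for each web application, so with the attribute gone `ServletContext.getContext()` no longer hands one webapp another webapp's context. That is the more restrictive setting and a sensible default, but the description does not mention it and nothing in the diff shows whether any PKI webapp relied on cross-context dispatch. I would state the intent in the file once that has been confirmed, e.g. `<!-- crossContext intentionally left at its default (false); PKI webapps do not dispatch across contexts -->`.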
@@ -9,4 +26,10 @@
<Manager pathname="" />
-->
+ <!-- Uncomment this to enable Comet connection tacking (provides events
+ on session expiration as well as webapp lifecycle) -->
+ <!--
+ <Valve className="org.apache.catalina.valves.CometConnectionManagerValve" />
+ -->
+
</Context>
diff --git a/pki/base/ca/shared/conf/tomcat-users.xml b/pki/base/ca/shared/conf/tomcat-users.xml
index 920e68240..c0c9964be 100644
--- a/pki/base/ca/shared/conf/tomcat-users.xml
+++ b/pki/base/ca/shared/conf/tomcat-users.xml
@@ -1,13 +1,40 @@
<?xml version='1.0' encoding='utf-8'?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<!--
+ <role rolename="tomcat"/>
+ <role rolename="role1"/>
+ <user username="tomcat" password="tomcat" roles="tomcat"/>
+ <user username="both" password="tomcat" roles="tomcat,role1"/>
+ <user username="role1" password="tomcat" roles="role1"/>
+-->
+
+<!-- The host manager webapp is restricted to users with role "admin" -->
+<!--<user name="tomcat" password="password" roles="admin" />-->
+<!-- The manager webapp is restricted to users with role "manager" -->
+<!--<user name="tomcat" password="password" roles="manager" />-->
<tomcat-users>
<role rolename="pkiuser"/>
<role rolename="tomcat"/>
- <role rolename="role1"/>
<role rolename="manager"/>
<role rolename="admin"/>
+
<user username="pkiuser" password="pkiuser" roles="pkiuser"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
- <user username="both" password="tomcat" roles="tomcat,role1"/>
- <user username="role1" password="tomcat" roles="role1"/>
<user username="admin" password="netscape" roles="admin,manager"/>
</tomcat-users>
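Review bot: The live `<tomcat-users>` block still defines `pkiuser`/`pkiuser`, `tomcat`/`tomcat` and `admin`/`netscape`, the last one holding both `admin` and `manager`, while the comments merged in above show the sample users commented out. The comments added in this hunk say the manager and host-manager webapps are restricted to exactly those roles, so any instance that deploys them with this file would accept a fixed, guessable password; whether they are deployed is not visible here. I would ship the file with no active `<user>` entries and have instance creation write the credentials, e.g. `<!-- <user username="admin" password="SET_AT_INSTALL_PLACEHOLDER" roles="admin,manager"/> -->`.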