From 5eab7fedf1c78610b5e030b9e07e93f32633e9ad Mon Sep 17 00:00:00 2001
From: Endi Sukma Dewata
Date: Tue, 2 Oct 2012 11:40:35 -0500
Subject: Enabled Tomcat security manager. The tomcat.conf and the template deployment configuration have been modified to enable the security manager. The operations script has been modified to generate a new catalina.policy from the standard Tomcat policy, the standard PKI policy and the custom policy every time the instance is started. The current catalina.policy has been changed to store a header for the dynamically generated catalina.policy. A new pki.policy has been added to store the default PKI security policy. An empty custom.policy has been added to store policy customization. Ticket #223
---
base/common/shared/conf/pki.policy | 188 +++++++++++++++++++++++++++++++++++++
1 file changed, 188 insertions(+)
create mode 100644 base/common/shared/conf/pki.policy
(limited to 'base/common/shared/conf/pki.policy')
diff --git a/base/common/shared/conf/pki.policy b/base/common/shared/conf/pki.policy
new file mode 100644
index 000000000..d26598671
--- /dev/null
+++ b/base/common/shared/conf/pki.policy
@@ -0,0 +1,188 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// Copyright (C) 2012 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+// ============================================================================
+// pki.policy - Default Security Policy Permissions for PKI on Tomcat 7
+//
+// This file contains a default set of security policies for PKI running inside
+// Tomcat 7.
+// ============================================================================
+
+grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
+};
+
+grant codeBase "file:${catalina.base}/bin/bootstrap.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:${catalina.base}/lib/-" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/lib/java/jss4.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/lib64/java/jss4.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/commons-codec.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/apache-commons-collections.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/apache-commons-lang.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/apache-commons-logging.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/ecj.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/eclipse/-" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/glassfish-jsp.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/httpcomponents/httpclient.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/httpcomponents/httpcore.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/javassist.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/jaxb-api.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/jaxme/jaxmeapi.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/jaxp_parser_impl.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/jboss-web.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/jettison.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/ldapjdk.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/log4j.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/resteasy/jaxrs-api.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/resteasy/resteasy-atom-provider.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/resteasy/resteasy-jaxb-provider.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/resteasy/resteasy-jaxrs.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/resteasy/resteasy-jettison-provider.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/scannotation.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/servlet.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/tomcat/-" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/tomcat7jss.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/tomcat-el-api.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/tomcat-servlet-api.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/velocity.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/xerces-j2.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/xml-commons-apis.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/xml-commons-resolver.jar" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:/usr/share/java/pki/-" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:${catalina.base}/webapps/pki/-" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:${catalina.base}/webapps/ca/-" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:${catalina.base}/webapps/kra/-" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:${catalina.base}/webapps/ocsp/-" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:${catalina.base}/webapps/tks/-" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:${catalina.base}/webapps/ROOT/-" {
+ permission java.security.AllPermission;
+};
+
-- cgit
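Review bot: Every `grant` in this new file except the one for `tomcat-juli.jar` gives `java.security.AllPermission`, including the recursive entries for `${catalina.base}/lib/-` and for each webapp (`pki`, `ca`, `kra`, `ocsp`, `tks`, `ROOT`), so with this policy the security manager restricts essentially nothing that is loaded from those paths. The effective boundary then becomes file-system ownership of the instance `lib/` and `webapps/` directories, since any JAR or class placed there inherits full permissions. That dependency should be stated in the header comment, for example `// NOTE: the AllPermission grants below are a baseline; instance lib/ and webapps/ must not be writable by the Tomcat service account.`, with a follow-up to replace the webapp grants with the specific file, socket and property permissions each subsystem needs. Separately, `bootstrap.jar` is granted under `${catalina.base}/bin` while `tomcat-juli.jar` uses `${catalina.home}/bin`; if the two properties differ for an instance, one of these code bases may not match, so please confirm which is intended.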