Tomcat 6:访问控制异常?

tag-icon tag-icon java tomcat6 jsp
Tomcat 6:访问控制异常?

我正在尝试设置一个 tomcat6 服务器,并尝试匹配其他人建立的另一个设置。但是,我的部署(默认 Ubuntu 安装)使用policy.d/目录结构,而建立的服务器仅使用文件catalina.policy。我尝试设置 policy.d 中的每个条目以匹配给定的 catalina.policy,但我仍然在启动时收到以下堆栈跟踪(来自 localhost 日志)。

那么,我有两个问题。首先,如何让 tomcat 使用单个策略文件,而不是 提供的目录结构policy.d/?其次,为什么当我指定所有文件使用相同的策略时,我仍然会得到下面的堆栈跟踪?

堆栈跟踪:

SEVERE: Servlet /myapp threw load() exception
java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.jasper)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:342)
        at java.security.AccessController.checkPermission(AccessController.java:553)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1529)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:291)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:264)
        at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1314)
        at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1245)
        at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:332)
        at org.apache.jasper.servlet.JspServlet.init(JspServlet.java:100)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:244)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:537)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:276)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:162)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:115)
        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1166)
        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:992)
        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4058)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4367)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
        at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:123)
        at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:769)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:525)
        at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:978)
        at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:941)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:499)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1201)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:318)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
        at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
        at org.apache.catalina.core.StandardService.start(StandardService.java:516)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:578)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.apache.commons.daemon.support.DaemonLoader.start(DaemonLoader.java:177)

政策.d

grant codeBase "file:${java.home}/lib/-" {
        permission java.security.AllPermission;
};

// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/-" {
        permission java.security.AllPermission;
};

// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/../lib/-" {
        permission java.security.AllPermission;
};

// These permissions apply to all shared system extensions when
// ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/lib/ext/-" {
        permission java.security.AllPermission;
};

// ========== CATALINA CODE PERMISSIONS =======================================
// These permissions apply to the daemon code
grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
        permission java.security.AllPermission;
};

// These permissions apply to the logging API
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
        permission java.util.PropertyPermission "java.util.logging.config.class", "read";
        permission java.util.PropertyPermission "java.util.logging.config.file", "read";
        permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read"; 
        permission java.lang.RuntimePermission "shutdownHooks";
        permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
        permission java.util.PropertyPermission "catalina.base", "read";
        permission java.util.logging.LoggingPermission "control";
        permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
        permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
        permission java.lang.RuntimePermission "getClassLoader";
        // To enable per context logging configuration, permit read access to the appropriate file.
        // Be sure that the logging configuration is secure before enabling such access
        // eg for the examples web application:
        // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
};

// These permissions apply to the server startup code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
        permission java.security.AllPermission;
};

// These permissions apply to the servlet API classes
// and those that are shared across all class loaders
// located in the "lib" directory
grant codeBase "file:${catalina.home}/lib/-" {
        permission java.security.AllPermission;
};


// ========== WEB APPLICATION PERMISSIONS =====================================
// These permissions are granted by default to all web applications
// In addition, a web application will be given a read FilePermission
// and JndiPermission for all files and directories in its document root.
grant { 
    // Required for JNDI lookup of named JDBC DataSource's and
    // javamail named MimePart DataSource used to send mail
    permission java.util.PropertyPermission "java.home", "read";
    permission java.util.PropertyPermission "java.naming.*", "read";
    permission java.util.PropertyPermission "javax.sql.*", "read";

    // OS Specific properties to allow read access
    permission java.util.PropertyPermission "os.name", "read";
    permission java.util.PropertyPermission "os.version", "read";
    permission java.util.PropertyPermission "os.arch", "read";
    permission java.util.PropertyPermission "file.separator", "read";
    permission java.util.PropertyPermission "path.separator", "read";
    permission java.util.PropertyPermission "line.separator", "read";

    // JVM properties to allow read access
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "java.vendor", "read";
    permission java.util.PropertyPermission "java.vendor.url", "read";
    permission java.util.PropertyPermission "java.class.version", "read";
    permission java.util.PropertyPermission "java.specification.version", "read";
    permission java.util.PropertyPermission "java.specification.vendor", "read";
    permission java.util.PropertyPermission "java.specification.name", "read";

    permission java.util.PropertyPermission "java.vm.specification.version", "read";
    permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
    permission java.util.PropertyPermission "java.vm.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.version", "read";
    permission java.util.PropertyPermission "java.vm.vendor", "read";
    permission java.util.PropertyPermission "java.vm.name", "read";

    // Required for OpenJMX
    permission java.lang.RuntimePermission "getAttribute";

    // Allow read of JAXP compliant XML parser debug
    permission java.util.PropertyPermission "jaxp.debug", "read";

    // Precompiled JSPs need access to this package.
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";

    // Precompiled JSPs need access to this system property.
    permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";

};

答案1

我一直都不喜欢 Ubuntu 将 Tomcat 文件分散到各处。相反,我更喜欢下载 Tomcat 二进制发行版并设置自定义配置,我认为这更简单、更灵活、更易于维护。我在我的网站上的几篇博客文章中解释了如何执行此操作http://www.brianshowalter.com

我还想问是否真的有必要使用 Java 安全策略。在某些情况下,它确实为处理敏感数据的应用程序提供了有价值的额外安全性,但我怀疑在许多情况下,额外的复杂性和正确配置的需求不值得花费额外的时间和精力。

答案2

好的,第一件事:您真的需要使用 Java 安全策略吗?迄今为止最简单的解决方案是在 tomcat 的启动脚本中禁用此功能:

在 /etc/init.d/tomcat6 中替换

    TOMCAT6_SECURITY=yes


    TOMCAT6_SECURITY=no

假设您必须使用安全管理器,并且必须匹配现有安装,我建议卸载 tomcat6,从网上下载,然后运行 ​​/opt 或 /usr/local 中的整个目录。这意味着您必须自己跟踪安全更新,但至少所有文件都在同一个位置,并且更容易获得配置帮助。

好的,现在让我们尝试使用您已有的内容。如果您有自定义策略文件,则这应该是仅有的在 policy.d 中创建文件,或者至少将您的权限添加到“50local.policy”,该权限旨在覆盖所有其他文件。或者,您可以将路径更改为 /etc/init.d/tomcat6 中的安全策略

您还应该将“-Djava.security.debug=failure”添加到安全部分,如下所示:

    if [ "$TOMCAT6_SECURITY" = "yes" ]; then
       JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy=$POLICY_CACHE -Djava.security.debug=failure"
    fi

这将为您提供更多有用的错误消息,通常会告诉您应该向策略中添加哪些权限以避免错误。

注意:如果在 Eclipse 中使用 TOMCAT,请在服务器选项卡中双击 TOMCAT,然后取消选中“使用安全性”

相关内容