背景知識(shí)
Java 的 SecurityManager 能讓 Web 瀏覽器在它自身的沙盒中運(yùn)行小型應(yīng)用(applet)��,從而具有防止不可信代碼訪問本地文件系統(tǒng)的文件以及防止其連接到主機(jī)����,而不是加載該應(yīng)用的位置,等等�。如同 SecurityManager 能防止不可信的小型應(yīng)用在你的瀏覽器上運(yùn)行�����,運(yùn)行 Tomcat 時(shí),使用 SecurityManager 也能保護(hù)服務(wù)器���,使其免受木馬型的 applet����、JSP�����、JSP Bean 以及標(biāo)簽庫(kù)的侵害����,甚至也可以防止由于無(wú)意中的疏忽所造成的問題。
假設(shè)網(wǎng)站有一位經(jīng)授權(quán)可發(fā)布 JSP 的用戶��,他在無(wú)意中將下面這些代碼加入了 JSP 中:
<% System.exit(1); %>
每當(dāng) Tomcat 執(zhí)行這個(gè) JSP 文件時(shí)��,Tomcat 都會(huì)退出�����。Java 的 SecurityManager 構(gòu)成了系統(tǒng)管理員保證服務(wù)器安全可靠的另一道防線。
警告:使用 Tomcat 代碼庫(kù)時(shí)會(huì)執(zhí)行一個(gè)安全審核����。大多數(shù)關(guān)鍵包已受到保護(hù),新的安全包保護(hù)機(jī)制已經(jīng)實(shí)施���。然而��,在允許不可信用戶發(fā)布 Web 應(yīng)用����、JSP�����、servlet����、bean 或標(biāo)簽庫(kù)之前,你仍要反復(fù)確定自己配置的 SecurityManager 是否滿足了要求��。但不管怎么說���,利用 SecurityManager 來運(yùn)行 Tomcat 肯定比沒有它好得多
權(quán)限
權(quán)限類用于定義 Tomcat 加載的類所具有的權(quán)限�����。標(biāo)準(zhǔn) JDK 中包含了很多標(biāo)準(zhǔn)權(quán)限類����,你還可以針對(duì)自己的 Web 應(yīng)用自定義權(quán)限類�����。Tomcat 支持這兩種技術(shù)���。
標(biāo)準(zhǔn)權(quán)限
關(guān)于適用于 Tomcat 的標(biāo)準(zhǔn)系統(tǒng) SecurityManager 權(quán)限類�����,以下僅是一個(gè)簡(jiǎn)短的總結(jié)��。詳情請(qǐng)查看http://docs.oracle.com/javase/7/docs/technotes/guides/security/��。
- java.util.PropertyPermission——控制對(duì) JVM 屬性的讀/寫��,比如說
java.home�����。
- java.lang.RuntimePermission——控制一些系統(tǒng)/運(yùn)行時(shí)函數(shù)的使用�,比如
exit() 和 exec()。 另外也控制包的訪問/定義����。
- java.io.FilePermission——控制對(duì)文件和目錄的讀/寫/執(zhí)行。
- java.net.SocketPermission——控制網(wǎng)絡(luò)套接字的使用�����。
- java.net.NetPermission——控制組播網(wǎng)絡(luò)連接的使用�。
- java.lang.reflect.ReflectPermission——控制類反射的使用。
- java.security.SecurityPermission——控制對(duì) Security 方法的訪問�����。
- java.security.AllPermission——允許訪問任何權(quán)限����,仿佛沒有 SecurityManager。
Tomcat 自定義權(quán)限
Tomcat 使用了一個(gè)自定義權(quán)限類 org.apache.naming.JndiPermission���。該權(quán)限能夠控制對(duì) JNDI 命名的基于文件的資源的可讀訪問�����。權(quán)限名就是 JNDI 名��,無(wú)任何行為��。后面的 * 可以用來在授權(quán)時(shí)進(jìn)行模糊匹配�����。比如����,可以在策略文件中加入以下內(nèi)容:
permission org.apache.naming.JndiPermission "jndi://localhost/examples/*";
從而為每個(gè)部署的 Web 應(yīng)用動(dòng)態(tài)生成這樣的權(quán)限項(xiàng)��,允許它們讀取自己的靜態(tài)資源����,而不允許讀取其他的文件(除非顯式地賦予這些文件權(quán)限)。
另外����,Tomcat 還能動(dòng)態(tài)生成下面這樣的文件權(quán)限。
permission java.io.FilePermission "** your application context**", "read";
permission java.io.FilePermission
"** application working directory**", "read,write";
permission java.io.FilePermission
"** application working directory**/-", "read,write,delete";
*application working directory 是部署應(yīng)用所用的文件夾或 WAR 文件��。 application working directory 是應(yīng) Servlet 規(guī)范需要而提供給應(yīng)用的暫時(shí)性目錄。
利用 SecurityManager 配置 Tomcat
策略文件格式
Java SecurityManager 所實(shí)現(xiàn)的安全策略配置在 $CATALINA_BASE/conf/catalina.policy 文件中�。該文件完全替代了 JDK 系統(tǒng)目錄中提供的 java.policy 文件。既可以手動(dòng)編輯 catalina.policy 文件����,也可以使用Java 1.2 或以后版本附帶的 policytool 應(yīng)用。
catalina.policy 文件中的項(xiàng)使用標(biāo)準(zhǔn)的 java.policy 文件格式���,如下所示:
// 策略文件項(xiàng)范例
grant [signedBy <signer>,] [codeBase <code source>] {
permission <class> [<name> [, <action list>]];
};
signedBy 和 codeBase 兩項(xiàng)在授予權(quán)限時(shí)是可選項(xiàng)�。注釋行以 // 開始���,在當(dāng)前行結(jié)束����。codeBase 以 URL 的形式����。對(duì)于文件 URL,可以使用 ${java.home} 與 ${catalina.home}屬性(這些屬性代表的是使用 JAVA_HOME�、CATALINA_HOME 和 CATALINA_BASE 環(huán)境變量為這些屬性定義的目錄路徑)。
默認(rèn)策略文件
默認(rèn)的 $CATALINA_BASE/conf/catalina.policy 文件如下所示:
// Licensed to the Apache Software Foundation (ASF) under one or more
// contributor license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright ownership.
// The ASF licenses this file to You under the Apache License, Version 2.0
// (the "License"); you may not use this file except in compliance with
// the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// ============================================================================
// catalina.policy - Security Policy Permissions for Tomcat
//
// This file contains a default set of security policies to be enforced (by the
// JVM) when Catalina is executed with the "-security" option. In addition
// to the permissions granted here, the following additional permissions are
// granted to each web application:
//
// * Read access to the web application's document root directory
// * Read, write and delete access to the web application's working directory
// ============================================================================
// ========== SYSTEM CODE PERMISSIONS =========================================
// These permissions apply to javac
grant codeBase "file:${java.home}/lib/-" {
permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/-" {
permission java.security.AllPermission;
};
// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/../lib/-" {
permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions when
// ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/lib/ext/-" {
permission java.security.AllPermission;
};
// ========== CATALINA CODE PERMISSIONS =======================================
// These permissions apply to the daemon code
grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
permission java.security.AllPermission;
};
// These permissions apply to the logging API
// Note: If tomcat-juli.jar is in ${catalina.base} and not in ${catalina.home},
// update this section accordingly.
// grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {..}
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
permission java.io.FilePermission
"${java.home}${file.separator}lib${file.separator}logging.properties", "read";
permission java.io.FilePermission
"${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
permission java.io.FilePermission
"${catalina.base}${file.separator}logs", "read, write";
permission java.io.FilePermission
"${catalina.base}${file.separator}logs${file.separator}*", "read, write";
permission java.lang.RuntimePermission "shutdownHooks";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.management.ManagementPermission "monitor";
permission java.util.logging.LoggingPermission "control";
permission java.util.PropertyPermission "java.util.logging.config.class", "read";
permission java.util.PropertyPermission "java.util.logging.config.file", "read";
permission java.util.PropertyPermission "org.apache.juli.AsyncLoggerPollInterval", "read";
permission java.util.PropertyPermission "org.apache.juli.AsyncMaxRecordCount", "read";
permission java.util.PropertyPermission "org.apache.juli.AsyncOverflowDropType", "read";
permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read";
permission java.util.PropertyPermission "catalina.base", "read";
// Note: To enable per context logging configuration, permit read access to
// the appropriate file. Be sure that the logging configuration is
// secure before enabling such access.
// E.g. for the examples web application (uncomment and unwrap
// the following to be on a single line):
// permission java.io.FilePermission "${catalina.base}${file.separator}
// webapps${file.separator}examples${file.separator}WEB-INF
// ${file.separator}classes${file.separator}logging.properties", "read";
};
// These permissions apply to the server startup code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
permission java.security.AllPermission;
};
// These permissions apply to the servlet API classes
// and those that are shared across all class loaders
// located in the "lib" directory
grant codeBase "file:${catalina.home}/lib/-" {
permission java.security.AllPermission;
};
// If using a per instance lib directory, i.e. ${catalina.base}/lib,
// then the following permission will need to be uncommented
// grant codeBase "file:${catalina.base}/lib/-" {
// permission java.security.AllPermission;
// };
// ========== WEB APPLICATION PERMISSIONS =====================================
// These permissions are granted by default to all web applications
// In addition, a web application will be given a read FilePermission
// for all files and directories in its document root.
grant {
// Required for JNDI lookup of named JDBC DataSource's and
// javamail named MimePart DataSource used to send mail
permission java.util.PropertyPermission "java.home", "read";
permission java.util.PropertyPermission "java.naming.*", "read";
permission java.util.PropertyPermission "javax.sql.*", "read";
// OS Specific properties to allow read access
permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.version", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";
// JVM properties to allow read access
permission java.util.PropertyPermission "java.version", "read";
permission java.util.PropertyPermission "java.vendor", "read";
permission java.util.PropertyPermission "java.vendor.url", "read";
permission java.util.PropertyPermission "java.class.version", "read";
permission java.util.PropertyPermission "java.specification.version", "read";
permission java.util.PropertyPermission "java.specification.vendor", "read";
permission java.util.PropertyPermission "java.specification.name", "read";
permission java.util.PropertyPermission "java.vm.specification.version", "read";
permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
permission java.util.PropertyPermission "java.vm.specification.name", "read";
permission java.util.PropertyPermission "java.vm.version", "read";
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";
// Required for OpenJMX
permission java.lang.RuntimePermission "getAttribute";
// Allow read of JAXP compliant XML parser debug
permission java.util.PropertyPermission "jaxp.debug", "read";
// All JSPs need to be able to read this package
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat";
// Precompiled JSPs need access to these packages.
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.jasper.runtime.*";
// Precompiled JSPs need access to these system properties.
permission java.util.PropertyPermission
"org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
permission java.util.PropertyPermission
"org.apache.el.parser.COERCE_TO_ZERO", "read";
// The cookie code needs these.
permission java.util.PropertyPermission
"org.apache.catalina.STRICT_SERVLET_COMPLIANCE", "read";
permission java.util.PropertyPermission
"org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING", "read";
permission java.util.PropertyPermission
"org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR", "read";
// Applications using Comet need to be able to access this package
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.comet";
// Applications using WebSocket need to be able to access these packages
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket.server";
};
// The Manager application needs access to the following packages to support the
// session display functionality. These settings support the following
// configurations:
// - default CATALINA_HOME == CATALINA_BASE
// - CATALINA_HOME != CATALINA_BASE, per instance Manager in CATALINA_BASE
// - CATALINA_HOME != CATALINA_BASE, shared Manager in CATALINA_HOME
grant codeBase "file:${catalina.base}/webapps/manager/-" {
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
};
grant codeBase "file:${catalina.home}/webapps/manager/-" {
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
};
// You can assign additional permissions to particular web applications by
// adding additional "grant" entries here, based on the code base for that
// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
//
// Different permissions can be granted to JSP pages, classes loaded from
// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
//
// For instance, assume that the standard "examples" application
// included a JDBC driver that needed to establish a network connection to the
// corresponding database and used the scrape taglib to get the weather from
// the NOAA web server. You might create a "grant" entries like this:
//
// The permissions granted to the context root directory apply to JSP pages.
// grant codeBase "file:${catalina.base}/webapps/examples/-" {
// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
//
// The permissions granted to the context WEB-INF/classes directory
// grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" {
// };
//
// The permission granted to your JDBC driver
// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// };
// The permission granted to the scrape taglib
// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
使用 SecurityManager 啟動(dòng) Tomcat
一旦配置好了用于 SecurityManager 的 catalina.policy 文件�����,就可以使用 -security 選項(xiàng)啟動(dòng)帶有 SecurityManager 的 Tomcat。
$CATALINA_HOME/bin/catalina.sh start -security (Unix)
%CATALINA_HOME%\bin\catalina start -security (Windows)
配置 Tomcat 中的包保護(hù)
從 Tomcat 5 開始�,可以通過配置保護(hù) Tomcat 內(nèi)部包,使其免于被定義與訪問��。詳情查看 http://www.oracle.com/technetwork/java/seccodeguide-139067.html���。
警告:假如去除默認(rèn)的包保護(hù)��,可能會(huì)造成安全漏洞���。
默認(rèn)屬性文件
默認(rèn)的 $CATALINA_BASE/conf/catalina.properties 文件如下所示:
#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageAccess unless the
# corresponding RuntimePermission ("accessClassInPackage."+package) has
# been granted.
package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,
org.apache.jasper.
#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageDefinition unless the
# corresponding RuntimePermission ("defineClassInPackage."+package) has
# been granted.
#
# by default, no packages are restricted for definition, and none of
# the class loaders supplied with the JDK call checkPackageDefinition.
#
package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,
org.apache.tomcat.,org.apache.jasper.
一旦為 SecurityManager 配置了 catalina.properties 文件 ,記得重啟 Tomcat����。
疑難解答
假如應(yīng)用執(zhí)行一個(gè)由于缺乏所需權(quán)限而被禁止的操作����,當(dāng) SecurityManager 偵測(cè)到這種違規(guī)時(shí),就會(huì)拋出 AccessControLException 或 SecurityException 異常����。雖然調(diào)試缺失的權(quán)限是很有難度的,但還是有一個(gè)辦法����,那就是將在執(zhí)行中制定的所有安全決策的調(diào)試輸出打開����,這需要在啟動(dòng) Tomcat 之前設(shè)置一個(gè)系統(tǒng)屬性����。最簡(jiǎn)單的方法就是通過 CATALINA_OPTS 環(huán)境變量來實(shí)現(xiàn),命令如下所示:
export CATALINA_OPTS=-Djava.security.debug=all (Unix)
set CATALINA_OPTS=-Djava.security.debug=all (Windows)
記住�,一定要在啟動(dòng) Tomcat 之前去做。
警告:這將生成很多兆的輸出內(nèi)容�!但是,它能通過搜索關(guān)鍵字 FAILED 來鎖定問題所在位置��,確定需要檢查的權(quán)限�。此外,查閱 Java 安全文檔可了解更多的可設(shè)置選項(xiàng)�����。
