Eclipse
/
jetty.project
mirror of https://github.com/jetty/jetty.project.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of ssh://git.eclipse.org/gitroot/jetty/org.eclipse.jetty.project

This commit is contained in:
Greg Wilkins 2012-10-18 09:47:03 +11:00
parent 9e2b75314e 376303d02c
commit 45be2da7db
60 changed files with 257 additions and 4330 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
BUILDING.txt
View File

@ -1,9 +0,0 @@
BUILDING JETTY
--------------
Jetty is built with maven 3.x+
$ cd /my/work/directory/jetty-7
$ mvn clean install

202
LICENSE-APACHE-2.0.txt
View File

@ -1,202 +0,0 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

8
eclipse-jetty-templates.xml
View File

@ -1,8 +0,0 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<templates>
<template autoinsert="true" context="java" deleted="false" description="Create Jetty Logger constant" enabled="true" name="logjetty">${:import(
org.eclipse.jetty.util.log.Log,
org.eclipse.jetty.util.log.Logger)
}private static final Logger LOG = Log.getLogger(${enclosing_type}.class);
</template>
</templates>

138
jetty-policy/pom.xml
View File

@ -1,138 +0,0 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-project</artifactId>
<version>9.0.0-SNAPSHOT</version>
</parent>
<artifactId>jetty-policy</artifactId>
<name>Jetty :: Policy Tool</name>
<packaging>jar</packaging>
<properties>
<jetty.test.policy.loc>target/test-policy</jetty.test.policy.loc>
<bundle-symbolic-name>${project.groupId}.policy</bundle-symbolic-name>
</properties>
<build>
<plugins>
<plugin>
<groupId>org.apache.felix</groupId>
<artifactId>maven-bundle-plugin</artifactId>
<extensions>true</extensions>
<executions>
<execution>
<id>generate-manifest</id>
<goals>
<goal>manifest</goal>
</goals>
<configuration>
<instructions>
<Export-Package>org.eclipse.jetty.policy.*;version="${parsedVersion.osgiVersion}"</Export-Package>
</instructions>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<!--
Required for OSGI
-->
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<configuration>
<archive>
<manifestFile>${project.build.outputDirectory}/META-INF/MANIFEST.MF</manifestFile>
</archive>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-assembly-plugin</artifactId>
<executions>
<execution>
<phase>package</phase>
<goals>
<goal>single</goal>
</goals>
<configuration>
<descriptorRefs>
<descriptorRef>config</descriptorRef>
</descriptorRefs>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<executions>
<execution>
<id>unpack</id>
<phase>generate-test-resources</phase>
<goals>
<goal>unpack</goal>
</goals>
<configuration>
<artifactItems>
<artifactItem>
<groupId>org.eclipse.jetty.toolchain</groupId>
<artifactId>jetty-test-policy</artifactId>
<version>${jetty-test-policy-version}</version>
<type>jar</type>
<overWrite>true</overWrite>
<includes>**/*.keystore</includes>
<outputDirectory>${jetty.test.policy.loc}</outputDirectory>
</artifactItem>
</artifactItems>
</configuration>
</execution>
<execution>
<id>copy</id>
<phase>generate-test-resources</phase>
<goals>
<goal>copy</goal>
</goals>
<configuration>
<artifactItems>
<artifactItem>
<groupId>org.eclipse.jetty.toolchain</groupId>
<artifactId>jetty-test-policy</artifactId>
<version>${jetty-test-policy-version}</version>
<type>jar</type>
<overWrite>true</overWrite>
<includes>**</includes>
<outputDirectory>${jetty.test.policy.loc}</outputDirectory>
<destFileName>jetty-test-policy.jar</destFileName>
</artifactItem>
</artifactItems>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<configuration>
<onlyAnalyze>org.eclipse.jetty.policy.*</onlyAnalyze>
</configuration>
</plugin>
</plugins>
</build>
<dependencies>
<dependency>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-util</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-jmx</artifactId>
<version>${project.version}</version>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.eclipse.jetty.toolchain</groupId>
<artifactId>jetty-test-helper</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
</project>

23
jetty-policy/src/main/config/etc/jetty-policy.xml
View File

@ -1,23 +0,0 @@
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
<!-- =============================================================== -->
<!-- mechanic for starting jetty policy -->
<!-- -->
<!-- =============================================================== -->
<Configure id="Policy" class="org.eclipse.jetty.policy.JettyPolicyConfigurator">
<Call name="setPolicyDirectory">
<Arg><Property name="jetty.home"/>/lib/policy</Arg>
</Call>
<Call name="addProperty">
<Arg>jetty.home</Arg>
<Arg><Property name="jetty.home"/></Arg>
</Call>
<Call name="initialize"/>
</Configure>

43
jetty-policy/src/main/config/lib/policy/global.policy
View File

@ -1,43 +0,0 @@
//
// These permissions are granted to all codebases whilst a security
// manager is installed and JettyPolicy is in play.
//
// Note the lack of codebase declared.
grant {
// allows anyone to listen on un-privileged ports
permission java.net.SocketPermission "localhost:1024-", "listen";
permission java.net.SocketPermission "localhost:1024-", "accept";
permission java.security.SecurityPermission "putProviderProperty.SunJCE";
permission java.util.PropertyPermission "org.eclipse.jetty.io.nio.JVMBUG_THRESHHOLD", "read, write";
// "standard" properties that can be read by anyone
permission java.util.PropertyPermission "entityExpansionLimit", "read";
permission java.util.PropertyPermission "elementAttributeLimit", "read";
permission java.util.PropertyPermission "maxOccurLimit", "read";
permission java.util.PropertyPermission "java.version", "read";
permission java.util.PropertyPermission "java.vendor", "read";
permission java.util.PropertyPermission "java.vendor.url", "read";
permission java.util.PropertyPermission "java.class.version", "read";
permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.version", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";
permission java.util.PropertyPermission "java.io.tmpdir", "read";
permission java.util.PropertyPermission "java.specification.version", "read";
permission java.util.PropertyPermission "java.specification.vendor", "read";
permission java.util.PropertyPermission "java.specification.name", "read";
permission java.util.PropertyPermission "java.vm.specification.version", "read";
permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
permission java.util.PropertyPermission "java.vm.specification.name", "read";
permission java.util.PropertyPermission "java.vm.version", "read";
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";
};

54
jetty-policy/src/main/config/lib/policy/jetty-jmx.policy
View File

@ -1,54 +0,0 @@
// This file contains permissions related to jmx support
grant codeBase "file:${jetty.home}${/}lib${/}-" {
// related to using JMX
permission javax.management.MBeanTrustPermission "register";
permission javax.management.MBeanPermission "org.eclipse.jetty.client.HttpClient#-[org.eclipse.jetty.client:*,type=httpclient]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.deploy.ContextDeployer#-[org.eclipse.jetty.deploy:id=0,type=contextdeployer]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.deploy.DeploymentManager#-[org.eclipse.jetty.deploy:id=0,type=deploymentmanager]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.deploy.WebAppDeployer#-[org.eclipse.jetty.deploy:id=0,type=webappdeployer]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.deploy.providers.ContextProvider#-[org.eclipse.jetty.deploy.providers:id=0,type=contextprovider]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.jmx.MBeanContainer#-[org.eclipse.jetty.jmx:id=0,type=mbeancontainer]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.server.handler.ContextHandler#-[org.eclipse.jetty.server.handler:*]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.server.handler.ResourceHandler#-[org.eclipse.jetty.server.handler:*]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.server.handler.ContextHandlerCollection#-[org.eclipse.jetty.server.handler:*]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.server.handler.DefaultHandler#-[org.eclipse.jetty.server.handler:*]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.server.handler.ErrorHandler#-[org.eclipse.jetty.server.handler:*]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.server.handler.HandlerCollection#-[org.eclipse.jetty.server.handler:*]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.server.handler.MovedContextHandler#-[org.eclipse.jetty.server.handler:*]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.server.handler.MovedContextHandler$Redirector#-[org.eclipse.jetty.server.handler:*]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.server.handler.RequestLogHandler#-[org.eclipse.jetty.server.handler:*]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.server.NCSARequestLog#-[org.eclipse.jetty.server:id=0,type=ncsarequestlog]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.server.session.HashSessionIdManager#-[org.eclipse.jetty.server.session:*]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.server.session.HashSessionManager#-[org.eclipse.jetty.server.session:*]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.server.session.SessionHandler#-[org.eclipse.jetty.server.session:*]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.server.Server#-[org.eclipse.jetty.server:*]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.server.ssl.SslSelectChannelConnector#-[org.eclipse.jetty.server.ssl:id=0,type=sslselectchannelconnector]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.servlet.ServletMapping#-[org.eclipse.jetty.servlet:*]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.servlet.ServletHolder#-[org.eclipse.jetty.servlet:*]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.servlet.ServletHandler#-[org.eclipse.jetty.servlet:*]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.security.ConstraintSecurityHandler#-[org.eclipse.jetty.security:*]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.security.HashLoginService#-[org.eclipse.jetty.security:*]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.servlet.ErrorPageErrorHandler#-[org.eclipse.jetty.servlet:*]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.servlet.FilterHolder#-[org.eclipse.jetty.servlet:*]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.servlet.FilterMapping#-[org.eclipse.jetty.servlet:*]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.util.log.Slf4jLog#-[org.eclipse.jetty.util.log:*]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.util.log.StdErrLog#-[org.eclipse.jetty.util.log:*]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.util.Scanner#-[org.eclipse.jetty.util:*]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.util.thread.QueuedThreadPool#-[org.eclipse.jetty.util.thread:*]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.webapp.WebAppContext#-[org.eclipse.jetty.webapp:*]", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.eclipse.jetty.policy.JettyPolicy#-[org.eclipse.jetty.policy:*]", "registerMBean,unregisterMBean";
}

40
jetty-policy/src/main/config/lib/policy/jetty-start.policy
View File

@ -1,40 +0,0 @@
// This file contains permissions necessary for jetty-start to operate and to
// bootstrap jetty
//
// Once the required processing in jetty-start has completed jetty itself
// is started via XmlConfiguration which executes under AccessController
// doPrivledged freeing any further permissions being required to this
// module.
grant codeBase "file:${jetty.home}${/}start.jar" {
permission java.io.FilePermission "${jetty.home}${/}-", "read";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.security.SecurityPermission "getPolicy";
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.util.PropertyPermission "jetty.home", "read, write";
permission java.util.PropertyPermission "user.home", "read";
permission java.util.PropertyPermission "jetty.class.path", "read, write";
permission java.util.PropertyPermission "java.class.path", "read, write";
permission java.util.PropertyPermission "repository", "read, write";
permission java.util.PropertyPermission "jetty.lib", "read";
permission java.util.PropertyPermission "jetty.server", "read";
permission java.util.PropertyPermission "jetty.host", "read";
permission java.util.PropertyPermission "jetty.port", "read";
permission java.util.PropertyPermission "start.class", "read";
permission java.util.PropertyPermission "main.class", "read";
permission java.util.PropertyPermission "ISO_8859_1", "read";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
permission javax.security.auth.AuthPermission "setReadOnly";
permission java.lang.RuntimePermission "getClassLoader";
}

19
jetty-policy/src/main/config/lib/policy/jetty-work.policy
View File

@ -1,19 +0,0 @@
//
// This file contains permissions for the work directory of jetty.
//
// Typical usage of secured jetty implies usage of a standard work
// style directory that web applications are unpacked into. These specific
// web applications should have their own policy files however this
// file exists to provide a codebase that all webapps under a certain code
// base can be given should there not be a more exclusive policy file
// provided.
grant codeBase "file:${jetty.home${/}work${/}-" {
permission java.io.FilePermission "${jetty.home}${/}webapps${/}-", "read"; // Ought to go up a specific codebase
permission java.io.FilePermission "${jetty.home}${/}work${/}-", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.stderr.DEBUG", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
};

96
jetty-policy/src/main/config/lib/policy/jetty.policy
View File

@ -1,96 +0,0 @@
// This file governs the permissions directly granted to all jar files
// listed under the jetty.home/lib directory.
//
// Review of this file is recommended and possible tweaking of the codeBase
// is likely in the future.
grant codeBase "file:${jetty.home}${/}lib${/}-" {
permission java.lang.RuntimePermission "getClassLoader";
permission java.util.PropertyPermission "org.eclipse.jetty.webapp.WebAppClassLoader.extensions", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.ajp.PathMap.separators", "read";
permission java.util.PropertyPermission "ROLLOVERFILE_BACKUP_FORMAT", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.server.webapp.parentLoaderPriority", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.server.Request.maxFormContentSize", "read";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
permission javax.security.auth.AuthPermission "setReadOnly";
permission java.io.FilePermission "${jetty.home}${/}-", "read";
permission java.io.FilePermission "${java.io.tmpdir}", "read, write";
permission java.io.FilePermission "${java.io.tmpdir}${/}-", "read, write";
permission java.io.FilePermission "${/}private${/}${java.io.tmpdir}", "read, write";
permission java.io.FilePermission "${/}private${/}${java.io.tmpdir}${/}-", "read, write";
permission java.io.FilePermission "${jetty.home}${/}lib${/}policy${/}-", "read";
permission java.io.FilePermission "${java.io.tmpdir}${/}-", "delete";
permission java.io.FilePermission "${jetty.home}${/}logs", "read, write";
permission java.io.FilePermission "${jetty.home}${/}logs${/}*", "read, write";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.security.SecurityPermission "getPolicy";
permission java.lang.RuntimePermission "accessDeclaredMembers";
// jetty specific properties
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.stderr.DEBUG", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.DEBUG", "read";
permission java.util.PropertyPermission "START", "read";
permission java.util.PropertyPermission "STOP.PORT", "read";
permission java.util.PropertyPermission "STOP.KEY", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
permission java.util.PropertyPermission "CLASSPATH", "read";
permission java.util.PropertyPermission "OPTIONS", "read";
permission java.util.PropertyPermission "JETTY_NO_SHUTDOWN_HOOK", "read";
permission java.util.PropertyPermission "ISO_8859_1", "read";
permission java.util.PropertyPermission "jetty.home", "read, write";
permission java.util.PropertyPermission "user.home", "read";
permission java.util.PropertyPermission "user.dir", "read";
permission java.util.PropertyPermission "jetty.class.path", "read, write";
permission java.util.PropertyPermission "java.class.path", "read, write";
permission java.util.PropertyPermission "jetty.lib", "read";
permission java.util.PropertyPermission "jetty.server", "read";
permission java.util.PropertyPermission "jetty.host", "read";
permission java.util.PropertyPermission "jetty.port", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.stderr.class", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.util.URI.charset", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.util.FileResource.checkAliases", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.xml.XmlParser.Validating", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.io.nio.JVMBUG_THRESHHOLD", "read, write";
permission java.util.PropertyPermission "org.eclipse.jetty.util.TypeUtil.IntegerCacheSize", "read, write";
permission java.util.PropertyPermission "org.eclipse.jetty.util.TypeUtil.LongCacheSize", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.io.AbstractBuffer.boundsChecking", "read";
// provides access to webapps
permission java.io.FilePermission "${jetty.home}${/}webapps${/}-", "read"; // Ought to go up a specific codebase
// Allows any thread to stop itself using the java.lang.Thread.stop()
// method that takes no argument.
permission java.lang.RuntimePermission "stopThread";
// jsp support
permission java.net.SocketPermission "java.sun.com:80", "connect,resolve";
};

30
jetty-policy/src/main/config/lib/policy/temp-dirs.policy
View File

@ -1,30 +0,0 @@
// This file contains permissions for various temporary directories that
// jetty might operate under.
//
// Careful auditing of this file is recommended for your particular use case
//
// the tmp directory is where webapps are unpacked by default so setup their restricted permissions
//
grant codeBase "file:${java.io.tmpdir}${/}" {
permission java.io.FilePermission "${jetty.home}${/}webapps${/}-", "read"; // Ought to go up a specific codebases
permission java.io.FilePermission "${java.io.tmpdir}${/}-", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.stderr.DEBUG", "read";
};
//
// some operating systems have tmp as a symbolic link to /private/tmp
//
grant codeBase "file:/private${java.io.tmpdir}${/}-" {
permission java.io.FilePermission "${jetty.home}${/}webapps${/}-", "read"; // Ought to go up a specific codebase
permission java.io.FilePermission "/private/${java.io.tmpdir}${/}-", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.stderr.DEBUG", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
};

462
jetty-policy/src/main/java/org/eclipse/jetty/policy/JettyPolicy.java
View File

@ -1,462 +0,0 @@
//
// ========================================================================
// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.policy;
import java.io.PrintStream;
import java.io.PrintWriter;
import java.security.AccessControlException;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
import org.eclipse.jetty.util.security.CertificateValidator;
/**
* Policy implementation that will load a set of policy files and manage the mapping of permissions and protection domains
*
* Features of JettyPolicy are:
*
* - we are able to follow the startup mechanic that jetty uses with jetty-start using OPTIONS=policy,default to be able to startup a security manager and policy implementation without have to rely on the existing JVM cli options
* - support for specifying multiple policy files to source permissions from
* - support for merging protection domains across multiple policy files for the same codesource
* - support for directories of policy files, just specify directory and all *.policy files will be loaded.
* Possible additions are:
* - scan policy directory for new policy files being added
* - jmx reporting
* - proxying of system security policy where we can proxy access to the system policy should the jvm have been started with one, I had support for this but ripped it
* out to add in again later
* - an xml policy file parser, had originally added this using modello but tore it out since it would have been a
* nightmare to get its dependencies through IP validation, could do this with jvm xml parser instead sometime
* - check performance of the synch'd map I am using for the protection domain mapping
*/
public class JettyPolicy extends Policy
{
private static final Logger LOG = Log.getLogger(JettyPolicy.class);
private static boolean __DEBUG = false;
private static boolean __RELOAD = false;
private boolean _STARTED = false;
private String _policyDirectory;
private final Set<PolicyBlock> _grants = new HashSet<PolicyBlock>();
/*
* TODO: make into a proper cache
*/
private final Map<Object, PermissionCollection> _cache = new ConcurrentHashMap<Object, PermissionCollection>();
private final static PolicyContext _context = new PolicyContext();
private CertificateValidator _validator = null;
private PolicyMonitor _policyMonitor = new PolicyMonitor()
{
@Override
public void onPolicyChange(PolicyBlock grant)
{
boolean setGrant = true;
if ( _validator != null )
{
if (grant.getCertificates() != null)
{
for ( Certificate cert : grant.getCertificates() )
{
try
{
_validator.validate(_context.getKeystore(), cert);
}
catch ( CertificateException ce )
{
setGrant = false;
}
}
}
}
if ( setGrant )
{
_grants.add( grant );
_cache.clear();
}
}
};
public JettyPolicy(String policyDirectory, Map<String, String> properties)
{
try
{
__RELOAD = Boolean.getBoolean("org.eclipse.jetty.policy.RELOAD");
__DEBUG = Boolean.getBoolean("org.eclipse.jetty.policy.DEBUG");
}
catch (AccessControlException ace)
{
__RELOAD = false;
__DEBUG = false;
}
_policyDirectory = policyDirectory;
_context.setProperties(properties);
try
{
_policyMonitor.setPolicyDirectory(_policyDirectory);
//_policyMonitor.setReload( __RELOAD );
}
catch ( Exception e)
{
throw new PolicyException(e);
}
}
@Override
public void refresh()
{
if ( !_STARTED )
{
initialize();
}
}
/**
* required for the jetty policy to start function, initializes the
* policy monitor and blocks for a full cycle of policy grant updates
*/
public void initialize()
{
if ( _STARTED )
{
return;
}
try
{
_policyMonitor.start();
_policyMonitor.waitForScan();
}
catch (Exception e)
{
e.printStackTrace();
throw new PolicyException(e);
}
_STARTED = true;
}
@Override
public PermissionCollection getPermissions(ProtectionDomain domain)
{
if (!_STARTED)
{
throw new PolicyException("JettyPolicy must be started.");
}
synchronized (_cache)
{
if (_cache.containsKey(domain))
{
return copyOf(_cache.get(domain));
}
PermissionCollection perms = new Permissions();
for (Iterator<PolicyBlock> i = _grants.iterator(); i.hasNext();)
{
PolicyBlock policyBlock = i.next();
ProtectionDomain grantPD = policyBlock.toProtectionDomain();
if (__DEBUG)
{
debug("----START----");
debug("PDCS: " + policyBlock.getCodeSource());
debug("CS: " + domain.getCodeSource());
}
// 1) if protection domain codesource is null, it is the global permissions (grant {})
// 2) if protection domain codesource implies target codesource and there are no prinicpals
if (grantPD.getCodeSource() == null
||
grantPD.getCodeSource().implies(domain.getCodeSource())
&&
grantPD.getPrincipals() == null
||
grantPD.getCodeSource().implies(domain.getCodeSource())
&&
validate(grantPD.getPrincipals(),domain.getPrincipals()))
{
for (Enumeration<Permission> e = policyBlock.getPermissions().elements(); e.hasMoreElements();)
{
Permission perm = e.nextElement();
if (__DEBUG)
{
debug("D: " + perm);
}
perms.add(perm);
}
}
if (__DEBUG)
{
debug("----STOP----");
}
}
_cache.put(domain,perms);
return copyOf(perms);
}
}
@Override
public PermissionCollection getPermissions(CodeSource codesource)
{
if (!_STARTED)
{
throw new PolicyException("JettyPolicy must be started.");
}
synchronized (_cache)
{
if (_cache.containsKey(codesource))
{
return copyOf(_cache.get(codesource));
}
PermissionCollection perms = new Permissions();
for (Iterator<PolicyBlock> i = _grants.iterator(); i.hasNext();)
{
PolicyBlock policyBlock = i.next();
ProtectionDomain grantPD = policyBlock.toProtectionDomain();
if (grantPD.getCodeSource() == null
||
grantPD.getCodeSource().implies(codesource))
{
if (__DEBUG)
{
debug("----START----");
debug("PDCS: " + grantPD.getCodeSource());
debug("CS: " + codesource);
}
for (Enumeration<Permission> e = policyBlock.getPermissions().elements(); e.hasMoreElements();)
{
Permission perm = e.nextElement();
if (__DEBUG)
{
debug("D: " + perm);
}
perms.add(perm);
}
if (__DEBUG)
{
debug("----STOP----");
}
}
}
_cache.put(codesource,perms);
return copyOf(perms);
}
}
@Override
public boolean implies(ProtectionDomain domain, Permission permission)
{
if (!_STARTED)
{
throw new PolicyException("JettyPolicy must be started.");
}
PermissionCollection pc = getPermissions(domain);
return (pc == null ? false : pc.implies(permission));
}
private static boolean validate(Principal[] permCerts, Principal[] classCerts)
{
if (classCerts == null)
{
return false;
}
for (int i = 0; i < permCerts.length; ++i)
{
boolean found = false;
for (int j = 0; j < classCerts.length; ++j)
{
if (permCerts[i].equals(classCerts[j]))
{
found = true;
break;
}
}
// if we didn't find the permCert in the classCerts then we don't match up
if (found == false)
{
return false;
}
}
return true;
}
/**
* returns the policy context which contains the map of properties that
* can be referenced in policy files and the keystore for validation
*
* @return the policy context
*/
public static PolicyContext getContext()
{
return _context;
}
/**
* Try and log to normal logging channels and should that not be allowed
* debug to system.out
*
* @param message
*/
private void debug( String message )
{
try
{
LOG.info(message);
}
catch ( AccessControlException ace )
{
System.out.println( "[DEBUG] " + message );
}
catch ( NoClassDefFoundError ace )
{
System.out.println( "[DEBUG] " + message );
//ace.printStackTrace();
}
}
/**
* Try and log to normal logging channels and should that not be allowed
* log to system.out
*
* @param message
*/
private void log( String message )
{
log( message, null );
}
/**
* Try and log to normal logging channels and should that not be allowed
* log to system.out
*
* @param message
*/
private void log( String message, Throwable t )
{
try
{
LOG.info(message, t);
}
catch ( AccessControlException ace )
{
System.out.println( message );
t.printStackTrace();
}
catch ( NoClassDefFoundError ace )
{
System.out.println( message );
t.printStackTrace();
}
}
public void dump(PrintStream out)
{
PrintWriter write = new PrintWriter(out);
write.println("JettyPolicy: policy settings dump");
synchronized (_cache)
{
for (Iterator<Object> i = _cache.keySet().iterator(); i.hasNext();)
{
Object o = i.next();
write.println(o.toString());
}
}
write.flush();
}
private PermissionCollection copyOf(final PermissionCollection in)
{
PermissionCollection out = new Permissions();
synchronized (in)
{
for (Enumeration<Permission> el = in.elements() ; el.hasMoreElements() ;)
{
out.add((Permission)el.nextElement());
}
}
return out;
}
public CertificateValidator getCertificateValidator()
{
return _validator;
}
public void setCertificateValidator(CertificateValidator validator)
{
if (_STARTED)
{
throw new PolicyException("JettyPolicy already started, unable to set validator on running policy");
}
_validator = validator;
}
}

58
jetty-policy/src/main/java/org/eclipse/jetty/policy/JettyPolicyConfigurator.java
View File

@ -1,58 +0,0 @@
//
// ========================================================================
// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.policy;
import java.security.Policy;
import java.util.HashMap;
import java.util.Map;
/**
*
*
*/
public class JettyPolicyConfigurator
{
String _policyDirectory;
Map<String, String> _properties = new HashMap<String,String>();
public JettyPolicyConfigurator()
{
}
public void setPolicyDirectory( String policyDirectory )
{
_policyDirectory = policyDirectory;
}
public void addProperty( String name, String value )
{
_properties.put(name,value);
}
public void initialize()
{
JettyPolicy jpolicy = new JettyPolicy(_policyDirectory,_properties);
jpolicy.refresh();
Policy.setPolicy(jpolicy);
System.setSecurityManager(new SecurityManager());
}
}

102
jetty-policy/src/main/java/org/eclipse/jetty/policy/PolicyBlock.java
View File

@ -1,102 +0,0 @@
//
// ========================================================================
// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.policy;
import java.security.CodeSource;
import java.security.KeyStore;
import java.security.PermissionCollection;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.Set;
public class PolicyBlock
{
public CodeSource codesource;
public KeyStore keyStore;
public Set<Certificate> certificates;
public Principal[] principals;
public PermissionCollection permissions;
private ProtectionDomain protectionDomain;
public ProtectionDomain toProtectionDomain()
{
if ( protectionDomain == null )
{
protectionDomain = new ProtectionDomain(codesource,null,Thread.currentThread().getContextClassLoader(),principals);
}
return protectionDomain;
}
public KeyStore getKeyStore()
{
return keyStore;
}
public void setKeyStore(KeyStore keyStore)
{
this.keyStore = keyStore;
}
public CodeSource getCodeSource()
{
return codesource;
}
public void setCodeSource( CodeSource codesource )
{
this.codesource = codesource;
}
public Set<Certificate> getCertificates()
{
return certificates;
}
public void setCertificates( Set<Certificate> certificates )
{
this.certificates = certificates;
}
public Principal[] getPrincipals()
{
return principals;
}
public void setPrincipals( Principal[] principals )
{
this.principals = principals;
}
public PermissionCollection getPermissions()
{
return permissions;
}
public void setPermissions( PermissionCollection permissions )
{
this.permissions = permissions;
}
}

200
jetty-policy/src/main/java/org/eclipse/jetty/policy/PolicyContext.java
View File

@ -1,200 +0,0 @@
//
// ========================================================================
// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.policy;
import java.io.File;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
public class PolicyContext
{
private Map<String, String> properties = new HashMap<String, String>();
private Principal[] principals;
private KeyStore keystore;
public PolicyContext()
{
// special property case for resolving ${/} to native separator
properties.put( "/", File.separator );
}
public void addProperty( String name, String value )
{
this.properties.put( name, value );
}
public void setProperties( Map<String,String> properties )
{
this.properties.putAll( properties );
}
public KeyStore getKeystore()
{
return keystore;
}
public void setKeystore( KeyStore keystore )
{
this.keystore = keystore;
}
public Principal[] getPrincipals()
{
return principals;
}
public void setPrincipals( Principal[] principals )
{
this.principals = principals;
}
public String evaluate(String s) throws PolicyException
{
s = processProtocols( s );
int i1=0;
int i2=0;
while (s!=null)
{
i1=s.indexOf("${");
if (i1<0)
{
break;
}
i2=s.indexOf("}",i1+2);
if (i2<0)
{
break;
}
String property=getProperty(s.substring(i1+2,i2));
s=s.substring(0,i1)+property+s.substring(i2+1);
}
return s;
}
private String processProtocols( String s ) throws PolicyException
{
int i1=0;
int i2=0;
while (s!=null)
{
i1=s.indexOf("${{");
if (i1<0)
{
break;
}
i2=s.indexOf("}}",i1+2);
if (i2<0)
{
break;
}
String property;
String target = s.substring(i1+3,i2);
if ( target.indexOf( ":" ) >= 0 )
{
String[] resolve = target.split( ":" );
property = resolve(resolve[0], resolve[1] );
}
else
{
property = resolve( target, null );
}
s=s.substring(0,i1)+property+s.substring(i2+2);
}
return s;
}
public String getProperty(String name)
{
if (properties.containsKey(name))
{
return properties.get(name);
}
return System.getProperty(name);
}
private String resolve( String protocol, String data ) throws PolicyException
{
if ( "self".equals( protocol ) )
{
// need expanding to list of principals in grant clause
if ( principals != null && principals.length != 0 )
{
StringBuilder sb = new StringBuilder();
for ( int i = 0; i < principals.length; ++i )
{
sb.append( principals[i].getClass().getName() );
sb.append( " \"" );
sb.append( principals[i].getName() );
sb.append( "\" " );
}
return sb.toString();
}
else
{
throw new PolicyException( "self can not be expanded, missing principals" );
}
}
if ( "alias".equals( protocol ) )
{
try
{
Certificate cert = keystore.getCertificate(data);
if ( cert instanceof X509Certificate )
{
Principal principal = ((X509Certificate) cert).getSubjectX500Principal();
StringBuilder sb = new StringBuilder();
sb.append( principal.getClass().getName() );
sb.append( " \"" );
sb.append( principal.getName() );
sb.append( "\" " );
return sb.toString();
}
else
{
throw new PolicyException( "alias can not be expanded, bad cert" );
}
}
catch ( Exception e )
{
throw new PolicyException( "alias can not be expanded: " + data );
}
}
throw new PolicyException( "unknown protocol: " + protocol );
}
}

45
jetty-policy/src/main/java/org/eclipse/jetty/policy/PolicyException.java
View File

@ -1,45 +0,0 @@
//
// ========================================================================
// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.policy;
@SuppressWarnings("serial")
public class PolicyException extends RuntimeException
{
public PolicyException()
{
super();
}
public PolicyException( final String message, final Throwable cause)
{
super( message, cause );
}
public PolicyException( final String message )
{
super( message );
}
public PolicyException( final Throwable cause )
{
super( cause );
}
}

328
jetty-policy/src/main/java/org/eclipse/jetty/policy/PolicyMonitor.java
View File

@ -1,328 +0,0 @@
//
// ========================================================================
// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.policy;
import java.io.File;
import java.io.FileInputStream;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicInteger;
import org.eclipse.jetty.policy.loader.DefaultPolicyLoader;
import org.eclipse.jetty.util.Scanner;
import org.eclipse.jetty.util.component.AbstractLifeCycle;
/**
* PolicyMonitor watches a directory for files ending in the *.policy extension,
* loads them and detects when they change. PolicyGrants are peeped out the
* onPolicyChange method to whoever is using this monitor.
*
*/
public abstract class PolicyMonitor extends AbstractLifeCycle
{
/**
* the directory to be scanned for policy files.
*/
private String _policyDirectory;
/**
* instance of the scanner that detects policy files
*/
private Scanner _scanner;
/**
* true if updates to policy grants will be pushed through the
* onPolicyChange() method
*/
private boolean _reload = true;
/**
* scan interval in seconds for policy file changes
*/
private int _scanInterval = 1;
/**
* specialized listener enabling waitForScan() functionality
*/
private LatchScannerListener _scanningListener;
/**
* true if the scanner has completed one cycle.
*/
private boolean _initialized = false;
/**
* record of the number of scans that have been made
*/
private AtomicInteger _scanCount = new AtomicInteger(0);
/**
* empty constructor
*/
public PolicyMonitor()
{
}
/**
* construtor with a predetermined directory to monitor
*
* @param directory
*/
public PolicyMonitor( String directory )
{
this();
_policyDirectory = directory;
}
/**
* set the policy directory to scan on a non-running monitor
*
* @param directory
*/
public void setPolicyDirectory( String directory )
{
if (isRunning())
{
throw new PolicyException("policy monitor is running, unable to set policy directory");
}
_policyDirectory = directory;
}
/**
* gets the scanner interval
*
* @return the scan interval
*/
public int getScanInterval()
{
return _scanInterval;
}
/**
* sets the scanner interval on a non-running instance of the monitor
*
* @param scanInterval in seconds
* @see Scanner#setScanInterval(int)
*/
public void setScanInterval( int scanInterval )
{
if (isRunning())
{
throw new PolicyException("policy monitor is running, unable to set scan interval");
}
_scanInterval = scanInterval;
}
/**
* true of the monitor is initialized, meaning that at least one
* scan cycle has completed and any policy grants found have been chirped
*
* @return true if initialized
*/
public boolean isInitialized()
{
return _initialized;
}
/**
* gets the number of times the scan has been run
*
* @return scan count
*/
public int getScanCount()
{
return _scanCount.get();
}
/**
* initiates a scan and blocks until it has been completed
*
* @throws Exception
*/
public synchronized void waitForScan() throws Exception
{
// wait for 2 scans for stable files
CountDownLatch latch = new CountDownLatch(2);
_scanningListener.setScanningLatch(latch);
_scanner.scan();
latch.await();
}
/**
* true of reload is enabled, false otherwise
*
* @return true if reload is enabled
*/
public boolean isReloadEnabled()
{
return _reload;
}
/**
* sets the monitor to reload or not, but only if the monitor isn't already running
*
* TODO this doesn't really _have_ to be on a non-running monitor
*
* @param reload
*/
public void setReload(boolean reload)
{
if (isRunning())
{
throw new PolicyException("policy monitor is running, unable to set reload at this time");
}
_reload = reload;
}
/**
* processes a policy file via the default policy loader and chirps
* changes to the onPolicyChange() abstract method
*
* @param filename
*/
private void processPolicyFile(String filename)
{
try
{
File policyFile = new File(filename);
Set<PolicyBlock> policyBlocks = DefaultPolicyLoader.load(new FileInputStream(policyFile),JettyPolicy.getContext());
for (PolicyBlock policy : policyBlocks)
{
onPolicyChange(policy);
}
}
catch (Exception e)
{
e.printStackTrace();
}
}
/**
* called by the abstract lifecycle to start the monitor
*/
@Override
protected void doStart() throws Exception
{
super.doStart();
_scanner = new Scanner();
List<File> scanDirs = new ArrayList<File>();
scanDirs.add(new File( _policyDirectory ) );
//System.out.println("Scanning: " + _policyDirectory );
_scanner.addListener(new Scanner.DiscreteListener()
{
public void fileRemoved(String filename) throws Exception
{
}
/* will trigger when files are changed, not on load time, just when changed */
public void fileChanged(String filename) throws Exception
{
if (_reload && filename.endsWith("policy"))
{
// System.out.println("PolicyMonitor: policy file");
processPolicyFile(filename);
}
}
public void fileAdded(String filename) throws Exception
{
if (filename.endsWith("policy"))
{
// System.out.println("PolicyMonitor: added policy file");
processPolicyFile(filename);
}
}
});
_scanningListener = new LatchScannerListener();
_scanner.addListener(_scanningListener);
_scanner.setScanDirs(scanDirs);
_scanner.setReportExistingFilesOnStartup(true);
_scanner.start();
_scanner.setScanInterval(_scanInterval);
}
/**
* called by the abstract life cycle to turn off the monitor
*/
@Override
protected void doStop() throws Exception
{
super.doStop();
_scanner.stop();
}
/**
* latch listener that can taken in a countdownlatch and notify other
* blocking threads that the scan has been completed
*
*/
private class LatchScannerListener implements Scanner.ScanCycleListener
{
CountDownLatch _latch;
public void scanStarted(int cycle) throws Exception
{
}
public void scanEnded(int cycle) throws Exception
{
_initialized = true; // just really needed the first time
_scanCount.incrementAndGet();
if ( _latch != null )
{
_latch.countDown();
}
}
public void setScanningLatch( CountDownLatch latch )
{
_latch = latch;
}
}
/**
* implemented by the user of the policy monitor to handle custom logic
* related to the usage of the policy grant instance/s.
*
* @param grant
*/
public abstract void onPolicyChange(PolicyBlock grant);
}

52
jetty-policy/src/main/java/org/eclipse/jetty/policy/entry/AbstractEntry.java
View File

@ -1,52 +0,0 @@
//
// ========================================================================
// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.policy.entry;
import org.eclipse.jetty.policy.PolicyContext;
import org.eclipse.jetty.policy.PolicyException;
public abstract class AbstractEntry
{
private boolean isDirty = false;
private boolean isExpanded = false;
public abstract void expand( PolicyContext context ) throws PolicyException;
public boolean isDirty()
{
return isDirty;
}
public void setDirty( boolean isDirty )
{
this.isDirty = isDirty;
}
public boolean isExpanded()
{
return isExpanded;
}
public void setExpanded( boolean isExpanded )
{
this.isExpanded = isExpanded;
}
}

209
jetty-policy/src/main/java/org/eclipse/jetty/policy/entry/GrantEntry.java
View File

@ -1,209 +0,0 @@
//
// ========================================================================
// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.policy.entry;
import java.net.URI;
import java.net.URL;
import java.security.CodeSource;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Principal;
import java.security.cert.Certificate;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.StringTokenizer;
import org.eclipse.jetty.policy.PolicyContext;
import org.eclipse.jetty.policy.PolicyException;
public class GrantEntry extends AbstractEntry
{
/**
* The signers part of grant clause. This is a comma-separated list of certificate aliases.
*/
private String signers;
/**
* The codebase part of grant clause. This is an URL from which code originates.
*/
private String codebase;
/**
* Collection of PrincipalEntries of grant clause.
*/
private Collection<PrincipalEntry> principalNodes;
/**
* Collection of PermissionEntries of grant clause.
*/
private Collection<PermissionEntry> permissionNodes;
// cached permissions
private PermissionCollection permissions;
private Certificate[] signerArray;
private CodeSource codesource;
private Principal[] principals;
/**
* Adds specified element to the <code>principals</code> collection. If collection does not exist yet, creates a
* new one.
*/
public void addPrincipal( PrincipalEntry pe )
{
if ( principalNodes == null )
{
principalNodes = new HashSet<PrincipalEntry>();
}
principalNodes.add( pe );
}
public void expand( PolicyContext context ) throws PolicyException
{
if ( signers != null )
{
signerArray = resolveToCertificates( context.getKeystore(), signers ); // TODO alter to support self:: etc
}
codebase = context.evaluate( codebase );
if ( principalNodes != null )
{
Set<Principal> principalSet = new HashSet<Principal>();
for ( Iterator<PrincipalEntry> i = principalNodes.iterator(); i.hasNext(); )
{
PrincipalEntry node = i.next();
node.expand( context );
principalSet.add( node.toPrincipal( context ) );
}
principals = principalSet.toArray( new Principal[principalSet.size()] );
}
context.setPrincipals( principals );
permissions = new Permissions();
for ( Iterator<PermissionEntry> i = permissionNodes.iterator(); i.hasNext(); )
{
PermissionEntry node = i.next();
node.expand( context );
permissions.add( node.toPermission() );
}
context.setPrincipals( null );
setExpanded( true );
}
public PermissionCollection getPermissions() throws PolicyException
{
return permissions;
}
public Principal[] getPrincipals() throws PolicyException
{
return principals;
}
public CodeSource getCodeSource() throws PolicyException
{
if ( !isExpanded() )
{
throw new PolicyException("GrantNode needs to be expanded.");
}
try
{
if ( codesource == null && codebase != null )
{
URL url = new URI( codebase ).toURL();
codesource = new CodeSource( url, signerArray );
}
return codesource;
}
catch ( Exception e )
{
throw new PolicyException( e );
}
}
/**
* resolve signers into an array of certificates using a given keystore
*
* @param keyStore
* @param signers
* @return
* @throws Exception
*/
private Certificate[] resolveToCertificates( KeyStore keyStore, String signers ) throws PolicyException
{
if ( keyStore == null )
{
Certificate[] certs = null;
return certs;
}
Set<Certificate> certificateSet = new HashSet<Certificate>();
StringTokenizer strTok = new StringTokenizer( signers, ",");
for ( int i = 0; strTok.hasMoreTokens(); ++i )
{
try
{
Certificate certificate = keyStore.getCertificate( strTok.nextToken().trim() );
if ( certificate != null )
{
certificateSet.add( certificate );
}
}
catch ( KeyStoreException kse )
{
throw new PolicyException( kse );
}
}
return certificateSet.toArray( new Certificate[certificateSet.size()] );
}
public void setSigners( String signers )
{
this.signers = signers;
}
public void setCodebase( String codebase )
{
this.codebase = codebase;
}
public void setPrincipals( Collection<PrincipalEntry> principals )
{
this.principalNodes = principals;
}
public void setPermissions( Collection<PermissionEntry> permissions )
{
this.permissionNodes = permissions;
}
}

98
jetty-policy/src/main/java/org/eclipse/jetty/policy/entry/KeystoreEntry.java
View File

@ -1,98 +0,0 @@
//
// ========================================================================
// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.policy.entry;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import org.eclipse.jetty.policy.PolicyContext;
import org.eclipse.jetty.policy.PolicyException;
import org.eclipse.jetty.util.resource.Resource;
public class KeystoreEntry extends AbstractEntry
{
/**
* The URL part of keystore clause.
*/
private String url;
/**
* The typename part of keystore clause.
*/
private String type;
// cached value
private KeyStore keystore;
public KeyStore toKeyStore() throws PolicyException
{
if ( keystore != null && !isDirty() )
{
return keystore;
}
try
{
keystore = KeyStore.getInstance( type );
URL keyStoreLocation = new URL ( url );
Resource r = Resource.newResource(keyStoreLocation);
InputStream istream = r.getInputStream();
keystore.load( istream, null );
}
catch ( Exception e )
{
throw new PolicyException( e );
}
return keystore;
}
@Override
public void expand( PolicyContext context ) throws PolicyException
{
url = context.evaluate( url );
setExpanded( true );
}
public String getUrl()
{
return url;
}
public void setUrl( String url )
{
this.url = url;
}
public String getType()
{
return type;
}
public void setType( String type )
{
this.type = type;
}
}

226
jetty-policy/src/main/java/org/eclipse/jetty/policy/entry/PermissionEntry.java
View File

@ -1,226 +0,0 @@
//
// ========================================================================
// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.policy.entry;
import java.lang.reflect.Constructor;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Permission;
import java.security.cert.Certificate;
import java.util.HashSet;
import java.util.Set;
import java.util.StringTokenizer;
import org.eclipse.jetty.policy.PolicyContext;
import org.eclipse.jetty.policy.PolicyException;
public class PermissionEntry extends AbstractEntry
{
/**
* The classname part of permission clause.
*/
private String klass;
/**
* The name part of permission clause.
*/
private String name;
/**
* The actions part of permission clause.
*/
private String actions;
/**
* The signers part of permission clause. This is a comma-separated list of certificate aliases.
*/
private String signers;
private Certificate[] signerArray;
public Permission toPermission() throws PolicyException
{
try
{
Class<?> clazz = Class.forName(klass);
if ( signerArray != null && !validate( signerArray, (Certificate[])clazz.getSigners() ) )
{
throw new PolicyException( "Unvalidated Permissions: " + klass + "/" + name );
}
Permission permission = null;
if ( name == null && actions == null )
{
permission = (Permission) clazz.newInstance();
}
else if ( name != null && actions == null )
{
Constructor<?> c = clazz.getConstructor(new Class[]
{ String.class });
permission = (Permission) c.newInstance( name );
}
else if ( name != null && actions != null )
{
Constructor<?> c = clazz.getConstructor(new Class[]
{ String.class, String.class });
permission = (Permission) c.newInstance( name, actions );
}
return permission;
}
catch ( Exception e )
{
throw new PolicyException( e );
}
}
@Override
public void expand( PolicyContext context ) throws PolicyException
{
if ( name != null )
{
name = context.evaluate( name ).trim();
}
if ( actions != null )
{
actions = context.evaluate( actions ).trim();
}
if ( signers != null )
{
signerArray = resolveCertificates( context.getKeystore(), signers );
}
setExpanded( true );
}
/**
* validate that all permission certs are present in the class certs
*
* @param permCerts
* @param classCerts
* @return true if the permissions match up
*/
private static boolean validate( Certificate[] permCerts, Certificate[] classCerts )
{
if ( classCerts == null )
{
return false;
}
for ( int i = 0; i < permCerts.length; ++i )
{
boolean found = false;
for ( int j = 0; j < classCerts.length; ++j )
{
if ( permCerts[i].equals( classCerts[j] ) )
{
found = true;
break;
}
}
// if we didn't find the permCert in the classCerts then we don't match up
if ( found == false )
{
return false;
}
}
// we found all the permCerts in classCerts so return true
return true;
}
private static Certificate[] resolveCertificates( KeyStore keyStore, String signers ) throws PolicyException
{
if ( keyStore == null )
{
Certificate[] certs = null;
return certs;
}
Set<Certificate> certificateSet = new HashSet<Certificate>();
StringTokenizer strTok = new StringTokenizer( signers, ",");
for ( int i = 0; strTok.hasMoreTokens(); ++i )
{
try
{
Certificate certificate = keyStore.getCertificate( strTok.nextToken().trim() );
if ( certificate != null )
{
certificateSet.add( certificate );
}
}
catch ( KeyStoreException kse )
{
throw new PolicyException( kse );
}
}
return certificateSet.toArray( new Certificate[certificateSet.size()]);
}
public String getKlass()
{
return klass;
}
public void setKlass( String klass )
{
this.klass = klass;
}
public String getName()
{
return name;
}
public void setName( String name )
{
this.name = name;
}
public String getActions()
{
return actions;
}
public void setActions( String actions )
{
this.actions = actions;
}
public String getSigners()
{
return signers;
}
public void setSigners( String signers )
{
this.signers = signers;
}
}

115
jetty-policy/src/main/java/org/eclipse/jetty/policy/entry/PrincipalEntry.java
View File

@ -1,115 +0,0 @@
//
// ========================================================================
// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.policy.entry;
import java.security.KeyStoreException;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import org.eclipse.jetty.policy.PolicyContext;
import org.eclipse.jetty.policy.PolicyException;
public class PrincipalEntry extends AbstractEntry
{
/**
* Wildcard value denotes any class and/or any name. Must be asterisk, for proper general expansion and
* PrivateCredentialsPermission wildcarding
*/
public static final String WILDCARD = "*"; //$NON-NLS-1$
/**
* The classname part of principal clause.
*/
private String klass;
/**
* The name part of principal clause.
*/
private String name;
/**
* cached principal if already computed
*/
private Principal principal;
public Principal toPrincipal( PolicyContext context ) throws PolicyException
{
if ( principal != null && !isDirty() )
{
return principal;
}
// if there is no keystore, there is no way to obtain a principal object
// TODO validate we need this check
if ( context.getKeystore() == null )
{
return null;
}
try
{
Certificate certificate = context.getKeystore().getCertificate( name );
if ( certificate instanceof X509Certificate )
{
principal = ( (X509Certificate) certificate ).getSubjectX500Principal();
return principal;
}
else
{
throw new PolicyException( "Unknown Certificate, unable to obtain Principal: " + certificate.getType() );
}
}
catch ( KeyStoreException kse )
{
throw new PolicyException( kse );
}
}
public void expand( PolicyContext context )
throws PolicyException
{
name = context.evaluate( name );
setExpanded(true);
}
public String getKlass()
{
return klass;
}
public void setKlass( String klass )
{
this.klass = klass;
}
public String getName()
{
return name;
}
public void setName( String name )
{
this.name = name;
}
}

102
jetty-policy/src/main/java/org/eclipse/jetty/policy/loader/DefaultPolicyLoader.java
View File

@ -1,102 +0,0 @@
//
// ========================================================================
// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
// Portions of this file adapted for use from Apache Harmony code by written
// and contributed to that project by Alexey V. Varlamov under the ASL
// ========================================================================
//
package org.eclipse.jetty.policy.loader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.eclipse.jetty.policy.PolicyBlock;
import org.eclipse.jetty.policy.PolicyContext;
import org.eclipse.jetty.policy.PolicyException;
import org.eclipse.jetty.policy.entry.GrantEntry;
import org.eclipse.jetty.policy.entry.KeystoreEntry;
/**
* Load the policies within the stream and resolve into protection domains and permission collections
*
*/
public class DefaultPolicyLoader
{
public static Set<PolicyBlock> load( InputStream policyStream, PolicyContext context ) throws PolicyException
{
Set<PolicyBlock> policies = new HashSet<PolicyBlock>();
KeyStore keystore = null;
try
{
PolicyFileScanner loader = new PolicyFileScanner();
Collection<GrantEntry> grantEntries = new ArrayList<GrantEntry>();
List<KeystoreEntry> keystoreEntries = new ArrayList<KeystoreEntry>();
loader.scanStream( new InputStreamReader(policyStream), grantEntries, keystoreEntries );
for ( Iterator<KeystoreEntry> i = keystoreEntries.iterator(); i.hasNext();)
{
KeystoreEntry node = i.next();
node.expand( context );
keystore = node.toKeyStore();
if ( keystore != null )
{
// we only process the first valid keystore
context.setKeystore( keystore );
break;
}
}
for ( Iterator<GrantEntry> i = grantEntries.iterator(); i.hasNext(); )
{
GrantEntry grant = i.next();
grant.expand( context );
PolicyBlock policy = new PolicyBlock();
policy.setCodeSource( grant.getCodeSource() );
policy.setPrincipals( grant.getPrincipals() );
policy.setPermissions( grant.getPermissions() );
policies.add(policy);
}
return policies;
}
catch ( Exception e )
{
throw new PolicyException( e );
}
}
}

459
jetty-policy/src/main/java/org/eclipse/jetty/policy/loader/PolicyFileScanner.java
View File

@ -1,459 +0,0 @@
//
// ========================================================================
// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
// This file adapted for use from Apache Harmony code by written and contributed
// to that project by Alexey V. Varlamov under the ASL-2.0
// See CQ3380
// ========================================================================
package org.eclipse.jetty.policy.loader;
import java.io.IOException;
import java.io.Reader;
import java.io.StreamTokenizer;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import org.eclipse.jetty.policy.entry.GrantEntry;
import org.eclipse.jetty.policy.entry.KeystoreEntry;
import org.eclipse.jetty.policy.entry.PermissionEntry;
import org.eclipse.jetty.policy.entry.PrincipalEntry;
/**
* This is a basic high-level tokenizer of policy files. It takes in a stream, analyzes data read from it and returns a
* set of structured tokens. <br>
* This implementation recognizes text files, consisting of clauses with the following syntax:
*
* <pre>
*
* keystore &quot;some_keystore_url&quot;, &quot;keystore_type&quot;;
*
* </pre>
*
* <pre>
*
* grant [SignedBy &quot;signer_names&quot;] [, CodeBase &quot;URL&quot;]
* [, Principal [principal_class_name] &quot;principal_name&quot;]
* [, Principal [principal_class_name] &quot;principal_name&quot;] ... {
* permission permission_class_name [ &quot;target_name&quot; ] [, &quot;action&quot;]
* [, SignedBy &quot;signer_names&quot;];
* permission ...
* };
*
* </pre>
*
* For semantical details of this format, see org.apache.harmony.security.DefaultPolicy javadoc. <br>
*
* Keywords are case-insensitive in contrast to quoted string literals. Comma-separation rule is quite forgiving, most
* commas may be just omitted. Whitespaces, line- and block comments are ignored. Symbol-level tokenization is delegated
* to java.io.StreamTokenizer. <br>
* <br>
* This implementation is effectively thread-safe, as it has no field references to data being processed (that is,
* passes all the data as method parameters).
*
* This implementation is a bit more strict in enforcing format then the default policy scanner as implemented in the sun jdk.
*/
public class PolicyFileScanner
{
/**
* Specific exception class to signal policy file syntax error.
*/
public static class InvalidFormatException
extends Exception
{
/**
* @serial
*/
private static final long serialVersionUID = 5789786270390222184L;
/**
* Constructor with detailed message parameter.
*/
public InvalidFormatException( String arg0 )
{
super( arg0 );
}
}
/**
* Configures passed tokenizer accordingly to supported syntax.
*/
protected StreamTokenizer configure( StreamTokenizer st )
{
st.slashSlashComments( true );
st.slashStarComments( true );
st.wordChars( '_', '_' );
st.wordChars( '$', '$' );
return st;
}
/**
* Performs the main parsing loop. Starts with creating and configuring a StreamTokenizer instance; then tries to
* recognize <i>keystore </i> or <i>grant </i> keyword. When found, invokes read method corresponding to the clause
* and collects result to the passed collection.
*
* @param r policy stream reader
* @param grantEntries a collection to accumulate parsed GrantEntries
* @param keystoreEntries a collection to accumulate parsed KeystoreEntries
* @throws IOException if stream reading failed
* @throws InvalidFormatException if unexpected or unknown token encountered
*/
public void scanStream( Reader r, Collection<GrantEntry> grantEntries, List<KeystoreEntry> keystoreEntries )
throws IOException, InvalidFormatException
{
StreamTokenizer st = configure( new StreamTokenizer( r ) );
// main parsing loop
parsing: while ( true )
{
switch ( st.nextToken() )
{
case StreamTokenizer.TT_EOF: // we've done the job
break parsing;
case StreamTokenizer.TT_WORD:
if ( Util.equalsIgnoreCase( "keystore", st.sval ) ) { //$NON-NLS-1$
keystoreEntries.add( readKeystoreNode( st ) );
}
else if ( Util.equalsIgnoreCase( "grant", st.sval ) ) { //$NON-NLS-1$
grantEntries.add( readGrantNode( st ) );
}
else
{
handleUnexpectedToken( st, "Expected entries are : \"grant\" or \"keystore\"" ); //$NON-NLS-1$
}
break;
case ';': // just delimiter of entries
break;
default:
handleUnexpectedToken( st );
break;
}
}
}
/**
* Tries to read <i>keystore </i> clause fields. The expected syntax is
*
* <pre>
*
* &quot;some_keystore_url&quot;[, &quot;keystore_type&quot;];
*
* </pre>
*
* @return successfully parsed KeystoreNode
* @throws IOException if stream reading failed
* @throws InvalidFormatException if unexpected or unknown token encountered
*/
protected KeystoreEntry readKeystoreNode( StreamTokenizer st )
throws IOException, InvalidFormatException
{
KeystoreEntry ke = new KeystoreEntry();
if ( st.nextToken() == '"' )
{
ke.setUrl( st.sval );
if ( ( st.nextToken() == '"' ) || ( ( st.ttype == ',' ) && ( st.nextToken() == '"' ) ) )
{
ke.setType( st.sval );
}
else
{ // handle token in the main loop
st.pushBack();
}
}
else
{
handleUnexpectedToken( st, "Expected syntax is : keystore \"url\"[, \"type\"]" ); //$NON-NLS-1$
}
return ke;
}
/**
* Tries to read <i>grant </i> clause. <br>
* First, it reads <i>codebase </i>, <i>signedby </i>, <i>principal </i> entries till the '{' (opening curly brace)
* symbol. Then it calls readPermissionEntries() method to read the permissions of this clause. <br>
* Principal entries (if any) are read by invoking readPrincipalNode() method, obtained PrincipalEntries are
* accumulated. <br>
* The expected syntax is
*
* <pre>
*
* [ [codebase &quot;url&quot;] | [signedby &quot;name1,...,nameN&quot;] |
* principal ...] ]* { ... }
*
* </pre>
*
* @return successfully parsed GrantNode
* @throws IOException if stream reading failed
* @throws InvalidFormatException if unexpected or unknown token encountered
*/
protected GrantEntry readGrantNode( StreamTokenizer st )
throws IOException, InvalidFormatException
{
GrantEntry ge = new GrantEntry();
parsing: while ( true )
{
switch ( st.nextToken() )
{
case StreamTokenizer.TT_WORD:
if ( Util.equalsIgnoreCase( "signedby", st.sval ) ) { //$NON-NLS-1$
if ( st.nextToken() == '"' )
{
ge.setSigners( st.sval );
}
else
{
handleUnexpectedToken( st, "Expected syntax is : signedby \"name1,...,nameN\"" ); //$NON-NLS-1$
}
}
else if ( Util.equalsIgnoreCase( "codebase", st.sval ) ) { //$NON-NLS-1$
if ( st.nextToken() == '"' )
{
ge.setCodebase( st.sval );
}
else
{
handleUnexpectedToken( st, "Expected syntax is : codebase \"url\"" ); //$NON-NLS-1$
}
}
else if ( Util.equalsIgnoreCase( "principal", st.sval ) ) { //$NON-NLS-1$
ge.addPrincipal( readPrincipalNode( st ) );
}
else
{
handleUnexpectedToken( st );
}
break;
case ',': // just delimiter of entries
break;
case '{':
ge.setPermissions( readPermissionEntries( st ) );
break parsing;
default: // handle token in the main loop
st.pushBack();
break parsing;
}
}
return ge;
}
/**
* Tries to read <i>Principal </i> Node fields. The expected syntax is
*
* <pre>
*
* [ principal_class_name ] &quot;principal_name&quot;
*
* </pre>
*
* Both class and name may be wildcards, wildcard names should not surrounded by quotes.
*
* @return successfully parsed PrincipalNode
* @throws IOException if stream reading failed
* @throws InvalidFormatException if unexpected or unknown token encountered
*/
protected PrincipalEntry readPrincipalNode( StreamTokenizer st )
throws IOException, InvalidFormatException
{
PrincipalEntry pe = new PrincipalEntry();
if ( st.nextToken() == StreamTokenizer.TT_WORD )
{
pe.setKlass( st.sval );
st.nextToken();
}
else if ( st.ttype == '*' )
{
pe.setKlass( PrincipalEntry.WILDCARD );
st.nextToken();
}
if ( st.ttype == '"' )
{
pe.setName( st.sval );
}
else if ( st.ttype == '*' )
{
pe.setName( PrincipalEntry.WILDCARD );
}
else
{
handleUnexpectedToken( st, "Expected syntax is : principal [class_name] \"principal_name\"" ); //$NON-NLS-1$
}
return pe;
}
/**
* Tries to read a list of <i>permission </i> entries. The expected syntax is
*
* <pre>
*
* permission permission_class_name
* [ &quot;target_name&quot; ] [, &quot;action_list&quot;]
* [, signedby &quot;name1,name2,...&quot;];
*
* </pre>
*
* List is terminated by '}' (closing curly brace) symbol.
*
* @return collection of successfully parsed PermissionEntries
* @throws IOException if stream reading failed
* @throws InvalidFormatException if unexpected or unknown token encountered
*/
protected Collection<PermissionEntry> readPermissionEntries( StreamTokenizer st )
throws IOException, InvalidFormatException
{
Collection<PermissionEntry> permissions = new HashSet<PermissionEntry>();
parsing: while ( true )
{
switch ( st.nextToken() )
{
case StreamTokenizer.TT_WORD:
if ( Util.equalsIgnoreCase( "permission", st.sval ) ) { //$NON-NLS-1$
PermissionEntry pe = new PermissionEntry();
if ( st.nextToken() == StreamTokenizer.TT_WORD )
{
pe.setKlass( st.sval );
if ( st.nextToken() == '"' )
{
pe.setName( st.sval );
st.nextToken();
}
if ( st.ttype == ',' )
{
st.nextToken();
}
if ( st.ttype == '"' )
{
pe.setActions( st.sval );
if ( st.nextToken() == ',' )
{
st.nextToken();
}
}
if ( st.ttype == StreamTokenizer.TT_WORD && Util.equalsIgnoreCase( "signedby", st.sval ) ) { //$NON-NLS-1$
if ( st.nextToken() == '"' )
{
pe.setSigners( st.sval );
}
else
{
handleUnexpectedToken( st );
}
}
else
{ // handle token in the next iteration
st.pushBack();
}
permissions.add( pe );
continue parsing;
}
}
handleUnexpectedToken(
st,
"Expected syntax is : permission permission_class_name [\"target_name\"] [, \"action_list\"] [, signedby \"name1,...,nameN\"]" ); //$NON-NLS-1$
break;
case ';': // just delimiter of entries
break;
case '}': // end of list
break parsing;
default: // invalid token
handleUnexpectedToken( st );
break;
}
}
return permissions;
}
/**
* Formats a detailed description of tokenizer status: current token, current line number, etc.
*/
protected String composeStatus( StreamTokenizer st )
{
return st.toString();
}
/**
* Throws InvalidFormatException with detailed diagnostics.
*
* @param st a tokenizer holding the erroneous token
* @param message a user-friendly comment, probably explaining expected syntax. Should not be <code>null</code>- use
* the overloaded single-parameter method instead.
*/
protected final void handleUnexpectedToken( StreamTokenizer st, String message )
throws InvalidFormatException
{
throw new InvalidFormatException( "Unexpected token encountered: " + composeStatus( st ) + ". " + message );
}
/**
* Throws InvalidFormatException with error status: which token is unexpected on which line.
*
* @param st a tokenizer holding the erroneous token
*/
protected final void handleUnexpectedToken( StreamTokenizer st )
throws InvalidFormatException
{
throw new InvalidFormatException( "Unexpected token encountered: " + composeStatus( st ) );
}
private static class Util
{
public static String toUpperCase( String s )
{
int len = s.length();
StringBuilder buffer = new StringBuilder( len );
for ( int i = 0; i < len; i++ )
{
char c = s.charAt( i );
if ( 'a' <= c && c <= 'z' )
{
buffer.append( (char) ( c - ( 'a' - 'A' ) ) );
}
else
{
buffer.append( c );
}
}
return buffer.toString();
}
public static boolean equalsIgnoreCase( String s1, String s2 )
{
s1 = toUpperCase( s1 );
s2 = toUpperCase( s2 );
return s1.equals( s2 );
}
}
}

265
jetty-policy/src/test/java/org/eclipse/jetty/policy/JettyPolicyRuntimeTest.java
View File

@ -1,265 +0,0 @@
//
// ========================================================================
// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.policy;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import java.io.File;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.net.URL;
import java.net.URLClassLoader;
import java.security.AccessControlException;
import java.security.Policy;
import java.util.Collections;
import java.util.HashMap;
import java.util.Set;
import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
import org.eclipse.jetty.toolchain.test.OS;
import org.eclipse.jetty.util.IO;
import org.junit.After;
import org.junit.Assume;
import org.junit.Before;
import org.junit.Test;
public class JettyPolicyRuntimeTest
{
private HashMap<String, String> evaluator = new HashMap<String, String>();
@Before
public void init() throws Exception
{
System.setSecurityManager(null);
Policy.setPolicy(null);
evaluator.put("jetty.home",MavenTestingUtils.getBaseURI().toASCIIString());
evaluator.put("basedir",MavenTestingUtils.getBaseURI().toASCIIString());
}
@After
public void destroy() throws Exception
{
System.setSecurityManager(null);
Policy.setPolicy(null);
IO.delete(new File ("/tmp", "foo"));
}
@Test
public void testSimplePolicyReplacement() throws Exception
{
Assume.assumeTrue(!OS.IS_WINDOWS); // Ignore test if running under windows.
JettyPolicy ap = new JettyPolicy(MavenTestingUtils.getTestResourceDir("runtime-test-1").getAbsolutePath(), evaluator);
ap.refresh();
Policy.setPolicy( ap );
System.setSecurityManager( new SecurityManager() );
File test = new File( "/tmp" );
assertTrue( test.canRead() );
}
@Test
public void testRepeatedPolicyReplacement() throws Exception
{
Assume.assumeTrue(!OS.IS_WINDOWS); // Ignore test if running under windows.
JettyPolicy ap = new JettyPolicy(MavenTestingUtils.getTestResourceDir("runtime-test-2/a").getAbsolutePath(),evaluator);
ap.refresh();
Policy.setPolicy( ap );
System.setSecurityManager( new SecurityManager() );
// Test that the all permission policy allows us to do this
try
{
File test3 = new File( "/tmp/foo/bar/do" );
test3.mkdirs();
test3.delete();
}
catch ( AccessControlException ace )
{
ace.printStackTrace(System.err);
fail("Should NOT have thrown an AccessControlException");
}
JettyPolicy ap2 = new JettyPolicy(MavenTestingUtils.getTestResourceDir("runtime-test-2/b").getAbsolutePath(),evaluator);
ap2.refresh();
Policy.setPolicy( ap2 );
// Test that the new policy does replace the old one and we are now not allowed
try
{
File test3 = new File( "/tmp/foo/bar/do" );
test3.mkdirs();
fail("Should have thrown an AccessControlException");
}
catch ( AccessControlException ace )
{
// Expected Path
}
}
@Test
public void testPolicyRestrictive() throws Exception
{
// TODO - temporary, create alternate file to load for windows
Assume.assumeTrue(!OS.IS_WINDOWS); // Ignore test if running under windows.
JettyPolicy ap = new JettyPolicy(MavenTestingUtils.getTestResourceDir("runtime-test-3").getAbsolutePath(),evaluator);
ap.refresh();
Policy.setPolicy( ap );
System.setSecurityManager( new SecurityManager() );
File test = new File( "/tmp" );
assertTrue ( test.canRead() );
File test2 = new File( "/tmp/foo" );
test2.mkdirs();
assertTrue ( test2.canRead() );
try
{
File test3 = new File("/tmp/foo/bar/do");
test3.mkdirs();
fail("Should have thrown an AccessControlException");
}
catch (AccessControlException ace)
{
// Expected Path
}
}
@Test
public void testCertificateLoader() throws Exception
{
// TODO - temporary, create alternate file to load for windows
Assume.assumeTrue(!OS.IS_WINDOWS); // Ignore test if running under windows.
JettyPolicy ap = new JettyPolicy(MavenTestingUtils.getTestResourceDir("runtime-test-4").getAbsolutePath(),evaluator);
ap.refresh();
URL url = MavenTestingUtils.getTargetURL("test-policy/jetty-test-policy.jar");
//System.out.println(url.toURI().toASCIIString());
//System.out.println(MavenTestingUtils.getBaseURI().toASCIIString());
URLClassLoader loader ;
if (Thread.currentThread().getContextClassLoader() != null )
{
loader = new URLClassLoader( new URL[]{ url }, Thread.currentThread().getContextClassLoader() );
}
else
{
loader = new URLClassLoader( new URL[]{ url }, ClassLoader.getSystemClassLoader() );
}
Thread.currentThread().setContextClassLoader(loader);
Policy.setPolicy( ap );
System.setSecurityManager( new SecurityManager() );
ap.refresh();
ap.dump(System.out);
Class<?> clazz = loader.loadClass("org.eclipse.jetty.toolchain.test.policy.Tester");
Method m = clazz.getMethod("testEcho",new Class[]
{ String.class });
String foo = (String)m.invoke(clazz.newInstance(), "foo");
assertEquals("foo",foo);
Method m2 = clazz.getMethod("testReadSystemProperty",new Class[]
{ String.class });
m2.invoke(clazz.newInstance(), "foo");
assertTrue("system property access was granted",true);
// ap.dump(System.out);
}
@Test
public void testBadCertificateLoader() throws Exception
{
// TODO - temporary, create alternate file to load for windows
Assume.assumeTrue(!OS.IS_WINDOWS); // Ignore test if running under windows.
JettyPolicy ap = new JettyPolicy(MavenTestingUtils.getTestResourceDir("runtime-test-5").getAbsolutePath(),evaluator);
ap.refresh();
Policy.setPolicy( ap );
System.setSecurityManager( new SecurityManager() );
URL url = MavenTestingUtils.getTargetURL("test-policy/jetty-test-policy.jar");
URLClassLoader loader ;
if (Thread.currentThread().getContextClassLoader() != null )
{
loader = new URLClassLoader( new URL[]{ url }, Thread.currentThread().getContextClassLoader() );
}
else
{
loader = new URLClassLoader( new URL[]{ url }, ClassLoader.getSystemClassLoader() );
}
Thread.currentThread().setContextClassLoader(loader);
ap.refresh();
try
{
Class<?> clazz = loader.loadClass("org.eclipse.jetty.toolchain.test.policy.Tester");
Method m = clazz.getMethod( "testEcho", new Class[] {String.class} );
String foo = (String)m.invoke( clazz.newInstance(), "foo");
assertEquals("foo", foo );
Method m2 = clazz.getMethod( "testReadSystemProperty", new Class[] {String.class} );
m2.invoke(clazz.newInstance(), "foobar");
fail("Should have thrown an InvocationTargetException");
}
catch ( InvocationTargetException e )
{
assertTrue(e.getCause().getMessage().contains( "access denied" ));
}
}
private Set<String> getSinglePolicy(String name)
{
return Collections.singleton(MavenTestingUtils.getTestResourceFile(name).getAbsolutePath());
}
}

424
jetty-policy/src/test/java/org/eclipse/jetty/policy/JettyPolicyTest.java
View File

@ -1,424 +0,0 @@
//
// ========================================================================
// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.policy;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
import java.io.FilePermission;
import java.net.URL;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.HashMap;
import java.util.PropertyPermission;
import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
import org.junit.Before;
import org.junit.Test;
public class JettyPolicyTest
{
private HashMap<String, String> evaluator = new HashMap<String, String>();
@Before
public void setUp() throws Exception
{
evaluator.put("jetty.home",MavenTestingUtils.getBaseURI().toASCIIString());
evaluator.put("basedir",MavenTestingUtils.getBaseURI().toASCIIString());
}
/**
* Simple test for loading a policy file and validating that the AllPermission
* was granted successfully.
*/
@Test
public void testGlobalAllPermissionLoader() throws Exception
{
JettyPolicy ap = new JettyPolicy( MavenTestingUtils.getTestResourceDir("policy-test-1").getAbsolutePath(), evaluator );
ap.refresh();
PermissionCollection pc = ap.getPermissions(new ProtectionDomain(null,null));
assertNotNull(pc);
Permission testPerm = new FilePermission("/tmp","read");
assertTrue(pc.implies(testPerm));
}
/**
* Simple test of loading a policy file with a single codebase defined that grants specific
* FilePermission. Then test that read and write were granted but delete was not.
*/
@Test
public void testSingleCodebaseFilePermissionLoader() throws Exception
{
JettyPolicy ap = new JettyPolicy( MavenTestingUtils.getTestResourceDir("policy-test-2").getAbsolutePath(), evaluator );
ap.refresh();
URL url = new URL("file:///foo.jar");
CodeSource cs = new CodeSource(url,new Certificate[0]);
PermissionCollection pc = ap.getPermissions(cs);
assertNotNull(pc);
Permission testReadPerm = new FilePermission( "/tmp/*", "read" );
Permission testWritePerm = new FilePermission( "/tmp/*", "write" );
Permission testDeletePerm = new FilePermission( "/tmp/*", "delete" );
assertTrue( pc.implies( testReadPerm ) );
assertTrue( pc.implies( testWritePerm ) );
assertFalse(pc.implies( testDeletePerm ) );
}
/**
* Tests multiple codebases in a single policy file are loaded correctly and that the various
* grants do indeed work accordingly
*
* @throws Exception
*/
@Test
public void testMultipleCodebaseFilePermissionLoader() throws Exception
{
JettyPolicy ap = new JettyPolicy( MavenTestingUtils.getTestResourceDir("policy-test-3").getAbsolutePath(), evaluator );
ap.refresh();
// test the bar.jar codebase grant
URL url = new URL("file:///bar.jar");
CodeSource cs = new CodeSource(url,new Certificate[0]);
PermissionCollection barPermissionCollection = ap.getPermissions(cs);
assertNotNull( barPermissionCollection );
Permission testBarPerm = new FilePermission("/tmp/*","read,write");
Permission testBarPerm2 = new FilePermission("/usr/*","read"); // only read was granted
Permission testBarPerm3 = new FilePermission("/usr/*","write"); // only read was granted
assertTrue( barPermissionCollection.implies( testBarPerm ) );
assertTrue( barPermissionCollection.implies( testBarPerm2 ) );
assertFalse( barPermissionCollection.implies( testBarPerm3 ) );
// test the global permission grant
PermissionCollection globalPermissionCollection = ap.getPermissions( new ProtectionDomain( null, null ) );
assertNotNull( globalPermissionCollection );
Permission testPropertyPermission = new PropertyPermission("main.class","read");
assertTrue( globalPermissionCollection.implies(testPropertyPermission));
// its global so it ought to be global, double check that
assertTrue( barPermissionCollection.implies(testPropertyPermission));
// test the foo.jar codebase grant
URL fooUrl = new URL( "file:///foo.jar" );
CodeSource fooCodeSource = new CodeSource( fooUrl, new Certificate[0]);
PermissionCollection fooPermissionCollection = ap.getPermissions( fooCodeSource );
assertNotNull( fooPermissionCollection );
Permission testFooPerm = new FilePermission( "/tmp/*", "read,write" );
Permission testFooPerm2 = new FilePermission( "/tmp/*", "read,write,delete" );
assertTrue( fooPermissionCollection.implies(testFooPerm) );
assertFalse( fooPermissionCollection.implies(testFooPerm2) );
// make sure that the foo codebase isn't getting bar permissions
assertFalse( fooPermissionCollection.implies(testBarPerm2) );
// but make sure that foo codebase is getting global
assertTrue( fooPermissionCollection.implies(testPropertyPermission));
}
@Test
public void testMultipleCodebaseMixedPermissionLoader() throws Exception
{
JettyPolicy ap = new JettyPolicy( MavenTestingUtils.getTestResourceDir("policy-test-4").getAbsolutePath(), evaluator );
ap.refresh();
// test the bar.jar codebase grant
URL url = new URL( "file:///bar.jar" );
CodeSource cs = new CodeSource( url, new Certificate[0]);
PermissionCollection barPermissionCollection = ap.getPermissions( cs );
assertNotNull( barPermissionCollection );
Permission testBarPerm = new FilePermission( "/tmp/*", "read,write" );
Permission testBarPerm2 = new FilePermission( "/usr/*", "read" );
assertTrue( barPermissionCollection.implies( testBarPerm ) );
assertTrue( barPermissionCollection.implies( testBarPerm2 ) );
// test the global permission grant
PermissionCollection globalPermissionCollection = ap.getPermissions( new ProtectionDomain( null, null ) );
assertNotNull( globalPermissionCollection );
Permission testPropertyPermission = new PropertyPermission("main.class","read");
assertTrue( globalPermissionCollection.implies(testPropertyPermission));
// its global so it ought to be global, double check that
assertTrue( barPermissionCollection.implies(testPropertyPermission));
// test the foo.jar codebase grant
URL fooUrl = new URL( "file:///foo.jar" );
CodeSource fooCodeSource = new CodeSource( fooUrl, new Certificate[0]);
PermissionCollection fooPermissionCollection = ap.getPermissions( fooCodeSource );
assertNotNull( fooPermissionCollection );
Permission testFooPerm = new FilePermission( "/tmp/*", "read,write" );
Permission testFooPerm2 = new FilePermission( "/tmp/*", "read,write,delete" );
assertTrue( fooPermissionCollection.implies(testFooPerm) );
assertFalse( fooPermissionCollection.implies(testFooPerm2) );
// make sure that the foo codebase isn't getting bar permissions
assertFalse( fooPermissionCollection.implies(testBarPerm2) );
// but make sure that foo codebase is getting global
assertTrue( fooPermissionCollection.implies(testPropertyPermission));
}
/**
* Sanity check that jetty policy file parses
*
* TODO insert typical jetty requirements in here to test
*
* @throws Exception
*/
@Test
public void testSCLoader() throws Exception
{
JettyPolicy ap = new JettyPolicy(MavenTestingUtils.getProjectDir("src/main/config/lib/policy").getAbsolutePath(),evaluator);
ap.refresh();
}
/**
* Test the simple loading of multiple files with no overlapping of security permission code sources
* @throws Exception
*/
@Test
public void testMultipleFilePermissionLoader() throws Exception
{
JettyPolicy ap = new JettyPolicy( MavenTestingUtils.getTestResourceDir("policy-test-5").getAbsolutePath(), evaluator );
ap.refresh();
URL url = new URL("file:///bar.jar");
CodeSource cs = new CodeSource(url,new Certificate[0]);
PermissionCollection pc = ap.getPermissions(cs);
assertNotNull(pc);
Permission testPerm = new FilePermission("/tmp/*","read");
Permission testPerm2 = new FilePermission("/usr/*","write"); //
assertTrue(pc.implies(testPerm));
assertFalse(pc.implies(testPerm2));
}
/**
* Tests the aggregation of multiple policy files into the same protection
* domain of a granted codesource
*
* @throws Exception
*/
@Test
public void testAggregateMultipleFilePermissionLoader() throws Exception
{
JettyPolicy ap = new JettyPolicy( MavenTestingUtils.getTestResourceDir("policy-test-6").getAbsolutePath(), evaluator );
ap.refresh();
URL url = new URL( "file:///bar.jar" );
CodeSource cs = new CodeSource( url, new Certificate[0]);
PermissionCollection pc = ap.getPermissions( cs );
assertNotNull( pc );
Permission testPerm = new FilePermission( "/tmp/*", "read, write" );
Permission testPerm2 = new FilePermission( "/usr/*", "write" );
// this tests that two policy files granting to the same codebase aggregate
// together their permissions, /tmp/* should be read, write after loading policy 2 and 3
assertTrue( pc.implies( testPerm ) );
assertFalse( pc.implies( testPerm2 ) );
}
/**
* test the resolution of the loading of the policy files
*
* @throws Exception
*/
// @Test
// public void testPolicyDirectories() throws Exception
// {
// Set<String> files = new HashSet<String>();
//
// files.add( MavenTestingUtils.getTestResourceFile("single-codebase-file-permission.policy").getAbsolutePath() );
// files.add( MavenTestingUtils.getTestResourceDir("context").getAbsolutePath() );
//
// JettyPolicy ap = new JettyPolicy( files, evaluator );
//
// Assert.assertEquals(3, ap.getKnownPolicyFiles().size());
//
// }
// /**
// * test the discovery and loading of template files
// *
// * @throws Exception
// */
// @Test
// public void testTemplateDirectories() throws Exception
// {
// Set<String> policyFiles = new HashSet<String>();
// Set<String> templateFiles = new HashSet<String>();
//
// policyFiles.add(MavenTestingUtils.getTestResourceFile("single-codebase-file-permission.policy").getAbsolutePath());
// policyFiles.add(MavenTestingUtils.getTestResourceDir("context").getAbsolutePath());
//
// templateFiles.add(MavenTestingUtils.getTestResourceDir("template").getAbsolutePath());
//
// JettyPolicy ap = new JettyPolicy(policyFiles,templateFiles,evaluator);
//
// Assert.assertEquals(3,ap.getKnownPolicyFiles().size());
//
// Assert.assertEquals(2,ap.getKnownTemplateFiles().size());
//
// }
//
// /**
// * tests the assigning of a template to a codesource
// *
// * @throws Exception
// */
// @Test
// public void testTemplateAssign() throws Exception
// {
// Set<String> policyFiles = new HashSet<String>();
// Set<String> templateFiles = new HashSet<String>();
//
// policyFiles.add(MavenTestingUtils.getTestResourceFile("single-codebase-file-permission.policy").getAbsolutePath());
// policyFiles.add(MavenTestingUtils.getTestResourceDir("context").getAbsolutePath());
//
// templateFiles.add(MavenTestingUtils.getTestResourceDir("template").getAbsolutePath());
//
// JettyPolicy ap = new JettyPolicy(policyFiles,templateFiles,evaluator);
//
// ap.assignTemplate("file:///template.jar",new String[]
// { "template1", "template2" });
//
// Assert.assertEquals(2,ap.getAssignedTemplates("file:///template.jar").length);
//
// }
//
// /**
// * tests the assigning of a template to a codesource
// *
// * @throws Exception
// */
// @Test
// public void testTemplateRemove() throws Exception
// {
// Set<String> policyFiles = new HashSet<String>();
// Set<String> templateFiles = new HashSet<String>();
//
// policyFiles.add(MavenTestingUtils.getTestResourceFile("single-codebase-file-permission.policy").getAbsolutePath());
// policyFiles.add(MavenTestingUtils.getTestResourceDir("context").getAbsolutePath());
//
// templateFiles.add(MavenTestingUtils.getTestResourceDir("template").getAbsolutePath());
//
// JettyPolicy ap = new JettyPolicy(policyFiles,templateFiles,evaluator);
//
// ap.assignTemplate("file:///template.jar",new String[]
// { "template1", "template2" });
//
// Assert.assertEquals(2,ap.getAssignedTemplates("file:///template.jar").length);
//
// ap.unassignTemplates("file:///template.jar");
//
// Assert.assertEquals(0,ap.getAssignedTemplates("file:///template.jar").length);
//
// }
//
// @Test
// public void testTemplatePermissions() throws Exception
// {
// Set<String> policyFiles = new HashSet<String>();
// Set<String> templateFiles = new HashSet<String>();
//
// policyFiles.add(MavenTestingUtils.getTestResourceFile("single-codebase-file-permission.policy").getAbsolutePath());
// policyFiles.add(MavenTestingUtils.getTestResourceDir("context").getAbsolutePath());
//
// templateFiles.add(MavenTestingUtils.getTestResourceDir("template").getAbsolutePath());
//
// JettyPolicy ap = new JettyPolicy(policyFiles,templateFiles,evaluator);
//
// URL url = new URL("file:///template.jar");
// CodeSource cs = new CodeSource(url,new Certificate[0]);
//
// PermissionCollection pc = ap.getPermissions(cs);
//
// assertNotNull(pc);
//
// Permission testPerm = new FilePermission("/tmp/*","read");
// Permission testPerm2 = new FilePermission("/tmp/*","write");
//
// // no templates have been assigned
// assertFalse(pc.implies(testPerm));
//
// ap.assignTemplate("file:///template.jar",new String[] {"template1"});
//
// PermissionCollection pc2 = ap.getPermissions(cs);
//
// assertNotNull(pc2);
//
// assertTrue(pc2.implies(testPerm));
// assertFalse(pc2.implies(testPerm2));
//
//
// ap.assignTemplate("file:///template.jar",new String[] {"template1", "template2"});
//
// PermissionCollection pc3 = ap.getPermissions(cs);
//
// assertNotNull(pc3);
//
// assertTrue(pc3.implies(testPerm));
// assertTrue(pc3.implies(testPerm2));
// }
}

120
jetty-policy/src/test/java/org/eclipse/jetty/policy/PolicyContextTest.java
View File

@ -1,120 +0,0 @@
//
// ========================================================================
// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.policy;
import static org.junit.Assert.assertEquals;
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStreamReader;
import java.security.Permission;
import java.util.ArrayList;
import java.util.List;
import org.eclipse.jetty.policy.entry.GrantEntry;
import org.eclipse.jetty.policy.entry.KeystoreEntry;
import org.eclipse.jetty.policy.loader.PolicyFileScanner;
import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
import org.eclipse.jetty.toolchain.test.OS;
import org.junit.Before;
import org.junit.Test;
public class PolicyContextTest
{
public static final String __PRINCIPAL = "javax.security.auth.x500.X500Principal \"CN=Jetty Policy,OU=Artifact,O=Jetty Project,L=Earth,ST=Internet,C=US\"";
@Before
public void init() throws Exception
{
System.setProperty( "basedir", MavenTestingUtils.getBaseURI().toASCIIString() );
}
@Test
public void testSelfPropertyExpansion() throws Exception
{
PolicyContext context = new PolicyContext();
PolicyFileScanner loader = new PolicyFileScanner();
List<GrantEntry> grantEntries = new ArrayList<GrantEntry>();
List<KeystoreEntry> keystoreEntries = new ArrayList<KeystoreEntry>();
File policyFile = MavenTestingUtils.getTestResourceFile("context/jetty-certificate.policy");
loader.scanStream( new InputStreamReader( new FileInputStream( policyFile ) ), grantEntries, keystoreEntries );
if ( !OS.IS_WINDOWS ) //temporary, create alternate file to load for windows
{
for (KeystoreEntry node : keystoreEntries)
{
node.expand(context);
context.setKeystore(node.toKeyStore());
}
GrantEntry grant = grantEntries.get( 0 );
grant.expand( context );
Permission perm = grant.getPermissions().elements().nextElement();
assertEquals( __PRINCIPAL, perm.getName() );
}
}
@Test
public void testAliasPropertyExpansion() throws Exception
{
PolicyContext context = new PolicyContext();
PolicyFileScanner loader = new PolicyFileScanner();
List<GrantEntry> grantEntries = new ArrayList<GrantEntry>();
List<KeystoreEntry> keystoreEntries = new ArrayList<KeystoreEntry>();
File policyFile = MavenTestingUtils.getTestResourceFile("context/jetty-certificate-alias.policy");
loader.scanStream( new InputStreamReader( new FileInputStream( policyFile ) ), grantEntries, keystoreEntries );
if ( !OS.IS_WINDOWS ) //temporary, create alternate file to load for windows
{
for (KeystoreEntry node : keystoreEntries)
{
node.expand(context);
context.setKeystore(node.toKeyStore());
}
GrantEntry grant = grantEntries.get( 0 );
grant.expand( context );
Permission perm = grant.getPermissions().elements().nextElement();
assertEquals( __PRINCIPAL, perm.getName() );
}
}
@Test
public void testFileSeparatorExpansion() throws Exception
{
PolicyContext context = new PolicyContext();
context.addProperty( "foo", "bar" );
assertEquals(File.separator, context.evaluate( "${/}" ) );
assertEquals(File.separator + "bar" + File.separator, context.evaluate( "${/}${foo}${/}" ) );
assertEquals(File.separator + File.separator, context.evaluate( "${/}${/}" ) );
}
}

138
jetty-policy/src/test/java/org/eclipse/jetty/policy/PolicyMonitorTest.java
View File

@ -1,138 +0,0 @@
//
// ========================================================================
// Copyright (c) 1995-2012 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.policy;
import java.io.File;
import java.util.HashMap;
import java.util.concurrent.atomic.AtomicInteger;
import junit.framework.Assert;
import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
import org.eclipse.jetty.toolchain.test.OS;
import org.junit.Before;
import org.junit.Test;
public class PolicyMonitorTest
{
private HashMap<String, String> evaluator = new HashMap<String, String>();
@Before
public void init() throws Exception
{
System.setProperty( "basedir", MavenTestingUtils.getBaseURI().toASCIIString() );
}
@Test
public void testSimpleLoading() throws Exception
{
final AtomicInteger count = new AtomicInteger(0);
PolicyMonitor monitor = new PolicyMonitor(new File(MavenTestingUtils.getTargetDir(),
"test-classes/monitor-test-1").getAbsolutePath())
{
@Override
public void onPolicyChange(PolicyBlock grant)
{
count.incrementAndGet();
}
};
monitor.setScanInterval(1);
monitor.start();
while (!monitor.isInitialized() )
{
Thread.sleep(100);
}
Assert.assertEquals(1,count.get());
monitor.stop();
}
@Test
public void testSimpleReloading() throws Exception
{
if (OS.IS_WINDOWS)
{
return;
}
final AtomicInteger count = new AtomicInteger(0);
PolicyMonitor monitor = new PolicyMonitor(new File(MavenTestingUtils.getTargetDir(),
"test-classes/monitor-test-2").getAbsolutePath())
{
@Override
public void onPolicyChange(PolicyBlock grant)
{
count.incrementAndGet();
}
};
monitor.setScanInterval(1);
monitor.start();
monitor.waitForScan();
monitor.waitForScan();
File permFile =new File(MavenTestingUtils.getTargetDir(),
"test-classes/monitor-test-2/global-all-permission.policy");
// Wait so that time is definitely different
monitor.waitForScan();
permFile.setLastModified(System.currentTimeMillis());
monitor.waitForScan();
monitor.waitForScan();
Assert.assertEquals(2,count.get());
monitor.stop();
}
@Test
public void testLoading() throws Exception
{
final AtomicInteger count = new AtomicInteger(0);
PolicyMonitor monitor = new PolicyMonitor(new File(MavenTestingUtils.getTargetDir(),
"test-classes/monitor-test-3").getAbsolutePath())
{
@Override
public void onPolicyChange(PolicyBlock grant)
{
count.incrementAndGet();
}
};
monitor.setScanInterval(1);
monitor.start();
while (! monitor.isInitialized() )
{
Thread.sleep(100);
}
Assert.assertEquals(16,count.get());
monitor.stop();
}
}

6
jetty-policy/src/test/resources/context/jetty-certificate-alias.policy
View File

@ -1,6 +0,0 @@
keystore "${basedir}/target/test-policy/jetty-policy.keystore", "jks";
grant signedBy "jetty-policy-bad", codeBase "${basedir}/target/test-policy/jetty-test-policy-1.0-SNAPSHOT.jar"
{
permission java.util.PropertyPermission "${{alias:jetty-policy}}", "read";
};

6
jetty-policy/src/test/resources/context/jetty-certificate.policy
View File

@ -1,6 +0,0 @@
keystore "${basedir}/target/test-policy/jetty-policy.keystore", "jks";
grant principal "jetty-policy"
{
permission java.util.PropertyPermission "${{self}}", "read";
};

3
jetty-policy/src/test/resources/monitor-test-1/global-all-permission.policy
View File

@ -1,3 +0,0 @@
grant {
permission java.security.AllPermission;
}

3
jetty-policy/src/test/resources/monitor-test-2/global-all-permission.policy
View File

@ -1,3 +0,0 @@
grant {
permission java.security.AllPermission;
}

3
jetty-policy/src/test/resources/monitor-test-2/template1.template
View File

@ -1,3 +0,0 @@
grant codeBase "TEMPLATE" {
permission java.io.FilePermission "/tmp/*", "read";
}

3
jetty-policy/src/test/resources/monitor-test-3/global-all-permission.policy
View File

@ -1,3 +0,0 @@
grant {
permission java.security.AllPermission;
}

10
jetty-policy/src/test/resources/monitor-test-3/global-file-read-only-tmp-permission.policy
View File

@ -1,10 +0,0 @@
grant {
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission "setIO";
permission java.lang.RuntimePermission "setSecurityManager";
permission java.security.SecurityPermission "getPolicy";
permission java.io.FilePermission "/tmp", "read,write";
permission java.io.FilePermission "/tmp/*", "read,write";
permission java.io.FilePermission "/tmp/foo/bar/*", "read";
}

25
jetty-policy/src/test/resources/monitor-test-3/jetty-bad-certificate.policy
View File

@ -1,25 +0,0 @@
keystore "${basedir}target/test-policy/jetty-policy-nobody.keystore", "jks";
grant signedBy "jetty-policy-bad", codeBase "${basedir}target/test-policy/jetty-test-policy.jar"
{
permission java.util.PropertyPermission "foo", "read";
}
grant {
permission java.io.FilePermission "/-", "read, write";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission "setSecurityManager";
permission java.security.SecurityPermission "getPolicy";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "setIO";
permission java.util.PropertyPermission "java.class.path", "read,write";
permission java.util.PropertyPermission "basedir", "read";
}

31
jetty-policy/src/test/resources/monitor-test-3/jetty-certificate.policy
View File

@ -1,31 +0,0 @@
keystore "${basedir}target/test-policy/jetty-policy.keystore", "jks";
grant signedBy "jetty-policy", codeBase "${basedir}target/test-policy/jetty-test-policy.jar"
{
permission java.util.PropertyPermission "foo", "read";
};
grant {
permission java.io.FilePermission "/-", "read, write";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission "setSecurityManager";
permission java.security.SecurityPermission "getPolicy";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "setIO";
permission java.util.PropertyPermission "java.class.path", "read,write";
permission java.util.PropertyPermission "org.eclipse.jetty.policy.DEBUG", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.stderr.DEBUG", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.stderr.SOURCE", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.DEBUG", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.SOURCE", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
permission java.util.PropertyPermission "basedir", "read";
};

13
jetty-policy/src/test/resources/monitor-test-3/multiple-codebase-file-permission.policy
View File

@ -1,13 +0,0 @@
grant codeBase "file:///foo.jar" {
permission java.io.FilePermission "/tmp/*", "read,write";
}
grant codeBase "file:///bar.jar" {
permission java.io.FilePermission "/tmp/*", "read,write";
permission java.io.FilePermission "/usr/*", "read";
}
grant {
permission java.util.PropertyPermission "main.class", "read";
}

16
jetty-policy/src/test/resources/monitor-test-3/multiple-codebase-mixed-permission.policy
View File

@ -1,16 +0,0 @@
grant codeBase "file:///foo.jar" {
permission java.io.FilePermission "/tmp/*", "read,write";
}
grant codeBase "file:///bar.jar" {
permission java.security.AllPermission;
}
grant codeBase "file:///snap.jar" {
permission java.io.FilePermission "/tmp/*", "read,write";
permission java.io.FilePermission "/usr/*", "read,write";
}
grant {
permission java.util.PropertyPermission "main.class", "read";
}

3
jetty-policy/src/test/resources/monitor-test-3/single-codebase-file-permission-2.policy
View File

@ -1,3 +0,0 @@
grant codeBase "file:///bar.jar" {
permission java.io.FilePermission "/tmp/*", "read";
}

3
jetty-policy/src/test/resources/monitor-test-3/single-codebase-file-permission-3.policy
View File

@ -1,3 +0,0 @@
grant codeBase "file:///bar.jar" {
permission java.io.FilePermission "/tmp/*", "write";
}

3
jetty-policy/src/test/resources/monitor-test-3/single-codebase-file-permission.policy
View File

@ -1,3 +0,0 @@
grant codeBase "file:///foo.jar" {
permission java.io.FilePermission "/tmp/*", "read,write";
}

3
jetty-policy/src/test/resources/monitor-test-3/template1.template
View File

@ -1,3 +0,0 @@
grant codeBase "TEMPLATE" {
permission java.io.FilePermission "/tmp/*", "read";
}

3
jetty-policy/src/test/resources/policy-test-1/global-all-permission.policy
View File

@ -1,3 +0,0 @@
grant {
permission java.security.AllPermission;
}

3
jetty-policy/src/test/resources/policy-test-2/single-codebase-file-permission.policy
View File

@ -1,3 +0,0 @@
grant codeBase "file:///foo.jar" {
permission java.io.FilePermission "/tmp/*", "read,write";
}

13
jetty-policy/src/test/resources/policy-test-3/multiple-codebase-file-permission.policy
View File

@ -1,13 +0,0 @@
grant codeBase "file:///foo.jar" {
permission java.io.FilePermission "/tmp/*", "read,write";
}
grant codeBase "file:///bar.jar" {
permission java.io.FilePermission "/tmp/*", "read,write";
permission java.io.FilePermission "/usr/*", "read";
}
grant {
permission java.util.PropertyPermission "main.class", "read";
}

16
jetty-policy/src/test/resources/policy-test-4/multiple-codebase-mixed-permission.policy
View File

@ -1,16 +0,0 @@
grant codeBase "file:///foo.jar" {
permission java.io.FilePermission "/tmp/*", "read,write";
}
grant codeBase "file:///bar.jar" {
permission java.security.AllPermission;
}
grant codeBase "file:///snap.jar" {
permission java.io.FilePermission "/tmp/*", "read,write";
permission java.io.FilePermission "/usr/*", "read,write";
}
grant {
permission java.util.PropertyPermission "main.class", "read";
}

3
jetty-policy/src/test/resources/policy-test-5/single-codebase-file-permission-2.policy
View File

@ -1,3 +0,0 @@
grant codeBase "file:///bar.jar" {
permission java.io.FilePermission "/tmp/*", "read";
}

3
jetty-policy/src/test/resources/policy-test-5/single-codebase-file-permission.policy
View File

@ -1,3 +0,0 @@
grant codeBase "file:///foo.jar" {
permission java.io.FilePermission "/tmp/*", "read,write";
}

3
jetty-policy/src/test/resources/policy-test-6/single-codebase-file-permission-2.policy
View File

@ -1,3 +0,0 @@
grant codeBase "file:///bar.jar" {
permission java.io.FilePermission "/tmp/*", "read";
}

3
jetty-policy/src/test/resources/policy-test-6/single-codebase-file-permission-3.policy
View File

@ -1,3 +0,0 @@
grant codeBase "file:///bar.jar" {
permission java.io.FilePermission "/tmp/*", "write";
}

3
jetty-policy/src/test/resources/policy-test-6/single-codebase-file-permission.policy
View File

@ -1,3 +0,0 @@
grant codeBase "file:///foo.jar" {
permission java.io.FilePermission "/tmp/*", "read,write";
}

3
jetty-policy/src/test/resources/runtime-test-1/global-all-permission.policy
View File

@ -1,3 +0,0 @@
grant {
permission java.security.AllPermission;
}

3
jetty-policy/src/test/resources/runtime-test-2/a/global-all-permission.policy
View File

@ -1,3 +0,0 @@
grant {
permission java.security.AllPermission;
}

10
jetty-policy/src/test/resources/runtime-test-2/b/global-file-read-only-tmp-permission.policy
View File

@ -1,10 +0,0 @@
grant {
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission "setIO";
permission java.lang.RuntimePermission "setSecurityManager";
permission java.security.SecurityPermission "getPolicy";
permission java.io.FilePermission "/tmp", "read,write";
permission java.io.FilePermission "/tmp/*", "read,write";
permission java.io.FilePermission "/tmp/foo/bar/*", "read";
}

10
jetty-policy/src/test/resources/runtime-test-3/global-file-read-only-tmp-permission.policy
View File

@ -1,10 +0,0 @@
grant {
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission "setIO";
permission java.lang.RuntimePermission "setSecurityManager";
permission java.security.SecurityPermission "getPolicy";
permission java.io.FilePermission "/tmp", "read,write";
permission java.io.FilePermission "/tmp/*", "read,write";
permission java.io.FilePermission "/tmp/foo/bar/*", "read";
}

31
jetty-policy/src/test/resources/runtime-test-4/jetty-certificate.policy
View File

@ -1,31 +0,0 @@
keystore "${basedir}target/test-policy/jetty-policy.keystore", "jks";
grant signedBy "jetty-policy", codeBase "${basedir}target/test-policy/jetty-test-policy.jar"
{
permission java.util.PropertyPermission "foo", "read";
};
grant {
permission java.io.FilePermission "/-", "read, write";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission "setSecurityManager";
permission java.security.SecurityPermission "getPolicy";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "setIO";
permission java.util.PropertyPermission "java.class.path", "read,write";
permission java.util.PropertyPermission "org.eclipse.jetty.policy.DEBUG", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.stderr.DEBUG", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.stderr.SOURCE", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.DEBUG", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.SOURCE", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
permission java.util.PropertyPermission "basedir", "read";
};

25
jetty-policy/src/test/resources/runtime-test-5/jetty-bad-certificate.policy
View File

@ -1,25 +0,0 @@
keystore "${basedir}target/test-policy/jetty-policy-nobody.keystore", "jks";
grant signedBy "jetty-policy-bad", codeBase "${basedir}target/test-policy/jetty-test-policy.jar"
{
permission java.util.PropertyPermission "foo", "read";
}
grant {
permission java.io.FilePermission "/-", "read, write";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission "setSecurityManager";
permission java.security.SecurityPermission "getPolicy";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "setIO";
permission java.util.PropertyPermission "java.class.path", "read,write";
permission java.util.PropertyPermission "basedir", "read";
}

258
LICENSE-ECLIPSE-1.0.html → license-eplv10-aslv20.html
View File

@ -6,7 +6,7 @@
<meta name="Generator" content="Microsoft Word 9">
<meta name="Originator" content="Microsoft Word 9">
<link rel="File-List" href="http://www.eclipse.org/legal/Eclipse%20EPL%202003_11_10%20Final_files/filelist.xml">
<title>Eclipse Public License - Version 1.0</title>
<title>Eclipse Public License - Version 1.0 / Apache License - Version 2.0</title>
<!--[if gte mso 9]><xml>
<o:DocumentProperties>
<o:Revision>2</o:Revision>
@ -317,4 +317,260 @@ its rights to a jury trial in any resulting litigation.</span> </p>
</div>
<div class="Section2">
<p style="text-align: center;" align="center"><b>Apache License</b></br>
Version 2.0, January 2004<br/>
http://www.apache.org/licenses/<br/>
</p>
<p><span style="font-size: 10pt;">TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION</spam></p>
<p><b><span style="font-size: 10pt;">1. Definitions.</span></b> </p>
<p><span style="font-size: 10pt;">
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.</span></p>
<p><span style="font-size: 10pt;">
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.</span></p>
<p><span style="font-size: 10pt;">
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.</span></p>
<p><span style="font-size: 10pt;">
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.</span></p>
<p><span style="font-size: 10pt;">
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.</span></p>
<p><span style="font-size: 10pt;">
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.</span></p>
<p><span style="font-size: 10pt;">
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).</span></p>
<p><span style="font-size: 10pt;">
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.</span></p>
<p><span style="font-size: 10pt;">
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."</span></p>
<p><span style="font-size: 10pt;">
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.</span></p>
<p><b><span style="font-size: 10pt;">2. Grant of Copyright License.</span></b> </p>
<p><span style="font-size: 10pt;">
Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.</span></p>
<p><b><span style="font-size: 10pt;">3. Grant of Patent License.</span></b><p>
<p><span style="font-size: 10pt;">
Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
</span></p>
<p><b><span style="font-size: 10pt;">
4. Redistribution.
</span></b></p>
<p><span style="font-size: 10pt;">You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:</span><p>
<ul>
<li><span style="font-size: 10pt;">
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and</span><p>
</li>
<li><span style="font-size: 10pt;">
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and</span><p>
</li>
</li><span style="font-size: 10pt;">
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and</span><p>
</li>
<li><span style="font-size: 10pt;">
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.</span><p>
</li>
</ul>
</span></p>
<p><span style="font-size: 10pt;">
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
</span></p>
<p><b><span style="font-size: 10pt;">
5. Submission of Contributions.
</span></b></p>
<p><span style="font-size: 10pt;">Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
</span></p>
<p><b><span style="font-size: 10pt;">
6. Trademarks.
</span></b></p>
<p><span style="font-size: 10pt;">This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
</span></p>
<p><b><span style="font-size: 10pt;">
7. Disclaimer of Warranty.
</span></b></p>
<p><span style="font-size: 10pt;">Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
</span></p>
<p><b><span style="font-size: 10pt;">
8. Limitation of Liability.
</span></b></p>
<p><span style="font-size: 10pt;">In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
</span></p>
<p><b><span style="font-size: 10pt;">
9. Accepting Warranty or Additional Liability.
</span></b></p>
<p><span style="font-size: 10pt;">While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
</span></p>
<p><span style="font-size: 10pt;">
END OF TERMS AND CONDITIONS
</span></p>
<p><span style="font-size: 10pt;">
APPENDIX: How to apply the Apache License to your work.
</span></p>
<p><span style="font-size: 10pt;">
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
</span></p>
<p><span style="font-size: 10pt;">
Copyright [yyyy] [name of copyright owner]
</span></p>
<p><span style="font-size: 10pt;">
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
</span></p>
<p><span style="font-size: 10pt;">
http://www.apache.org/licenses/LICENSE-2.0
</span></p>
<p><span style="font-size: 10pt;">
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
</span></p>
</div>
</body></html>

1
pom.xml
View File

@ -419,7 +419,6 @@
<module>jetty-jaspi</module>
<module>jetty-client</module>
<module>jetty-proxy</module>
<module>jetty-policy</module>
<module>jetty-monitor</module>
<module>jetty-nested</module>
<module>jetty-overlay-deployer</module>