jetty.policy file that starts up jetty successfully
git-svn-id: svn+ssh://dev.eclipse.org/svnroot/rt/org.eclipse.jetty/jetty/trunk@369 7e9141cc-0065-0410-87d8-b60c137991c4
This commit is contained in:
Jesse McConnell
parent
8fe2fe566b
commit
7a2a0ad3e4
|
|
@ -1,107 +1,248 @@
|
||||||
// basic policy file for jetty
|
//
|
||||||
|
//
|
||||||
|
// Default security policy for jetty
|
||||||
|
//
|
||||||
|
//
|
||||||
|
|
||||||
// TODO update with greg's latest property changes and set better reasonable defaults for various jetty codeBases
|
// start.jar
|
||||||
|
grant codeBase "file:${jetty.home}/start.jar" {
|
||||||
|
|
||||||
grant codeBase "file:${jetty.home}${/}-" {
|
permission java.io.FilePermission "${jetty.home}${/}-", "read";
|
||||||
permission java.io.FilePermission "${jetty.home}${/}-", "read";
|
|
||||||
|
|
||||||
permission java.io.FilePermission "${jetty.home}${/}logs${/}-", "read, write";
|
permission java.util.PropertyPermission "org.eclipse.jetty.webapp.WebAppClassLoader.extensions" "read";
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.http.PathMap.separators" "read";
|
||||||
permission java.lang.RuntimePermission "createClassLoader";
|
|
||||||
permission java.lang.RuntimePermission "setContextClassLoader";
|
permission java.io.FilePermission "${java.io.tmpdir}", "read, write";
|
||||||
|
permission java.io.FilePermission "${java.io.tmpdir}/*", "read, write";
|
||||||
permission java.security.SecurityPermission "getPolicy";
|
|
||||||
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
permission java.io.FilePermission "/private/${java.io.tmpdir}", "read, write";
|
||||||
|
permission java.io.FilePermission "/private/${java.io.tmpdir}/-", "read, write";
|
||||||
|
permission java.io.FilePermission "${java.io.tmpdir}/-" "delete";
|
||||||
|
|
||||||
|
permission java.io.FilePermission "${jetty.home}${/}logs", "read, write";
|
||||||
|
permission java.io.FilePermission "${jetty.home}${/}logs/-", "read, write";
|
||||||
|
|
||||||
|
permission java.lang.RuntimePermission "createClassLoader";
|
||||||
|
permission java.lang.RuntimePermission "setContextClassLoader";
|
||||||
|
permission java.security.SecurityPermission "getPolicy";
|
||||||
|
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
||||||
|
|
||||||
|
permission java.util.PropertyPermission "jetty.home", "read, write";
|
||||||
|
|
||||||
|
permission java.util.PropertyPermission "user.home", "read";
|
||||||
|
|
||||||
|
permission java.util.PropertyPermission "jetty.class.path", "read, write";
|
||||||
|
permission java.util.PropertyPermission "java.class.path", "read, write";
|
||||||
|
|
||||||
|
permission java.util.PropertyPermission "repository", "read, write";
|
||||||
|
|
||||||
|
permission java.util.PropertyPermission "jetty.lib", "read";
|
||||||
|
permission java.util.PropertyPermission "jetty.server", "read";
|
||||||
|
permission java.util.PropertyPermission "jetty.host", "read";
|
||||||
|
permission java.util.PropertyPermission "jetty.port", "read";
|
||||||
|
permission java.util.PropertyPermission "start.class", "read";
|
||||||
|
|
||||||
|
permission java.util.PropertyPermission "main.class", "read";
|
||||||
|
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.DEBUG", "read";
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.URI.charset", "read";
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.FileResource.checkAliases", "read";
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.xml.XmlParser.Validating", "read";
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.io.nio.JVMBUG_THRESHHOLD", "read, write";
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.TypeUtil.IntegerCacheSize", "read, write";
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.TypeUtil.LongCacheSize", "read";
|
||||||
|
|
||||||
|
permission java.util.PropertyPermission "ISO_8859_1", "read";
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.server.Request.maxFormContentSize" "read";
|
||||||
|
|
||||||
|
|
||||||
|
permission javax.security.auth.AuthPermission "modifyPrincipals";
|
||||||
|
|
||||||
|
permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
|
||||||
|
permission javax.security.auth.AuthPermission "setReadOnly";
|
||||||
|
|
||||||
|
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.server.webapp.parentLoaderPriority" "read";
|
||||||
|
|
||||||
|
permission java.util.PropertyPermission "ROLLOVERFILE_BACKUP_FORMAT" "read";
|
||||||
|
|
||||||
|
|
||||||
|
permission java.lang.RuntimePermission "getClassLoader";
|
||||||
|
|
||||||
|
|
||||||
|
// jsp support
|
||||||
|
permission java.net.SocketPermission "java.sun.com:80" "connect,resolve";
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
//
|
||||||
|
//
|
||||||
|
//
|
||||||
|
grant codeBase "file:${jetty.home}/lib/-" {
|
||||||
|
|
||||||
|
permission java.lang.RuntimePermission "getClassLoader";
|
||||||
|
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.webapp.WebAppClassLoader.extensions" "read";
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.http.PathMap.separators" "read";
|
||||||
|
|
||||||
|
permission java.util.PropertyPermission "ROLLOVERFILE_BACKUP_FORMAT" "read";
|
||||||
|
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.server.webapp.parentLoaderPriority" "read";
|
||||||
|
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.server.Request.maxFormContentSize" "read";
|
||||||
|
|
||||||
|
permission javax.security.auth.AuthPermission "modifyPrincipals";
|
||||||
|
|
||||||
|
permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
|
||||||
|
permission javax.security.auth.AuthPermission "setReadOnly";
|
||||||
|
|
||||||
|
permission java.io.FilePermission "${jetty.home}${/}-", "read";
|
||||||
|
permission java.io.FilePermission "${java.io.tmpdir}", "read, write";
|
||||||
|
permission java.io.FilePermission "${java.io.tmpdir}/-", "read, write";
|
||||||
|
permission java.io.FilePermission "/private/${java.io.tmpdir}", "read, write";
|
||||||
|
permission java.io.FilePermission "/private/${java.io.tmpdir}/-", "read, write";
|
||||||
|
|
||||||
|
permission java.io.FilePermission "${java.io.tmpdir}/-" "delete";
|
||||||
|
|
||||||
|
|
||||||
|
permission java.io.FilePermission "${jetty.home}${/}logs", "read, write";
|
||||||
|
permission java.io.FilePermission "${jetty.home}${/}logs/*", "read, write";
|
||||||
|
|
||||||
|
permission java.lang.RuntimePermission "createClassLoader";
|
||||||
|
permission java.lang.RuntimePermission "setContextClassLoader";
|
||||||
|
|
||||||
|
permission java.security.SecurityPermission "getPolicy";
|
||||||
|
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
||||||
|
|
||||||
|
// jetty specific properties
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.DEBUG", "read";
|
||||||
|
permission java.util.PropertyPermission "START", "read";
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.VERBOSE", "read";
|
||||||
|
permission java.util.PropertyPermission "STOP.PORT", "read";
|
||||||
|
permission java.util.PropertyPermission "STOP.KEY", "read";
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
|
||||||
|
permission java.util.PropertyPermission "CLASSPATH", "read";
|
||||||
|
permission java.util.PropertyPermission "OPTIONS", "read";
|
||||||
|
permission java.util.PropertyPermission "JETTY_NO_SHUTDOWN_HOOK", "read";
|
||||||
|
permission java.util.PropertyPermission "ISO_8859_1", "read";
|
||||||
|
permission java.util.PropertyPermission "jetty.home", "read, write";
|
||||||
|
|
||||||
|
permission java.util.PropertyPermission "user.home", "read";
|
||||||
|
|
||||||
|
permission java.util.PropertyPermission "jetty.class.path", "read, write";
|
||||||
|
permission java.util.PropertyPermission "java.class.path", "read, write";
|
||||||
|
|
||||||
|
permission java.util.PropertyPermission "repository", "read, write";
|
||||||
|
|
||||||
|
permission java.util.PropertyPermission "jetty.lib", "read";
|
||||||
|
permission java.util.PropertyPermission "jetty.server", "read";
|
||||||
|
permission java.util.PropertyPermission "jetty.host", "read";
|
||||||
|
permission java.util.PropertyPermission "jetty.port", "read";
|
||||||
|
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
|
||||||
|
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.URI.charset", "read";
|
||||||
|
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.FileResource.checkAliases", "read";
|
||||||
|
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.xml.XmlParser.Validating", "read";
|
||||||
|
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.io.nio.JVMBUG_THRESHHOLD", "read, write";
|
||||||
|
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.TypeUtil.IntegerCacheSize", "read, write";
|
||||||
|
|
||||||
// makes everything work as a crutch to work on startup
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.TypeUtil.LongCacheSize", "read";
|
||||||
permission java.security.AllPermission;
|
|
||||||
|
// provides access to webapps
|
||||||
|
permission java.io.FilePermission "${jetty.home}${/}webapps${/}-", "read"; // Ought to go up a specific codebase
|
||||||
|
|
||||||
|
|
||||||
|
// Allows any thread to stop itself using the java.lang.Thread.stop()
|
||||||
|
// method that takes no argument.
|
||||||
|
permission java.lang.RuntimePermission "stopThread";
|
||||||
|
|
||||||
|
// jsp support
|
||||||
|
permission java.net.SocketPermission "java.sun.com:80" "connect,resolve";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
//
|
||||||
|
// the tmp directory is where webapps are unpacked by default so setup their restricted permissions
|
||||||
|
//
|
||||||
|
grant codeBase "file:${java.io.tmpdir}/-" {
|
||||||
|
permission java.io.FilePermission "${java.io.tmpdir}/-" "read";
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.DEBUG", "read";
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.VERBOSE", "read";
|
||||||
|
};
|
||||||
|
|
||||||
|
//
|
||||||
|
// some operating systems have tmp as a symbolic link to /private/tmp
|
||||||
|
//
|
||||||
|
grant codeBase "file:/private${java.io.tmpdir}/-" {
|
||||||
|
|
||||||
|
permission java.io.FilePermission "/private/${java.io.tmpdir}/-" "read";
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.DEBUG", "read";
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.VERBOSE", "read";
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
|
//
|
||||||
|
// The work directory can be used for unpacking war files so should have the same default
|
||||||
|
// permissions as the tmp directory
|
||||||
|
//
|
||||||
|
grant codeBase "file:${jetty.home}/work/-" {
|
||||||
|
|
||||||
|
permission java.io.FilePermission "${jetty.home}/work/-" "read";
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.DEBUG", "read";
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.VERBOSE", "read";
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
//
|
||||||
|
//
|
||||||
// default permissions granted to all domains
|
// default permissions granted to all domains
|
||||||
|
//
|
||||||
|
//
|
||||||
grant {
|
grant {
|
||||||
|
// allows anyone to listen on un-privileged ports
|
||||||
|
permission java.net.SocketPermission "localhost:1024-", "listen";
|
||||||
|
|
||||||
// Allows any thread to stop itself using the java.lang.Thread.stop()
|
// "standard" properties that can be read by anyone
|
||||||
// method that takes no argument.
|
permission java.util.PropertyPermission "java.version", "read";
|
||||||
// Note that this permission is granted by default only to remain
|
permission java.util.PropertyPermission "java.vendor", "read";
|
||||||
// backwards compatible.
|
permission java.util.PropertyPermission "java.vendor.url", "read";
|
||||||
// It is strongly recommended that you either remove this permission
|
permission java.util.PropertyPermission "java.class.version", "read";
|
||||||
// from this policy file or further restrict it to code sources
|
permission java.util.PropertyPermission "os.name", "read";
|
||||||
// that you specify, because Thread.stop() is potentially unsafe.
|
permission java.util.PropertyPermission "os.version", "read";
|
||||||
// See "http://java.sun.com/notes" for more information.
|
permission java.util.PropertyPermission "os.arch", "read";
|
||||||
permission java.lang.RuntimePermission "stopThread";
|
permission java.util.PropertyPermission "file.separator", "read";
|
||||||
|
permission java.util.PropertyPermission "path.separator", "read";
|
||||||
|
permission java.util.PropertyPermission "line.separator", "read";
|
||||||
|
permission java.util.PropertyPermission "java.io.tmpdir", "read";
|
||||||
|
|
||||||
|
permission java.util.PropertyPermission "java.specification.version", "read";
|
||||||
|
permission java.util.PropertyPermission "java.specification.vendor", "read";
|
||||||
|
permission java.util.PropertyPermission "java.specification.name", "read";
|
||||||
|
|
||||||
// allows anyone to listen on un-privileged ports
|
permission java.util.PropertyPermission "java.vm.specification.version", "read";
|
||||||
permission java.net.SocketPermission "localhost:1024-", "listen";
|
permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
|
||||||
|
permission java.util.PropertyPermission "java.vm.specification.name", "read";
|
||||||
// "standard" properties that can be read by anyone
|
permission java.util.PropertyPermission "java.vm.version", "read";
|
||||||
|
permission java.util.PropertyPermission "java.vm.vendor", "read";
|
||||||
permission java.util.PropertyPermission "java.version", "read";
|
permission java.util.PropertyPermission "java.vm.name", "read";
|
||||||
permission java.util.PropertyPermission "java.vendor", "read";
|
|
||||||
permission java.util.PropertyPermission "java.vendor.url", "read";
|
|
||||||
permission java.util.PropertyPermission "java.class.version", "read";
|
|
||||||
permission java.util.PropertyPermission "os.name", "read";
|
|
||||||
permission java.util.PropertyPermission "os.version", "read";
|
|
||||||
permission java.util.PropertyPermission "os.arch", "read";
|
|
||||||
permission java.util.PropertyPermission "file.separator", "read";
|
|
||||||
permission java.util.PropertyPermission "path.separator", "read";
|
|
||||||
permission java.util.PropertyPermission "line.separator", "read";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "java.specification.version", "read";
|
|
||||||
permission java.util.PropertyPermission "java.specification.vendor", "read";
|
|
||||||
permission java.util.PropertyPermission "java.specification.name", "read";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "java.vm.specification.version", "read";
|
|
||||||
permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
|
|
||||||
permission java.util.PropertyPermission "java.vm.specification.name", "read";
|
|
||||||
permission java.util.PropertyPermission "java.vm.version", "read";
|
|
||||||
permission java.util.PropertyPermission "java.vm.vendor", "read";
|
|
||||||
permission java.util.PropertyPermission "java.vm.name", "read";
|
|
||||||
|
|
||||||
// jetty specific properties
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.DEBUG", "read";
|
|
||||||
permission java.util.PropertyPermission "START", "read";
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.VERBOSE", "read";
|
|
||||||
permission java.util.PropertyPermission "STOP.PORT", "read";
|
|
||||||
permission java.util.PropertyPermission "STOP.KEY", "read";
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
|
|
||||||
permission java.util.PropertyPermission "CLASSPATH", "read";
|
|
||||||
permission java.util.PropertyPermission "OPTIONS", "read";
|
|
||||||
permission java.util.PropertyPermission "JETTY_NO_SHUTDOWN_HOOK", "read";
|
|
||||||
permission java.util.PropertyPermission "ISO_8859_1", "read";
|
|
||||||
permission java.util.PropertyPermission "jetty.home", "read, write";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "user.home", "read";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "jetty.class.path", "read, write";
|
|
||||||
permission java.util.PropertyPermission "java.class.path", "read, write";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "repository", "read, write";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "jetty.lib", "read";
|
|
||||||
permission java.util.PropertyPermission "jetty.server", "read";
|
|
||||||
permission java.util.PropertyPermission "jetty.host", "read";
|
|
||||||
permission java.util.PropertyPermission "jetty.port", "read";
|
|
||||||
permission java.util.PropertyPermission "start.class", "read";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "main.class", "read";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.URI.charset", "read";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.FileResource.checkAliases", "read";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.xml.XmlParser.Validating", "read";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.io.nio.JVMBUG_THRESHHOLD", "read, write";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.TypeUtil.IntegerCacheSize", "read, write";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.TypeUtil.LongCacheSize", "read";
|
|
||||||
|
|
||||||
// provides access to webapps
|
|
||||||
permission java.io.FilePermission "${jetty.home}${/}webapps${/}-", "read"; // Ought to go up a specific codebase
|
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -44,6 +44,9 @@ public class PropertyEvaluator extends HashMap<String,String>
|
||||||
*/
|
*/
|
||||||
public String getSystemProperty(String name)
|
public String getSystemProperty(String name)
|
||||||
{
|
{
|
||||||
|
|
||||||
|
System.out.println("Prop: " + name + " " + System.getProperty(name));
|
||||||
|
|
||||||
if (containsKey(name))
|
if (containsKey(name))
|
||||||
return get(name);
|
return get(name);
|
||||||
return System.getProperty(name);
|
return System.getProperty(name);
|
||||||
|
|
@ -57,8 +60,10 @@ public class PropertyEvaluator extends HashMap<String,String>
|
||||||
/* ------------------------------------------------------------ */
|
/* ------------------------------------------------------------ */
|
||||||
public String evaluate(String s)
|
public String evaluate(String s)
|
||||||
{
|
{
|
||||||
|
|
||||||
int i1=0;
|
int i1=0;
|
||||||
int i2=0;
|
int i2=0;
|
||||||
|
/*
|
||||||
while (s!=null)
|
while (s!=null)
|
||||||
{
|
{
|
||||||
i1=s.indexOf("$(",i2);
|
i1=s.indexOf("$(",i2);
|
||||||
|
|
@ -74,6 +79,7 @@ public class PropertyEvaluator extends HashMap<String,String>
|
||||||
|
|
||||||
i1=0;
|
i1=0;
|
||||||
i2=0;
|
i2=0;
|
||||||
|
*/
|
||||||
while (s!=null)
|
while (s!=null)
|
||||||
{
|
{
|
||||||
i1=s.indexOf("${",i2);
|
i1=s.indexOf("${",i2);
|
||||||
|
|
@ -83,7 +89,7 @@ public class PropertyEvaluator extends HashMap<String,String>
|
||||||
if (i2<0)
|
if (i2<0)
|
||||||
break;
|
break;
|
||||||
String name=s.substring(i1+2,i2);
|
String name=s.substring(i1+2,i2);
|
||||||
String property=getProperty(name);
|
String property=getSystemProperty(name);
|
||||||
s=s.substring(0,i1)+property+s.substring(i2+1);
|
s=s.substring(0,i1)+property+s.substring(i2+1);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -129,6 +129,7 @@ public class DefaultPolicyLoader
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
URL url = new URL( evaluator.evaluate(codeBase) );
|
URL url = new URL( evaluator.evaluate(codeBase) );
|
||||||
|
System.out.println("\n\nCodebase: " + url.toExternalForm() + "\n\n");
|
||||||
Certificate[] cert = null;
|
Certificate[] cert = null;
|
||||||
return new CodeSource( url, cert); //TODO support certificates
|
return new CodeSource( url, cert); //TODO support certificates
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue