One such unexpected interaction is caused by modifying shared classes and objects, for instance changing system properties or changing the behavior of system classes.
Tomcat 5.5's class loaders are organised as:

      Bootstrap
          |
       System
          |
       Common
      /      \
 Catalina   Shared
             /   \
        Webapp1  Webapp2 ...

Tomcat 6.0's class loaders are organised as:

      Bootstrap
          |
       System
          |
       Common
       /     \
  Webapp1   Webapp2 ...

In both cases, web applications and Tomcat share the classes managed by class loaders Bootstrap, System and Common.
Let's say one web application uses the following code to tell the Java runtime to use the XSLT implementation shipped with the JDK:
System.setProperty("javax.xml.transform.TransformerFactory", "com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");
Other web applications may choose other XSLT implementations in a similar way. If a web application's correct behavior depends on a particular XSLT implementation, we have a problem, because System.setProperty("javax.xml.transform.TransformerFactory", ...) changes the XSLT implementation for the whole JVM, not just for the calling web application.
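The interference described above can be reproduced in a single JVM. This is an added example, not code from the original post: the two static methods stand in for two web applications, and com.example.webapp1.CustomTransformerFactory is a hypothetical class name that is deliberately absent from the classpath, as a class bundled inside another web application would be.

```java
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.TransformerFactoryConfigurationError;

public class SharedPropertyDemo {
    static final String KEY = "javax.xml.transform.TransformerFactory";

    // Stands in for web application 2: it never touches the property,
    // it only asks JAXP for whatever factory is currently configured.
    static String webapp2Lookup() {
        try {
            return TransformerFactory.newInstance().getClass().getName();
        } catch (TransformerFactoryConfigurationError e) {
            // JAXP could not load the class named by the JVM-wide property.
            return "FAILED: " + e.getMessage();
        }
    }

    // Stands in for web application 1: it selects an implementation that
    // only it can load (hypothetical class name, not a real library).
    static void webapp1Init() {
        System.setProperty(KEY, "com.example.webapp1.CustomTransformerFactory");
    }

    public static void main(String[] args) {
        String previous = System.getProperty(KEY);

        System.out.println("webapp2 before webapp1 starts: " + webapp2Lookup());

        webapp1Init();
        // Same call, same code, different result: the lookup re-reads the
        // system property every time, so webapp2 is now broken.
        System.out.println("webapp2 after webapp1 starts:  " + webapp2Lookup());

        // Put the property back the way we found it.
        if (previous == null) {
            System.clearProperty(KEY);
        } else {
            System.setProperty(KEY, previous);
        }
        System.out.println("webapp2 after restore:         " + webapp2Lookup());
    }
}
```

Run without a security manager, the second lookup fails even though the code doing the lookup never changed anything itself.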
Therefore it is advisable to use the Java security manager to control the permissions granted to web application code.
Note that $CATALINA_HOME/bin/startup.sh does not start Tomcat with the security manager. To enable the security manager, use $CATALINA_HOME/bin/startup.sh -security, which appends "-Djava.security.manager -Djava.security.policy=..." to the JVM arguments.
A simple Java program for testing the security manager and policy file:
    public class SecurityManagerTest {
        public static void main(String[] args) throws Exception {
            System.setProperty("greeting", "hello world!");
            System.out.println(System.getProperty("greeting"));
        }
    }
Run this program and you will see "hello world!" printed out.
Prepare a policy file called lab.policy:
    grant {
        permission java.util.PropertyPermission "*", "read";
    };
It says that any code may read system properties but may not write them.
By the way, the policy file can be created using policytool.
Then run the program like this:
java -Djava.security.manager -Djava.security.policy=lab.policy SecurityManagerTest
You will see an exception:
Exception in thread "main" java.security.AccessControlException: access denied (java.util.PropertyPermission greeting write)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
    at java.security.AccessController.checkPermission(AccessController.java:546)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
    at java.lang.System.setProperty(System.java:727)
    at SecurityManagerTest.main(SecurityManagerTest.java:11)
This shows the security manager is working. It is important to give the right location for the policy file, because when the security manager is enabled, no permission is granted by default, so every permission is denied except those defined in the policy file. If the policy file cannot be found, the code is given no permission at all.