Hi!
On Tue, 27 Jan 2004 12:14:16 -0500, Jeanfrancois Arcand <jfarcand@(protected)>:
> From: Jeanfrancois Arcand <jfarcand@(protected)>
> Date: Tue, 27 Jan 2004 12:14:16 -0500
> To: Tomcat Users List <tomcat-user@(protected)>
> Subject: Re: Tomcat + Hibernate2 + Security Manager
>
> Webmaster wrote:
>
> >Hi all,
> >
> >I know this is a little bit off topic, but the general concept is useful for everybody.
> >
> >I run Tomcat with the security manager for a dozen users. Recently, people started to use Hibernate 2, which requires some funky permissions.
> >
> >I had to put these lines in the 'global' permission to make it work:
> >
> >grant {
> >
> >...
> >
> >  permission java.lang.RuntimePermission "accessDeclaredMembers";
> >  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
> >  permission java.lang.RuntimePermission "defineCGLIBClassInJavaPackage";
> >
> >...
> >}
> >
> >Note: I DID test using a codebase like:
> >
> >grant codeBase "file:/home//client/public_html/WEB-INF/lib/hibernate2.jar!/-" {
> >....
> >
> >but the classes hibernate creates after reflection stop obeying the security manager.
> >
> >
> Do you have the exception? Which Tomcat version are you using?
I'm using 4.1.29. The classes that Hibernate creates dynamically are the ones that don't follow the codebase anymore; it's like they have a 'null' codebase after they are created.
> >Are there any security risks in a security setup with those 3 lines for all classes in the JVM?
> >
>
> Yes. It will now allow a Servlet to "load" tomcat internal classes and
> "maybe" do malicious things.
Right now, my clients don't have permissions to read the classes in the /server/lib directory (I don't give file I/O permission to this directory, only to /common/lib). Would that be enough to stop these malicious things?
> -- Jeanfrancois
>
>
> >Thanks
> >Renato.
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: tomcat-user-unsubscribe@(protected)
> >For additional commands, e-mail: tomcat-user-help@(protected)
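The "null codebase" symptom Renato describes has a simple mechanical explanation, shown here in an added example that is not code from the thread, from Hibernate or from CGLIB: a class defined at runtime through ClassLoader.defineClass() without an explicit ProtectionDomain is placed in the loader's default domain, whose CodeSource carries no location, so a per-jar `grant codeBase` clause can never match it, whereas passing the enhanced class's own ProtectionDomain keeps the codebase. The GeneratingLoader, Template class and file names are hypothetical stand-ins constructed for the demonstration.

```java
import java.io.InputStream;
import java.security.CodeSource;
import java.security.ProtectionDomain;

// Added example, not code from the thread, Hibernate or CGLIB. A class defined at
// runtime through ClassLoader.defineClass() without a ProtectionDomain lands in the
// loader's default domain, whose CodeSource has no location, so a
// `grant codeBase "file:.../hibernate2.jar!/-"` clause can never match it.
// Build and run on a modern JDK: javac CodeBaseProbe.java && java CodeBaseProbe
public class CodeBaseProbe {
    /** Hypothetical loader standing in for a bytecode generator. */
    static final class GeneratingLoader extends ClassLoader {
        GeneratingLoader(ClassLoader parent) { super(parent); }
        /** Define without a domain: the new class ends up with no codeBase. */
        Class<?> defineWithoutDomain(String name, byte[] b) {
            return defineClass(name, b, 0, b.length);
        }
        /** Mitigation: define under the domain of the class being enhanced. */
        Class<?> defineWithDomain(String name, byte[] b, ProtectionDomain pd) {
            return defineClass(name, b, 0, b.length, pd);
        }
    }
    /** Stand-in for a persistent class whose bytes get re-defined elsewhere. */
    public static final class Template {}

    static byte[] classBytes(Class<?> c) throws Exception {
        String res = c.getName().replace('.', '/') + ".class";
        try (InputStream in = c.getClassLoader().getResourceAsStream(res)) {
            return in.readAllBytes();
        }
    }
    /** The codeBase a policy file would match this class against. */
    static String codeBase(Class<?> c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        return (cs == null || cs.getLocation() == null) ? "null" : cs.getLocation().toString();
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = classBytes(Template.class);
        String name = Template.class.getName();
        ClassLoader parent = CodeBaseProbe.class.getClassLoader();
        // One loader per definition: a name cannot be defined twice in the same loader.
        Class<?> bare = new GeneratingLoader(parent).defineWithoutDomain(name, bytes);
        Class<?> kept = new GeneratingLoader(parent)
                .defineWithDomain(name, bytes, Template.class.getProtectionDomain());
        System.out.println("original class codeBase : " + codeBase(Template.class));
        System.out.println("generated, no domain    : " + codeBase(bare));
        System.out.println("generated, domain kept  : " + codeBase(kept));
    }
}
```

The second line of output shows the same "null" codebase the thread reports, which is why only a global `grant { ... }` block made the generated classes work. On JDK 17 and later the security manager itself is deprecated for removal, so this isolation model is not one to build new deployments on.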