Webmaster wrote:
>Hi!
>
>On Tue, 27 Jan 2004 12:14:16 -0500, Jeanfrancois Arcand <jfarcand@(protected)>:
>
>>From: Jeanfrancois Arcand <jfarcand@(protected)>
>>Date: Tue, 27 Jan 2004 12:14:16 -0500
>>To: Tomcat Users List <tomcat-user@(protected)>
>>Subject: Re: Tomcat + Hibernate2 + Security Manager
>>
>>Webmaster wrote:
>>
>>>Hi all,
>>>
>>>I know this is a little bit out of topic, but the general concept is useful for everybody.
>>>
>>>I run tomcat with security manager for a dozen users. Recently, people started to use the hibernate 2 which requires some funky permissions.
>>>
>>>I had to put these lines in the 'global' permission to make it work:
>>>
>>>grant {
>>>
>>>...
>>>
>>> permission java.lang.RuntimePermission "accessDeclaredMembers";
>>> permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
>>> permission java.lang.RuntimePermission "defineCGLIBClassInJavaPackage";
>>>
>>>...
>>>}
>>>
>>>Note: I DID test using a codebase like:
>>>
>>>grant codeBase "file:/home//client/public_html/WEB-INF/lib/hibernate2.jar!/-" {
>>>....
>>>
>>>but the classes hibernate creates after reflection stop obeying the security manager.
>>>
>>Do you have the exception? Which Tomcat version are you using?
>>
>>
>
>I'm using 4.1.29. The classes that hibernate creates dynamically are the ones that don't follow the codebase anymore, it's like they have a 'null' codebase after they are created.
>
>
>
>>>Are there any security risks on a security setup with those 3 lines for all classes in the JVM?
>>>
>>Yes. It will now allow a Servlet to "load" tomcat internal classes and
>>"maybe" do malicious things.
>>
>>
>
>Right now, my clients don't have permissions to read the classes in /server/lib directory (I don't give file I/O permission to this directory, only to /common/lib). Would that be enough to stop these malicious things?
>
>
Yes. But you should only grant those permissions to the Hibernate jar
files, not the entire folder.
-- Jeanfrancois
>
>>-- Jeanfrancois
>>
>>>Thanks
>>>Renato.
>>>
>>>---------------------------------------------------------------------
>>>To unsubscribe, e-mail: tomcat-user-unsubscribe@(protected)
>>>For additional commands, e-mail: tomcat-user-help@(protected)
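The 'null' codebase Renato observes, and the reason Jeanfrancois's advice to scope the grant to the Hibernate jar does not by itself cover the proxy classes, both follow from how the JDK assigns a ProtectionDomain to a class defined at runtime. A policy entry `grant { ... }` with no codeBase applies to every class in the JVM; `grant codeBase "file:/.../hibernate2.jar" { ... }` applies only to classes whose CodeSource location matches, which the policy decides with `CodeSource.implies`. A class defined through `ClassLoader.defineClass` without an explicit ProtectionDomain gets the loader's default domain, whose CodeSource has a null location, so no codeBase grant ever matches it. The following program is an added example written for this thread; it is not from the mailing list, Tomcat or Hibernate, uses only the JDK (Java 11+ for `readAllBytes`), and re-defines its own class bytes as a stand-in for a generated proxy. The jar path is constructed to mirror the policy entry quoted above and need not exist on disk.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

/**
 * Shows why a class defined at runtime carries no codeBase unless the code that
 * defines it supplies a ProtectionDomain, and therefore never matches a policy
 * entry of the form  grant codeBase "file:/.../hibernate2.jar" { ... }.
 * Added example using only the JDK; Hibernate and CGLIB are not involved.
 * Build and run from the directory holding the compiled class:
 *   javac CodeSourceCheck.java && java CodeSourceCheck
 */
public class CodeSourceCheck {

    /** Minimal loader exposing defineClass with and without an explicit ProtectionDomain. */
    static final class GeneratedClassLoader extends ClassLoader {
        GeneratedClassLoader(ClassLoader parent) { super(parent); }

        Class<?> defineWithoutDomain(String name, byte[] b) {
            // The call a naive bytecode generator makes: the JDK assigns the
            // loader's default domain, whose CodeSource location is null.
            return defineClass(name, b, 0, b.length);
        }

        Class<?> defineWithDomain(String name, byte[] b, ProtectionDomain pd) {
            // Defining under the generating jar's domain keeps the class inside
            // that jar's codeBase grant.
            return defineClass(name, b, 0, b.length, pd);
        }
    }

    /** Location recorded in the class's CodeSource, or null if there is none. */
    static URL locationOf(Class<?> c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        return cs == null ? null : cs.getLocation();
    }

    /** True if a policy entry  grant codeBase <grantUrl>  would apply to the class. */
    static boolean grantApplies(URL grantUrl, Class<?> c) {
        // The policy's codeBase matching is CodeSource.implies on the class's CodeSource.
        CodeSource grant = new CodeSource(grantUrl, (Certificate[]) null);
        return grant.implies(c.getProtectionDomain().getCodeSource());
    }

    /** Bytes of this class's own .class file, reused as the "generated" class body. */
    static byte[] ownClassBytes() throws IOException {
        try (InputStream in = CodeSourceCheck.class.getResourceAsStream("CodeSourceCheck.class")) {
            if (in == null) {
                throw new IOException("run from the directory containing CodeSourceCheck.class");
            }
            return in.readAllBytes();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = ownClassBytes();
        ClassLoader parent = CodeSourceCheck.class.getClassLoader();

        // Constructed path mirroring the policy entry from the thread (hypothetical, not read from disk).
        URL hibernateJar = new URL("file:/home/client/public_html/WEB-INF/lib/hibernate2.jar");

        // 1. Defined the way the thread describes: no domain supplied, hence no codeBase.
        Class<?> unscoped = new GeneratedClassLoader(parent)
                .defineWithoutDomain("CodeSourceCheck", bytes);

        // 2. Same bytes, defined under a domain whose CodeSource is the jar. A separate
        //    loader is needed because one loader may define a given name only once.
        GeneratedClassLoader scopedLoader = new GeneratedClassLoader(parent);
        ProtectionDomain jarDomain = new ProtectionDomain(
                new CodeSource(hibernateJar, (Certificate[]) null),
                new Permissions(), scopedLoader, null);
        Class<?> scoped = scopedLoader.defineWithDomain("CodeSourceCheck", bytes, jarDomain);

        System.out.println("unscoped location     : " + locationOf(unscoped));
        System.out.println("unscoped grant applies: " + grantApplies(hibernateJar, unscoped));
        System.out.println("scoped location       : " + locationOf(scoped));
        System.out.println("scoped grant applies  : " + grantApplies(hibernateJar, scoped));
    }
}
```

The first class reports no location and fails the grant check, the second reports the jar URL and passes it. For a deployment like the one in the thread, that means a codeBase-scoped grant is the right shape for the permissions the jar itself needs, while permissions that the generated classes must hold at check time either have to be granted globally, as Renato ended up doing, or the generator has to define those classes under the jar's ProtectionDomain; which of the two a given Hibernate or CGLIB version does is not something this thread establishes and should be verified against that version.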