X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=nokia%2Fvnfmdriver%2Fvfcadaptorservice%2Fdeployment%2Fsrc%2Fmain%2Frelease%2Fconf%2Fcatalina.policy;h=a48a027fe789e5f102ac9b96843adf76b9668c42;hb=01ec074ef078dad0c8adf79d0910a1242fd48bad;hp=9f9910477e8516887ab5e2d2a8450eb015849fbc;hpb=89f35dc554bfa90350666d855220ad949f59b405;p=vfc%2Fnfvo%2Fdriver%2Fvnfm%2Fsvnfm.git diff --git a/nokia/vnfmdriver/vfcadaptorservice/deployment/src/main/release/conf/catalina.policy b/nokia/vnfmdriver/vfcadaptorservice/deployment/src/main/release/conf/catalina.policy index 9f991047..a48a027f 100644 --- a/nokia/vnfmdriver/vfcadaptorservice/deployment/src/main/release/conf/catalina.policy +++ b/nokia/vnfmdriver/vfcadaptorservice/deployment/src/main/release/conf/catalina.policy @@ -14,7 +14,7 @@ // limitations under the License. // ============================================================================ -// catalina.policy - Security Policy Permissions for Tomcat 7 +// catalina.policy - Security Policy Permissions for Tomcat // // This file contains a default set of security policies to be enforced (by the // JVM) when Catalina is executed with the "-security" option. In addition @@ -59,7 +59,10 @@ grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" { permission java.security.AllPermission; }; - +// These permissions apply to the logging API +// Note: If tomcat-juli.jar is in ${catalina.base} and not in ${catalina.home}, +// update this section accordingly. +// grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {..} grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read"; @@ -75,14 +78,26 @@ grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { permission java.lang.RuntimePermission "getClassLoader"; permission java.lang.RuntimePermission "setContextClassLoader"; + permission java.lang.management.ManagementPermission "monitor"; + permission java.util.logging.LoggingPermission "control"; permission java.util.PropertyPermission "java.util.logging.config.class", "read"; permission java.util.PropertyPermission "java.util.logging.config.file", "read"; + permission java.util.PropertyPermission "org.apache.juli.AsyncLoggerPollInterval", "read"; + permission java.util.PropertyPermission "org.apache.juli.AsyncMaxRecordCount", "read"; + permission java.util.PropertyPermission "org.apache.juli.AsyncOverflowDropType", "read"; permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read"; permission java.util.PropertyPermission "catalina.base", "read"; - + // Note: To enable per context logging configuration, permit read access to + // the appropriate file. Be sure that the logging configuration is + // secure before enabling such access. + // E.g. for the examples web application (uncomment and unwrap + // the following to be on a single line): + // permission java.io.FilePermission "${catalina.base}${file.separator} + // webapps${file.separator}examples${file.separator}WEB-INF + // ${file.separator}classes${file.separator}logging.properties", "read"; }; // These permissions apply to the server startup code @@ -98,13 +113,19 @@ grant codeBase "file:${catalina.home}/lib/-" { }; +// If using a per instance lib directory, i.e. ${catalina.base}/lib, +// then the following permission will need to be uncommented +// grant codeBase "file:${catalina.base}/lib/-" { +// permission java.security.AllPermission; +// }; + // ========== WEB APPLICATION PERMISSIONS ===================================== // These permissions are granted by default to all web applications // In addition, a web application will be given a read FilePermission -// and JndiPermission for all files and directories in its document root. +// for all files and directories in its document root. grant { // Required for JNDI lookup of named JDBC DataSource's and // javamail named MimePart DataSource used to send mail @@ -168,10 +189,7 @@ grant { // Applications using Comet need to be able to access this package permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.comet"; - // Applications using the legacy WebSocket implementation need to be able to access this package - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.websocket"; - - // Applications using the JSR-356 WebSocket implementation need to be able to access these packages + // Applications using WebSocket need to be able to access these packages permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket.server"; }; @@ -210,3 +228,23 @@ grant codeBase "file:${catalina.home}/webapps/manager/-" { // included a JDBC driver that needed to establish a network connection to the // corresponding database and used the scrape taglib to get the weather from // the NOAA web server. You might create a "grant" entries like this: +// +// The permissions granted to the context root directory apply to JSP pages. +// grant codeBase "file:${catalina.base}/webapps/examples/-" { +// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; +// permission java.net.SocketPermission "*.noaa.gov:80", "connect"; +// }; +// +// The permissions granted to the context WEB-INF/classes directory +// grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" { +// }; +// +// The permission granted to your JDBC driver +// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" { +// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; +// }; +// The permission granted to the scrape taglib +// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" { +// permission java.net.SocketPermission "*.noaa.gov:80", "connect"; +// }; +