大战熟女丰满人妻av-荡女精品导航-岛国aaaa级午夜福利片-岛国av动作片在线观看-岛国av无码免费无禁网站-岛国大片激情做爰视频

Tomca教程
Tomcat Manager
Tomcat Realm 配置
Tomcat 安全管理
Tomcat JNDI 資源
Tomcat JDBC 數(shù)據(jù)源
Tomcat 類加載機(jī)制
Tomcat JSPs
Tomcat SSL/TLS配置
Tomcat SSI
Tomcat CGI
Tomcat 代理支持
Tomcat MBean 描述符
Tomcat 默認(rèn) Servlet
Tomcat 集群
Tomcat 連接器
Tomcat監(jiān)控與管理
Tomcat 日志機(jī)制
Tomcat 基于 APR 的原生庫
Tomcat 虛擬主機(jī)
Tomcat 高級 IO 機(jī)制
Tomcat 附加組件
Tomcat 安全性注意事項
Tomcat Windows 服務(wù)
Tomcat Windows 認(rèn)證
Tomcat 的 JDBC 連接池
Tomcat WebSocket 支持
Tomcat 重寫機(jī)制

tomcat安全管理

背景知識

Java 的 SecurityManager 能讓 Web 瀏覽器在它自身的沙盒中運行小型應(yīng)用(applet),從而具有防止不可信代碼訪問本地文件系統(tǒng)的文件以及防止其連接到主機(jī),而不是加載該應(yīng)用的位置,等等。如同 SecurityManager 能防止不可信的小型應(yīng)用在你的瀏覽器上運行,運行 Tomcat 時,使用 SecurityManager 也能保護(hù)服務(wù)器,使其免受木馬型的 applet、JSP、JSP Bean 以及標(biāo)簽庫的侵害,甚至也可以防止由于無意中的疏忽所造成的問題。

假設(shè)網(wǎng)站有一位經(jīng)授權(quán)可發(fā)布 JSP 的用戶,他在無意中將下面這些代碼加入了 JSP 中:

<% System.exit(1); %>

每當(dāng) Tomcat 執(zhí)行這個 JSP 文件時,Tomcat 都會退出。Java 的 SecurityManager 構(gòu)成了系統(tǒng)管理員保證服務(wù)器安全可靠的另一道防線。

警告:使用 Tomcat 代碼庫時會執(zhí)行一個安全審核。大多數(shù)關(guān)鍵包已受到保護(hù),新的安全包保護(hù)機(jī)制已經(jīng)實施。然而,在允許不可信用戶發(fā)布 Web 應(yīng)用、JSP、servlet、bean 或標(biāo)簽庫之前,你仍要反復(fù)確定自己配置的 SecurityManager 是否滿足了要求。但不管怎么說,利用 SecurityManager 來運行 Tomcat 肯定比沒有它好得多

權(quán)限

權(quán)限類用于定義 Tomcat 加載的類所具有的權(quán)限。標(biāo)準(zhǔn) JDK 中包含了很多標(biāo)準(zhǔn)權(quán)限類,你還可以針對自己的 Web 應(yīng)用自定義權(quán)限類。Tomcat 支持這兩種技術(shù)。

標(biāo)準(zhǔn)權(quán)限

關(guān)于適用于 Tomcat 的標(biāo)準(zhǔn)系統(tǒng) SecurityManager 權(quán)限類,以下僅是一個簡短的總結(jié)。詳情請查看http://docs.oracle.com/javase/7/docs/technotes/guides/security/。

  • java.util.PropertyPermission——控制對 JVM 屬性的讀/寫,比如說 java.home。
  • java.lang.RuntimePermission——控制一些系統(tǒng)/運行時函數(shù)的使用,比如 exit() 和 exec() 另外也控制包的訪問/定義。
  • java.io.FilePermission——控制對文件和目錄的讀/寫/執(zhí)行。
  • java.net.SocketPermission——控制網(wǎng)絡(luò)套接字的使用。
  • java.net.NetPermission——控制組播網(wǎng)絡(luò)連接的使用。
  • java.lang.reflect.ReflectPermission——控制類反射的使用。
  • java.security.SecurityPermission——控制對 Security 方法的訪問。
  • java.security.AllPermission——允許訪問任何權(quán)限,仿佛沒有 SecurityManager。

Tomcat 自定義權(quán)限

Tomcat 使用了一個自定義權(quán)限類 org.apache.naming.JndiPermission。該權(quán)限能夠控制對 JNDI 命名的基于文件的資源的可讀訪問。權(quán)限名就是 JNDI 名,無任何行為。后面的 * 可以用來在授權(quán)時進(jìn)行模糊匹配。比如,可以在策略文件中加入以下內(nèi)容:

permission org.apache.naming.JndiPermission "jndi://localhost/examples/*";

從而為每個部署的 Web 應(yīng)用動態(tài)生成這樣的權(quán)限項,允許它們讀取自己的靜態(tài)資源,而不允許讀取其他的文件(除非顯式地賦予這些文件權(quán)限)。

另外,Tomcat 還能動態(tài)生成下面這樣的文件權(quán)限。

permission java.io.FilePermission "** your application context**", "read";
permission java.io.FilePermission
  "** application working directory**", "read,write";permission java.io.FilePermission
  "** application working directory**/-", "read,write,delete";

*application working directory 是部署應(yīng)用所用的文件夾或 WAR 文件。 application working directory 是應(yīng) Servlet 規(guī)范需要而提供給應(yīng)用的暫時性目錄。

利用 SecurityManager 配置 Tomcat

策略文件格式

Java SecurityManager 所實現(xiàn)的安全策略配置在 $CATALINA_BASE/conf/catalina.policy 文件中。該文件完全替代了 JDK 系統(tǒng)目錄中提供的 java.policy 文件。既可以手動編輯 catalina.policy 文件,也可以使用Java 1.2 或以后版本附帶的 policytool 應(yīng)用。

catalina.policy 文件中的項使用標(biāo)準(zhǔn)的 java.policy 文件格式,如下所示:

// 策略文件項范例  

grant [signedBy ,] [codeBase ] {
  permission    [ [, ]];
};

signedBy 和 codeBase 兩項在授予權(quán)限時是可選項。注釋行以 // 開始,在當(dāng)前行結(jié)束。codeBase 以 URL 的形式。對于文件 URL,可以使用 ${java.home} 與 ${catalina.home}屬性(這些屬性代表的是使用 JAVA_HOME、CATALINA_HOME 和 CATALINA_BASE 環(huán)境變量為這些屬性定義的目錄路徑)。

默認(rèn)策略文件

默認(rèn)的 $CATALINA_BASE/conf/catalina.policy 文件如下所示:


// Licensed to the Apache Software Foundation (ASF) under one or more// contributor license agreements.  See the NOTICE file distributed with// this work for additional information regarding copyright ownership.// The ASF licenses this file to You under the Apache License, Version 2.0// (the "License"); you may not use this file except in compliance with// the License.  You may obtain a copy of the License at////     http://www.apache.org/licenses/LICENSE-2.0//// Unless required by applicable law or agreed to in writing, software// distributed under the License is distributed on an "AS IS" BASIS,// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.// See the License for the specific language governing permissions and// limitations under the License.
// ============================================================================// catalina.policy - Security Policy Permissions for Tomcat//// This file contains a default set of security policies to be enforced (by the// JVM) when Catalina is executed with the "-security" option.  In addition// to the permissions granted here, the following additional permissions are// granted to each web application://// * Read access to the web application's document root directory// * Read, write and delete access to the web application's working directory// ============================================================================
// ========== SYSTEM CODE PERMISSIONS =========================================
// These permissions apply to javac
grant codeBase "file:${java.home}/lib/-" {
        permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/-" {
        permission java.security.AllPermission;
};
// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/../lib/-" {
        permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions when// ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/lib/ext/-" {
        permission java.security.AllPermission;
};
// ========== CATALINA CODE PERMISSIONS =======================================
// These permissions apply to the daemon code
grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
        permission java.security.AllPermission;
};
// These permissions apply to the logging API// Note: If tomcat-juli.jar is in ${catalina.base} and not in ${catalina.home},// update this section accordingly.//  grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {..}
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
        permission java.io.FilePermission
         "${java.home}${file.separator}lib${file.separator}logging.properties", "read";

        permission java.io.FilePermission
         "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
        permission java.io.FilePermission
         "${catalina.base}${file.separator}logs", "read, write";
        permission java.io.FilePermission
         "${catalina.base}${file.separator}logs${file.separator}*", "read, write";

        permission java.lang.RuntimePermission "shutdownHooks";
        permission java.lang.RuntimePermission "getClassLoader";
        permission java.lang.RuntimePermission "setContextClassLoader";

        permission java.lang.management.ManagementPermission "monitor";

        permission java.util.logging.LoggingPermission "control";

        permission java.util.PropertyPermission "java.util.logging.config.class", "read";
        permission java.util.PropertyPermission "java.util.logging.config.file", "read";
        permission java.util.PropertyPermission "org.apache.juli.AsyncLoggerPollInterval", "read";
        permission java.util.PropertyPermission "org.apache.juli.AsyncMaxRecordCount", "read";
        permission java.util.PropertyPermission "org.apache.juli.AsyncOverflowDropType", "read";
        permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read";
        permission java.util.PropertyPermission "catalina.base", "read";

        // Note: To enable per context logging configuration, permit read access to
        // the appropriate file. Be sure that the logging configuration is
        // secure before enabling such access.
        // E.g. for the examples web application (uncomment and unwrap
        // the following to be on a single line):
        // permission java.io.FilePermission "${catalina.base}${file.separator}
        //  webapps${file.separator}examples${file.separator}WEB-INF
        //  ${file.separator}classes${file.separator}logging.properties", "read";
};
// These permissions apply to the server startup code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
        permission java.security.AllPermission;
};
// These permissions apply to the servlet API classes// and those that are shared across all class loaders// located in the "lib" directory
grant codeBase "file:${catalina.home}/lib/-" {
        permission java.security.AllPermission;
};
// If using a per instance lib directory, i.e. ${catalina.base}/lib,// then the following permission will need to be uncommented// grant codeBase "file:${catalina.base}/lib/-" {//         permission java.security.AllPermission;// };
// ========== WEB APPLICATION PERMISSIONS =====================================
// These permissions are granted by default to all web applications// In addition, a web application will be given a read FilePermission// for all files and directories in its document root.
grant {
    // Required for JNDI lookup of named JDBC DataSource's and
    // javamail named MimePart DataSource used to send mail
    permission java.util.PropertyPermission "java.home", "read";
    permission java.util.PropertyPermission "java.naming.*", "read";
    permission java.util.PropertyPermission "javax.sql.*", "read";

    // OS Specific properties to allow read access
    permission java.util.PropertyPermission "os.name", "read";
    permission java.util.PropertyPermission "os.version", "read";
    permission java.util.PropertyPermission "os.arch", "read";
    permission java.util.PropertyPermission "file.separator", "read";
    permission java.util.PropertyPermission "path.separator", "read";
    permission java.util.PropertyPermission "line.separator", "read";

    // JVM properties to allow read access
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "java.vendor", "read";
    permission java.util.PropertyPermission "java.vendor.url", "read";
    permission java.util.PropertyPermission "java.class.version", "read";
    permission java.util.PropertyPermission "java.specification.version", "read";
    permission java.util.PropertyPermission "java.specification.vendor", "read";
    permission java.util.PropertyPermission "java.specification.name", "read";

    permission java.util.PropertyPermission "java.vm.specification.version", "read";
    permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
    permission java.util.PropertyPermission "java.vm.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.version", "read";
    permission java.util.PropertyPermission "java.vm.vendor", "read";
    permission java.util.PropertyPermission "java.vm.name", "read";

    // Required for OpenJMX
    permission java.lang.RuntimePermission "getAttribute";

    // Allow read of JAXP compliant XML parser debug
    permission java.util.PropertyPermission "jaxp.debug", "read";

    // All JSPs need to be able to read this package
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat";

    // Precompiled JSPs need access to these packages.
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
    permission java.lang.RuntimePermission
     "accessClassInPackage.org.apache.jasper.runtime.*";

    // Precompiled JSPs need access to these system properties.
    permission java.util.PropertyPermission
     "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
    permission java.util.PropertyPermission
     "org.apache.el.parser.COERCE_TO_ZERO", "read";

    // The cookie code needs these.
    permission java.util.PropertyPermission
     "org.apache.catalina.STRICT_SERVLET_COMPLIANCE", "read";
    permission java.util.PropertyPermission
     "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING", "read";
    permission java.util.PropertyPermission
     "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR", "read";

    // Applications using Comet need to be able to access this package
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.comet";

    // Applications using WebSocket need to be able to access these packages
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket.server";
};
// The Manager application needs access to the following packages to support the// session display functionality. These settings support the following// configurations:// - default CATALINA_HOME == CATALINA_BASE// - CATALINA_HOME != CATALINA_BASE, per instance Manager in CATALINA_BASE// - CATALINA_HOME != CATALINA_BASE, shared Manager in CATALINA_HOME
grant codeBase "file:${catalina.base}/webapps/manager/-" {
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
};
grant codeBase "file:${catalina.home}/webapps/manager/-" {
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
};
// You can assign additional permissions to particular web applications by// adding additional "grant" entries here, based on the code base for that// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.//// Different permissions can be granted to JSP pages, classes loaded from// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/// directory, or even to individual jar files in the /WEB-INF/lib/ directory.//// For instance, assume that the standard "examples" application// included a JDBC driver that needed to establish a network connection to the// corresponding database and used the scrape taglib to get the weather from// the NOAA web server.  You might create a "grant" entries like this://// The permissions granted to the context root directory apply to JSP pages.// grant codeBase "file:${catalina.base}/webapps/examples/-" {//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";// };//// The permissions granted to the context WEB-INF/classes directory// grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" {// };//// The permission granted to your JDBC driver// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" {//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";// };// The permission granted to the scrape taglib// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";// };

使用 SecurityManager 啟動 Tomcat

一旦配置好了用于 SecurityManager 的 catalina.policy 文件,就可以使用 -security 選項啟動帶有 SecurityManager 的 Tomcat。 $CATALINA_HOME/bin/catalina.sh start -security (Unix) %CATALINA_HOME%\bin\catalina start -security (Windows)

配置 Tomcat 中的包保護(hù)

Tomcat 5 開始,可以通過配置保護(hù) Tomcat 內(nèi)部包,使其免于被定義與訪問。詳情查看 http://www.oracle.com/technetwork/java/seccodeguide-139067.html。

警告:假如去除默認(rèn)的包保護(hù),可能會造成安全漏洞。

默認(rèn)屬性文件

默認(rèn)的 $CATALINA_BASE/conf/catalina.properties 文件如下所示:

## List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when# passed to checkPackageAccess unless the
# corresponding RuntimePermission ("accessClassInPackage."+package) has
# been granted.package.access=sun.,org.apache.catalina.,org.apache.coyote.,
org.apache.tomcat.,org.apache.jasper.#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageDefinition unless the
# corresponding RuntimePermission ("defineClassInPackage."+package) has
# been granted.## by default, no packages are restricted for definition, and none of
# the class loaders supplied with the JDK call checkPackageDefinition.
#package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,
org.apache.tomcat.,org.apache.jasper.

一旦為 SecurityManager 配置了 catalina.properties 文件 ,記得重啟 Tomcat。

疑難解答

假如應(yīng)用執(zhí)行一個由于缺乏所需權(quán)限而被禁止的操作,當(dāng) SecurityManager 偵測到這種違規(guī)時,就會拋出 AccessControLException 或 SecurityException 異常。雖然調(diào)試缺失的權(quán)限是很有難度的,但還是有一個辦法,那就是將在執(zhí)行中制定的所有安全決策的調(diào)試輸出打開,這需要在啟動 Tomcat 之前設(shè)置一個系統(tǒng)屬性。最簡單的方法就是通過 CATALINA_OPTS 環(huán)境變量來實現(xiàn),命令如下所示:

export CATALINA_OPTS=-Djava.security.debug=all (Unix) set CATALINA_OPTS=-Djava.security.debug=all (Windows)

記住,一定要在啟動 Tomcat 之前去做。

警告:這將生成很多兆的輸出內(nèi)容!但是,它能通過搜索關(guān)鍵字 FAILED 來鎖定問題所在位置,確定需要檢查的權(quán)限。此外,查閱 Java 安全文檔可了解更多的可設(shè)置選項。

全部教程
主站蜘蛛池模板: 四虎影院在线网址 | 国产日韩欧美精品在线 | 99久久国产 | 大学生一级黄色片 | 国产精品_国产精品_国产精品 | 久久久精品麻豆 | 欧美亚洲精品一区 | 国产波波社区精品视频 | 欧美精品福利视频 | 亚洲欧美另类在线 | 精品热久国产福利视频 | 亚洲人jizz| 精品国产你懂的在线观看 | 2021天天干| 免费亚洲成人 | 欧美一级全部免费视频 | 韩国日本一级毛片免费视频 | 九九影视理伦片 | 九九热在线精品 | 欧美成人免费全网站大片 | 久久色亚洲| 91在线永久 | 国产精品久久久久三级 | 四虎影视成人精品 | 免费国产一级特黄aa大片在线 | 久操社区 | 99热视屏| 美女在线看永久免费网址 | 国产精品视频九九九 | 久久久久久久久久免观看 | jizzjizz成熟丰满老妇 | 91精品欧美成人 | 国产亚洲精品久久yy5099 | 四虎官方影库 | 亚欧乱色精品免费观看 | 欧美日韩中文亚洲v在线综合 | 污影院 | 亚洲综合色dddd26 | 国产人成久久久精品 | 欧美日韩中文字幕在线手机版本 | cao美女视频网站在线观看 |