大战熟女丰满人妻av-荡女精品导航-岛国aaaa级午夜福利片-岛国av动作片在线观看-岛国av无码免费无禁网站-岛国大片激情做爰视频

Tomca教程
Tomcat Manager
Tomcat Realm 配置
Tomcat 安全管理
Tomcat JNDI 資源
Tomcat JDBC 數(shù)據(jù)源
Tomcat 類加載機(jī)制
Tomcat JSPs
Tomcat SSL/TLS配置
Tomcat SSI
Tomcat CGI
Tomcat 代理支持
Tomcat MBean 描述符
Tomcat 默認(rèn) Servlet
Tomcat 集群
Tomcat 連接器
Tomcat監(jiān)控與管理
Tomcat 日志機(jī)制
Tomcat 基于 APR 的原生庫
Tomcat 虛擬主機(jī)
Tomcat 高級(jí) IO 機(jī)制
Tomcat 附加組件
Tomcat 安全性注意事項(xiàng)
Tomcat Windows 服務(wù)
Tomcat Windows 認(rèn)證
Tomcat 的 JDBC 連接池
Tomcat WebSocket 支持
Tomcat 重寫機(jī)制

tomcat安全管理

背景知識(shí)

Java 的 SecurityManager 能讓 Web 瀏覽器在它自身的沙盒中運(yùn)行小型應(yīng)用(applet),從而具有防止不可信代碼訪問本地文件系統(tǒng)的文件以及防止其連接到主機(jī),而不是加載該應(yīng)用的位置,等等。如同 SecurityManager 能防止不可信的小型應(yīng)用在你的瀏覽器上運(yùn)行,運(yùn)行 Tomcat 時(shí),使用 SecurityManager 也能保護(hù)服務(wù)器,使其免受木馬型的 applet、JSP、JSP Bean 以及標(biāo)簽庫的侵害,甚至也可以防止由于無意中的疏忽所造成的問題。

假設(shè)網(wǎng)站有一位經(jīng)授權(quán)可發(fā)布 JSP 的用戶,他在無意中將下面這些代碼加入了 JSP 中:

<% System.exit(1); %>

每當(dāng) Tomcat 執(zhí)行這個(gè) JSP 文件時(shí),Tomcat 都會(huì)退出。Java 的 SecurityManager 構(gòu)成了系統(tǒng)管理員保證服務(wù)器安全可靠的另一道防線。

警告:使用 Tomcat 代碼庫時(shí)會(huì)執(zhí)行一個(gè)安全審核。大多數(shù)關(guān)鍵包已受到保護(hù),新的安全包保護(hù)機(jī)制已經(jīng)實(shí)施。然而,在允許不可信用戶發(fā)布 Web 應(yīng)用、JSP、servlet、bean 或標(biāo)簽庫之前,你仍要反復(fù)確定自己配置的 SecurityManager 是否滿足了要求但不管怎么說,利用 SecurityManager 來運(yùn)行 Tomcat 肯定比沒有它好得多

權(quán)限

權(quán)限類用于定義 Tomcat 加載的類所具有的權(quán)限。標(biāo)準(zhǔn) JDK 中包含了很多標(biāo)準(zhǔn)權(quán)限類,你還可以針對(duì)自己的 Web 應(yīng)用自定義權(quán)限類。Tomcat 支持這兩種技術(shù)。

標(biāo)準(zhǔn)權(quán)限

關(guān)于適用于 Tomcat 的標(biāo)準(zhǔn)系統(tǒng) SecurityManager 權(quán)限類,以下僅是一個(gè)簡(jiǎn)短的總結(jié)。詳情請(qǐng)查看http://docs.oracle.com/javase/7/docs/technotes/guides/security/

  • java.util.PropertyPermission——控制對(duì) JVM 屬性的讀/寫,比如說 java.home
  • java.lang.RuntimePermission——控制一些系統(tǒng)/運(yùn)行時(shí)函數(shù)的使用,比如 exit() 和 exec() 另外也控制包的訪問/定義。
  • java.io.FilePermission——控制對(duì)文件和目錄的讀/寫/執(zhí)行。
  • java.net.SocketPermission——控制網(wǎng)絡(luò)套接字的使用。
  • java.net.NetPermission——控制組播網(wǎng)絡(luò)連接的使用。
  • java.lang.reflect.ReflectPermission——控制類反射的使用。
  • java.security.SecurityPermission——控制對(duì) Security 方法的訪問。
  • java.security.AllPermission——允許訪問任何權(quán)限,仿佛沒有 SecurityManager。

Tomcat 自定義權(quán)限

Tomcat 使用了一個(gè)自定義權(quán)限類 org.apache.naming.JndiPermission。該權(quán)限能夠控制對(duì) JNDI 命名的基于文件的資源的可讀訪問。權(quán)限名就是 JNDI 名,無任何行為。后面的 * 可以用來在授權(quán)時(shí)進(jìn)行模糊匹配。比如,可以在策略文件中加入以下內(nèi)容:

permission org.apache.naming.JndiPermission "jndi://localhost/examples/*";

從而為每個(gè)部署的 Web 應(yīng)用動(dòng)態(tài)生成這樣的權(quán)限項(xiàng),允許它們讀取自己的靜態(tài)資源,而不允許讀取其他的文件(除非顯式地賦予這些文件權(quán)限)。

另外,Tomcat 還能動(dòng)態(tài)生成下面這樣的文件權(quán)限。

permission java.io.FilePermission "** your application context**", "read";
permission java.io.FilePermission
  "** application working directory**", "read,write";permission java.io.FilePermission
  "** application working directory**/-", "read,write,delete";

*application working directory 是部署應(yīng)用所用的文件夾或 WAR 文件。 application working directory 是應(yīng) Servlet 規(guī)范需要而提供給應(yīng)用的暫時(shí)性目錄。

利用 SecurityManager 配置 Tomcat

策略文件格式

Java SecurityManager 所實(shí)現(xiàn)的安全策略配置在 $CATALINA_BASE/conf/catalina.policy 文件中。該文件完全替代了 JDK 系統(tǒng)目錄中提供的 java.policy 文件。既可以手動(dòng)編輯 catalina.policy 文件,也可以使用Java 1.2 或以后版本附帶的 policytool 應(yīng)用。

catalina.policy 文件中的項(xiàng)使用標(biāo)準(zhǔn)的 java.policy 文件格式,如下所示:

// 策略文件項(xiàng)范例  

grant [signedBy ,] [codeBase ] {
  permission    [ [, ]];
};

signedBy 和 codeBase 兩項(xiàng)在授予權(quán)限時(shí)是可選項(xiàng)。注釋行以 // 開始,在當(dāng)前行結(jié)束。codeBase 以 URL 的形式。對(duì)于文件 URL,可以使用 ${java.home} 與 ${catalina.home}屬性(這些屬性代表的是使用 JAVA_HOMECATALINA_HOME 和 CATALINA_BASE 環(huán)境變量為這些屬性定義的目錄路徑)。

默認(rèn)策略文件

默認(rèn)的 $CATALINA_BASE/conf/catalina.policy 文件如下所示:


// Licensed to the Apache Software Foundation (ASF) under one or more// contributor license agreements.  See the NOTICE file distributed with// this work for additional information regarding copyright ownership.// The ASF licenses this file to You under the Apache License, Version 2.0// (the "License"); you may not use this file except in compliance with// the License.  You may obtain a copy of the License at////     http://www.apache.org/licenses/LICENSE-2.0//// Unless required by applicable law or agreed to in writing, software// distributed under the License is distributed on an "AS IS" BASIS,// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.// See the License for the specific language governing permissions and// limitations under the License.
// ============================================================================// catalina.policy - Security Policy Permissions for Tomcat//// This file contains a default set of security policies to be enforced (by the// JVM) when Catalina is executed with the "-security" option.  In addition// to the permissions granted here, the following additional permissions are// granted to each web application://// * Read access to the web application's document root directory// * Read, write and delete access to the web application's working directory// ============================================================================
// ========== SYSTEM CODE PERMISSIONS =========================================
// These permissions apply to javac
grant codeBase "file:${java.home}/lib/-" {
        permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/-" {
        permission java.security.AllPermission;
};
// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/../lib/-" {
        permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions when// ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/lib/ext/-" {
        permission java.security.AllPermission;
};
// ========== CATALINA CODE PERMISSIONS =======================================
// These permissions apply to the daemon code
grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
        permission java.security.AllPermission;
};
// These permissions apply to the logging API// Note: If tomcat-juli.jar is in ${catalina.base} and not in ${catalina.home},// update this section accordingly.//  grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {..}
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
        permission java.io.FilePermission
         "${java.home}${file.separator}lib${file.separator}logging.properties", "read";

        permission java.io.FilePermission
         "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
        permission java.io.FilePermission
         "${catalina.base}${file.separator}logs", "read, write";
        permission java.io.FilePermission
         "${catalina.base}${file.separator}logs${file.separator}*", "read, write";

        permission java.lang.RuntimePermission "shutdownHooks";
        permission java.lang.RuntimePermission "getClassLoader";
        permission java.lang.RuntimePermission "setContextClassLoader";

        permission java.lang.management.ManagementPermission "monitor";

        permission java.util.logging.LoggingPermission "control";

        permission java.util.PropertyPermission "java.util.logging.config.class", "read";
        permission java.util.PropertyPermission "java.util.logging.config.file", "read";
        permission java.util.PropertyPermission "org.apache.juli.AsyncLoggerPollInterval", "read";
        permission java.util.PropertyPermission "org.apache.juli.AsyncMaxRecordCount", "read";
        permission java.util.PropertyPermission "org.apache.juli.AsyncOverflowDropType", "read";
        permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read";
        permission java.util.PropertyPermission "catalina.base", "read";

        // Note: To enable per context logging configuration, permit read access to
        // the appropriate file. Be sure that the logging configuration is
        // secure before enabling such access.
        // E.g. for the examples web application (uncomment and unwrap
        // the following to be on a single line):
        // permission java.io.FilePermission "${catalina.base}${file.separator}
        //  webapps${file.separator}examples${file.separator}WEB-INF
        //  ${file.separator}classes${file.separator}logging.properties", "read";
};
// These permissions apply to the server startup code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
        permission java.security.AllPermission;
};
// These permissions apply to the servlet API classes// and those that are shared across all class loaders// located in the "lib" directory
grant codeBase "file:${catalina.home}/lib/-" {
        permission java.security.AllPermission;
};
// If using a per instance lib directory, i.e. ${catalina.base}/lib,// then the following permission will need to be uncommented// grant codeBase "file:${catalina.base}/lib/-" {//         permission java.security.AllPermission;// };
// ========== WEB APPLICATION PERMISSIONS =====================================
// These permissions are granted by default to all web applications// In addition, a web application will be given a read FilePermission// for all files and directories in its document root.
grant {
    // Required for JNDI lookup of named JDBC DataSource's and
    // javamail named MimePart DataSource used to send mail
    permission java.util.PropertyPermission "java.home", "read";
    permission java.util.PropertyPermission "java.naming.*", "read";
    permission java.util.PropertyPermission "javax.sql.*", "read";

    // OS Specific properties to allow read access
    permission java.util.PropertyPermission "os.name", "read";
    permission java.util.PropertyPermission "os.version", "read";
    permission java.util.PropertyPermission "os.arch", "read";
    permission java.util.PropertyPermission "file.separator", "read";
    permission java.util.PropertyPermission "path.separator", "read";
    permission java.util.PropertyPermission "line.separator", "read";

    // JVM properties to allow read access
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "java.vendor", "read";
    permission java.util.PropertyPermission "java.vendor.url", "read";
    permission java.util.PropertyPermission "java.class.version", "read";
    permission java.util.PropertyPermission "java.specification.version", "read";
    permission java.util.PropertyPermission "java.specification.vendor", "read";
    permission java.util.PropertyPermission "java.specification.name", "read";

    permission java.util.PropertyPermission "java.vm.specification.version", "read";
    permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
    permission java.util.PropertyPermission "java.vm.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.version", "read";
    permission java.util.PropertyPermission "java.vm.vendor", "read";
    permission java.util.PropertyPermission "java.vm.name", "read";

    // Required for OpenJMX
    permission java.lang.RuntimePermission "getAttribute";

    // Allow read of JAXP compliant XML parser debug
    permission java.util.PropertyPermission "jaxp.debug", "read";

    // All JSPs need to be able to read this package
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat";

    // Precompiled JSPs need access to these packages.
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
    permission java.lang.RuntimePermission
     "accessClassInPackage.org.apache.jasper.runtime.*";

    // Precompiled JSPs need access to these system properties.
    permission java.util.PropertyPermission
     "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
    permission java.util.PropertyPermission
     "org.apache.el.parser.COERCE_TO_ZERO", "read";

    // The cookie code needs these.
    permission java.util.PropertyPermission
     "org.apache.catalina.STRICT_SERVLET_COMPLIANCE", "read";
    permission java.util.PropertyPermission
     "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING", "read";
    permission java.util.PropertyPermission
     "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR", "read";

    // Applications using Comet need to be able to access this package
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.comet";

    // Applications using WebSocket need to be able to access these packages
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket.server";
};
// The Manager application needs access to the following packages to support the// session display functionality. These settings support the following// configurations:// - default CATALINA_HOME == CATALINA_BASE// - CATALINA_HOME != CATALINA_BASE, per instance Manager in CATALINA_BASE// - CATALINA_HOME != CATALINA_BASE, shared Manager in CATALINA_HOME
grant codeBase "file:${catalina.base}/webapps/manager/-" {
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
};
grant codeBase "file:${catalina.home}/webapps/manager/-" {
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
};
// You can assign additional permissions to particular web applications by// adding additional "grant" entries here, based on the code base for that// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.//// Different permissions can be granted to JSP pages, classes loaded from// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/// directory, or even to individual jar files in the /WEB-INF/lib/ directory.//// For instance, assume that the standard "examples" application// included a JDBC driver that needed to establish a network connection to the// corresponding database and used the scrape taglib to get the weather from// the NOAA web server.  You might create a "grant" entries like this://// The permissions granted to the context root directory apply to JSP pages.// grant codeBase "file:${catalina.base}/webapps/examples/-" {//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";// };//// The permissions granted to the context WEB-INF/classes directory// grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" {// };//// The permission granted to your JDBC driver// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" {//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";// };// The permission granted to the scrape taglib// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";// };

使用 SecurityManager 啟動(dòng) Tomcat

一旦配置好了用于 SecurityManager 的 catalina.policy 文件,就可以使用 -security 選項(xiàng)啟動(dòng)帶有 SecurityManager 的 Tomcat。 $CATALINA_HOME/bin/catalina.sh start -security (Unix) %CATALINA_HOME%\bin\catalina start -security (Windows)

配置 Tomcat 中的包保護(hù)

Tomcat 5 開始,可以通過配置保護(hù) Tomcat 內(nèi)部包,使其免于被定義與訪問。詳情查看 http://www.oracle.com/technetwork/java/seccodeguide-139067.html

警告:假如去除默認(rèn)的包保護(hù),可能會(huì)造成安全漏洞。

默認(rèn)屬性文件

默認(rèn)的 $CATALINA_BASE/conf/catalina.properties 文件如下所示:

## List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when# passed to checkPackageAccess unless the
# corresponding RuntimePermission ("accessClassInPackage."+package) has
# been granted.package.access=sun.,org.apache.catalina.,org.apache.coyote.,
org.apache.tomcat.,org.apache.jasper.#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageDefinition unless the
# corresponding RuntimePermission ("defineClassInPackage."+package) has
# been granted.## by default, no packages are restricted for definition, and none of
# the class loaders supplied with the JDK call checkPackageDefinition.
#package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,
org.apache.tomcat.,org.apache.jasper.

一旦為 SecurityManager 配置了 catalina.properties 文件 ,記得重啟 Tomcat。

疑難解答

假如應(yīng)用執(zhí)行一個(gè)由于缺乏所需權(quán)限而被禁止的操作,當(dāng) SecurityManager 偵測(cè)到這種違規(guī)時(shí),就會(huì)拋出 AccessControLException 或 SecurityException 異常。雖然調(diào)試缺失的權(quán)限是很有難度的,但還是有一個(gè)辦法,那就是將在執(zhí)行中制定的所有安全決策的調(diào)試輸出打開,這需要在啟動(dòng) Tomcat 之前設(shè)置一個(gè)系統(tǒng)屬性。最簡(jiǎn)單的方法就是通過 CATALINA_OPTS 環(huán)境變量來實(shí)現(xiàn),命令如下所示:

export CATALINA_OPTS=-Djava.security.debug=all (Unix) set CATALINA_OPTS=-Djava.security.debug=all (Windows)

記住,一定要在啟動(dòng) Tomcat 之前去做。

警告:這將生成很多兆的輸出內(nèi)容!但是,它能通過搜索關(guān)鍵字 FAILED 來鎖定問題所在位置,確定需要檢查的權(quán)限。此外,查閱 Java 安全文檔可了解更多的可設(shè)置選項(xiàng)。

全部教程
主站蜘蛛池模板: 日本天天操 | 天天干天天舔 | 日韩一级在线视频 | 久久lu| 日韩另类视频 | 久久草在线视频国产一 | 国产精品小视频在线观看 | 亚洲精品日韩中文字幕久久久 | 国产99在线播放免费 | 成人a网站 | 成人看片黄a毛片 | 五月天婷婷网站 | 99久久国产综合精品女小说 | 久久99精品久久久久久久野外 | 一区二区三区视频网站 | 国产一区二区三区欧美精品 | 青草香蕉精品视频在线观看 | 久久精品一区二区免费看 | 九九99线视频在线观看 | 欧美视频第一区 | 中国一级特黄特级毛片 | 亚洲一区二区三区不卡在线播放 | 精品无码久久久久久久动漫 | 国产欧美一区二区精品性色99 | 天天躁夜夜躁狂狂躁综合 | 成人精品区 | 羞羞视频在线看 | 亚洲一区二区三区在线视频 | 欧美人与鲁交大毛片免费 | 亚洲国产成人久久99精品 | 免费国产一级特黄aa大片在线 | 亚洲另类 专区 欧美 制服 | 国产亚洲视频在线观看 | 波多野结衣精品中文字幕 | www亚洲欲色成人久久精品 | 九九热免费在线视频 | 国产一区二区三区免费在线观看 | 98精品国产综合久久 | 欧美极品妇xxxxxbbbbb | 色片免费 | 欧美男女视频 |