Running JForum with Security Policy

Ranch Hand

Posts: 17424

posted 19 years ago

Number of slices to send:

Optional 'thank-you' note:

Send

I am running JForum on Tomcat with the security manager. It took a while for me to get the security policy created. I basically ran with security debugging on and granted permissions when I saw access errors. I did this until it ran without errors. I have been running a couple of days without access errors so this is pretty close to everything you need. The security is relatively fine grained but in general I gave permissions to all classes and libraries within the application directory to work within the application directory at the access level they needed. I could have given the permissions to specific classes but this would have taken even longer and been more complicated to manage. I think this provides a reasonable security policy. Let me know if you have any suggestions for improvement. I am posting here as a starting point for others.

// permissions for gtdogpark jforum
// allows creating subdirectory for logging and writing logs
grant codeBase "file:${catalina.home}/webapps/gtdogpark.forum/-" {
   permission java.io.FilePermission "${catalina.home}/logs", "read,write";
   permission java.io.FilePermission "${catalina.home}/logs/jforum/*", "read,write,delete";
};

grant codeBase "file:${catalina.home}/webapps/gtdogpark.forum/-" {
   permission java.net.SocketPermission "localhost:1024", "listen,resolve";
   permission java.net.SocketPermission "localhost:1024-", "listen,resolve";
   permission org.apache.naming.JndiPermission "jndi://localhost/gtdogpark.forum/*";
   permission java.io.FilePermission "${catalina.home}/webapps/gtdogpark.forum", "read";
   permission java.util.PropertyPermission "*","read";
};

// todo use ${java.home}? variable for jre permissions
grant codeBase "file:${catalina.home}/webapps/gtdogpark.forum/WEB-INF/-" {
   permission java.lang.RuntimePermission "getClassLoader";
   permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
   permission java.lang.RuntimePermission "defineClassInPackage.java.util";
   permission java.lang.RuntimePermission "defineClassInPackage.org.apache.catalina.connector";
   permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.collections";
   permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.dbcp";
   permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.pool";
   permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.dbcp.pool.impl";
   permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.http";
   permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.connector";
   permission java.io.FilePermission "/usr/local/web-chroot/usr/java/jdk1.5.0_06/jre/lib/*", "read";
   permission java.io.FilePermission "${catalina.home}/common/lib/*", "read";
   permission java.io.FilePermission "${catalina.home}/webapps/gtdogpark.forum/WEB-INF/config/database/mysql/*", "read,write,delete";
   // this is for the file upload permission
   permission java.io.FilePermission "${catalina.home}/../jforum-upload/upload/-", "read,write,delete";
   permission java.io.FilePermission "${catalina.home}/webapps/gtdogpark.forum/tmp/-", "read,write,delete";
   permission java.io.FilePermission "${catalina.home}/webapps/gtdogpark.forum/WEB-INF/config/-", "read,write,delete";
   // this is for sending mail.  The user running tomcat home directory has mail capability file
   permission java.io.FilePermission "${catalina.home}/../../../home/webapp/.mailcap", "read";
   permission java.net.SocketPermission "localhost:3306", "connect,resolve";
   permission java.net.SocketPermission "www.jforum.net:80", "connect,resolve";
   permission java.net.SocketPermission "smtp.cox-internet.com:25", "connect,resolve";
};

[originally posted on jforum.net by parisila]