Tomcat Security Manager

Background

The Java SecurityManager is what lets a web browser run an applet in its own sandbox, so that untrusted code cannot read files on the local file system, cannot open connections to hosts other than the one the applet was loaded from, and so on. In the same way that the SecurityManager protects you from an untrusted applet running in your browser, running Tomcat with a SecurityManager protects the server from trojan applets, JSPs, JSP beans and tag libraries, and even from inadvertent mistakes.

Imagine that a user who is authorized to publish JSPs on the site inadvertently includes the following in a JSP:

<% System.exit(1); %>

Every time Tomcat executes this JSP file, Tomcat exits. The Java SecurityManager is one more line of defense a system administrator has for keeping the server secure and reliable.

Warning: A security audit should be conducted of the Tomcat code base. Most of the critical packages are protected, and the new security package protection mechanism has been implemented. Still, before allowing untrusted users to publish web applications, JSPs, servlets, beans or tag libraries, you must check carefully that the SecurityManager you have configured meets your requirements. Either way, running Tomcat with a SecurityManager is definitely better than running without one.
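To see what the SecurityManager actually does with the System.exit(1) case above, here is a stand-alone Java program added as an example; it is not Tomcat code and not part of the original page. It writes a minimal policy in the same syntax as catalina.policy, installs a SecurityManager against it, and then attempts an allowed property read, a read of a property the policy does not mention, a file open, and System.exit(1). The policy contents, the temporary policy file and the /etc/passwd path are constructed for the demo. Like Tomcat's dynamically generated grant on an application's working directory, the program grants itself delete on its own policy file so that it can clean up at exit. Run it on JDK 8 to 17 with java SandboxDemo; on JDK 18 and later the SecurityManager is deprecated for removal and can only be installed if the JVM was started with -Djava.security.manager=allow.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Added example (not Tomcat code): a minimal SecurityManager sandbox that
 * shows why "<% System.exit(1); %>" cannot take the JVM down under a policy
 * that does not grant RuntimePermission "exitVM".
 *
 *   JDK 8-17: java SandboxDemo
 *   JDK 18+:  java -Djava.security.manager=allow SandboxDemo
 */
public class SandboxDemo {

    public static void main(String[] args) throws IOException {
        // Constructed policy file in catalina.policy syntax. Written before the
        // manager is installed, because afterwards file writes would be denied.
        Path policy = Files.createTempFile("demo", ".policy");
        // Policy strings treat backslash as an escape, so double it on Windows.
        String policyPath = policy.toString().replace("\\", "\\\\");
        String text =
            "grant {\n" +
            "    permission java.util.PropertyPermission \"java.version\", \"read\";\n" +
            // Mirrors Tomcat's dynamic grant on the application working directory:
            // the sandboxed code may delete its own policy file and nothing else.
            "    permission java.io.FilePermission \"" + policyPath + "\", \"delete\";\n" +
            "};\n";
        Files.write(policy, text.getBytes(StandardCharsets.UTF_8));
        policy.toFile().deleteOnExit();

        // Point the JVM at the policy file, then switch the manager on. From here
        // on every sensitive operation goes through AccessController.checkPermission.
        System.setProperty("java.security.policy", policy.toUri().toString());
        System.setSecurityManager(new SecurityManager());

        attempt("read java.version", () -> System.getProperty("java.version"));
        attempt("read user.home", () -> System.getProperty("user.home"));
        attempt("open /etc/passwd", () -> {
            new FileInputStream("/etc/passwd").close();
            return "opened";
        });
        attempt("System.exit(1)", () -> {
            System.exit(1);
            return "exited";
        });

        System.out.println("still running: the JVM survived the exit attempt");
    }

    /** An operation that may be refused by the SecurityManager. */
    interface Action {
        String run() throws Exception;
    }

    private static void attempt(String label, Action action) {
        try {
            System.out.println("ALLOWED " + label + " -> " + action.run());
        } catch (SecurityException e) {
            // Same AccessControlException Tomcat reports when a web application
            // oversteps its grant in catalina.policy.
            System.out.println("DENIED  " + label + " -> " + e.getMessage());
        } catch (Exception e) {
            System.out.println("ERROR   " + label + " -> " + e);
        }
    }
}
```

Only the java.version read is granted; user.home, the file open and the exit are refused with an AccessControlException naming the missing permission, and the final line is printed because the exit never happened. Note that the policy is given with a single "=", so the JDK's own java.policy is loaded as well; a leading "==" in the property value would replace it entirely.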

Permissions

Permission classes define the permissions held by the classes that Tomcat loads. The standard JDK contains many standard permission classes, and you can also define custom permission classes for your own web application. Tomcat supports both techniques.

Standard permissions

The following is only a brief summary of the standard system SecurityManager permission classes that apply to Tomcat. For details, see http://docs.oracle.com/javase/7/docs/technotes/guides/security/

  • java.util.PropertyPermission: controls read/write access to JVM properties such as java.home.
  • java.lang.RuntimePermission: controls the use of some system/runtime functions such as exit() and exec(); also controls package access and definition.
  • java.io.FilePermission: controls read/write/execute access to files and directories.
  • java.net.SocketPermission: controls the use of network sockets.
  • java.net.NetPermission: controls the use of multicast network connections.
  • java.lang.reflect.ReflectPermission: controls the use of reflection on classes.
  • java.security.SecurityPermission: controls access to Security methods.
  • java.security.AllPermission: allows access to all permissions, as if there were no SecurityManager.

Tomcat custom permissions

Tomcat uses one custom permission class, org.apache.naming.JndiPermission. This permission controls read access to JNDI-named file-based resources. The permission name is the JNDI name, and there are no actions. A trailing * can be used for wildcard matching when granting the permission. For example, the following could be added to the policy file:

permission org.apache.naming.JndiPermission "jndi://localhost/examples/*";

An entry like this is generated dynamically for each deployed web application, allowing it to read its own static resources but not any other files (unless permission to those files is granted explicitly).

In addition, Tomcat dynamically generates the following file permissions.

permission java.io.FilePermission "** your application context**", "read";
permission java.io.FilePermission "** application working directory**", "read,write";
permission java.io.FilePermission "** application working directory**/-", "read,write,delete";

** your application context** is the directory (or WAR file) under which the application has been deployed. ** application working directory** is the temporary directory provided to the application as required by the Servlet specification.

Configuring Tomcat with a SecurityManager

Policy file format

The security policy implemented by the Java SecurityManager is configured in the $CATALINA_BASE/conf/catalina.policy file. This file completely replaces the java.policy file present in the JDK system directories. The catalina.policy file can be edited by hand, or you can use the policytool application that ships with Java 1.2 or later.

Entries in the catalina.policy file use the standard java.policy file format, as follows:

// Example policy file entry

grant [signedBy <signer>,] [codeBase <code source>] {
  permission <class> [<name> [, <action list>]];
};

The signedBy and codeBase entries are optional when granting permissions. Comment lines begin with // and end at the end of the current line. codeBase is in the form of a URL; for a file URL it can use the ${java.home} and ${catalina.home} properties (these expand to the directory paths defined for them by the JAVA_HOME, CATALINA_HOME and CATALINA_BASE environment variables).

Default policy file

The default $CATALINA_BASE/conf/catalina.policy file looks like this:


// Licensed to the Apache Software Foundation (ASF) under one or more
// contributor license agreements.  See the NOTICE file distributed with
// this work for additional information regarding copyright ownership.
// The ASF licenses this file to You under the Apache License, Version 2.0
// (the "License"); you may not use this file except in compliance with
// the License.  You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// ============================================================================
// catalina.policy - Security Policy Permissions for Tomcat
//
// This file contains a default set of security policies to be enforced (by the
// JVM) when Catalina is executed with the "-security" option.  In addition
// to the permissions granted here, the following additional permissions are
// granted to each web application:
//
// * Read access to the web application's document root directory
// * Read, write and delete access to the web application's working directory
// ============================================================================
// ========== SYSTEM CODE PERMISSIONS =========================================
// These permissions apply to javac
grant codeBase "file:${java.home}/lib/-" {
        permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/-" {
        permission java.security.AllPermission;
};
// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/../lib/-" {
        permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions when
// ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/lib/ext/-" {
        permission java.security.AllPermission;
};
// ========== CATALINA CODE PERMISSIONS =======================================
// These permissions apply to the daemon code
grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
        permission java.security.AllPermission;
};
// These permissions apply to the logging API
// Note: If tomcat-juli.jar is in ${catalina.base} and not in ${catalina.home},
// update this section accordingly.
//  grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {..}
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
        permission java.io.FilePermission
         "${java.home}${file.separator}lib${file.separator}logging.properties", "read";

        permission java.io.FilePermission
         "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
        permission java.io.FilePermission
         "${catalina.base}${file.separator}logs", "read, write";
        permission java.io.FilePermission
         "${catalina.base}${file.separator}logs${file.separator}*", "read, write";

        permission java.lang.RuntimePermission "shutdownHooks";
        permission java.lang.RuntimePermission "getClassLoader";
        permission java.lang.RuntimePermission "setContextClassLoader";

        permission java.lang.management.ManagementPermission "monitor";

        permission java.util.logging.LoggingPermission "control";

        permission java.util.PropertyPermission "java.util.logging.config.class", "read";
        permission java.util.PropertyPermission "java.util.logging.config.file", "read";
        permission java.util.PropertyPermission "org.apache.juli.AsyncLoggerPollInterval", "read";
        permission java.util.PropertyPermission "org.apache.juli.AsyncMaxRecordCount", "read";
        permission java.util.PropertyPermission "org.apache.juli.AsyncOverflowDropType", "read";
        permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read";
        permission java.util.PropertyPermission "catalina.base", "read";

        // Note: To enable per context logging configuration, permit read access to
        // the appropriate file. Be sure that the logging configuration is
        // secure before enabling such access.
        // E.g. for the examples web application (uncomment and unwrap
        // the following to be on a single line):
        // permission java.io.FilePermission "${catalina.base}${file.separator}
        //  webapps${file.separator}examples${file.separator}WEB-INF
        //  ${file.separator}classes${file.separator}logging.properties", "read";
};
// These permissions apply to the server startup code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
        permission java.security.AllPermission;
};
// These permissions apply to the servlet API classes
// and those that are shared across all class loaders
// located in the "lib" directory
grant codeBase "file:${catalina.home}/lib/-" {
        permission java.security.AllPermission;
};
// If using a per instance lib directory, i.e. ${catalina.base}/lib,
// then the following permission will need to be uncommented
// grant codeBase "file:${catalina.base}/lib/-" {
//         permission java.security.AllPermission;
// };
// ========== WEB APPLICATION PERMISSIONS =====================================
// These permissions are granted by default to all web applications
// In addition, a web application will be given a read FilePermission
// for all files and directories in its document root.
grant {
    // Required for JNDI lookup of named JDBC DataSource's and
    // javamail named MimePart DataSource used to send mail
    permission java.util.PropertyPermission "java.home", "read";
    permission java.util.PropertyPermission "java.naming.*", "read";
    permission java.util.PropertyPermission "javax.sql.*", "read";

    // OS Specific properties to allow read access
    permission java.util.PropertyPermission "os.name", "read";
    permission java.util.PropertyPermission "os.version", "read";
    permission java.util.PropertyPermission "os.arch", "read";
    permission java.util.PropertyPermission "file.separator", "read";
    permission java.util.PropertyPermission "path.separator", "read";
    permission java.util.PropertyPermission "line.separator", "read";

    // JVM properties to allow read access
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "java.vendor", "read";
    permission java.util.PropertyPermission "java.vendor.url", "read";
    permission java.util.PropertyPermission "java.class.version", "read";
    permission java.util.PropertyPermission "java.specification.version", "read";
    permission java.util.PropertyPermission "java.specification.vendor", "read";
    permission java.util.PropertyPermission "java.specification.name", "read";

    permission java.util.PropertyPermission "java.vm.specification.version", "read";
    permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
    permission java.util.PropertyPermission "java.vm.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.version", "read";
    permission java.util.PropertyPermission "java.vm.vendor", "read";
    permission java.util.PropertyPermission "java.vm.name", "read";

    // Required for OpenJMX
    permission java.lang.RuntimePermission "getAttribute";

    // Allow read of JAXP compliant XML parser debug
    permission java.util.PropertyPermission "jaxp.debug", "read";

    // All JSPs need to be able to read this package
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat";

    // Precompiled JSPs need access to these packages.
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
    permission java.lang.RuntimePermission
     "accessClassInPackage.org.apache.jasper.runtime.*";

    // Precompiled JSPs need access to these system properties.
    permission java.util.PropertyPermission
     "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
    permission java.util.PropertyPermission
     "org.apache.el.parser.COERCE_TO_ZERO", "read";

    // The cookie code needs these.
    permission java.util.PropertyPermission
     "org.apache.catalina.STRICT_SERVLET_COMPLIANCE", "read";
    permission java.util.PropertyPermission
     "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING", "read";
    permission java.util.PropertyPermission
     "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR", "read";

    // Applications using Comet need to be able to access this package
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.comet";

    // Applications using WebSocket need to be able to access these packages
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket.server";
};
// The Manager application needs access to the following packages to support the
// session display functionality. These settings support the following
// configurations:
// - default CATALINA_HOME == CATALINA_BASE
// - CATALINA_HOME != CATALINA_BASE, per instance Manager in CATALINA_BASE
// - CATALINA_HOME != CATALINA_BASE, shared Manager in CATALINA_HOME
grant codeBase "file:${catalina.base}/webapps/manager/-" {
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
};
grant codeBase "file:${catalina.home}/webapps/manager/-" {
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
};
// You can assign additional permissions to particular web applications by
// adding additional "grant" entries here, based on the code base for that
// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
//
// Different permissions can be granted to JSP pages, classes loaded from
// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
//
// For instance, assume that the standard "examples" application
// included a JDBC driver that needed to establish a network connection to the
// corresponding database and used the scrape taglib to get the weather from
// the NOAA web server.  You might create a "grant" entries like this:
//
// The permissions granted to the context root directory apply to JSP pages.
// grant codeBase "file:${catalina.base}/webapps/examples/-" {
//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
//
// The permissions granted to the context WEB-INF/classes directory
// grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" {
// };
//
// The permission granted to your JDBC driver
// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// };
// The permission granted to the scrape taglib
// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };

Starting Tomcat with a SecurityManager

Once you have configured the catalina.policy file for use with a SecurityManager, Tomcat can be started with a SecurityManager in place by using the -security option:

$CATALINA_HOME/bin/catalina.sh start -security    (Unix)
%CATALINA_HOME%\bin\catalina start -security      (Windows)

Configuring package protection in Tomcat

Starting with Tomcat 5, it is possible to configure which Tomcat internal packages are protected against package definition and access. For details, see http://www.oracle.com/technetwork/java/seccodeguide-139067.html

Warning: Removing the default package protection could open a security hole.

Default properties file

The default $CATALINA_BASE/conf/catalina.properties file looks like this:

#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageAccess unless the
# corresponding RuntimePermission ("accessClassInPackage."+package) has
# been granted.
package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
#
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageDefinition unless the
# corresponding RuntimePermission ("defineClassInPackage."+package) has
# been granted.
#
# by default, no packages are restricted for definition, and none of
# the class loaders supplied with the JDK call checkPackageDefinition.
#
#package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.

Once you have configured catalina.properties for use with a SecurityManager, remember to restart Tomcat.
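The package.access list is enforced by SecurityManager.checkPackageAccess, which the application class loader calls before it even looks a class up. The following stand-alone Java program is an added example, not Tomcat code and not part of the original page: it sets a package.access value in the same comma-separated format as catalina.properties (Tomcat applies its catalina.properties value through the same java.security.Security property), installs a SecurityManager, and then tries to load a class from an unrestricted package, from the sun. prefix, and from a hypothetical application-internal prefix com.example.internal. that has no class behind it at all. JDK 18 and later need -Djava.security.manager=allow on the command line.

```java
import java.security.Security;

/**
 * Added example (not Tomcat code): the package.access protection that
 * catalina.properties configures, reproduced in a plain JVM.
 *
 *   JDK 8-17: java PackageAccessDemo
 *   JDK 18+:  java -Djava.security.manager=allow PackageAccessDemo
 */
public class PackageAccessDemo {

    // Same format as the package.access line in catalina.properties:
    // comma-separated package prefixes. "sun." exists on every JDK;
    // "com.example.internal." is a hypothetical application-internal prefix.
    static final String RESTRICTED = "sun.,com.example.internal.";

    public static void main(String[] args) {
        // Must be set before the manager is installed: afterwards it would
        // require SecurityPermission "setProperty.package.access".
        Security.setProperty("package.access", RESTRICTED);
        System.setSecurityManager(new SecurityManager());

        System.out.println(tryLoad("java.util.ArrayList"));         // loads
        System.out.println(tryLoad("sun.misc.Unsafe"));             // denied: prefix "sun."
        System.out.println(tryLoad("com.example.internal.Secret")); // denied before lookup
    }

    /** Loads a class through the application class loader and reports the outcome. */
    static String tryLoad(String className) {
        try {
            Class<?> c = Class.forName(className);
            return "LOADED  " + c.getName();
        } catch (SecurityException e) {
            // Thrown by SecurityManager.checkPackageAccess, which the application
            // class loader calls before it even looks the class up. The grant that
            // would allow it is RuntimePermission "accessClassInPackage.<package>",
            // exactly what catalina.policy gives JSPs for org.apache.tomcat.
            return "DENIED  " + className + " -> " + e.getMessage();
        } catch (ClassNotFoundException e) {
            return "MISSING " + className;
        }
    }
}
```

The third attempt is the instructive one: com.example.internal.Secret does not exist, yet the result is a SecurityException rather than a ClassNotFoundException, because the package check runs before the loader searches for the class. This is why Tomcat's default list (sun., org.apache.catalina., org.apache.coyote., org.apache.tomcat., org.apache.jasper.) keeps web applications out of the container's internals even when the classes are on a shared class path.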

Troubleshooting

If the application performs an action that is prohibited because it lacks the required permission, the SecurityManager throws an AccessControlException or SecurityException when it detects the violation. Debugging a missing permission can be difficult, but one option is to turn on debug output for every security decision made while the JVM runs, which is done by setting a system property before starting Tomcat. The easiest way is through the CATALINA_OPTS environment variable, with the following command:

export CATALINA_OPTS=-Djava.security.debug=all    (Unix)
set CATALINA_OPTS=-Djava.security.debug=all       (Windows)

Remember to do this before starting Tomcat.

Warning: This generates many megabytes of output! But it can help you find the problem by searching for the keyword FAILED, which identifies the permission that needs to be checked. See the Java security documentation for further options that can be set.
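Both the policy file format section above and this troubleshooting step come down to one question: once the ${...} properties in catalina.policy are expanded, does a given code base end up holding a given permission? The following Java program is an added example, not part of Tomcat or of the original page. It loads a constructed policy text (in catalina.policy syntax, using the same ${catalina.base} placeholder, with a temporary directory standing in for CATALINA_BASE and an IP literal 10.0.0.5 as a made-up database host) through the standard "JavaPolicy" provider and asks it directly whether a code base would be granted a permission, without installing a SecurityManager and without reading through java.security.debug=all output. Unix-style paths are assumed.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.net.URI;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSource;
import java.security.NoSuchAlgorithmException;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.URIParameter;
import java.security.cert.Certificate;
import java.util.PropertyPermission;

/**
 * Added example (not Tomcat code): a dry-run policy checker. It loads a policy
 * file with the JDK's "JavaPolicy" provider and evaluates grants for a code
 * base the way the SecurityManager would, but without installing one.
 */
public class PolicyCheck {

    // Constructed policy in catalina.policy syntax. ${catalina.base} is expanded
    // from the system property at load time, exactly as Tomcat's file relies on.
    // IP literals are used for the hosts so the check never touches DNS.
    private static final String POLICY =
        "grant codeBase \"file:${catalina.base}/webapps/examples/-\" {\n" +
        "    permission java.net.SocketPermission \"10.0.0.5:5432\", \"connect\";\n" +
        "    permission java.io.FilePermission \"${catalina.base}/webapps/examples/-\", \"read\";\n" +
        "};\n" +
        "grant {\n" +
        "    permission java.util.PropertyPermission \"java.version\", \"read\";\n" +
        "};\n";

    public static void main(String[] args) throws Exception {
        // A temporary directory stands in for CATALINA_BASE (constructed for the demo).
        Path base = Files.createTempDirectory("catalina-base");
        System.setProperty("catalina.base", base.toString());

        Path policyFile = base.resolve("catalina.policy");
        Files.write(policyFile, POLICY.getBytes(StandardCharsets.UTF_8));
        Policy policy = load(policyFile.toUri());

        // Code bases as the web application class loader would report them.
        URL examples = URI.create(base.toUri() + "webapps/examples/").toURL();
        URL other = URI.create(base.toUri() + "webapps/other/").toURL();

        report(policy, examples, new SocketPermission("10.0.0.5:5432", "connect"));
        report(policy, examples, new SocketPermission("10.0.0.6:5432", "connect"));
        report(policy, examples, new FilePermission(base.resolve("webapps/examples/index.jsp").toString(), "read"));
        report(policy, other, new SocketPermission("10.0.0.5:5432", "connect"));
        report(policy, other, new PropertyPermission("java.version", "read"));
        report(policy, other, new PropertyPermission("user.home", "read"));
    }

    /** Loads only the given policy file, not the JDK's default java.policy. */
    static Policy load(URI policyUri) throws NoSuchAlgorithmException {
        return Policy.getInstance("JavaPolicy", new URIParameter(policyUri));
    }

    /** True if code loaded from codeBase (unsigned) would be granted p. */
    static boolean granted(Policy policy, URL codeBase, Permission p) {
        CodeSource cs = new CodeSource(codeBase, (Certificate[]) null);
        ProtectionDomain pd = new ProtectionDomain(cs, null);
        return policy.implies(pd, p);
    }

    static void report(Policy policy, URL codeBase, Permission p) {
        System.out.printf("%-5s %s -> %s%n", granted(policy, codeBase, p) ? "GRANT" : "DENY", codeBase, p);
    }
}
```

The examples code base is granted the 10.0.0.5 connection and the read under its own directory but not the connection to 10.0.0.6; the other code base gets only the global java.version read. One caveat this check surfaces early: grants are expanded with the system properties current at load time, and a grant whose codeBase references an unset property is skipped rather than failing the load, which is one way a permission that looks present in catalina.policy can still produce an AccessControlException at runtime.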
