Tomcat SecurityManager setup with Unix

Configuring Tomcat for use with a SecurityManager

catalina.policy

The security policies implemented by the Java SecurityManager are configured in the catalina.policy file located in the Tomcat conf directory. The catalina.policy file replaces any system java.policy file. The catalina.policy file can be edited by hand, or you can use the policytool application that comes with Java 1.2.

Entries in the catalina.policy file use the standard java.policy file format as follows:
// Example policy file entry

grant [signedBy <signer>,] [codeBase <code source>] {
    permission <class> [<name> [, <action list>]];
};
The signedBy and codeBase entries are optional when granting permissions. Comment lines begin with // and end at a new line.

The codeBase is in the form of a URL and for a file URL can use the ${java.home} and ${catalina.home} properties which are expanded out to the directory paths defined for them.

Default catalina.policy file
// ========== SYSTEM CODE PERMISSIONS =========================================


// These permissions apply to javac
grant codeBase "file:${java.home}/lib/-" {
  permission java.security.AllPermission;
};
 
// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/-" {   
  permission java.security.AllPermission;  
};
 

// ========== CATALINA CODE PERMISSIONS =======================================


// These permissions apply to the server startup code, and the servlet API
// classes that are shared across all class loaders  
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
  permission java.security.AllPermission;      
};
 
grant codeBase "file:${catalina.home}/bin/servlet.jar" {
  permission java.security.AllPermission;      
};
 
grant codeBase "file:${catalina.home}/bin/naming.jar" {
  permission java.security.AllPermission;      
};
 
// These permissions apply to the container's core code, plus any additional
// libraries installed in the "server" directory     
grant codeBase "file:${catalina.home}/server/-" {
  permission java.security.AllPermission; 
};                                              
                                        
 
// These permissions apply to all extension libraries (including Jasper,
// if present) installed in the "lib" directory      
grant codeBase "file:${catalina.home}/lib/-" {       
  permission java.security.AllPermission;
};

// ========== WEB APPLICATION PERMISSIONS =====================================
                                               
                                               
// These permissions are granted by default to all web applications
// In addition, a web application will be given a read FilePermission
// for all files and directories in its document root.
grant {                                              
  permission java.util.PropertyPermission "java.version", "read";
  permission java.util.PropertyPermission "java.vendor", "read";
  permission java.util.PropertyPermission "java.vendor.url", "read";
  permission java.util.PropertyPermission "java.class.version", "read";
  permission java.util.PropertyPermission "os.name", "read";
  permission java.util.PropertyPermission "os.version", "read";
  permission java.util.PropertyPermission "os.arch", "read";
  permission java.util.PropertyPermission "file.separator", "read";
  permission java.util.PropertyPermission "path.separator", "read";
  permission java.util.PropertyPermission "line.separator", "read";
                                               
  permission java.util.PropertyPermission "java.specification.version", "read";
  permission java.util.PropertyPermission "java.specification.vendor", "read";
  permission java.util.PropertyPermission "java.specification.name", "read";
                                               
  permission java.util.PropertyPermission "java.vm.specification.version", "read";
  permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
  permission java.util.PropertyPermission "java.vm.specification.name", "read";
  permission java.util.PropertyPermission "java.vm.version", "read";
  permission java.util.PropertyPermission "java.vm.vendor", "read";
  permission java.util.PropertyPermission "java.vm.name", "read";
  permission java.io.FilePermission "jndi:/WEB-INF/-", "read";
};                                                   
 
// You can assign additional permissions to particular web applications by
// adding additional "grant" entries here, based on the code base for that
// application.  For instance, assume that the standard "examples" application
// included a JDBC driver that needed to establish a network connection to the
// corresponding database.  You might create a "grant" entry like this:
//                                                   
// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/-" {
//   permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// };

Starting Tomcat with a SecurityManager

Once you have configured the catalina.policy file for use with a SecurityManager, Tomcat can be started with the SecurityManager in place by using the "-security" option to bin/startup.sh.
 

Troubleshooting catalina.policy configuration and Security Violations

You can turn on Java SecurityManager debug logging by setting the environment variable CATALINA_OPTS=-Djava.security.debug=all. You will find the debug output in the log file logs/catalina.out.
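
The following is an added example, not part of the Tomcat documentation: a shell helper that reads the debug output described above and turns each denied check into a candidate permission line for a per-application grant entry, then lists the candidates that are too broad to grant without review. It assumes denials are logged as "access: access denied (...)" records; the sample log lines are constructed, and the function names sample_log, denied_permissions and needs_review are hypothetical.

```shell
#!/bin/sh
# Added example: names and sample data below are constructed for illustration.

# Constructed sample of SecurityManager debug records as they might appear in
# logs/catalina.out (quoted form and the older unquoted form).
sample_log() {
cat <<'EOF'
access: access allowed ("java.util.PropertyPermission" "java.version" "read")
access: access denied ("java.net.SocketPermission" "dbhost.mycompany.com:5432" "connect,resolve")
access: access denied ("java.io.FilePermission" "/tmp/upload.tmp" "write")
access: access denied ("java.net.SocketPermission" "dbhost.mycompany.com:5432" "connect,resolve")
access: access denied (java.lang.RuntimePermission exitVM)
EOF
}

# Read log text on stdin; print one de-duplicated candidate "permission" line
# per denied check, in catalina.policy syntax.
denied_permissions() {
  awk '
    /access denied \(/ {
      s = $0
      sub(/.*access denied \(/, "", s)   # keep what follows the opening paren
      sub(/\)[^)]*$/, "", s)             # drop the closing paren
      if (s ~ /^"/) {                    # quoted: "class" "name" "actions"
        n = split(s, f, "\"")
        cls = f[2]; name = (n >= 4 ? f[4] : ""); act = (n >= 6 ? f[6] : "")
      } else {                           # unquoted: class name actions
        n = split(s, f, " ")
        cls = f[1]; name = (n >= 2 ? f[2] : ""); act = (n >= 3 ? f[3] : "")
      }
      line = "permission " cls
      if (name != "") line = line " \"" name "\""
      if (act != "")  line = line ", \"" act "\""
      print line ";"
    }' | LC_ALL=C sort -u
}

# Filter candidate lines down to those too broad to grant without review.
needs_review() {
  grep -E 'AllPermission|<<ALL FILES>>|"(exitVM[^"]*|createClassLoader|setSecurityManager)"' || true
}

echo "# candidate entries for a per-application grant block:"
sample_log | denied_permissions
echo "# review before granting:"
sample_log | denied_permissions | needs_review
```

Against a real log, run denied_permissions < logs/catalina.out and place only the entries the application genuinely needs inside a grant block scoped to that application's codeBase.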