Chapter 14: Tomcat Security

```
// Precompiled JSPs need access to this package.
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
};
```

Note that system administrators are not only free to modify Tomcat's policy file, they are encouraged to do so. Once the Security Manager has been enabled, it is likely that changes to the policy will be required before certain parts of the deployed Web applications will function.

Recommended Security Manager Practices

You have explored the process of enabling the Security Manager with Tomcat and are familiar with the location of Tomcat's policy file. The following are recommended practices for granting permissions to applications. These techniques prevent a badly written or malicious Web application from tampering with the underlying operating system, with other machines on the network, and with the Tomcat server instance itself.

Using the Security Manager

If the Security Manager is not used with Tomcat, any JSP or class file in a badly written or malicious Web application is free to perform any action on the server machine that it desires. This includes opening unauthorized connections to other network hosts, writing to parts of the server file system where it shouldn't, or abnormally terminating Tomcat itself by calling System.exit(n). Clearly, to maintain a secure Tomcat installation, the Security Manager should be enabled and fine-grained permissions should be set.

Understanding Application Requirements

If Tomcat's default policy file is used unchanged, Web applications are likely to be unable to perform certain required functions. Consider the following tasks, all of which are denied by Tomcat's default policy configuration:

- Creating a class loader
- Accessing a database via a socket (for example, the MySQL JDBC driver establishing a connection to a MySQL database)
- Sending an e-mail via the JavaMail API
- Reading or writing files outside of the Web application's directory

A myriad of permissions may be required by an application. System administrators must communicate with the application developers to understand which permissions each Web application will need. Examples for enabling some of the common permissions listed here are reviewed in the next section. To learn about other permissions, review the Java Security documentation links provided earlier in this chapter.
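The two sections above make the same practical point from opposite sides: without the Security Manager a Web application can do anything, and with it the default policy denies the very actions real applications tend to need. The following stand-alone probe, an added example that is not code from the book or from Tomcat, installs a SecurityManager under a deliberately narrow policy (constructed inline), attempts each of the actions listed above, and prints the `permission` line an administrator would add to a `grant` block in `catalina.policy` for every action that is denied. The host names `db.example.internal` and `mail.example.internal` and the use of a temporary directory as a stand-in for the Web application's own directory are assumptions made for the demonstration.

```java
import java.io.File;
import java.io.FileWriter;
import java.net.URL;
import java.net.URLClassLoader;
import java.security.AccessControlException;
import java.security.Permission;
import java.util.LinkedHashMap;
import java.util.Map;

/*
 * Added example (not from the book or from Tomcat). Installs a SecurityManager
 * with a constructed, minimal policy, probes the actions the chapter lists as
 * denied by default, and prints the policy line needed for each denied one.
 *
 * Compile and run on a JDK 8 to 17; JDK 18 to 23 additionally need
 * -Djava.security.manager=allow, and JDK 24 removed the SecurityManager:
 *   javac PermissionProbe.java && java PermissionProbe
 */
public class PermissionProbe {

    interface Probe { void run() throws Exception; }

    public static void main(String[] args) throws Exception {
        // Assumed stand-in for a Web application's own directory.
        File appDir = new File(System.getProperty("java.io.tmpdir"), "probe-app");
        appDir.mkdirs();

        // Constructed policy: the only grant is read/write/delete inside appDir,
        // mirroring the document-root permission Tomcat gives each application.
        File policyFile = new File(appDir, "probe.policy");
        String appTree = (appDir.getPath() + File.separator + "-").replace("\\", "\\\\");
        try (FileWriter w = new FileWriter(policyFile)) {
            w.write("grant {\n");
            w.write("  permission java.io.FilePermission \"" + appTree + "\", \"read,write,delete\";\n");
            w.write("};\n");
        }
        // A plain value appends to the JDK's own java.policy; prefix "=" to replace it.
        System.setProperty("java.security.policy", policyFile.toURI().toString());
        System.setSecurityManager(new SecurityManager());
        SecurityManager sm = System.getSecurityManager();

        Map<String, Probe> probes = new LinkedHashMap<>();
        probes.put("create a class loader",
                () -> new URLClassLoader(new URL[0]).close());
        probes.put("open a JDBC socket to db.example.internal:3306",
                () -> sm.checkConnect("db.example.internal", 3306));   // assumed host
        probes.put("open an SMTP socket to mail.example.internal:25",
                () -> sm.checkConnect("mail.example.internal", 25));   // assumed host
        probes.put("write a file inside the application directory", () -> {
            File f = new File(appDir, "work.tmp");
            f.createNewFile();
            f.delete();
        });
        probes.put("write a file outside the application directory",
                () -> new File(appDir.getParentFile(), "outside.tmp").createNewFile());
        probes.put("call System.exit()",
                () -> sm.checkExit(0));   // performs the permission check without exiting

        for (Map.Entry<String, Probe> e : probes.entrySet()) {
            try {
                e.getValue().run();
                System.out.println("ALLOWED  " + e.getKey());
            } catch (AccessControlException ace) {
                System.out.println("DENIED   " + e.getKey());
                System.out.println("         add: " + grantLine(ace.getPermission()));
            }
        }
    }

    /** Render a denied Permission as a line for a grant block in catalina.policy. */
    static String grantLine(Permission p) {
        String actions = p.getActions();
        String line = "permission " + p.getClass().getName() + " \"" + p.getName() + "\"";
        if (actions != null && !actions.isEmpty()) {
            line += ", \"" + actions + "\"";
        }
        return line + ";";
    }
}
```

Only the write inside the application directory is reported as allowed; the class-loader, socket, outside-file and exit probes each print a `DENIED` line followed by the exact `java.lang.RuntimePermission`, `java.net.SocketPermission` or `java.io.FilePermission` entry to add. The same discovery technique works against a deployed application: run it under the Security Manager, capture the `AccessControlException` (or start the JVM with `-Djava.security.debug=access,failure`), and grant only the permission named in the failure, scoped to the `codeBase` of that one application rather than to all code.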

