Grant permission to single class
Question
I'm working with a security policy on Tomcat 6. I've successfully granted permissions to my entire webapp, but would like to grant some permissions only to specific classes. However, when I try this, my doPrivileged block receives an AccessControlException.
Because I've been successful granting to a more general code base, I went back to that codebase, and tested as I added each additional subdirectory. In this manner, the most specific grant I'm able to make work is:
grant codeBase "file:${catalina.home}/webapps/ROOT/WEB-INF/-" { ... }
If I add "classes/", as in:
grant codeBase "file:${catalina.home}/webapps/ROOT/WEB-INF/classes/-" { ... }
then I resume seeing the AccessControlException. The class I'm trying to allow is located beneath the classes directory. The webapp was deployed as a .war file, and unpacked by Tomcat.
What am I doing wrong here? I'm intending to follow the example provided in the catalina.policy provided with Tomcat.
1 answers
solution1
3 ACCPTED 2010-12-25 04:54:30
The finest granularity for assigning permissions using the Java default policy file format is per-code source (ie, per-JAR or per-class-directory). As a workaround, you could split each distinctly privileged class into its own JAR in WEB-INF/lib and grant specific permissions to that JAR.
A custom ClassLoader could be made to create unique ProtectionDomains for each defineClass. The ProtectionDomains could either statically grant per-class permissions, or they could create specialized ProtectionDomains to allow a custom Policy to dynamically grant per-class permissions.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.