All geek questions in one place

Tomcat Security Manager - determining which permissions are required for a web application

I have a very large web application that I would like to publish specifications about what permissions are required to provide Tomcat Security Manager to work correctly with the web application.

Is there any automatic way to launch a web application and generate a list of all the necessary permissions?

I tried to do this manually by enabling Tomcat Security Manager and working my way through security exceptions and adding the necessary permissions. The problem with this, however, is that only one security exception is displayed at a time, and after each exception I need to update the .policy catalina, restart Tomcat and continue to the next exception.

I literally spent 2 hours doing this without any hint of being close to completion. There must be a better way.

Tomcat security manager

+3
source share
3 answers

I found the answer to this question.

Adding the following Java option to Tomcat will create an entry in stderr for each required permission:

= -Djava.security.debug everything

I'm not sure why I did not find this before, but it was documented in the Tomcat 6.0 manual.

http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html#Troubleshooting

0
source

-, Tomcat Security Manager, , Tomcat , , , .

grant codeBase "file:${catalina.home}/path/to/my/application-" {
  permission java.net.SocketPermission "IPAddress:Port", "connect";
  permission java.security.AllPermission;

};

. /path/to/my/application - /webapps/mySuperAwesomeApplication

0

How about using -Djava.security.debug = fail?

0
source

Source: https://habr.com/ru/post/1780504/

More articles:


All Articles