Protection Domain Infrastructure in Tomcat
Legitimate code can be used to introduce harmful measures into the web application. For instance, calls for disk access and calls to System.exit can be hidden in classpaths. An effective measure against such intrusions is to implement a protection domain. In Tomcat, you have to enable the Tomcat Security Manager and then edit its parameters according to the requirements of your server environment.
The ProtectionDomain class encloses a group of classes whose instances have the same permissions, public keys, and URI. A given class can belong to only one ProtectionDomain. For more information on ProtectionDomain, see the Java documentation.
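To illustrate what a protection domain does, the following added example (not JasperReports Server or Tomcat code) builds a ProtectionDomain whose only permission is read/write access under /temp, the folder this page uses for its FilePermission case, and checks several requests against it. The class name ReportDomainDemo, its helper methods, and the sample paths are assumptions, and Unix-style paths are assumed.

```java
import java.io.FilePermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

// Hypothetical demo class; not part of JasperReports Server or Tomcat.
public class ReportDomainDemo {

    // Builds a domain whose only static permission is read/write below dir.
    static ProtectionDomain restrictedDomain(String dir) {
        Permissions perms = new Permissions();
        // "/-" makes the permission recursive: all files and subdirectories.
        perms.add(new FilePermission(dir + "/-", "read,write"));
        // No code location and no certificates: only the permissions matter here.
        CodeSource source = new CodeSource(null, (Certificate[]) null);
        // The two-argument constructor binds the permissions statically,
        // so the installed policy is not consulted by implies().
        return new ProtectionDomain(source, perms);
    }

    // True if code running in this domain would be granted the permission.
    static boolean allowed(ProtectionDomain domain, Permission p) {
        return domain.implies(p);
    }

    public static void main(String[] args) {
        ProtectionDomain domain = restrictedDomain("/temp");
        // Constructed sample requests.
        Permission[] requests = {
            new FilePermission("/temp/report1.tmp", "read"),
            new FilePermission("/temp/sub/cache.dat", "write"),
            new FilePermission("/temp/report1.tmp", "delete"),
            new FilePermission("/etc/passwd", "read"),
            new RuntimePermission("exitVM.0"), // checked by System.exit(0)
        };
        for (Permission p : requests) {
            System.out.printf("%-6s %s%n", allowed(domain, p) ? "allow" : "deny", p);
        }
    }
}
```

Only the read and write requests under /temp are allowed; the delete request, the read outside /temp, and the exitVM request are denied because the domain was never granted them.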
Enabling the JVM Security Manager
The Security Manager restricts permissions at the application server level. By default, no permissions are disallowed at that level, so legitimate permissions must be specifically added. You must add permissions for JasperReports Server. Doing so does not interfere with server operations because JasperReports Server security restrictions occur on other levels.
Add the enabling code for the Security Manager in the file <apache-tomcat>/conf/catalina.policy. ProtectionDomains can be enabled as defined in the reportsProtectionDomainProvider bean in <js-webapp>/WEB-INF/applicationContext.xml.
To enable the Security Manager and give JasperReports Server full permissions there, add the following code fragment at the end of catalina.policy:
After enabling the manager, you should add the security parameter to your Tomcat startup command. For example:
<apache-tomcat>\bin\startup -security
If you didn't add the permissions properly, you will receive errors like the following:
Restoring Disallowed Permissions
The file <js-webapp>/WEB-INF/applicationContext.xml defines the permissions allowed for java.security.Class. You might have to use the file to add permissions disallowed by enabling the Security Manager. On the application level, only specified permissions are granted now, so any application-level permissions you were using have been disallowed. You must write code that restores them.
To help you restore necessary permissions, the following commented sample code is provided in the applicationContext.xml file. For instance, to add permission for read/write access to the /temp folder, you would uncomment the code for the bean class java.io.FilePermission:
Additional Customizations for Previous Versions of Tomcat
For Tomcat versions 6.0.20 and earlier, you also need to add permissions for Groovy scripts in the catalina.policy file and in the protection domain for reports.
In <apache-tomcat>/conf/catalina.policy, you need to grant Groovy scripts permission to read the JasperReports Server classpath:
In <js-webapp>/WEB-INF/applicationContext.xml, the same permissions need to be added to reportsProtectionDomainProvider. This change grants access to reports that use the Groovy language, plus reports that need to load additional classes from the JasperReports Server web application:
Also, because of a Tomcat bug found in 6.0.16 and fixed in 6.0.18, the following configuration change is required for JasperReports Server to start properly.
In <apache-tomcat>/conf/catalina.policy, find the section that starts with:
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
Add the following line in that section: