[ https://issues.apache.org/jira/browse/DBCP-177?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mark Thomas resolved DBCP-177. ------------------------------ Resolution: Fixed I really don't know what to say about how long this has taken to fix. Sorry doesn't really cut it. I have just committed the fix for this for DBCP 2. I have only been testing with my fairly basic database application. We may need to pre-load a few more classes to prevent AccessControlExceptions for all use cases. DBCP 2 is feeding in the Tomcat 8 beta releases so we should get some good feedback from those. > [dbcp] redesign to use dbcp with security manager > ------------------------------------------------- > > Key: DBCP-177 > URL: https://issues.apache.org/jira/browse/DBCP-177 > Project: Commons Dbcp > Issue Type: Improvement > Environment: Operating System: All > Platform: All > Reporter: Gernot Pfingstl > Priority: Minor > Fix For: 2.0 > > > Dbcp is not designed to run with security manager, especially when dbcp is > used > in a servlet container (like tomcat) there are problems to set up security > policy in a correct manner. > e.g.: to get a connection should be completely transparent to the (web)app - > only dbcp should know how to get the datasource/connection. If the connection > uses tcp (which will be in the most cases) only dbcp should be granted a > socket > permission. The app itself should not be granted this permission - the app > should not be able to connect the dbserver itself. > So dbcp needs some "doPrivileged()". > see Bug 35034: > Running tomcat with security manager: To get a datasource (with jndi) and to > use > statements you have to grant several accessClassInPackage Permissions to > tomcat > internal packages to the webapp: > permission java.lang.RuntimePermission > "accessClassInPackage.org.apache.tomcat.dbcp.collections"; > permission java.lang.RuntimePermission > "accessClassInPackage.org.apache.tomcat.dbcp.pool.impl"; > permission java.lang.RuntimePermission > "accessClassInPackage.org.apache.tomcat.dbcp.dbcp"; > permission java.lang.RuntimePermission > "accessClassInPackage.org.apache.tomcat.dbcp.pool"; > Additionally dbcp needs a permission java.lang.RuntimePermission > "getClassLoader"; permission to load the jdbc driver. > And in most cases you need some socket permissions. > Datasources will be made available by the container (with JNDI). So the app > doesn't matter where the database resides nor how the container makes the > connection. The app is not interested in the details how the container will > get > the connection - it is only interested to have a connection. > There is no need to give the whole app a permission to connect to some server > only because the container wants to make some connection to this server. The > permission if a app should be able to make a connection is given by a > resource-link entry in context.xml. > The permission to connect to the database server should be given at the > container level and only there. > Why should the whole app have permission to access tomcat internal packages > (org.apache.tomcat.*)? > ------- Additional Comment #1 From Remy Maucherat 2005-05-24 09:58 [reply] > ------- > The commons-dbcp library would need to be written with the security manager in > mind (ie, it needs to have PAs). Not a Tomcat bug, and you should be able to > use > alternate datasource providers.: > Running tomcat with security manager: To get a datasource (with jndi) and to > use > statements you have to grant several accessClassInPackage Permissions to > tomcat > internal packages to the webapp: > permission java.lang.RuntimePermission > "accessClassInPackage.org.apache.tomcat.dbcp.collections"; > permission java.lang.RuntimePermission > "accessClassInPackage.org.apache.tomcat.dbcp.pool.impl"; > permission java.lang.RuntimePermission > "accessClassInPackage.org.apache.tomcat.dbcp.dbcp"; > permission java.lang.RuntimePermission > "accessClassInPackage.org.apache.tomcat.dbcp.pool"; > Additionally dbcp needs a permission java.lang.RuntimePermission > "getClassLoader"; permission to load the jdbc driver. > And in most cases you need some socket permissions. > Datasources will be made available by the container (with JNDI). So the app > doesn't matter where the database resides nor how the container makes the > connection. The app is not interested in the details how the container will > get > the connection - it is only interested to have a connection. > There is no need to give the whole app a permission to connect to some server > only because the container wants to make some connection to this server. The > permission if a app should be able to make a connection is given by a > resource-link entry in context.xml. > The permission to connect to the database server should be given at the > container level and only there. > Why should the whole app have permission to access tomcat internal packages > (org.apache.tomcat.*)? -- This message was sent by Atlassian JIRA (v6.1.5#6160)