Author: cbrisson Date: Wed Jun 20 00:58:00 2018 New Revision: 1833884 URL: http://svn.apache.org/viewvc?rev=1833884&view=rev Log: [tools] Put the showcase webapp tests under a security manager
Added: velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/src/main/policy/ velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/src/main/policy/showcase.policy Modified: velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/pom.xml velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/src/main/webapp/WEB-INF/web.xml Modified: velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/pom.xml URL: http://svn.apache.org/viewvc/velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/pom.xml?rev=1833884&r1=1833883&r2=1833884&view=diff ============================================================================== --- velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/pom.xml (original) +++ velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/pom.xml Wed Jun 20 00:58:00 2018 @@ -27,6 +27,9 @@ <groupId>org.apache.velocity</groupId> <version>3.0-SNAPSHOT</version> </parent> + <properties> + <webapp-slf4j-logger.version>1.3</webapp-slf4j-logger.version> + </properties> <groupId>org.apache.velocity</groupId> <artifactId>velocity-tools-examples-showcase</artifactId> <packaging>war</packaging> @@ -37,7 +40,7 @@ <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-failsafe-plugin</artifactId> - <version>2.19.1</version> + <version>2.22.0</version> <executions> <execution> <id>integration-test</id> 
@@ -56,21 +59,43 @@ <plugin> <groupId>org.codehaus.cargo</groupId> <artifactId>cargo-maven2-plugin</artifactId> - <version>1.6.0</version> - <!-- enable remote debugging + <version>1.6.8</version> <configuration> + <container> + <containerId>jetty9x</containerId> + </container> <configuration> + <files> + <copy> + <file>${project.basedir}/src/main/policy/showcase.policy</file> + <todir>/</todir> + <configfile>true</configfile> + </copy> + </files> <properties> + <cargo.container>${project.build.directory}/cargo/installs</cargo.container> + <cargo.repository>${settings.localRepository}</cargo.repository> + <cargo.webapp>${project.build.directory}/${project.artifactId}</cargo.webapp> + <cargo.velocity-engine.version>${velocity.engine.version}</cargo.velocity-engine.version> + <cargo.velocity-tools.version>${project.version}</cargo.velocity-tools.version> + <cargo.slf4j.version>${slf4j.version}</cargo.slf4j.version> + <cargo.webapp-slf4j-logger.version>${webapp-slf4j-logger.version}</cargo.webapp-slf4j-logger.version> <cargo.jvmargs> - -Xdebug - -Xrunjdwp:transport=dt_socket,server=n,suspend=y,address=5005 - -Xnoagent - -Djava.compiler=NONE + <!-- enable remote debugging + -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5006 + --> + + <!-- enable Jetty debug log + -Dorg.eclipse.jetty.LEVEL=DEBUG + --> + + <!-- enable security manager --> + -Djava.security.manager + -Djava.security.policy=${project.build.directory}/cargo/configurations/jetty9x/showcase.policy </cargo.jvmargs> </properties> </configuration> </configuration> - --> <executions> <execution> <configuration> @@ -122,7 +147,7 @@ <dependency> <groupId>rhino</groupId> <artifactId>js</artifactId> - <version>1.6R5</version> + <version>1.7R2</version> </dependency> <dependency> <groupId>org.apache.velocity</groupId> 
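Review bot: The `-Djava.security.policy=${project.build.directory}/cargo/configurations/jetty9x/showcase.policy` entry in `cargo.jvmargs` uses a single `=`, which loads showcase.policy in addition to the JRE's default `java.policy`, so the tests run under the union of both files rather than under the showcase policy alone. If the intent is to prove the webapp works with exactly the grants spelled out in showcase.policy, the double-equals form `-Djava.security.policy==${project.build.directory}/cargo/configurations/jetty9x/showcase.policy` makes that explicit and independent of whichever JDK runs the build. The path also repeats by hand the `jetty9x` containerId and the `<todir>/</todir>` destination of the `<copy>` above it; a comment such as `<!-- must match the <copy> target above: cargo places showcase.policy at the root of the jetty9x configuration -->` would tie the two together for the next person who changes the container. The enclosing `<plugin>` element starts before and continues past this hunk.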
@@ -146,7 +171,7 @@ <dependency> <groupId>com.republicate</groupId> <artifactId>webapp-slf4j-logger</artifactId> - <version>1.1</version> + <version>${webapp-slf4j-logger.version}</version> <scope>runtime</scope> </dependency> </dependencies> Added: velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/src/main/policy/showcase.policy URL: http://svn.apache.org/viewvc/velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/src/main/policy/showcase.policy?rev=1833884&view=auto ============================================================================== --- velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/src/main/policy/showcase.policy (added) +++ velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/src/main/policy/showcase.policy Wed Jun 20 00:58:00 2018 
@@ -0,0 +1,155 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+///////////////////////////////////////////////////
+//
+// Give Maven repository libs all permissions
+//
+///////////////////////////////////////////////////
+
+grant codeBase "file:@cargo.repository@/-"
+{
+ permission java.security.AllPermission "", "";
+};
+
+///////////////////////////////////////////////////
+//
+// Give Jetty libs all permissions
+//
+///////////////////////////////////////////////////
+
+grant codeBase "file:@cargo.container@/-"
+{
+ permission java.security.AllPermission "", "";
+};
+
+///////////////////////////////////////////////////
+//
+// Give anyone basic and reflection runtime rights
+//
+///////////////////////////////////////////////////
+
+grant
+{
+ permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.RuntimePermission "getProtectionDomain";
+ permission java.lang.RuntimePermission "getClassLoader";
+};
+
+///////////////////////////////////////////////////
+//
+// Let webapp resolve classes dependencies
+//
+///////////////////////////////////////////////////
+
+grant codeBase "file:@cargo.webapp@/WEB-INF/classes/-"
+{
+ permission java.io.FilePermission "@cargo.webapp@/WEB-INF/lib/*", "read";
+ permission java.io.FilePermission "@cargo.webapp@/WEB-INF/classes/-", "read";
+};
+
+grant codeBase "file:@cargo.webapp@/WEB-INF/lib/*"
+{
+ permission java.io.FilePermission "@cargo.webapp@/WEB-INF/lib/*", "read";
+ permission java.io.FilePermission "@cargo.webapp@/WEB-INF/classes/-", "read";
+};
+
+
+///////////////////////////////////////////////////
+//
+// Give webapp-slf4j-logger all permissions
+//
+///////////////////////////////////////////////////
+
+// (since the logger will install an IPFilter tag, it's here in all calling stacks)
+
+grant codeBase "file:@cargo.webapp@/WEB-INF/lib/webapp-slf4j-logger-@cargo.webapp-slf4j-logger.version@.jar
+{
+ permission java.security.AllPermission "", "";
+};
+
+///////////////////////////////////////////////////
+//
+// Give slf4j permission to read its properties
+//
+///////////////////////////////////////////////////
+
+// all calling chain is needed
+
+grant codeBase "file:@cargo.webapp@/WEB-INF/lib/slf4j-api-@cargo.slf4j.version@.jar"
+{
+ permission java.util.PropertyPermission "slf4j.*", "read";
+};
+
+grant codeBase "file:@cargo.webapp@/WEB-INF/lib/velocity-engine-core-@cargo.velocity-engine.version@.jar"
+{
+ permission java.util.PropertyPermission "slf4j.*", "read";
+};
+
+grant codeBase "file:@cargo.webapp@/WEB-INF/lib/velocity-tools-view-@cargo.velocity-tools.version@.jar"
+{
+ permission java.util.PropertyPermission "slf4j.*", "read";
+};
+
+///////////////////////////////////////////////////
+//
+// Give velocity, velocity-tools-generic and velocity-tools-view only needed rights
+//
+///////////////////////////////////////////////////
+
+// engine
+
+grant codeBase "file:@cargo.webapp@/WEB-INF/lib/velocity-engine-core-@cargo.velocity-engine.version@.jar"
+{
+ // read default velocity.properties from velocity-engine-core jar
+ permission java.io.FilePermission "@cargo.webapp@/WEB-INF/lib/velocity-engine-core-@cargo.velocity-engine.version@.jar", "read";
+};
+
+// generic tools
+
+grant codeBase "file:@cargo.webapp@/WEB-INF/lib/velocity-tools-generic-@cargo.velocity-tools.version@.jar"
+{
+ // read default velocity.properties and default toolbox from velocity-tools-view jar
+ permission java.io.FilePermission "@cargo.webapp@/WEB-INF/lib/velocity-tools-view-@cargo.velocity-tools.version@.jar", "read";
+
+ // read default toolbox from velocity-tools-generic jar
+ permission java.io.FilePermission "@cargo.webapp@/WEB-INF/lib/velocity-tools-generic-@cargo.velocity-tools.version@.jar", "read";
+};
+
+
+// view tools
+
+grant codeBase "file:@cargo.webapp@/WEB-INF/lib/velocity-tools-view-@cargo.velocity-tools.version@.jar"
+{
+ // read permissions on the webapp
+ permission java.io.FilePermission "@cargo.webapp@/-", "read";
+
+ // get request character encoding (specific to jetty)
+ permission java.util.PropertyPermission "org.eclipse.jetty.util.UrlEncoding.charset","read";
+};
+
+///////////////////////////////////////////////////
+//
+// Showcase samples need some more permissions
+//
+///////////////////////////////////////////////////
+
+grant codeBase "file:@cargo.webapp@/WEB-INF/classes/-"
+{
+};
Modified: velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/src/main/webapp/WEB-INF/web.xml
URL: http://svn.apache.org/viewvc/velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/src/main/webapp/WEB-INF/web.xml?rev=1833884&r1=1833883&r2=1833884&view=diff
==============================================================================
--- velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/src/main/webapp/WEB-INF/web.xml (original)
+++ velocity/tools/trunk/velocity-tools-examples/velocity-tools-examples-showcase/src/main/webapp/WEB-INF/web.xml Wed Jun 20 00:58:00 2018
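Review bot: The `grant codeBase` line for the webapp-slf4j-logger jar is missing its closing `"` (the string `...@cargo.webapp-slf4j-logger.version@.jar` runs straight into `{` on the next line), unlike every other codeBase in the file; depending on how tolerant the policy parser is, that string is either cut off at end of line or the whole file is rejected, and since this is the only WEB-INF/lib entry that receives AllPermission the resulting failure is hard to tell apart from a genuine permission check. It should read `grant codeBase "file:@cargo.webapp@/WEB-INF/lib/webapp-slf4j-logger-@cargo.webapp-slf4j-logger.version@.jar"`. The last block, `grant codeBase "file:@cargo.webapp@/WEB-INF/classes/-" { };` under the "Showcase samples need some more permissions" banner, is empty, so a comment such as `// intentionally empty for now: add sample-specific permissions here` (or dropping the block, since the same codeBase is already granted above) would stop readers from assuming the sample classes were reviewed. The unqualified `grant` handing `accessDeclaredMembers`, `getProtectionDomain` and `getClassLoader` to every code source would also benefit from a one-line comment naming which component needs each of them, since as written it applies to the sample classes as well as to the libraries.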
@@ -21,8 +21,8 @@ <web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" - version="2.5"> + xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3.0.xsd" + version="3.0"> <servlet> <servlet-name>velocity</servlet-name> <servlet-class>org.apache.velocity.tools.view.VelocityLayoutServlet</servlet-class>