Re: Tomcat + Hibernate2 + Security Manager

Wed, 28 Jan 2004 04:24:48 -0800 

Hi !


On Tue, 27 Jan 2004 12:14:16 -0500, Jeanfrancois Arcand <[EMAIL PROTECTED]> escreveu:

> De: Jeanfrancois Arcand <[EMAIL PROTECTED]>
> Data: Tue, 27 Jan 2004 12:14:16 -0500
> Para: Tomcat Users List <[EMAIL PROTECTED]>
> Assunto: Re: Tomcat + Hibernate2 + Security Manager
> 
> 
> 
> Webmaster wrote:
> 
> >Hi all,
> >
> >I know this is a little bit out of topic, but the general concept is useful for 
> >everybody.
> >
> >I run tomcat with security manager for a dozen users. Recently, people started to 
> >use the hibernate 2 which requires some funky permissions.
> >
> >I had to put these lines in the 'global' permission to make it work:
> >
> >grant {
> >
> >...
> >
> >  permission java.lang.RuntimePermission "accessDeclaredMembers";
> >  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
> >  permission java.lang.RuntimePermission "defineCGLIBClassInJavaPackage";
> >
> >...
> >}
> >
> >Note: I DID test using a codebase like:
> >
> >grant codeBase "file:/home//client/public_html/WEB-INF/lib/hibernate2.jar!/-" { 
> >....
> >
> >but the classes hibernate creates after reflection stop obeying the security 
> >manager.
> >  
> >
> Do you have the exception? Which Tomcat version are you using?

I'm using 4.1.29. The classes that hibernate creates dinamically are the ones that 
don't follow the codebase anymore, it's like they have a 'null' codebase after they 
are created.

> >Are there any security risks on a security setup with those 3 lines for all classes 
> >in the JVM ?
> >  
> >
> 
> Yes. It will now allow a Servlet to "load" tomcat internal classes and 
> "maybe" do malicious things. 

Right now, my clients don't have permissions to read the classes in /server/lib 
directory ( I don't give file io permission to this directory, only to /common/lib ). 
Would that be enough to stop these malicious things ?

> -- Jeanfrancois
> 
> 
> >Thanks
> >Renato.
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: [EMAIL PROTECTED]
> >For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
> >  
> >
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 
> 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to