NonStop Servlets for JavaServer Pages (NSJSP) 6.1 System Administrator's Guide (596210-006)

Security Considerations
Securing NSJSP Resources Using the permissions Directive
By default, all web applications are granted read permission to all the file resources
under the web application’s base directory. This enables the application to read the
static resources. Permissions are granted to access the resources either through JNDI
or through classes in the java.io package.
The following sample iTP_catalina.policy file shows permissions to read system
properties:
grant {
// Required for JNDI lookup of named JDBC DataSource's and
// javamail named MimePart DataSource used to send mail
permission java.util.PropertyPermission "java.home", "read";
permission java.util.PropertyPermission "java.naming.*", "read";
permission java.util.PropertyPermission "javax.sql.*", "read";
};
Because this grant directive does not specify a codeBase, it applies to
every codeBase. This means that all container libraries and web applications are
granted permission to read system properties, such as java.home.
The following sample grant directive grants permissions to all the jar files present in
the ${catalina.home}/lib directory, which in NSJSP translates to
<NSJSP_HOME>/lib:
grant codeBase "file:${catalina.home}/lib/-" {
permission java.security.AllPermission;
};
Granting all permissions is the same as running without the Java Security Manager for
the codeBase in question.
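The two points above (a grant with no codeBase applies to all code, and AllPermission removes Security Manager checks for a codeBase) can be checked mechanically when reviewing a policy file. The following Python script is an added example, not part of the NSJSP guide or product; the sample policy text and the function names are constructed for illustration.

```python
import re

# Constructed sample policy, modelled on the two grant directives shown above.
SAMPLE_POLICY = '''
grant {
    // Required for JNDI lookup of named JDBC DataSource's
    permission java.util.PropertyPermission "java.home", "read";
    permission java.util.PropertyPermission "java.naming.*", "read";
};

grant codeBase "file:${catalina.home}/lib/-" {
    permission java.security.AllPermission;
};
'''

# Quoted strings are matched as single units so that "${...}" or "file://"
# inside them is not mistaken for a block brace or a comment.
TOKEN_RE = re.compile(r'"[^"]*"|//[^\n]*|/\*.*?\*/', re.S)
GRANT_RE = re.compile(r'\bgrant\b((?:"[^"]*"|[^{"])*)\{((?:"[^"]*"|[^}"])*)\}\s*;', re.I)
CODEBASE_RE = re.compile(r'\bcodeBase\s+"([^"]*)"', re.I)
PERMISSION_RE = re.compile(r'\bpermission\s+([\w.$]+)', re.I)


def strip_comments(text):
    """Drop // and /* */ comments so commented-out grants are not reported."""
    return TOKEN_RE.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)


def audit_policy(text):
    """Return one (codeBase or None, permission classes, findings) per grant."""
    results = []
    for header, body in GRANT_RE.findall(strip_comments(text)):
        match = CODEBASE_RE.search(header)
        codebase = match.group(1) if match else None
        perms = PERMISSION_RE.findall(body)
        findings = []
        if codebase is None:
            findings.append("no codeBase: grant applies to every codeBase")
        if "java.security.AllPermission" in perms:
            findings.append("AllPermission: no Security Manager checks for this code")
        results.append((codebase, perms, findings))
    return results


if __name__ == "__main__":
    for codebase, perms, findings in audit_policy(SAMPLE_POLICY):
        print(codebase or "<all code>", perms, findings or ["ok"])
```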
While running NSJSP under a Java Security Manager, with the default security policy,
some JSP examples throw a security exception. For example, running
examples/jsp/jsp2/simpletag/hello.jsp throws the following exception:
access: access denied (java.lang.RuntimePermission accessDeclaredMembers)
java.lang.Exception: Stack trace
at java.lang.Thread.dumpStack(Thread.java:1158)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:253)
at java.security.AccessController.checkPermission(AccessController.java:427)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkMemberAccess(SecurityManager.java:1662)
….
This exception is thrown because user applications are not granted the
accessDeclaredMembers permission. This permission can be granted to every
codeBase by adding the following permission in a grant block: