NonStop Servlets for JavaServer Pages (NSJSP) 6.1 System Administrator's Guide
Security Considerations
NonStop Servlets for JavaServer Pages (NSJSP) 6.1 System Administrator’s Guide—596210-006
permission java.lang.RuntimePermission "accessDeclaredMembers";
You must be careful before granting the accessDeclaredMembers permission to any
codeBase.
When NSJSP runs under the security manager with the default security policy file, all
web applications are prevented from executing code such as System.exit().
Package Protection in NSJSP
As discussed in Securing NSJSP Resources Using the permissions Directive on
page 8-38, NSJSP provides security to prevent malicious applications from gaining
access to NSJSP internal classes. Apart from executing methods of some internal
classes, it is possible to gain entry into internal classes by defining classes in the same
package as the NSJSP internal classes. For example, all classes within the same
package have access to protected resources (for example, methods and variables) of
other classes in the package.
You can specify internal NSJSP packages that must be protected against package
definition and access. The protection can be configured in the
catalina.properties file in the <NSJSP_HOME>/conf directory using the
following package.access and package.definition properties:
package.access: This property can be used to restrict access to classes in
certain packages. For example, if the value of this property is java.io,
java.net, then access to classes in these packages is prevented unless
permissions are granted using the accessClassInPackage target name of the
java.lang.RuntimePermission.
By default, the value is not set. However, the following entry is available in the
catalina.properties file to grant access to specified packages and is
commented by default:
#package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.,sun.beans.
package.definition: This property can be used to restrict class definitions to
certain packages.
By default, none of the packages are restricted and none of the class loaders call
checkPackageDefinition. However, the following entry is available in the
catalina.properties file to restrict access to specified packages and is
commented by default:
#package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
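The following check is an added example, not part of this guide or of NSJSP: it reads the text of a catalina.properties file and reports which package prefixes from the two commented-out entries above are not actively protected. The function names and the sample file contents are assumptions constructed for illustration, and the reader handles only key=value lines with backslash continuation.

```python
# Added example: audit catalina.properties text against the prefixes quoted on this page.
EXPECTED = {
    "package.access": ["sun.", "org.apache.catalina.", "org.apache.coyote.",
                       "org.apache.tomcat.", "org.apache.jasper.", "sun.beans."],
    "package.definition": ["sun.", "java.", "org.apache.catalina.",
                           "org.apache.coyote.", "org.apache.tomcat.",
                           "org.apache.jasper."],
}

def parse_properties(text):
    """Minimal properties reader: comments, key=value, backslash continuation."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue  # blank line or comment; a commented entry is inactive
        if line.endswith("\\"):
            pending += line[:-1]  # value continues on the next line
            continue
        line, pending = pending + line, ""
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return {property: [expected prefixes that are not protected]}."""
    props = parse_properties(text)
    findings = {}
    for key, expected in EXPECTED.items():
        active = [p.strip() for p in props.get(key, "").split(",") if p.strip()]
        # A listed prefix covers every package name that starts with it.
        missing = [e for e in expected if not any(e.startswith(a) for a in active)]
        if missing:
            findings[key] = missing
    return findings

# Constructed sample inputs (not taken from a real installation).
DEFAULT_CONF = "#package.access=sun.,org.apache.catalina.\n#package.definition=sun.,java.\n"
ENABLED_CONF = (
    "package.access=sun.,org.apache.catalina.,org.apache.coyote.,\\\n"
    "    org.apache.tomcat.,org.apache.jasper.\n"
    "package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,\\\n"
    "    org.apache.tomcat.\n"
)

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("enabled", ENABLED_CONF)):
        print(name, audit(conf))
```

With both entries commented out, every expected prefix is reported; in the second sample, sun.beans. is covered by the sun. prefix and only org.apache.jasper. is reported for package.definition.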
Note. HP recommends that you understand the impact of providing certain security
permissions. You can find a list of all security permissions provided by Java at
http://java.sun.com/javase/6/docs/technotes/guides/security/permissions.html.










