SecurityConfig


1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one or more
3    * contributor license agreements.  See the NOTICE file distributed with
4    * this work for additional information regarding copyright ownership.
5    * The ASF licenses this file to You under the Apache License, Version 2.0
6    * (the "License"); you may not use this file except in compliance with
7    * the License.  You may obtain a copy of the License at
8    * 
9    *      http://www.apache.org/licenses/LICENSE-2.0
10   * 
11   * Unless required by applicable law or agreed to in writing, software
12   * distributed under the License is distributed on an "AS IS" BASIS,
13   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14   * See the License for the specific language governing permissions and
15   * limitations under the License.
16   */
17  package org.apache.catalina.security;
18  
19  import java.security.Security  ;
20  import org.apache.catalina.startup.CatalinaProperties;
21  
22  /**
23   * Util class to protect Catalina against package access and insertion.
24   * The code are been moved from Catalina.java
25   * @author the Catalina.java authors
26   * @author Jean-Francois Arcand
27   */
28  public final class SecurityConfig{
29      private static SecurityConfig singleton = null;
30  
31      private static org.apache.commons.logging.Log log=
32          org.apache.commons.logging.LogFactory.getLog( SecurityConfig.class );
33  
34      
35      private final static String   PACKAGE_ACCESS =  "sun.,"
36                                                  + "org.apache.catalina." 
37                                                  + ",org.apache.jasper."
38                                                  + ",org.apache.coyote."
39                                                  + ",org.apache.tomcat.";
40      
41      private final static String   PACKAGE_DEFINITION= "java.,sun."
42                                                  + ",org.apache.catalina." 
43                                                  + ",org.apache.coyote."
44                                                  + ",org.apache.tomcat."
45                                                  + ",org.apache.jasper.";
46      /**
47       * List of protected package from conf/catalina.properties
48       */
49      private String   packageDefinition;
50      
51      
52      /**
53       * List of protected package from conf/catalina.properties
54       */
55      private String   packageAccess; 
56      
57      
58      /**
59       * Create a single instance of this class.
60       */
61      private SecurityConfig(){  
62          try{
63              packageDefinition = CatalinaProperties.getProperty("package.definition");
64              packageAccess = CatalinaProperties.getProperty("package.access");
65          } catch (java.lang.Exception   ex){
66              if (log.isDebugEnabled()){
67                  log.debug("Unable to load properties using CatalinaProperties", ex); 
68              }            
69          }
70      }
71      
72      
73      /**
74       * Returns the singleton instance of that class.
75       * @return an instance of that class.
76       */
77      public static SecurityConfig newInstance(){
78          if (singleton == null){
79              singleton = new SecurityConfig();
80          }
81          return singleton;
82      }
83      
84      
85      /**
86       * Set the security package.access value.
87       */
88      public void setPackageAccess(){
89          // If catalina.properties is missing, protect all by default.
90          if (packageAccess == null){
91              setSecurityProperty("package.access", PACKAGE_ACCESS);   
92          } else {
93              setSecurityProperty("package.access", packageAccess);   
94          }
95      }
96      
97      
98      /**
99       * Set the security package.definition value.
100      */
101      public void setPackageDefinition(){
102         // If catalina.properties is missing, protect all by default.
103          if (packageDefinition == null){
104             setSecurityProperty("package.definition", PACKAGE_DEFINITION);
105          } else {
106             setSecurityProperty("package.definition", packageDefinition);
107          }
108     }
109      
110      
111     /**
112      * Set the proper security property
113      * @param properties the package.* property.
114      */
115     private final void setSecurityProperty(String   properties, String   packageList){
116         if (System.getSecurityManager() != null){
117             String   definition = Security.getProperty(properties);
118             if( definition != null && definition.length() > 0 ){
119                 definition += ",";
120             }
121 
122             Security.setProperty(properties,
123                 // FIX ME package "javax." was removed to prevent HotSpot
124                 // fatal internal errors
125                 definition + packageList);      
126         }
127     }
128     
129     
130 }
131 
132 
133 
134 
135
A to Z: JavaDoc & Examples Daily Java News & Articles Open Source Projects Open Source Codes Free Computer Books Remove Frame
Popular Tags