001: /*
002: * Licensed to the Apache Software Foundation (ASF) under one or more
003: * contributor license agreements. See the NOTICE file distributed with
004: * this work for additional information regarding copyright ownership.
005: * The ASF licenses this file to You under the Apache License, Version 2.0
006: * (the "License"); you may not use this file except in compliance with
007: * the License. You may obtain a copy of the License at
008: *
009: * http://www.apache.org/licenses/LICENSE-2.0
010: *
011: * Unless required by applicable law or agreed to in writing, software
012: * distributed under the License is distributed on an "AS IS" BASIS,
013: * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014: * See the License for the specific language governing permissions and
015: * limitations under the License.
016: */
017: package org.apache.catalina.security;
018:
019: import java.security.Security;
020: import org.apache.catalina.startup.CatalinaProperties;
021:
022: /**
023: * Utility class that protects Catalina against package access and insertion.
024: * The code was moved here from Catalina.java.
025: * @author the Catalina.java authors
026: * @author Jean-Francois Arcand
027: */
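public final class SecurityConfig {

    /** Lazily created shared instance, handed out by {@link #newInstance()}. */
    private static SecurityConfig singleton = null;

    private static final org.apache.juli.logging.Log log =
            org.apache.juli.logging.LogFactory.getLog(SecurityConfig.class);

    /**
     * Built-in fallback for the {@code package.access} security property,
     * used when conf/catalina.properties does not supply a value.
     */
    private static final String PACKAGE_ACCESS = "sun.,"
            + "org.apache.catalina." + ",org.apache.jasper."
            + ",org.apache.coyote." + ",org.apache.tomcat.";

    /**
     * Built-in fallback for the {@code package.definition} security property,
     * used when conf/catalina.properties does not supply a value.
     */
    private static final String PACKAGE_DEFINITION = "java.,sun."
            + ",org.apache.catalina." + ",org.apache.coyote."
            + ",org.apache.tomcat." + ",org.apache.jasper.";

    /**
     * Packages protected against class definition, as read from
     * conf/catalina.properties; {@code null} when the value could not be read.
     */
    private String packageDefinition;

    /**
     * Packages protected against access, as read from
     * conf/catalina.properties; {@code null} when the value could not be read.
     */
    private String packageAccess;

    /**
     * Reads the configured package lists. A failure to read them is tolerated
     * on purpose: the fields stay {@code null} and the setters fall back to
     * the built-in lists, so a missing configuration never leaves the
     * packages unprotected.
     */
    private SecurityConfig() {
        try {
            packageDefinition = CatalinaProperties
                    .getProperty("package.definition");
            packageAccess = CatalinaProperties
                    .getProperty("package.access");
        } catch (java.lang.Exception ex) {
            // Only visible at debug level; the built-in defaults take over.
            if (log.isDebugEnabled()) {
                log.debug(
                        "Unable to load properties using CatalinaProperties",
                        ex);
            }
        }
    }

    /**
     * Returns the shared instance, creating it on first use. Despite its name
     * this method does not create a new object per call. The lazy
     * initialisation is not synchronized.
     *
     * @return the single instance of this class.
     */
    public static SecurityConfig newInstance() {
        if (singleton == null) {
            singleton = new SecurityConfig();
        }
        return singleton;
    }

    /**
     * Appends the protected packages to the {@code package.access} security
     * property. Does nothing when no security manager is installed.
     */
    public void setPackageAccess() {
        // If catalina.properties is missing, protect all by default.
        if (packageAccess == null) {
            setSecurityProperty("package.access", PACKAGE_ACCESS);
        } else {
            setSecurityProperty("package.access", packageAccess);
        }
    }

    /**
     * Appends the protected packages to the {@code package.definition}
     * security property. Does nothing when no security manager is installed.
     */
    public void setPackageDefinition() {
        // If catalina.properties is missing, protect all by default.
        if (packageDefinition == null) {
            setSecurityProperty("package.definition",
                    PACKAGE_DEFINITION);
        } else {
            setSecurityProperty("package.definition", packageDefinition);
        }
    }

    /**
     * Appends {@code packageList} to the named security property, keeping any
     * value that is already set. Nothing is changed unless a security manager
     * is installed.
     *
     * @param properties  the package.* property to extend.
     * @param packageList comma-separated package prefixes to append.
     */
    private void setSecurityProperty(String properties,
            String packageList) {
        if (System.getSecurityManager() == null) {
            return;
        }

        String definition = Security.getProperty(properties);
        if (definition == null || definition.length() == 0) {
            // An unset property must not be concatenated as the text "null":
            // that would fuse with the first package prefix (for example
            // "nullsun.") and silently drop that package from the list.
            definition = packageList;
        } else if (packageList != null && packageList.length() > 0) {
            // An empty list appends nothing, so no trailing comma is left.
            definition = definition + "," + packageList;
        }

        // FIX ME package "javax." was removed to prevent HotSpot
        // fatal internal errors
        Security.setProperty(properties, definition);
    }

}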