001: /*
002: * Copyright 1999,2004 The Apache Software Foundation.
003: *
004: * Licensed under the Apache License, Version 2.0 (the "License");
005: * you may not use this file except in compliance with the License.
006: * You may obtain a copy of the License at
007: *
008: * http://www.apache.org/licenses/LICENSE-2.0
009: *
010: * Unless required by applicable law or agreed to in writing, software
011: * distributed under the License is distributed on an "AS IS" BASIS,
012: * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013: * See the License for the specific language governing permissions and
014: * limitations under the License.
015: */
016: package org.apache.catalina.security;
017:
018: import java.security.Security;
019: import org.apache.catalina.startup.CatalinaProperties;
020:
021: /**
022: * Utility class to protect Catalina against package access and insertion.
023: * The code was moved from Catalina.java
024: * @author the Catalina.java authors
025: * @author Jean-Francois Arcand
026: */
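public final class SecurityConfig {
    /** Lazily created shared instance; see {@link #newInstance()}. */
    private static SecurityConfig singleton = null;

    private static final org.apache.commons.logging.Log log =
        org.apache.commons.logging.LogFactory.getLog(SecurityConfig.class);

    /**
     * Built-in fallback for the {@code package.access} security property,
     * used when conf/catalina.properties does not supply a value.
     */
    private static final String PACKAGE_ACCESS = "sun.,"
        + "org.apache.catalina." + ",org.apache.jasper."
        + ",org.apache.coyote." + ",org.apache.tomcat.";

    /**
     * Built-in fallback for the {@code package.definition} security property,
     * used when conf/catalina.properties does not supply a value.
     */
    private static final String PACKAGE_DEFINITION = "java.,sun."
        + ",org.apache.catalina." + ",org.apache.coyote."
        + ",org.apache.tomcat." + ",org.apache.jasper.";

    /**
     * Packages protected against class definition, read from
     * conf/catalina.properties ({@code package.definition}); {@code null}
     * when the value was not loaded.
     */
    private String packageDefinition;

    /**
     * Packages protected against access, read from
     * conf/catalina.properties ({@code package.access}); {@code null}
     * when the value was not loaded.
     */
    private String packageAccess;

    /**
     * Loads both package lists through {@code CatalinaProperties}.
     * Private so that instances are only handed out by
     * {@link #newInstance()}.
     */
    private SecurityConfig() {
        try {
            packageDefinition = CatalinaProperties
                .getProperty("package.definition");
            packageAccess = CatalinaProperties
                .getProperty("package.access");
        } catch (java.lang.Exception ex) {
            // Deliberate best-effort: a field that was not assigned stays
            // null and the matching setter then applies the built-in list.
            // NOTE(review): this is logged at debug only, so an operator
            // who configured a different list in catalina.properties gets
            // no visible signal that the built-in one is in force instead.
            if (log.isDebugEnabled()) {
                log.debug(
                    "Unable to load properties using CatalinaProperties",
                    ex);
            }
        }
    }

    /**
     * Returns the singleton instance of this class, creating it on first
     * use. The lazy initialisation is not synchronized.
     *
     * @return the shared instance of this class.
     */
    public static SecurityConfig newInstance() {
        if (singleton == null) {
            singleton = new SecurityConfig();
        }
        return singleton;
    }

    /**
     * Appends the protected-package list to the {@code package.access}
     * security property, which the JDK consults in
     * {@code SecurityManager.checkPackageAccess}. Has no effect when no
     * security manager is installed.
     */
    public void setPackageAccess() {
        // If catalina.properties is missing, protect all by default.
        if (packageAccess == null) {
            setSecurityProperty("package.access", PACKAGE_ACCESS);
        } else {
            setSecurityProperty("package.access", packageAccess);
        }
    }

    /**
     * Appends the protected-package list to the {@code package.definition}
     * security property, which the JDK consults in
     * {@code SecurityManager.checkPackageDefinition}. Has no effect when no
     * security manager is installed.
     */
    public void setPackageDefinition() {
        // If catalina.properties is missing, protect all by default.
        if (packageDefinition == null) {
            setSecurityProperty("package.definition",
                PACKAGE_DEFINITION);
        } else {
            setSecurityProperty("package.definition", packageDefinition);
        }
    }

    /**
     * Appends {@code packageList} to the named security property, keeping
     * whatever value the property already holds. Does nothing unless a
     * security manager is installed.
     *
     * @param properties the package.* property.
     * @param packageList comma-separated package prefixes to append.
     */
    private void setSecurityProperty(String properties,
            String packageList) {
        if (System.getSecurityManager() == null) {
            return;
        }

        // FIX ME package "javax." was removed to prevent HotSpot
        // fatal internal errors
        String definition = Security.getProperty(properties);
        if (definition == null || definition.length() == 0) {
            // Security.getProperty returns null for an unset property;
            // concatenating it would write the literal text "null" in
            // front of the first entry and leave that package unprotected.
            definition = packageList;
        } else if (packageList.length() > 0) {
            definition = definition + "," + packageList;
        }
        // An empty packageList leaves the existing value untouched rather
        // than adding a trailing comma.

        Security.setProperty(properties, definition);
    }

}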