use of java.io.FilePermission in project wildfly by wildfly.
the class ServletResourceOverlaysTestCase method single.
/**
 * Builds the {@code single.war} test deployment: two plain web resources, the
 * {@code PathAccessCheckServlet}, a {@code permissions.xml} manifest entry and a
 * library jar whose {@code META-INF/resources} entries overlay the web resources.
 *
 * <p>Security-relevant detail: the deployment's {@code permissions.xml} requests
 * {@code FilePermission("/-", "read")}, i.e. recursive read access to everything
 * under the filesystem root. That is far broader than the two resources the
 * archive ships, so this grant should stay confined to test deployments.
 *
 * @return the assembled web archive
 */
@Deployment
public static WebArchive single() {
    // Library jar first: it is independent of the war until addAsLibrary().
    // b.txt shadows the war's own b.txt, c.txt exists only in the overlay.
    JavaArchive overlayJar = ShrinkWrap.create(JavaArchive.class, "test.jar");
    overlayJar.addAsManifestResource(new StringAsset("b - overlay"), new BasicPath("resources", "b.txt"));
    overlayJar.addAsManifestResource(new StringAsset("c - overlay"), new BasicPath("resources", "c.txt"));

    WebArchive archive = ShrinkWrap.create(WebArchive.class, "single.war");
    archive.addAsWebResource(new StringAsset("a"), "a.txt");
    archive.addAsWebResource(new StringAsset("b"), "b.txt");
    archive.addClass(PathAccessCheckServlet.class);

    // Absolute path of <java.io.tmpdir>/noaccess.txt, resolved on the JVM that
    // builds the archive.
    String noAccessFile = Paths.get(System.getProperty("java.io.tmpdir"), "noaccess.txt")
            .toFile()
            .getAbsolutePath();

    // "/-" = every file below "/", recursively; read-only.
    FilePermission readWholeFilesystem = new FilePermission("/-", "read");
    PropertyPermission readTmpDirProperty = new PropertyPermission("java.io.tmpdir", "read");
    // NOTE(review): presumably consumed by PathAccessCheckServlet - confirm against the servlet.
    VirtualFilePermission readNoAccessFile = new VirtualFilePermission(noAccessFile, "read");

    archive.addAsManifestResource(
            createPermissionsXmlAsset(readWholeFilesystem, readTmpDirProperty, readNoAccessFile),
            "permissions.xml");

    archive.addAsLibrary(overlayJar);
    return archive;
}
use of java.io.FilePermission in project tomcat by apache.
the class JspRuntimeContext method initSecurity.
/**
 * Method used to initialize SecurityManager data.
 *
 * <p>When a {@link Policy} is installed, the permissions configured for the web
 * application's root directory are looked up and then extended with:
 * <ul>
 *   <li>{@code read} on the context directory itself and, via the {@code "-"}
 *       suffix, on everything below it recursively;</li>
 *   <li>{@code read,write} on the scratch (work) directory and
 *       {@code read,write,delete} on everything below it;</li>
 *   <li>{@code accessClassInPackage.org.apache.jasper.runtime} so JSPs can reach
 *       {@code HttpJspBase}.</li>
 * </ul>
 *
 * <p>Failures are logged, not propagated: the returned holder then carries
 * whatever was assigned before the exception (possibly a code source with a
 * partially populated or {@code null} permission collection).
 *
 * @return holder for the code source and permission collection; both are
 *         {@code null} when no policy is installed
 */
private SecurityHolder initSecurity() {
    final Policy activePolicy = Policy.getPolicy();
    CodeSource source = null;
    PermissionCollection permissions = null;

    if (activePolicy != null) {
        try {
            // Root of the web app on disk; fall back to the scratch directory
            // when the context cannot be mapped to a real path.
            String docBase = context.getRealPath("/");
            if (docBase == null) {
                docBase = options.getScratchDir().toString();
            }

            final boolean docBaseHasSeparator = docBase.endsWith(File.separator);
            final String codeBase = docBaseHasSeparator ? docBase : docBase + File.separator;

            // The code source is keyed on the canonical form of the directory,
            // so the policy lookup uses the resolved location.
            final URL codeBaseUrl = new File(codeBase).getCanonicalFile().toURI().toURL();
            source = new CodeSource(codeBaseUrl, (Certificate[]) null);
            permissions = activePolicy.getPermissions(source);

            // Read access to the context directory entry itself (no trailing
            // separator) ...
            final String docBaseDir = docBaseHasSeparator
                    ? docBase.substring(0, docBase.length() - 1)
                    : docBase;
            permissions.add(new FilePermission(docBaseDir, "read"));
            // ... and to every file and subdirectory below it ("<dir>/-").
            permissions.add(new FilePermission(codeBase + "-", "read"));

            // Spec says apps should have read/write for their temp directory.
            // This is fine, as no security sensitive files, at least any that
            // the app doesn't have full control of anyway, will be written here.
            String workDir = options.getScratchDir().toString();
            if (!workDir.endsWith(File.separator)) {
                // Directory entry itself: read/write only, no delete.
                permissions.add(new FilePermission(workDir, "read,write"));
                workDir = workDir + File.separator;
            }
            // NOTE(review): when the scratch path already ends with a separator,
            // no permission is added for the directory entry itself - only the
            // recursive grant below applies.
            permissions.add(new FilePermission(workDir + "-", "read,write,delete"));

            // Allow the JSP to access org.apache.jasper.runtime.HttpJspBase
            permissions.add(new RuntimePermission("accessClassInPackage.org.apache.jasper.runtime"));
        } catch (RuntimeException | IOException e) {
            // Best effort: record the failure and return what has been set so far.
            context.log(Localizer.getMessage("jsp.error.security"), e);
        }
    }

    return new SecurityHolder(source, permissions);
}
use of java.io.FilePermission in project ignite by apache.
the class SecuritySubjectPermissionsTest method beforeTestsStarted.
/**
 * {@inheritDoc}
 *
 * <p>If no {@link SecurityManager} is installed yet, installs a JVM-wide
 * {@link Policy} and a default {@code SecurityManager}, and records that in
 * {@code setupSM}. The policy ignores the code source and hands every caller
 * the same wildcard grants (runtime, JMX, reflection, SSL, management,
 * serialization, security, sockets, all files, all properties) plus
 * {@code TestPermission("common")}. Both installs are process-global state,
 * so this setup is only appropriate inside a test JVM.
 */
@Override
protected void beforeTestsStarted() throws Exception {
    // A security manager that is already present is left untouched.
    if (System.getSecurityManager() != null) {
        return;
    }

    Policy allowAlmostEverything = new Policy() {
        @Override
        public PermissionCollection getPermissions(CodeSource cs) {
            // A fresh, mutable collection is built on every call.
            Permissions granted = new Permissions();

            granted.add(new RuntimePermission("*"));
            granted.add(new MBeanServerPermission("*"));
            granted.add(new MBeanPermission("*", "*"));
            granted.add(new MBeanTrustPermission("*"));
            granted.add(new ReflectPermission("*"));
            granted.add(new SSLPermission("*"));
            granted.add(new ManagementPermission("monitor"));
            granted.add(new ManagementPermission("control"));
            granted.add(new SerializablePermission("*"));
            granted.add(new SecurityPermission("*"));
            granted.add(new SocketPermission("*", "connect,accept,listen,resolve"));
            // "<<ALL FILES>>" is the FilePermission token matching every path.
            granted.add(new FilePermission("<<ALL FILES>>", "read,write,delete,execute,readlink"));
            granted.add(new PropertyPermission("*", "read,write"));
            granted.add(new TestPermission("common"));

            return granted;
        }
    };

    // The policy goes in before the manager that will consult it.
    Policy.setPolicy(allowAlmostEverything);
    System.setSecurityManager(new SecurityManager());

    // NOTE(review): presumably read during teardown to undo this setup - confirm.
    setupSM = true;
}
use of java.io.FilePermission in project elasticsearch by elastic.
the class ESPolicy method implies.
/**
 * Decides whether {@code permission} is granted to code running in {@code domain}.
 *
 * <p>Evaluation order, first match wins:
 * <ol>
 *   <li>no code source: denied;</li>
 *   <li>location equals {@code BootstrapInfo.UNTRUSTED_CODEBASE}: only the
 *       {@code untrusted} policy is consulted and its answer is final;</li>
 *   <li>a plugin policy registered for the location grants it: allowed;</li>
 *   <li>a {@code FilePermission} on {@code <<ALL FILES>>} requested from
 *       {@code org.apache.hadoop.util.Shell.runCommand}: aborted with an
 *       {@code IOException} passed to {@code rethrow};</li>
 *   <li>otherwise the {@code template}, {@code dynamic} and {@code system}
 *       policies are asked in that order.</li>
 * </ol>
 *
 * @param domain     protection domain of the code being checked
 * @param permission permission being requested
 * @return {@code true} if the permission is granted
 */
@Override
@SuppressForbidden(reason = "fast equals check is desired")
public boolean implies(ProtectionDomain domain, Permission permission) {
    final CodeSource origin = domain.getCodeSource();
    // codesource can be null when reducing privileges via doPrivileged()
    if (origin == null) {
        return false;
    }

    final URL where = origin.getLocation();
    // https://bugs.openjdk.java.net/browse/JDK-8129972
    if (where != null) {
        final String codebaseFile = where.getFile();

        // run scripts with limited permissions: the untrusted policy's answer
        // is returned as-is, so nothing further down can widen it
        if (BootstrapInfo.UNTRUSTED_CODEBASE.equals(codebaseFile)) {
            return untrusted.implies(domain, permission);
        }

        // check for an additional plugin permission: plugin policy is
        // only consulted for its codesources.
        final Policy pluginPolicy = plugins.get(codebaseFile);
        if (pluginPolicy != null && pluginPolicy.implies(domain, permission)) {
            return true;
        }
    }

    // yeah right, REMOVE THIS when hadoop is fixed
    final boolean asksForAllFiles =
            permission instanceof FilePermission && "<<ALL FILES>>".equals(permission.getName());
    if (asksForAllFiles) {
        for (StackTraceElement frame : Thread.currentThread().getStackTrace()) {
            final boolean isHadoopShell = "org.apache.hadoop.util.Shell".equals(frame.getClassName());
            if (isHadoopShell && "runCommand".equals(frame.getMethodName())) {
                // we found the horrible method: the hack begins!
                // force the hadoop code to back down, by throwing an exception that it catches.
                // NOTE(review): rethrow is defined elsewhere; presumably it throws
                // the given exception without declaring it - confirm.
                rethrow(new IOException("no hadoop, you cannot do this."));
            }
        }
    }

    // otherwise defer to template + dynamic file permissions
    if (template.implies(domain, permission)) {
        return true;
    }
    if (dynamic.implies(permission)) {
        return true;
    }
    return system.implies(domain, permission);
}
use of java.io.FilePermission in project elasticsearch by elastic.
the class Security method addPath.
/**
 * Add access to path (and all files underneath it).
 *
 * <p>Two {@link FilePermission} entries are registered with the same action
 * string: one for the path itself and one for {@code <path><separator>-},
 * which covers every file and directory below it recursively. The grant is
 * therefore exactly as broad as the directory passed in.
 *
 * @param policy current policy to add permissions to
 * @param configurationName the configuration name associated with the path (for error messages only)
 * @param path the path itself
 * @param permissions set of file permissions to grant to the path
 * @throws IllegalStateException if {@code ensureDirectoryExists} fails with an {@link IOException}
 */
static void addPath(Permissions policy, String configurationName, Path path, String permissions) {
    // paths may not exist yet, this also checks accessibility
    try {
        ensureDirectoryExists(path);
    } catch (IOException cause) {
        throw new IllegalStateException("Unable to access '" + configurationName + "' (" + path + ")", cause);
    }

    // add each path twice: once for itself ...
    final String directory = path.toString();
    policy.add(new FilePermission(directory, permissions));

    // ... again for files underneath it; the separator comes from the path's
    // own file system, not from the platform default
    final String everythingBelow = path.toString() + path.getFileSystem().getSeparator() + "-";
    policy.add(new FilePermission(everythingBelow, permissions));
}