summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorclemenso <clemenso@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>2009-05-19 14:27:23 +0000
committerclemenso <clemenso@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>2009-05-19 14:27:23 +0000
commitc3d2c49c2020c24aabf7412edd24196c12918eb3 (patch)
tree447f24e7529b8a773bc6ca330b653adcd2d3ad11
parent4af6912e43237c3678f05e30c69385481f42ae76 (diff)
downloadmocca-c3d2c49c2020c24aabf7412edd24196c12918eb3.tar.gz
mocca-c3d2c49c2020c24aabf7412edd24196c12918eb3.tar.bz2
mocca-c3d2c49c2020c24aabf7412edd24196c12918eb3.zip
mocca policy
git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@355 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
-rw-r--r--BKUOnline/src/main/policy/50mocca.policy117
-rw-r--r--BKUOnline/src/main/webapp/SLRequestForm.html4
-rw-r--r--BKUOnline/src/main/webapp/WEB-INF/web.xml16
3 files changed, 111 insertions, 26 deletions
diff --git a/BKUOnline/src/main/policy/50mocca.policy b/BKUOnline/src/main/policy/50mocca.policy
index 1b62c3a8..6292d24d 100644
--- a/BKUOnline/src/main/policy/50mocca.policy
+++ b/BKUOnline/src/main/policy/50mocca.policy
@@ -1,16 +1,49 @@
-
-
+// Copyright 2008 Federal Chancellery Austria and
+// Graz University of Technology
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+// =========================================================================
+// || IMPORTANT: REVIEW AND ADAPT TO YOUR NEEDS PRIOR TO INSTALLATION
+// =========================================================================
+//
+//
// ========== MOCCA CODE PERMISSIONS =======================================
//
+// replace /home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT
+// with ${catalina.base}/webapps/<mocca_context>
+// replace /usr/share/java/xercesImpl.jar
+// with <path_to_endorsed_xerces> (if not in jre/lib/endorsed)
+// replace ${catalina.base}/work/Catalina/localhost/_
+// with ${catalina.base}/work/Catalina/localhost/<mocca_context> (the path to the compiled JSPs, excl. package dir: org/apache/jsp/)
+// replace apps.egiz.gv.at
+// with <DataURL_host:DataURL_port>
+// replace localhost:8080
+// with <StylesheetURL_host:StylesheetURL_port>
+// replace www.xslt-stylesheet-include-url.org:80
+// with <XSL_include_URL>
+// replace ../conf/secret.xml
+// with <any_resource_you_would_like_to_grant_XSLTs_document()_function_access_to>
+//
+// replace www.a-trust.at and ksp.ecard.sozialversicherung.gv.at
+// with <idLink_template_download_URL>
+// replace ldap.a-trust.at:389 and ocsp.ecard.sozialversicherung.at:80
+// with <certificate_revocation_authority_endpoint> (OCSP, CRLs)
//
-// replace /home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT with ${catalina.base}/webapps/<mocca_context>
-// replace /usr/share/java/xercesImpl.jar with the endorsed xerces (if not in jre/lib/endorsed)
-// replace ${catalina.base}/work/Catalina/localhost/_ with the path to the compiled JSPs
-// replace apps.egiz.gv.at with the DataURL host
-// www.a-trust.at and ksp.ecard.sozialversicherung.gv.at are required for id-link template download
-// replace ldap.a-trust.at:389 with any certificate revocation authority endpoint (OCSP, CRLs)
-
+// =========== container grants required by MOCCA
+//
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/classes/logging.properties", "read";
@@ -21,23 +54,31 @@ grant codeBase "file:${catalina.base}/work/Catalina/localhost/_" {
permission java.lang.RuntimePermission "defineClassInPackage.org.apache.jasper.runtime";
};
+// =========== MOCCA grants
+//
grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/classes/-" {
permission java.security.AllPermission;
// permission java.io.FilePermission "${catalina.base}/logs", "read, write";
// permission java.io.FilePermission "${catalina.base}/logs/*", "read, write";
+// permission java.io.FilePermission "${catalina.base}/logs/*", "delete";
// permission java.util.PropertyPermission "com.sun.xml.ws.fault.SOAPFaultBuilder.disableCaptureStackTrace", "write";
// permission java.util.PropertyPermission "com.sun.xml.ws.transport.http.HttpAdapter.dump", "write";
};
grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/-" {
+ // the log4j configuration might want to write logs to ${catalina.base}/logs/bkuonline.log
permission java.io.FilePermission "${catalina.base}/logs", "read, write";
permission java.io.FilePermission "${catalina.base}/logs/*", "read, write";
+ permission java.io.FilePermission "${catalina.base}/logs/*", "delete";
+
};
grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/utils-1.1.2-SNAPSHOT.jar" {
permission java.util.PropertyPermission "*", "read";
permission java.net.SocketPermission "www.a-trust.at:80", "connect, resolve";
permission java.net.SocketPermission "ksp.ecard.sozialversicherung.gv.at:80", "connect,resolve";
+ permission java.net.SocketPermission "localhost:8080", "connect, resolve";
+ permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
@@ -45,11 +86,16 @@ grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.
grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/bkucommon-1.1.2-SNAPSHOT.jar" {
permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/online/conf/certs/certStore", "write";
permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/online/conf/certs/certStore/-", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/online/conf/certs/certStore/toBeAdded/-", "delete";
permission java.io.FilePermission "/usr/share/java/xercesImpl.jar", "read";
+ permission java.io.FilePermission "../conf/secret.xml", "read";
permission java.net.SocketPermission "apps.egiz.gv.at:443", "connect, resolve";
permission java.net.SocketPermission "www.a-trust.at:80", "connect, resolve";
permission java.net.SocketPermission "ksp.ecard.sozialversicherung.gv.at:80", "connect,resolve";
permission java.net.SocketPermission "ldap.a-trust.at:389", "connect, resolve";
+ permission java.net.SocketPermission "ocsp.ecard.sozialversicherung.at:80", "connect, resolve";
+ permission java.net.SocketPermission "localhost:8080", "connect, resolve";
+ permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
permission java.net.NetPermission "specifyStreamHandler";
permission java.util.PropertyPermission "*", "read, write";
permission java.security.SecurityPermission "insertProvider.IAIK";
@@ -78,6 +124,7 @@ grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.
permission java.security.SecurityPermission "putProviderProperty.IAIK";
permission java.security.SecurityPermission "removeProvider.IAIK";
permission java.net.SocketPermission "ldap.a-trust.at:389", "connect, resolve";
+ permission java.net.SocketPermission "ocsp.ecard.sozialversicherung.at:80", "connect, resolve";
};
grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/iaik_ecc_signed-2.15.jar" {
@@ -99,36 +146,69 @@ grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.
grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/iaik_pki-1.0-MOCCA.jar" {
permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/online/conf/certs/certStore", "write";
permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/online/conf/certs/certStore/-", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/online/conf/certs/certStore/toBeAdded/-", "delete";
permission java.net.SocketPermission "www.a-trust.at:80", "connect, resolve";
permission java.net.SocketPermission "ldap.a-trust.at:389", "connect, resolve";
+ permission java.net.SocketPermission "ocsp.ecard.sozialversicherung.at:80", "connect, resolve";
permission java.net.NetPermission "specifyStreamHandler";
permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.ldap";
};
-grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/xalan-2.7.0.jar" {
- permission java.util.PropertyPermission "*", "read";
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/xalan-2.7.1.jar" {
permission java.io.FilePermission "${java.home}/lib/xalan.properties", "read";
+ permission java.util.PropertyPermission "*", "read";
+ permission java.lang.RuntimePermission "getClassLoader";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/serializer-2.7.1.jar" {
+ permission java.util.PropertyPermission "*", "read";
+ permission java.lang.RuntimePermission "getClassLoader";
+};
+
+// allow xsl:include from the specified URL
+grant codeBase "jar:file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/xalan-2.7.1.jar!/org/apache/xalan/processor/-" {
+ permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
+};
+
+// allow XSLT document function to reference the specified URL
+grant codeBase "jar:file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/xalan-2.7.1.jar!/org/apache/xalan/xsltc/dom/LoadDocument.class" {
+ permission java.io.FilePermission "../conf/secret.xml", "read";
+};
+
+// use tomcat/jre endorsed xerces instead
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/xercesImpl-2.9.1.jar" {
+ permission java.io.FilePermission "${java.home}/lib/xerces.properties", "read";
+ permission java.io.FilePermission "../conf/secret.xml", "read";
+ permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
+ permission java.util.PropertyPermission "*", "read";
permission java.lang.RuntimePermission "getClassLoader";
+ permission java.lang.RuntimePermission "accessDeclaredMembers";
};
grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/commons-logging-1.1.1.jar" {
- permission java.security.AllPermission;
+ permission java.util.PropertyPermission "org.apache.commons.logging.*", "read";
+ permission java.util.PropertyPermission "log4j.*", "read";
+ permission java.util.PropertyPermission "catalina.base", "read";
+ permission java.lang.RuntimePermission "getClassLoader";
+ permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
};
grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/log4j-1.2.12.jar" {
permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/classes/log4j.properties", "read";
// allow log4j to read its own properties
permission java.util.PropertyPermission "log4j.*", "read";
- // the log4j configuration might want to write logs to ${catalina.base}/logs/bkuonline.log
permission java.util.PropertyPermission "catalina.base", "read";
permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
};
grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/spring-core-2.5.5.jar" {
permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.RuntimePermission "modifyThread";
};
grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/spring-web-2.5.5.jar" {
permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/online/conf/certs/certStore", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/online/conf/certs/certStore/-", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/online/conf/certs/certStore/toBeAdded/-", "delete";
permission java.io.FilePermission "/usr/share/java/xercesImpl.jar", "read";
permission java.security.SecurityPermission "insertProvider.IAIK";
permission java.security.SecurityPermission "putProviderProperty.IAIK";
@@ -143,6 +223,7 @@ grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.
permission java.security.SecurityPermission "removeProvider.XMLDSig";
permission java.util.PropertyPermission "*", "read, write";
permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "setFactory";
permission java.lang.RuntimePermission "getProtectionDomain";
permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
@@ -150,6 +231,8 @@ grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.
};
grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/spring-beans-2.5.5.jar" {
permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/online/conf/certs/certStore", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/online/conf/certs/certStore/-", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/online/conf/certs/certStore/toBeAdded/-", "delete";
permission java.io.FilePermission "/usr/share/java/xercesImpl.jar", "read";
permission java.security.SecurityPermission "insertProvider.IAIK";
permission java.security.SecurityPermission "putProviderProperty.IAIK";
@@ -171,6 +254,8 @@ grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.
};
grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/spring-context-2.5.5.jar" {
permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/online/conf/certs/certStore", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/online/conf/certs/certStore/-", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/online/conf/certs/certStore/toBeAdded/-", "delete";
permission java.io.FilePermission "/usr/share/java/xercesImpl.jar", "read";
permission java.security.SecurityPermission "insertProvider.IAIK";
permission java.security.SecurityPermission "putProviderProperty.IAIK";
@@ -185,13 +270,13 @@ grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.
permission java.security.SecurityPermission "removeProvider.XMLDSig";
permission java.util.PropertyPermission "*", "read, write";
permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "setFactory";
permission java.lang.RuntimePermission "getProtectionDomain";
permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
-
grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/jaxws-rt-2.1.5.jar" {
// need write access to set disableCaptureStackTrace and HttpAdapter.dump
permission java.util.PropertyPermission "com.sun.xml.ws.*", "read, write";
@@ -220,6 +305,7 @@ grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.util.PropertyPermission "com.sun.xml.bind.v2.*", "read";
+ permission java.util.PropertyPermission "user.dir", "read";
};
grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/commons-httpclient-3.1.jar" {
@@ -230,5 +316,4 @@ grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.
grant codeBase "file:${catalina.base}/nblib/-" {
permission java.security.AllPermission;
-};
-
+}; \ No newline at end of file
diff --git a/BKUOnline/src/main/webapp/SLRequestForm.html b/BKUOnline/src/main/webapp/SLRequestForm.html
index 4714e82f..b3aeb8e0 100644
--- a/BKUOnline/src/main/webapp/SLRequestForm.html
+++ b/BKUOnline/src/main/webapp/SLRequestForm.html
@@ -176,8 +176,8 @@
name="RedirectURL" value="" id="RedirectURL"></p>
<p><label for="DataURL">DataURL</label> <input name="DataURL"
value="" id="DataURL"></p>
- <p><label for="StyleSheetURL">StyleSheetURL</label> <input
- name="StyleSheetURL" value="" id="StyleSheetURL"></p>
+ <p><label for="StylesheetURL">StylesheetURL</label> <input
+ name="StylesheetURL" value="" id="StylesheetURL"></p>
<p>
-->
</fieldset>
diff --git a/BKUOnline/src/main/webapp/WEB-INF/web.xml b/BKUOnline/src/main/webapp/WEB-INF/web.xml
index 7697885e..46e69c4a 100644
--- a/BKUOnline/src/main/webapp/WEB-INF/web.xml
+++ b/BKUOnline/src/main/webapp/WEB-INF/web.xml
@@ -54,7 +54,7 @@
<servlet-name>help</servlet-name>
<jsp-file>/help.jsp</jsp-file>
</servlet>
- <servlet-mapping>
+ <servlet-mapping>
<servlet-name>BKUServlet</servlet-name>
<url-pattern>/http-security-layer-request</url-pattern>
</servlet-mapping>
@@ -70,17 +70,17 @@
<servlet-name>help</servlet-name>
<url-pattern>/help/*</url-pattern>
</servlet-mapping>
-
- <!--
+
+ <!--
| Configure alternative applet pages that may be requested
- | via the 'appletPage' form parameter (cf. SLRequestForm.html)
+ | via the 'appletPage' form parameter (cf. SLRequestForm.html)
<servlet>
<servlet-name>BKUAppletAlternative</servlet-name>
<jsp-file>/appletAlternative.jsp</jsp-file>
</servlet-->
-
- <!--
- | To disable applet caching load the applet via the AppletDispatcher
+
+ <!--
+ | To disable applet caching load the applet via the AppletDispatcher
| (cf. applet.jsp)
<servlet>
<servlet-name>AppletDispatcher</servlet-name>
@@ -113,7 +113,7 @@
<welcome-file>index.html</welcome-file>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
- <session-config>
+ <session-config>
<session-timeout>5</session-timeout>
</session-config>
</web-app>