From 284e7da6f01cb3b0e7269fe6476a8e2eeb77b8c2 Mon Sep 17 00:00:00 2001 From: clemenso Date: Tue, 12 May 2009 14:43:16 +0000 Subject: mocca catalina.policy git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@352 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4 --- BKUOnline/src/main/policy/50mocca.policy | 234 +++++++++++++++++++++++++++++++ BKUOnline/src/main/webapp/applet.jsp | 4 +- BKUOnline/src/main/webapp/help.jsp | 19 ++- 3 files changed, 248 insertions(+), 9 deletions(-) create mode 100644 BKUOnline/src/main/policy/50mocca.policy (limited to 'BKUOnline/src') diff --git a/BKUOnline/src/main/policy/50mocca.policy b/BKUOnline/src/main/policy/50mocca.policy new file mode 100644 index 00000000..1b62c3a8 --- /dev/null +++ b/BKUOnline/src/main/policy/50mocca.policy @@ -0,0 +1,234 @@ + + +// ========== MOCCA CODE PERMISSIONS ======================================= +// +// +// replace /home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT with ${catalina.base}/webapps/ +// replace /usr/share/java/xercesImpl.jar with the endorsed xerces (if not in jre/lib/endorsed) +// replace ${catalina.base}/work/Catalina/localhost/_ with the path to the compiled JSPs +// replace apps.egiz.gv.at with the DataURL host +// www.a-trust.at and ksp.ecard.sozialversicherung.gv.at are required for id-link template download +// replace ldap.a-trust.at:389 with any certificate revocation authority endpoint (OCSP, CRLs) + + +grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { + permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources"; + permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/classes/logging.properties", "read"; +}; + +grant codeBase "file:${catalina.base}/work/Catalina/localhost/_" { + permission java.io.FilePermission "/helpfiles/-", "read"; + permission java.lang.RuntimePermission "defineClassInPackage.org.apache.jasper.runtime"; +}; + +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/classes/-" { + permission java.security.AllPermission; +// permission java.io.FilePermission "${catalina.base}/logs", "read, write"; +// permission java.io.FilePermission "${catalina.base}/logs/*", "read, write"; +// permission java.util.PropertyPermission "com.sun.xml.ws.fault.SOAPFaultBuilder.disableCaptureStackTrace", "write"; +// permission java.util.PropertyPermission "com.sun.xml.ws.transport.http.HttpAdapter.dump", "write"; +}; + +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/-" { + permission java.io.FilePermission "${catalina.base}/logs", "read, write"; + permission java.io.FilePermission "${catalina.base}/logs/*", "read, write"; +}; + +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/utils-1.1.2-SNAPSHOT.jar" { + permission java.util.PropertyPermission "*", "read"; + permission java.net.SocketPermission "www.a-trust.at:80", "connect, resolve"; + permission java.net.SocketPermission "ksp.ecard.sozialversicherung.gv.at:80", "connect,resolve"; + permission java.lang.RuntimePermission "accessDeclaredMembers"; + permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; +}; + +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/bkucommon-1.1.2-SNAPSHOT.jar" { + permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/online/conf/certs/certStore", "write"; + permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/online/conf/certs/certStore/-", "write"; + permission java.io.FilePermission "/usr/share/java/xercesImpl.jar", "read"; + permission java.net.SocketPermission "apps.egiz.gv.at:443", "connect, resolve"; + permission java.net.SocketPermission "www.a-trust.at:80", "connect, resolve"; + permission java.net.SocketPermission "ksp.ecard.sozialversicherung.gv.at:80", "connect,resolve"; + permission java.net.SocketPermission "ldap.a-trust.at:389", "connect, resolve"; + permission java.net.NetPermission "specifyStreamHandler"; + permission java.util.PropertyPermission "*", "read, write"; + permission java.security.SecurityPermission "insertProvider.IAIK"; + permission java.security.SecurityPermission "putProviderProperty.IAIK"; + permission java.security.SecurityPermission "removeProvider.IAIK"; + permission java.security.SecurityPermission "insertProvider.IAIK_ECC"; + permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC"; + permission java.security.SecurityPermission "insertProvider.XSECT"; + permission java.security.SecurityPermission "putProviderProperty.XSECT"; + permission java.security.SecurityPermission "insertProvider.STAL"; + permission java.security.SecurityPermission "putProviderProperty.STAL"; + // XMLDSig is moved backwards by XSECT + permission java.security.SecurityPermission "insertProvider.XMLDSig"; + permission java.security.SecurityPermission "removeProvider.XMLDSig"; + permission java.lang.RuntimePermission "accessDeclaredMembers"; + permission java.lang.RuntimePermission "setFactory"; + permission java.lang.RuntimePermission "getProtectionDomain"; + permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.ldap"; + permission java.lang.RuntimePermission "modifyThread"; + permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; +}; + +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/iaik_jce_full_signed-3.16.jar" { + permission java.util.PropertyPermission "*", "read, write"; + permission java.security.SecurityPermission "insertProvider.IAIK"; + permission java.security.SecurityPermission "putProviderProperty.IAIK"; + permission java.security.SecurityPermission "removeProvider.IAIK"; + permission java.net.SocketPermission "ldap.a-trust.at:389", "connect, resolve"; +}; + +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/iaik_ecc_signed-2.15.jar" { + permission java.security.SecurityPermission "insertProvider.IAIK_ECC"; + permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC"; +}; + +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/iaik_xsect-1.14.jar" { + permission java.util.PropertyPermission "*", "read, write"; + permission java.security.SecurityPermission "insertProvider.IAIK"; + permission java.security.SecurityPermission "putProviderProperty.IAIK"; + permission java.security.SecurityPermission "removeProvider.IAIK"; + permission java.security.SecurityPermission "insertProvider.XSECT"; + permission java.security.SecurityPermission "putProviderProperty.XSECT"; + permission java.security.SecurityPermission "insertProvider.XMLDSig"; + permission java.security.SecurityPermission "removeProvider.XMLDSig"; +}; + +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/iaik_pki-1.0-MOCCA.jar" { + permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/online/conf/certs/certStore", "write"; + permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/online/conf/certs/certStore/-", "write"; + permission java.net.SocketPermission "www.a-trust.at:80", "connect, resolve"; + permission java.net.SocketPermission "ldap.a-trust.at:389", "connect, resolve"; + permission java.net.NetPermission "specifyStreamHandler"; + permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.ldap"; +}; + +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/xalan-2.7.0.jar" { + permission java.util.PropertyPermission "*", "read"; + permission java.io.FilePermission "${java.home}/lib/xalan.properties", "read"; + permission java.lang.RuntimePermission "getClassLoader"; +}; + +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/commons-logging-1.1.1.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/log4j-1.2.12.jar" { + permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/classes/log4j.properties", "read"; + // allow log4j to read its own properties + permission java.util.PropertyPermission "log4j.*", "read"; + // the log4j configuration might want to write logs to ${catalina.base}/logs/bkuonline.log + permission java.util.PropertyPermission "catalina.base", "read"; + permission java.lang.RuntimePermission "defineClassInPackage.java.lang"; +}; + +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/spring-core-2.5.5.jar" { + permission java.lang.RuntimePermission "accessDeclaredMembers"; +}; +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/spring-web-2.5.5.jar" { + permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/online/conf/certs/certStore", "write"; + permission java.io.FilePermission "/usr/share/java/xercesImpl.jar", "read"; + permission java.security.SecurityPermission "insertProvider.IAIK"; + permission java.security.SecurityPermission "putProviderProperty.IAIK"; + permission java.security.SecurityPermission "removeProvider.IAIK"; + permission java.security.SecurityPermission "insertProvider.IAIK_ECC"; + permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC"; + permission java.security.SecurityPermission "insertProvider.XSECT"; + permission java.security.SecurityPermission "putProviderProperty.XSECT"; + permission java.security.SecurityPermission "insertProvider.STAL"; + permission java.security.SecurityPermission "putProviderProperty.STAL"; + permission java.security.SecurityPermission "insertProvider.XMLDSig"; + permission java.security.SecurityPermission "removeProvider.XMLDSig"; + permission java.util.PropertyPermission "*", "read, write"; + permission java.lang.RuntimePermission "accessDeclaredMembers"; + permission java.lang.RuntimePermission "setFactory"; + permission java.lang.RuntimePermission "getProtectionDomain"; + permission java.lang.RuntimePermission "defineClassInPackage.java.lang"; + permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; +}; +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/spring-beans-2.5.5.jar" { + permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/online/conf/certs/certStore", "write"; + permission java.io.FilePermission "/usr/share/java/xercesImpl.jar", "read"; + permission java.security.SecurityPermission "insertProvider.IAIK"; + permission java.security.SecurityPermission "putProviderProperty.IAIK"; + permission java.security.SecurityPermission "removeProvider.IAIK"; + permission java.security.SecurityPermission "insertProvider.IAIK_ECC"; + permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC"; + permission java.security.SecurityPermission "insertProvider.XSECT"; + permission java.security.SecurityPermission "putProviderProperty.XSECT"; + permission java.security.SecurityPermission "insertProvider.STAL"; + permission java.security.SecurityPermission "putProviderProperty.STAL"; + permission java.security.SecurityPermission "insertProvider.XMLDSig"; + permission java.security.SecurityPermission "removeProvider.XMLDSig"; + permission java.util.PropertyPermission "*", "read, write"; + permission java.lang.RuntimePermission "accessDeclaredMembers"; + permission java.lang.RuntimePermission "setFactory"; + permission java.lang.RuntimePermission "getProtectionDomain"; + permission java.lang.RuntimePermission "defineClassInPackage.java.lang"; + permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; +}; +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/spring-context-2.5.5.jar" { + permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/online/conf/certs/certStore", "write"; + permission java.io.FilePermission "/usr/share/java/xercesImpl.jar", "read"; + permission java.security.SecurityPermission "insertProvider.IAIK"; + permission java.security.SecurityPermission "putProviderProperty.IAIK"; + permission java.security.SecurityPermission "removeProvider.IAIK"; + permission java.security.SecurityPermission "insertProvider.IAIK_ECC"; + permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC"; + permission java.security.SecurityPermission "insertProvider.XSECT"; + permission java.security.SecurityPermission "putProviderProperty.XSECT"; + permission java.security.SecurityPermission "insertProvider.STAL"; + permission java.security.SecurityPermission "putProviderProperty.STAL"; + permission java.security.SecurityPermission "insertProvider.XMLDSig"; + permission java.security.SecurityPermission "removeProvider.XMLDSig"; + permission java.util.PropertyPermission "*", "read, write"; + permission java.lang.RuntimePermission "accessDeclaredMembers"; + permission java.lang.RuntimePermission "setFactory"; + permission java.lang.RuntimePermission "getProtectionDomain"; + permission java.lang.RuntimePermission "defineClassInPackage.java.lang"; + permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; +}; + + +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/jaxws-rt-2.1.5.jar" { + // need write access to set disableCaptureStackTrace and HttpAdapter.dump + permission java.util.PropertyPermission "com.sun.xml.ws.*", "read, write"; + permission java.util.PropertyPermission "com.sun.xml.bind.*", "read"; + permission java.util.PropertyPermission "javax.xml.soap.*", "read"; + permission java.util.PropertyPermission "javax.activation.*", "read"; + permission java.util.PropertyPermission "xml.catalog.*", "read"; + permission java.util.PropertyPermission "user.dir", "read"; + permission java.util.PropertyPermission "user.home", "read"; + permission java.io.FilePermission "${java.home}/lib/jaxm.properties", "read"; + permission java.io.FilePermission "${java.home}/lib/mailcap", "read"; + permission java.io.FilePermission "${user.home}/.mailcap", "read"; + permission java.io.FilePermission "basename", "read"; + permission java.io.FilePermission "${catalina.home}/bin/xcatalog", "read"; + permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; + permission java.lang.RuntimePermission "accessDeclaredMembers"; + permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources"; + permission java.lang.RuntimePermission "setContextClassLoader"; + permission javax.management.MBeanServerPermission "createMBeanServer"; + permission javax.management.MBeanPermission "com.sun.xml.ws.*", "registerMBean"; + permission javax.management.MBeanTrustPermission "register"; + permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; +}; + +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/jaxb-impl-2.1.9.jar" { + permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; + permission java.lang.RuntimePermission "accessDeclaredMembers"; + permission java.util.PropertyPermission "com.sun.xml.bind.v2.*", "read"; +}; + +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.1.2-SNAPSHOT/WEB-INF/lib/commons-httpclient-3.1.jar" { + permission java.util.PropertyPermission "*", "read"; +}; + +// ======== NETBEANS + +grant codeBase "file:${catalina.base}/nblib/-" { + permission java.security.AllPermission; +}; + diff --git a/BKUOnline/src/main/webapp/applet.jsp b/BKUOnline/src/main/webapp/applet.jsp index 3da17066..4b0f2240 100644 --- a/BKUOnline/src/main/webapp/applet.jsp +++ b/BKUOnline/src/main/webapp/applet.jsp @@ -40,7 +40,7 @@ String guiStyle = (String) session.getAttribute("appletGuiStyle"); String locale = (String) session.getAttribute("locale"); String extension = (String) session.getAttribute("extension"); - + String appletClass, appletArchive; if ("activation".equals(extension)) { appletArchive = "BKUAppletExt"; @@ -66,7 +66,7 @@ RandomStringUtils.randomAlphanumeric(16); appletArchive += rand; } - + %>