From 79016a7b2f9d89e52e991b0abdfc73ad24e60979 Mon Sep 17 00:00:00 2001
From: clemenso <clemenso@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>
Date: Thu, 13 Aug 2009 09:19:28 +0000
Subject: [#433] update BKU Web Start CertStore WebStart configuration
 refactored

git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@423 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
---
 .../java/at/gv/egiz/bku/webstart/Container.java    | 75 ++++++++++++++++++----
 1 file changed, 62 insertions(+), 13 deletions(-)

(limited to 'BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java')

diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java
index 89044486..4df90ab2 100644
--- a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java
+++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java
@@ -1,22 +1,28 @@
 package at.gv.egiz.bku.webstart;
 
 import at.gv.egiz.bku.utils.StreamUtil;
+import java.awt.AWTPermission;
 import java.io.BufferedOutputStream;
 import java.io.BufferedReader;
 import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
+import java.io.FilePermission;
 import java.io.FileReader;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.lang.reflect.ReflectPermission;
+import java.net.NetPermission;
+import java.net.SocketPermission;
+import java.security.Permissions;
+import java.security.SecurityPermission;
+import java.util.PropertyPermission;
+import javax.smartcardio.CardPermission;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.mortbay.jetty.Connector;
-import org.mortbay.jetty.Handler;
 import org.mortbay.jetty.Server;
-import org.mortbay.jetty.handler.DefaultHandler;
-import org.mortbay.jetty.handler.HandlerCollection;
 import org.mortbay.jetty.nio.SelectChannelConnector;
 import org.mortbay.jetty.security.SslSocketConnector;
 import org.mortbay.jetty.webapp.WebAppContext;
@@ -28,12 +34,18 @@ public class Container {
   public static final String HTTPS_PORT_PROPERTY = "mocca.http.port";
 
   private static Log log = LogFactory.getLog(Container.class);
+  static {
+    if (log.isDebugEnabled()) {
+      //Jetty log INFO and WARN, include ignored exceptions
+      //jetty logging may be further restricted by setting level in log4j.properties
+      System.setProperty("VERBOSE", "true");
+      //do not set Jetty DEBUG logging, produces loads of output
+      //System.setProperty("DEBUG", "true");
+    }
+  }
 
   private Server server;
 
-  public Container() {
-  }
-
   public void init() throws IOException {
 //    System.setProperty("DEBUG", "true");
     server = new Server();
@@ -55,15 +67,15 @@ public class Container {
     sslConnector.setPort(Integer.getInteger(HTTPS_PORT_PROPERTY, 3496).intValue());
     sslConnector.setAcceptors(1);
     sslConnector.setHost("127.0.0.1");
-    File configDir = new File(System.getProperty("user.home") + "/" + BKULauncher.CONFIG_DIR);
-    File keystoreFile = new File(configDir, BKULauncher.KEYSTORE_FILE);
+    File configDir = new File(System.getProperty("user.home") + "/" + Configurator.CONFIG_DIR);
+    File keystoreFile = new File(configDir, Configurator.KEYSTORE_FILE);
     if (!keystoreFile.canRead()) {
       log.error("MOCCA keystore file not readable: " + keystoreFile.getAbsolutePath());
       throw new FileNotFoundException("MOCCA keystore file not readable: " + keystoreFile.getAbsolutePath());
     }
     log.debug("loading MOCCA keystore from " + keystoreFile.getAbsolutePath());
     sslConnector.setKeystore(keystoreFile.getAbsolutePath());
-    File passwdFile = new File(configDir, BKULauncher.PASSWD_FILE);
+    File passwdFile = new File(configDir, Configurator.PASSWD_FILE);
     BufferedReader reader = new BufferedReader(new FileReader(passwdFile));
     String pwd;
     while ((pwd = reader.readLine()) != null) {
@@ -107,7 +119,6 @@ public class Container {
 
     sslConnector.setExcludeCipherSuites(RFC4492CipherSuites);
 
-
     server.setConnectors(new Connector[] { connector, sslConnector });
     
     WebAppContext webapp = new WebAppContext();
@@ -116,13 +127,13 @@ public class Container {
     webapp.setExtractWAR(true); 
     webapp.setParentLoaderPriority(false);
 
-    webapp.setWar(copyWebapp(webapp.getTempDirectory())); //getClass().getClassLoader().getResource("BKULocalWar/").toString());
-
+    webapp.setWar(copyWebapp(webapp.getTempDirectory()));
+    webapp.setPermissions(getPermissions(webapp.getTempDirectory()));
+    
     server.setHandler(webapp);
     server.setGracefulShutdown(1000*3);
   }
 
-
   private String copyWebapp(File webappDir) throws IOException {
     File webapp = new File(webappDir, "BKULocal.war");
     log.debug("copying BKULocal classpath resource to " + webapp);
@@ -133,6 +144,44 @@ public class Container {
     return webapp.getPath();
   }
 
+  private Permissions getPermissions(File webappDir) {
+    Permissions perms = new Permissions();
+
+    // jetty-webstart (spring?)
+    perms.add(new RuntimePermission("getClassLoader"));
+
+    // standard permissions
+    perms.add(new PropertyPermission("*", "read"));
+    perms.add(new RuntimePermission("accessDeclaredMembers"));
+    perms.add(new RuntimePermission("accessClassInPackage.*"));
+    perms.add(new RuntimePermission("defineClassInPackage.*"));
+    perms.add(new RuntimePermission("setFactory"));
+    perms.add(new RuntimePermission("getProtectionDomain"));
+    perms.add(new RuntimePermission("modifyThread"));
+    perms.add(new RuntimePermission("modifyThreadGroup"));
+    perms.add(new RuntimePermission("setFactory"));
+    perms.add(new ReflectPermission("suppressAccessChecks"));
+
+    // MOCCA specific
+    perms.add(new SocketPermission("*", "connect,resolve"));
+    perms.add(new NetPermission("specifyStreamHandler"));
+    perms.add(new SecurityPermission("insertProvider.*"));
+    perms.add(new SecurityPermission("putProviderProperty.*"));
+    perms.add(new SecurityPermission("removeProvider.*"));
+    perms.add(new CardPermission("*", "*"));
+    perms.add(new AWTPermission("*"));
+
+    perms.add(new FilePermission(webappDir.getAbsolutePath() + "/-", "read"));
+    perms.add(new FilePermission(new File(System.getProperty("java.home") + "/lib/xalan.properties").getAbsolutePath(), "read"));
+    perms.add(new FilePermission(new File(System.getProperty("java.home") + "/lib/xerces.properties").getAbsolutePath(), "read"));
+    perms.add(new FilePermission(new File(System.getProperty("user.home")).getAbsolutePath(), "read, write"));
+    perms.add(new FilePermission(new File(System.getProperty("user.home") + "/-").getAbsolutePath(), "read, write"));
+    perms.add(new FilePermission(new File(System.getProperty("user.home") + "/.mocca/logs/*").getAbsolutePath(), "read, write,delete"));
+
+
+    return perms;
+  }
+
   public void start() throws Exception {
     server.start();
   }
-- 
cgit v1.2.3