commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mark Thomas (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (DBCP-177) [dbcp] redesign to use dbcp with security manager
Date Fri, 07 Feb 2014 14:57:19 GMT

     [ https://issues.apache.org/jira/browse/DBCP-177?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Mark Thomas resolved DBCP-177.
------------------------------

    Resolution: Fixed

I really don't know what to say about how long this has taken to fix. Sorry doesn't really
cut it.

I have just committed the fix for this for DBCP 2. I have only been testing with my fairly
basic database application. We may need to pre-load a few more classes to prevent AccessControlExceptions
for all use cases. DBCP 2 is feeding in the Tomcat 8 beta releases so we should get some good
feedback from those.

> [dbcp] redesign to use dbcp with security manager
> -------------------------------------------------
>
>                 Key: DBCP-177
>                 URL: https://issues.apache.org/jira/browse/DBCP-177
>             Project: Commons Dbcp
>          Issue Type: Improvement
>         Environment: Operating System: All
> Platform: All
>            Reporter: Gernot Pfingstl
>            Priority: Minor
>             Fix For: 2.0
>
>
> Dbcp is not designed to run with security manager, especially when dbcp is used
> in a servlet container (like tomcat) there are problems to set up security
> policy in a correct manner.
> e.g.: to get a connection should be completely transparent to the (web)app -
> only dbcp should know how to get the datasource/connection. If the connection
> uses tcp (which will be in the most cases) only dbcp should be granted a socket
> permission. The app itself should not be granted this permission - the app
> should not be able to connect the dbserver itself.
> So dbcp needs some "doPrivileged()".
> see Bug 35034: 
> Running tomcat with security manager: To get a datasource (with jndi) and to use
> statements you have to grant several accessClassInPackage Permissions to tomcat
> internal packages to the webapp:
>       permission java.lang.RuntimePermission
> "accessClassInPackage.org.apache.tomcat.dbcp.collections";
>       permission java.lang.RuntimePermission
> "accessClassInPackage.org.apache.tomcat.dbcp.pool.impl";
>       permission java.lang.RuntimePermission
> "accessClassInPackage.org.apache.tomcat.dbcp.dbcp";
>       permission java.lang.RuntimePermission
> "accessClassInPackage.org.apache.tomcat.dbcp.pool";
> Additionally dbcp needs a permission java.lang.RuntimePermission
> "getClassLoader"; permission to load the jdbc driver.
> And in most cases you need some socket permissions.
> Datasources will be made available by the container (with JNDI). So the app
> doesn't matter where the database resides nor how the container makes the
> connection. The app is not interested in the details how the container will get
> the connection - it is only interested to have a connection. 
> There is no need to give the whole app a permission to connect to some server
> only because the container wants to make some connection to this server. The
> permission if a app should be able to make a connection is given by a
> resource-link entry in context.xml.
> The permission to connect to the database server should be given at the
> container level and only there.
> Why should the whole app have permission to access tomcat internal packages
> (org.apache.tomcat.*)?
> ------- Additional Comment #1 From Remy Maucherat 2005-05-24 09:58 [reply] -------
> The commons-dbcp library would need to be written with the security manager in
> mind (ie, it needs to have PAs). Not a Tomcat bug, and you should be able to use
> alternate datasource providers.: 
> Running tomcat with security manager: To get a datasource (with jndi) and to use
> statements you have to grant several accessClassInPackage Permissions to tomcat
> internal packages to the webapp:
>       permission java.lang.RuntimePermission
> "accessClassInPackage.org.apache.tomcat.dbcp.collections";
>       permission java.lang.RuntimePermission
> "accessClassInPackage.org.apache.tomcat.dbcp.pool.impl";
>       permission java.lang.RuntimePermission
> "accessClassInPackage.org.apache.tomcat.dbcp.dbcp";
>       permission java.lang.RuntimePermission
> "accessClassInPackage.org.apache.tomcat.dbcp.pool";
> Additionally dbcp needs a permission java.lang.RuntimePermission
> "getClassLoader"; permission to load the jdbc driver.
> And in most cases you need some socket permissions.
> Datasources will be made available by the container (with JNDI). So the app
> doesn't matter where the database resides nor how the container makes the
> connection. The app is not interested in the details how the container will get
> the connection - it is only interested to have a connection. 
> There is no need to give the whole app a permission to connect to some server
> only because the container wants to make some connection to this server. The
> permission if a app should be able to make a connection is given by a
> resource-link entry in context.xml.
> The permission to connect to the database server should be given at the
> container level and only there.
> Why should the whole app have permission to access tomcat internal packages
> (org.apache.tomcat.*)?



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

Mime
View raw message