History | Log In     View a printable version of the current page.  
   HOME       BROWSE PROJECT       FIND ISSUES   
    QUICK SEARCH:  
Issue Details (XML | Word | Printable)

Key: XWIKI-348
Type: Improvement Improvement
Status: Closed Closed
Resolution: Won't Fix
Priority: Critical Critical
Assignee: Sergiu Dumitriu
Reporter: Sergiu Dumitriu
Votes: 0
Watchers: 1
Operations

If you were logged in you would be able to see more operations.
XWiki Core

XWiki does not work with java security on

Created: 03/Oct/06 20:32   Updated: 11/Mar/08 18:19
Component/s: Core
Affects Version/s: 0.9.1252
Fix Version/s: None

Environment: Debian, tomcat -secure

Date of First Response: 05/Mar/07 04:34
Resolution Date: 11/Mar/08 18:19


 Description  « Hide
Servlets can work in two security models: the standard servlet model and the standard java model.

The standard servlet model is on by default on most distributions and web servers. In this model, a webapp cannot exit the directory specified by the docBase attribute of the Context element, but no other restrictions apply, meaning that a servelt or jsp can call System.exit() and shut down the whole server. In this model, / in a path means the directory or .war file of the webapp.

The java security model is the one active for applets and WebStart applications. Such an application can access anything as long as there is a policy that gives the proper rights. This model can be selected in tomcat by starting it with "tomcat start -security". In this model, / means the system root.

The problem is that all paths in XWiki are specified with a leading /. So, every file is searched on the root filesystem instead of the XWiki directory.

This can be fixed by removing the leading / in all paths. The servlet specification says that all relative paths start from the docBase, so nothing else should be changed.

 All   Comments   Change History      Sort Order: Ascending order - Click to sort in descending order
[ Permlink | « Hide ]
Tom Oehser - 05/Mar/07 04:34

I think it would be more correct if XWiki were to limit or eliminate use of the filesystem via java.io.*.

Things like the log4j config should be made easily configurable- not buried- and documented as something to configure during installation. Obviously, you can dig for it and replace it earlier in the classpath...

It is not hard, also, to make log4j reload configurations once the cfg file is read, or once the database is read, so that things like log output files can be configured more in the normal configuration process.

But, in general, there should not be paths in a J2EE database application.

-Tom


[ Permlink | « Hide ]
Stefan Oberwahrenbrock - 19/Jul/07 16:18
Instead of disabling TOMCAT5_SECURITY completely in /etc/default/tomcat5.5 it is "smarter" to disable it on an "per application basis". Therefor we created an additional file in /etc/tomcat5.5/policy.d/ named 49xwiki.policy with the following content:

// These permissions apply to xwiki
grant codeBase "file:${catalina.base}/webapps/xwiki/-" { permission java.security.AllPermission; };

Restarting Tomcat you can now use the default security settings provided by the Debian Package (TOMCAT5_SECURITY=yes). Should work on Debian 4.0 systems where xwiki ist installed under the default path for Tomcat applications (/var/lib/tomcat5.5/webapps/xwiki/).

Stefan


[ Permlink | « Hide ]
Sergiu Dumitriu - 24/Dec/07 12:14
With the new component-based architecture, Plexus fails to initialize with a "java.lang.RuntimePermission createClassLoader" permission exception.

[ Permlink | « Hide ]
Sergiu Dumitriu - 07/Jan/08 14:49
I tried to determine the minimum security rules which must be added in order for XWiki to work. With the current trunk (rev. 6639), these changes are needed:
  • Remove the xerxesImpl jar, as it will be used by Tomcat to load it's own resources, thus throwing security exceptions. I'd say this is a bug in Tomcat.
  • Disable the file logger in log4j.properties
  • Add the following in a policy file:

grant codeBase "file:${catalina.home}/webapps/xwiki/WEB-INF/lib/-" { permission java.util.PropertyPermission "file.encoding", "read"; // Needed by Hibernate -> antlr permission java.util.PropertyPermission "ANTLR_DO_NOT_EXIT", "read"; permission java.util.PropertyPermission "ANTLR_USE_DIRECT_CLASS_LOADING", "read"; // Needed by Plexus. Can be omitted if Plexus is disabled (OK in XWiki <= 1.2) permission java.lang.RuntimePermission "createClassLoader"; permission java.lang.RuntimePermission "setContextClassLoader"; // Needed by Plexus and Hibernate permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; // Needed by commons-logging permission java.util.PropertyPermission "org.apache.commons.logging.LogFactory.HashtableImpl", "read"; // Needed for connecting to the database permission java.net.SocketPermission "127.0.0.1:3306", "connect,resolve"; // Needed by the scheduler plugin -> quartz, but works without (maybe except scheduling? should be checked) // permission java.util.PropertyPermission "org.quartz.properties", "read"; };

Our code is pretty safe for the moment, but some of the projects we are using have some problems, like antlr (v3 doesn't require them, but Hibernate still uses v2), hibernate and plexus which require custom class loading and reflection, and commons-logging.


[ Permlink | « Hide ]
Sergiu Dumitriu - 11/Mar/08 18:19
Most of the things that could be improved already committed. There is nothing else we can do.


Powered by a free Atlassian JIRA open source license for XWiki. Try JIRA - bug tracking software for your team.
Atlassian JIRA the Professional Issue Tracker. (Enterprise Edition, Version: 3.12.3-#302) - Bug/feature request - Atlassian news - Contact Administrators