[Pki-devel] [PATCH] 130 Enabled Tomcat security manager.

Endi Sukma Dewata edewata at redhat.com
Sat Oct 27 04:39:38 UTC 2012


On 10/26/2012 9:39 PM, Matthew Harmsen wrote:
> ACK
>
> Applied patch, built, installed, and successfully tested a CA running
> under the Tomcat Java Security Manager:
>
>   * # ps -ef | grep tomcat
>     pkiuser  28050     1  2 19:15 ?        00:00:17
>     /usr/lib/jvm/jre/bin/java -classpath
>     :/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar
>     -Dcatalina.base=/var/lib/pki/pki-tomcat
>     -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs=
>     -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp
>     -Djava.security.manager
>     -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties
>     -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
>     org.apache.catalina.startup.Bootstrap start
>
> I noticed one oddity in the '/usr/sbin/tomcat' file where they had
> specified -Djava.security.policy=="${CATALINA_BASE}/conf/catalina.policy"
> rather than
> -Djava.security.policy="${CATALINA_BASE}/conf/catalina.policy" (used
> an "==" rather than a single "="), but when I manually changed this,
> and restarted the server, I was still able to successfully request,
> approve, and issue another cert.

Yes, a single equal sign means we append the catalina.policy to the
standard Java policy (/usr/lib/jvm/jre/lib/security/java.policy). The
double equal signs mean that we use catalina.policy exclusively.

http://download.java.net/jdk8/docs/technotes/guides/security/PolicyFiles.html

Pushed to master. Thanks.

-- 
Endi S. Dewata
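
The "=" versus "==" distinction discussed in this message, as an added example that is not part of the thread, of Dogtag or of Tomcat's own code. The program writes a one-grant policy file and is then launched twice under the Security Manager, once with each form of -Djava.security.policy; it checks one permission that only the JDK's java.policy grants (read of java.version) and one that only the demo policy grants. It assumes a JDK that still ships a Security Manager (JDK 8 to 23; JEP 486 disables it permanently in JDK 24) and the default policy.allowSystemProperty=true in the JDK's java.security, without which -Djava.security.policy is ignored. The file name demo.policy and the property name demo.custom are constructed for the example.

```java
// PolicyModeDemo.java
// Added example, not code from the pki-devel thread, Dogtag or Tomcat.
// Assumes: a JDK with a Security Manager (8-23) and the default
// policy.allowSystemProperty=true in java.security. demo.policy and
// demo.custom are constructed names for this demo.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.AccessController;
import java.security.Permission;
import java.util.PropertyPermission;

public class PolicyModeDemo {

    // A one-grant policy. It deliberately grants nothing that the JDK's own
    // java.policy already grants, so the two launches below differ only in
    // whether java.policy is still loaded alongside it.
    static final String POLICY =
            "// constructed demo policy (not Tomcat's catalina.policy)\n"
          + "grant {\n"
          + "    permission java.util.PropertyPermission \"demo.custom\", \"read\";\n"
          + "};\n";

    // Ask the installed Policy whether every protection domain on the
    // current call stack holds the permission; a denial is a SecurityException.
    static boolean granted(Permission p) {
        try {
            AccessController.checkPermission(p);
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        if (System.getSecurityManager() == null) {
            // First run, without a Security Manager: write the policy file
            // and show the two launch forms to compare.
            Files.write(Paths.get("demo.policy"), POLICY.getBytes(StandardCharsets.UTF_8));
            System.out.println("wrote demo.policy; now run each of:");
            System.out.println("  java -Djava.security.manager -Djava.security.policy=demo.policy  PolicyModeDemo");
            System.out.println("  java -Djava.security.manager -Djava.security.policy==demo.policy PolicyModeDemo");
            return;
        }
        // Under the Security Manager: the first permission is granted to all
        // code by the JDK's java.policy, the second only by demo.policy.
        System.out.println("PropertyPermission java.version read (from the JDK's java.policy): "
                + granted(new PropertyPermission("java.version", "read")));
        System.out.println("PropertyPermission demo.custom read  (from demo.policy): "
                + granted(new PropertyPermission("demo.custom", "read")));
    }
}
```

With the single "=" the effective policy is the union of java.policy and demo.policy, so both checks pass; with "==" java.policy is never read, so only the demo.custom check passes. That union is also why the CA kept working when the launch line was changed to a single "=": the appended form is strictly more permissive, not less. It is the reason Tomcat's startup uses "==" with a catalina.policy that carries its own grants for the JDK's system code rather than relying on java.policy being appended. When trimming a policy down to the exclusive form, running once with -Djava.security.debug=access,failure prints each denied check with its stack, which is the quickest way to find a grant that java.policy used to supply.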
