Question around catalina.policy change back with 9.0.33, etc.

Question around catalina.policy change back with 9.0.33, etc.

jonmcalexander
I have a developer that is asking WHY the following policies were set to read only. The Change Log doesn't illuminate why.

    // The cookie code needs these.
    permission java.util.PropertyPermission
     "org.apache.catalina.STRICT_SERVLET_COMPLIANCE", "read";
    permission java.util.PropertyPermission
     "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING", "read";
    permission java.util.PropertyPermission
     "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR", "read";

Any information I can share with her?

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

[hidden email]


This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.


Re: Question around catalina.policy change back with 9.0.33, etc.

markt
On 26/06/2020 00:15, [hidden email] wrote:

> I have a developer that is asking WHY the following policies were set to read only. The Change Log doesn't illuminate why.
>
>     // The cookie code needs these.
>     permission java.util.PropertyPermission
>      "org.apache.catalina.STRICT_SERVLET_COMPLIANCE", "read";
>     permission java.util.PropertyPermission
>      "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING", "read";
>     permission java.util.PropertyPermission
>      "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR", "read";
>
> Any information I can share with her?

Those permissions were removed, not set to read only, for 9.0.9 onwards.

It was the result of a refactoring:
https://github.com/apache/tomcat/commit/6ceb931e1aac0355e0980d09814559f24406a14a

I made the change but it was 2 years ago. I don't recall the motivation
off-hand. /me heads off to look at the archives...

..and that is why we have the archives.

It appears to stem from this issue:
https://bz.apache.org/bugzilla/show_bug.cgi?id=43925

The fix for that issue led to this:
https://tomcat.markmail.org/thread/mab6jbyb57phslwk

Rather than add a permission, the code was refactored so the additional
permission (and some of the existing permissions) were no longer required.

It isn't documented, but I strongly suspect that got me looking at other
permissions which led to the refactoring that allowed the removal of the
cookie permissions.

The general principle behind all of this being the fewer explicit
permissions you need to give to applications the better.

HTH,

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
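
An added example, not part of the thread or of Tomcat's own code: a check for a locally customised catalina.policy that still carries grants covering the three properties quoted above, which the reply says were removed for 9.0.9 onwards. The sample policy text and the "<all code>" label are constructed for illustration.

```python
import re

# Properties quoted in the thread; per the reply, grants for them were removed
# from the default catalina.policy for 9.0.9 onwards.
REMOVED = (
    "org.apache.catalina.STRICT_SERVLET_COMPLIANCE",
    "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING",
    "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR",
)
# The grant header may hold quoted strings containing "${...}", so skip quotes.
GRANT = re.compile(r'grant\b((?:[^{"]|"[^"]*")*)\{(.*?)\}\s*;', re.S)
CODEBASE = re.compile(r'codeBase\s+"([^"]*)"')
PROP = re.compile(r'permission\s+java\.util\.PropertyPermission\s+"([^"]+)"\s*,\s*"([^"]+)"\s*;')

def strip_comments(text):
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    # Only whole-line // comments, so "//" inside a codeBase URL survives.
    return re.sub(r'(?m)^[ \t]*//.*$', '', text)

def covers(granted, prop):
    # PropertyPermission names match exactly, as "*", or as a trailing ".*".
    return granted in ("*", prop) or (
        granted.endswith(".*") and prop.startswith(granted[:-1]))

def audit(policy_text):
    """Return (codeBase, granted name, actions, property) per leftover grant."""
    findings = []
    for header, body in GRANT.findall(strip_comments(policy_text)):
        cb = CODEBASE.search(header)
        codebase = cb.group(1) if cb else "<all code>"
        for name, actions in PROP.findall(body):
            findings += [(codebase, name, actions, p)
                         for p in REMOVED if covers(name, p)]
    return findings

# Constructed sample policy, not taken from any real deployment.
SAMPLE = '''
grant {
    // The cookie code needs these.
    permission java.util.PropertyPermission
     "org.apache.catalina.STRICT_SERVLET_COMPLIANCE", "read";
};
grant codeBase "file:${catalina.base}/webapps/legacy/-" {
    permission java.util.PropertyPermission "org.apache.tomcat.util.http.*", "read,write";
};
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```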


RE: Question around catalina.policy change back with 9.0.33, etc.

jonmcalexander
Thank you so much Mark!!!


-----Original Message-----
From: Mark Thomas <[hidden email]>
Sent: Friday, June 26, 2020 5:14 AM
To: [hidden email]
Subject: Re: Question around catalina.policy change back with 9.0.33, etc.