前面说了,TOMCAT作为服务时加一个参数,这样TOMCAT就安全多了。接下来我们可以在catalina.policy,进行一下具体权限控制:
下面代码仅供参考:
/* AUTOMATICALLY GENERATED ON Mon Oct 15 09:50:33 CST 2007*/
/* DO NOT EDIT http://www.jspzg.com */
// Unrestricted grants for the JDK runtime and the Tomcat bootstrap/core jars.
// AllPermission also allows the holder to rewrite the policy itself, so only
// code that is trusted as much as the JVM belongs here. This layout looks like
// the stock catalina.policy shipped with Tomcat -- TODO confirm against the
// version actually deployed.
grant codeBase "file:${java.home}/lib/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/jre/lib/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/jre/lib/ext/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
permission java.security.AllPermission;
};
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
permission java.security.AllPermission;
};
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
permission java.security.AllPermission;
};
// Everything under lib/ (shared libraries, JDBC drivers, etc.) is fully trusted as well.
grant codeBase "file:${catalina.home}/lib/-" {
permission java.security.AllPermission;
};
// No codeBase clause: this grant applies to ALL code loaded in the JVM,
// including every deployed web application, not just Tomcat itself.
// Per the JDK permission documentation, "createClassLoader",
// "suppressAccessChecks", "accessDeclaredMembers" and "defineClassInPackage.*"
// let code bypass language access controls or define classes in any package,
// which largely undoes the sandbox for untrusted webapps. Prefer moving the
// powerful entries into per-codeBase grants for the components that need them.
grant {
// JAAS subject / login-configuration permissions.
permission javax.security.auth.AuthPermission "doAs";
permission javax.security.auth.AuthPermission "doAsPrivileged";
permission javax.security.auth.AuthPermission "getSubject";
permission javax.security.auth.AuthPermission "getSubjectFromDomainCombiner";
permission javax.security.auth.AuthPermission "setReadOnly";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission "modifyPublicCredentials";
permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
permission javax.security.auth.AuthPermission "refreshCredential";
permission javax.security.auth.AuthPermission "destroyCredential";
permission javax.security.auth.AuthPermission "createLoginContext.*";
permission javax.security.auth.AuthPermission "getLoginConfiguration";
// Allows any code to replace the JAAS login configuration at runtime.
permission javax.security.auth.AuthPermission "setLoginConfiguration";
permission javax.security.auth.AuthPermission "refreshLoginConfiguration";
// "control" lets any code reconfigure java.util.logging (levels, handlers).
permission java.util.logging.LoggingPermission "control";
permission java.net.NetPermission "setDefaultAuthenticator";
permission java.net.NetPermission "requestPasswordAuthentication";
permission java.net.NetPermission "specifyStreamHandler";
// setAccessible(true) on private members of any class.
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
// Custom ObjectInputStream/ObjectOutputStream subclasses and object substitution
// during Java serialization.
permission java.io.SerializablePermission "enableSubclassImplementation";
permission java.io.SerializablePermission "enableSubstitution";
permission java.sql.SQLPermission "setLog";
// Replacing the hostname verifier affects TLS certificate validation for HTTPS clients.
permission javax.net.ssl.SSLPermission "setHostnameVerifier";
permission javax.net.ssl.SSLPermission "getSSLSessionContext";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
// "setFactory": install socket / URL stream handler factories JVM-wide.
permission java.lang.RuntimePermission "setFactory";
// "setIO": replace System.in / System.out / System.err JVM-wide.
permission java.lang.RuntimePermission "setIO";
permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "stopThread";
permission java.lang.RuntimePermission "modifyThreadGroup";
permission java.lang.RuntimePermission "getProtectionDomain";
permission java.lang.RuntimePermission "readFileDescriptor";
permission java.lang.RuntimePermission "writeFileDescriptor";
permission java.lang.RuntimePermission "accessClassInPackage.*";
permission java.lang.RuntimePermission "defineClassInPackage.*";
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.RuntimePermission "enableContextClassLoaderOverride";
// Lets any code modify / (re)register the SunJCE crypto provider.
permission java.security.SecurityPermission "putProviderProperty.SunJCE";
permission java.security.SecurityPermission "insertProvider.SunJCE";
};
// Also applies to ALL code (no codeBase clause).
grant {
// Any host, any port from 1 upward (i.e. the whole port range), both outbound
// connections and listening sockets. Narrow the host/port if webapps do not
// need arbitrary network access.
permission java.net.SocketPermission "*:1-", "connect, accept";
// The "*" entry below already covers os.*, user.* and java.*, so the three
// narrower entries are redundant. Note that system properties can carry
// paths and configuration values that are not meant for every webapp.
permission java.util.PropertyPermission "os.*", "read";
permission java.util.PropertyPermission "user.*", "read";
permission java.util.PropertyPermission "java.*", "read";
permission java.util.PropertyPermission "*", "read";
// "." is the JVM's current working directory only; no "/-" suffix, so it is not recursive.
permission java.io.FilePermission ".", "read";
};
// Location of the temp directory: replace E:\\temp_root\\ with the temp directory on your machine.
// Note: in these rules Windows paths must be written with \\ as the separator.
// NOTE(review): the comment above refers to E:\\temp_root\\ but the rules below use
// C:\\Tomcat6\\temp\\ -- keep the two in sync when adapting this file.
// This grant also has no codeBase clause, so every webapp gets read/write/delete on
// the same shared temp directory; files one application writes there are readable and
// deletable by any other. A per-application temp directory would avoid that.
grant {
// Presumably the entry without the trailing "-" covers the directory itself and the
// "-" entry covers everything below it recursively -- confirm against the
// java.io.FilePermission documentation for the deployed JDK.
permission java.io.FilePermission "C:\\Tomcat6\\temp\\", "read, write, delete";
permission java.io.FilePermission "C:\\Tomcat6\\temp\\-", "read, write, delete";
};
// Copy the rule below and replace the FTP root directory with the site's directory.
// Pay close attention to the format: forward slashes in codeBase, double backslashes in
// the FilePermission paths, and the trailing semicolon; otherwise the rule does not take
// effect and an error is reported.
// A double slash marks a comment.
// Each JSP web site that is added needs a corresponding rule like the commented template
// below; Tomcat must be restarted after saving the policy file.
// These rules apply to Tomcat only, not to Resin.
// Template (placeholder "ftp根目录" = the site's FTP root directory):
//grant codeBase "file:d:/webroot/ftp根目录/-" {
// permission java.io.FilePermission "d:\\webroot\\ftp根目录\\", "read";
// permission java.io.FilePermission "d:\\webroot\\ftp根目录\\-", "read, write, delete";
//};
// Per-site grant: code loaded from this site's directory may read its own root and
// read/write/delete everything beneath it ("\\-" is recursive). Because the grant is
// scoped by codeBase, other sites cannot reach this directory through it -- this is the
// pattern to prefer over the unscoped grants earlier in the file.
grant codeBase "file:d:/webroot/9902y/-" {
permission java.io.FilePermission "d:\\webroot\\9902y\\", "read";
permission java.io.FilePermission "d:\\webroot\\9902y\\-", "read, write, delete";
};
// This site is fully exempt from the sandbox: AllPermission means the security manager
// imposes no restriction on its code at all (file system, network, reflection, and even
// replacing the policy). Any vulnerability in that application then yields full JVM
// privileges, so this exemption should be reviewed and, where possible, replaced by the
// narrower per-site pattern used for d:/webroot/9902y above.
grant codeBase "file:d:/webroot/seanzou/-" {
permission java.security.AllPermission;
};