Links Getting Started Administrators Application Developers Catalina Developers Jasper Developers | Security Manager HOW-TO| ¹è°æ Background |
ÀÚ¹Ù º¸¾È°ü¸®ÀÚ SecurityManager´Â Ŭ¶óÀ̾ðÆ®
ÆÄÀÏ ½Ã½ºÅÛ¿¡ ÀÖ´Â ÆÄÀÏ¿¡ Á¢±ÙÇϰųª, ¾ÖÇø´ÀÌ °¡Á®¿Â °÷ÀÌ ¾Æ´Ñ
´Ù¸¥ È£½ºÆ®¿¡ ¿¬°áÇÏ·Á Çϰųª ÇÏ´Â µîÀÇ ½Å·ÚÇÏÁö ¸øÇÒ ÄÚµåµéÀÌ
½ÇÇàµÇ´Â °ÍÀ» ¸·±âÀ§ÇØ À¥ ºê¶ó¿ìÀú ³»ºÎÀÇ »÷µå¹Ú½º ³»¿¡¼ ¾ÖÇø´À»
½ÇÇàÇϵµ·Ï Çã°¡ÇØÁÖ´Â °ÍÀÔ´Ï´Ù. º¸¾È°ü¸®ÀÚ°¡ ºê¶ó¿ìÀú¿¡¼ ½Å·ÚµÇÁö
¾ÊÀº ¾ÖÇø´ÀÇ ½ÇÇàÀ» ¸·´Â °Í°ú ¸¶Âù°¡Áö·Î Tomcat ¿î¿µÁß¿¡ º¸¾È°ü¸®ÀÚ¸¦
»ç¿ëÇϸé, Æ®·ÎÀ̸ñ¸¶Çü ¼ºí¸´°ú JSP ÆäÀÌÁöµé°ú JSP ºó°ú ű׶óÀ̺귯¸®¿Í
½ÉÁö¾î ÀǵµÀûÀÌÁö ¾ÊÀº ½Ç¼ö·ÎºÎÅÍ ¼¹ö¸¦ º¸È£ÇÒ ¼ö ÀÖ½À´Ï´Ù.
¸¸ÀÏ À¥»çÀÌÆ®ÀÇ JSP ¸¦ ¸¸Áú ¼ö ÀÖ´Â ´©±º°¡ ¹«½É°á¿¡ ´ÙÀ½ ¹®ÀåÀ» Æ÷ÇÔÇÏ´Â
JSPÆÄÀÏÀ» ¿Ã·Á³õ´Â´Ù°í Çϸé:
ÀÌ JSP ÆäÀÌÁö°¡ Tomcat ¿¡¼ ½ÇÇàµÉ ¶§¸¶´Ù, Tomcat ÀÌ Á¾·áµË´Ï´Ù. ÀÚ¹Ù
º¸¾È °ü¸®ÀÚ¸¦ »ç¿ëÇÏ´Â °ÍÀº ½Ã½ºÅÛ °ü¸®ÀÚ°¡ ¼¹öÀÇ º¸¾È¼º°ú ¾ÈÁ¤¼ºÀ» À¯ÁöÇϱâ
À§ÇØ ¹æ¾îÇÏ´Â ÇÑÁÙÀ» ´õ ¾²´Â °ÍÀÔ´Ï´Ù.
°æ°í - Tomcat ¿¡¼ º¸¾È°ü¸®ÀÚ ±¸ÇöÀº ¿Ïº®ÇÏ°Ô
Å×½ºÆ®µÇ°Å³ª, º¸¾È °¨»ç¸¦ ¹ÞÁö ¾Ê¾Ò½À´Ï´Ù. ½Å·ÚÇÒ ¼ö ¾ø´Â »ç¿ëÀÚ°¡ À¥
¾îÇø®ÄÉÀ̼Ç, JSP, ¼ºí¸´, ºó, ű׶óÀ̺귯¸® ¿Ã·Á¼ »ç¿ëÇÏ´Â °ÍÀ» Çã¶ôÇϱâ
Àü¿¡ Àü¿¡ º¸¾È°ü¸®ÀÚ È¯°æ¼³Á¤¿¡ ¸¸Á·ÇÏ´ÂÁö ¸ÕÀú È®½ÇÈ÷ ÇϽʽÿÀ. ÇÏÁö¸¸,
º¸¾È°ü¸®ÀÚ°¡ ¾ø´Â °Íº¸´Ù´Â È®½ÇÈ÷ »ç¿ëÇÏ´Â °ÍÀÌ ³´½À´Ï´Ù.
|
| 񀀥 Permissions |
±ÇÇÑ Å¬·¡½º´Â Tomcat ÀÌ ·ÎµåÇÒ Å¬·¡½ºÀÇ ±ÇÇÑÀ» Á¤ÀÇÇϴµ¥ ¾²ÀÔ´Ï´Ù. JDKÀÇ
Áß¿¡ ¸î°¡Áö Ç¥ÁØ ±ÇÇÑ Å¬·¡½ºµéÀÌ ÀÖ°í, À¥ ¾îÇø®ÄÉÀ̼ǿ¡¼ »ç¿ëÇÒ ±ÇÇÑ
Ŭ·¡½º¸¦ Á÷Á¢ ¸¸µé ¼öµµ ÀÖ½À´Ï´Ù. µÎ°¡Áö ±â¼ú ¸ðµÎ Tomcat 4¿¡¼ »ç¿ëÇÒ
¼ö ÀÖ½À´Ï´Ù.
| Ç¥ÁØ ±ÇÇÑ Standard Permissions |
Tomcat ¿¡ Àû¿ëÇÒ ¼ö Àִ ǥÁØ ½Ã½ºÅÛ º¸¾È°ü¸®ÀÚ ±ÇÇÑ Å¬·¡½ºµéÀÇ °£´ÜÇÑ
¿ä¾àÀÔ´Ï´Ù. ÀÚ¼¼ÇÑ ³»¿ëÀº
http://java.sun.com/security/
¸¦ Âü°íÇϽʽÿÀ.
- java.util.PropertyPermission -
java.home
¿Í °°Àº JVM ÇÁ·ÎÆÛƼ¿¡ ´ëÇÑ Àбâ/¾²±â Á¢±ÙÀ» Á¦¾î.
- java.lang.RuntimePermission - ¸î¸î System/Runtime ÀÇ
ÇÔ¼öµéÀÇ »ç¿ë Á¦¾î. ¿¹)
exit() ¿Í exec().
- java.io.FilePermission - ÆÄÀÏ°ú µð·ºÅ丮¿¡ ´ëÇÑ
Àбâ/¾²±â/½ÇÇà Á¢±Ù Á¦¾î.
- java.net.SocketPermission - ³×Æ®¿öÅ© ¼ÒÄÏ »ç¿ë Á¦¾î.
- java.net.NetPermission - ´ÙÁßij½ºÆ® ³×Æ®¿öÅ© ¿¬°á »ç¿ë
Á¦¾î.
- java.lang.reflect.ReflectPermission - Ŭ·¡½º ÀÎÆ®·Î½ºÆå¼Ç
¿¡ »ç¿ëµÇ´Â ¸®Ç÷º¼ÇÀÇ »ç¿ë Á¦¾î.
- java.security.SecurityPermission - º¸¾È ¸Þ¼Òµå¿¡
Á¢±Ù Á¦¾î.
- java.security.AllPermission - ¸ðµç ±ÇÇÑ¿¡ ´ëÇØ Á¢±ÙÀ»
Çã°¡ÇÕ´Ï´Ù. ¸¶Ä¡, º¸¾È°ü¸®ÀÚ ¾øÀÌ Tomcat À» ¿î¿µÇÏ´Â °Í°ú °°½À´Ï´Ù.
|
|
| Tomcat º¸¾È°ü¸®ÀÚ ¼³Á¤Çϱâ Configuring Tomcat With A SecurityManager |
Á¤Ã¥ ÆÄÀÏ Çü½Ä Policy File Format
ÀÚ¹Ù º¸¾È°ü¸®ÀÚ¿¡¼ ±¸ÇöµÇ´Â º¸¾È Á¤Ã¥Àº $CATALINA_HOME/conf/catalina.policy
ÆÄÀÏ¿¡ ¼³Á¤µË´Ï´Ù. ÀÌ ÆÄÀÏÀº ÇöÀç JDK ½Ã½ºÅÛ µð·ºÅ丮¿¡ ÀÖ´Â java.policy
ÆÄÀÏÀ» ´ëÄ¡ÇÕ´Ï´Ù. catalina.policy ÆÄÀÏÀº ¼öµ¿À¸·Î ¹Ù²Ü ¼ö ÀÖ°í,
Java 1.2 ³ª ÀÌÈÄÀÇ ¹öÀü¿¡ ÀÖ´Â
Á¤Ã¥µµ±¸ policytool
¾îÇø®ÄÉÀ̼ÇÀ» ÀÌ¿ëÇÒ ¼öµµ ÀÖ½À´Ï´Ù.
catalina.policy ÆÄÀÏ¿¡ ÀÖ´Â ¿£Æ®¸®µéÀº ´ÙÀ½°ú °°ÀÌ Ç¥ÁØ
java.policy ÆÄÀÏ Çü½ÄÀ» »ç¿ëÇÕ´Ï´Ù:
 | | | |
// Example policy file entry
grant [signedBy <signer>,] [codeBase <code source>] {
permission <class> [<name> [, <action list>]];
};
| | | | |
signedBy ¿Í codeBase Ç׸ñÀº ±ÇÇÑÀ» ºÎ¿©ÇÒ¶§
¼±ÅÃÀûÀÔ´Ï´Ù. ÁÖ¼® ÁÙÀº "//" ·Î ½ÃÀÛÇÏ°í ÁÙ ³¡±îÁö ÁÖ¼®¿¡ ÇØ´çµË´Ï´Ù.
codeBase ´Â URL Çü½ÄÀÌ°í, (JAVA_HOME °ú
CATALINA_HOME ȯ°æº¯¼ö¿¡ ÀÇÇØ Á¤ÇØÁø µð·ºÅ丮¸¦ ¶æÇÏ´Â)
${java.home} °ú ${catalina.home} ÇÁ·ÎÆÛƼ¸¦
ÆÄÀÏ URL ¿¡¼ »ç¿ëÇÒ ¼ö ÀÖ½À´Ï´Ù.
±âº» Á¤Ã¥ ÆÄÀÏ The Default Policy File
±âº» $CATALINA_HOME/conf/catalina.policy ÆÄÀÏÀº ´ÙÀ½°ú °°½À´Ï´Ù:
| | | |
// ============================================================================
// catalina.corepolicy - Tomcat 4.0 ÀÇ º¸¾È Á¤Ã¥ ±ÇÇÑ
//
// ÀÌ ÆÄÀÏÀº Catalina ½ÇÇà½Ã "-security" ¿É¼ÇÀ» ÁÖ¾úÀ» ¶§ (JVM ¿¡ ÀÇÇØ ) °Á¦µÈ
// º¸¾È Á¤Ã¥ ±âº» ¼¼ÆÃÀ» Æ÷ÇÔÇÕ´Ï´Ù. ¿©±â¿¡ ºÎ¿©µÈ ±ÇÇÑ¿¡ Ãß°¡·Î, ´ÙÀ½ÀÇ ºÎ°¡
// ±ÇÇÑÀÌ °¢°¢ÀÇ À¥ ¾îÇø®ÄÉÀ̼ǿ¡ ÁöÁ¤µÈ codebase ¿¡ ºÎ¿©µË´Ï´Ù:
//
// * µµÅ¥¸ÕÆ® ·çÆ® µð·ºÅ丮 Àбâ Á¢±Ù
//
// ============================================================================
// ========== SYSTEM CODE PERMISSIONS =========================================
// javac ¿¡ Àû¿ë
grant codeBase "file:${java.home}/lib/-" {
permission java.security.AllPermission;
};
// ¸ðµç °øÀ¯ ½Ã½ºÅÛ ÀͽºÅټǿ¡ Àû¿ë
grant codeBase "file:${java.home}/jre/lib/ext/-" {
permission java.security.AllPermission;
};
// ${java.home} ÀÌ $JAVA_HOME/jre À» °¡¸£Å³ ¶§ javac ¿¡ Àû¿ë
grant codeBase "file:${java.home}/../lib/-" {
permission java.security.AllPermission;
};
// ${java.home} ÀÌ $JAVA_HOME/jre À» °¡¸£Å³ ¶§
// ¸ðµç °øÀ¯ ½Ã½ºÅÛ ÀͽºÅټǿ¡ Àû¿ë
grant codeBase "file:${java.home}/lib/ext/-" {
permission java.security.AllPermission;
};
// ========== CATALINA CODE PERMISSIONS =======================================
// ¼¹ö ½ÃÀÛ Äڵ忡 Àû¿ë
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
permission java.security.AllPermission;
};
// ¼ºí¸´ API Ŭ·¡½º¿Í "common" µð·ºÅ丮¿¡ ÀÖ´Â ¸ðµç Ŭ·¡½º ·Î´õµé¿¡
// °ÉÃļ °øÀ¯µÈ Ŭ·¡½ºµé¿¡ Àû¿ë
grant codeBase "file:${catalina.home}/common/-" {
permission java.security.AllPermission;
};
// ÄÁÅ×ÀÌ³Ê ÄÚ¾î ÄÚµå¿Í "server" µð·ºÅ丮¿¡ ¼³Ä¡µÈ ºÎ°¡ÀûÀÎ
// ¶óÀ̺귯¸®¿¡ Àû¿ë
grant codeBase "file:${catalina.home}/server/-" {
permission java.security.AllPermission;
};
// jasper ÆäÀÌÁö ÄÄÆÄÀÏ·¯¿¡ Àû¿ë
grant codeBase "file:${catalina.home}/shared/lib/jasper-compiler.jar" {
permission java.security.AllPermission;
};
// jasper JSP runtime ¿¡ Àû¿ë
grant codeBase "file:${catalina.home}/shared/lib/jasper-runtime.jar" {
permission java.security.AllPermission;
};
// Ưº°È÷ Çã°¡µÈ admin °ú manager À¥ ¾îÇø®ÄÉÀ̼ǿ¡ Àû¿ë
grant codeBase "file:${catalina.home}/server/webapps/admin/WEB-INF/classes/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${catalina.home}/server/webapps/admin/WEB-INF/lib/struts.jar" {
permission java.security.AllPermission;
};
// ========== WEB APPLICATION PERMISSIONS =====================================
// ÀÌ ±ÇÇѵéÀº ±âº»ÀûÀ¸·Î ¸ðµç À¥ ¾îÇø®ÄÉÀ̼ǿ¡ ºÎ¿©µÈ °ÍÀÔ´Ï´Ù.
// µ¡ºÙ¿©¼, À¥ ¾îÇø®ÄÉÀ̼ÇÀº ÇØ´ç ¹®¼ ·çÆ®¿¡ ÀÖ´Â ¸ðµç ÆÄÀϵé°ú µð·ºÅ丮µé¿¡
// ´ëÇؼ FilePermission °ú JndiPermission Àб⠱ÇÇÑÀÌ ÁÖ¾îÁ®ÀÖ½À´Ï´Ù.
grant {
// ¸í¸íµÈ JDBC DataSource ÀÇ JNDI lookup ¿Í ¸ÞÀÏ º¸³»´Âµ¥ »ç¿ëµÇ´Â ¸í¸íµÈ
// MimePart DataSource ÀÇ javamail ¿¡ ¿ä±¸µÊ
permission java.util.PropertyPermission "java.home", "read";
permission java.util.PropertyPermission "java.naming.*", "read";
permission java.util.PropertyPermission "javax.sql.*", "read";
// Àбâ Á¢±ÙÀº Çã°¡ÇÏ´Â OS ¿¡ µû¸¥ ÇÁ·ÎÆÛƼ
permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.version", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";
// Àбâ Á¢±ÙÀº Çã°¡ÇÏ´Â JVM ÇÁ·ÎÆÛƼ
permission java.util.PropertyPermission "java.version", "read";
permission java.util.PropertyPermission "java.vendor", "read";
permission java.util.PropertyPermission "java.vendor.url", "read";
permission java.util.PropertyPermission "java.class.version", "read";
permission java.util.PropertyPermission "java.specification.version", "read";
permission java.util.PropertyPermission "java.specification.vendor", "read";
permission java.util.PropertyPermission "java.specification.name", "read";
permission java.util.PropertyPermission "java.vm.specification.version", "read";
permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
permission java.util.PropertyPermission "java.vm.specification.name", "read";
permission java.util.PropertyPermission "java.vm.version", "read";
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";
// BeanInfo °¡Á®¿À±â¿¡ ¿ä±¸µÊ
permission java.lang.RuntimePermission "accessClassInPackage.sun.beans.*";
// JSPC °¡ »ý¼ºÇÑ ¼ºí¸´ ½ÇÇà¿¡ ¿ä±¸µÊ
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
// OpenJMX ¿¡ ¿ä±¸µÊ
permission java.lang.RuntimePermission "getAttribute";
// JAXP ȣȯ XML Æļ µð¹ö±× Àб⸦ Çã°¡
permission java.util.PropertyPermission "jaxp.debug", "read";
};
// ƯÁ¤ÇÑ À¥ ¾îÇø®ÄÉÀ̼ǿ¡ ¿©±â ÀÖ´Â °Íó·³ Ãß°¡ÇÒ "grant" ¿£Æ®¸®¸¦ µ¡ºÙ¿©¼,
// Ãß°¡ ±ÇÇÑÀ» ¼³Á¤ÇÒ ¼ö ÀÖ½À´Ï´Ù. ÇØ´ç ¾îÇø®ÄÉÀ̼Ç, /WEB-INF/classes/, ¶Ç´Â
// /WEB-INF/lib/ jarÆÄÀϵéÀÇ ÄÚµå º£À̽º¿¡ ±â¹ÝÇÕ´Ï´Ù.
//
// JSP ÆäÀÌÁö, /WEB-INF/classes/ µð·ºÅ丮¿¡¼ ºÒ·¯¿Â Ŭ·¡½º ÆÄÀÏ, /WEB-INF/lib/
// µð·ºÅ丮¿¡ ÀÖ´Â ¸ðµç jar ÆÄÀÏ, ½ÉÁö¾î °³º°ÀûÀ¸·Î ¸¸µç /WEB-INF/lib/ ¿¡ ÀÖ´Â
// jar ÆÄÀÏ¿¡ ´ëÇؼµµ ´Ù¸¥ ±ÇÇÑÀ» ºÎ¿©ÇÒ ¼ö ÀÖ½À´Ï´Ù.
//
// ¿¹¸¦ µé¾î, Ç¥ÁØ "examples" ¾îÇø®ÄÉÀ̼ÇÀÌ NOAA À¥¼¹ö·ÎºÎÅÍ ³¯¾¾Á¤º¸¸¦
// °¡Á®¿À´Â scrape taglib À» »ç¿ëÇϰųª, ÇØ´ç DB¿¡ ³×Æ®¿öÅ© ¿¬°áÀ» ¼³Á¤ÇÒ
// ÇÊ¿ä°¡ ÀÖ´Â JDBC ÇÁ·Î±×·¥À» Æ÷ÇÔÇÑ´Ù°í °¡Á®Çϸé
// ÀÌ·¸°Ô "grant" ¿£Æ®¸®¸¦ ¸¸µé¾î¾ß µÉ ¼öµµ ÀÖ½À´Ï´Ù:
//
// ÄÁÅؽºÆ® ·çÆ® µð·ºÅ丮ÀÇ jsp ÆäÀÌÁö¿¡ ºÎ¿©µÇ´Â ±ÇÇÑ
// grant codeBase "file:${catalina.home}/webapps/examples/-" {
// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
//
// ÄÁÅؽºÆ® WEB-INF/classes µð·ºÅ丮¿¡ ÁÖ¾îÁö´Â ±ÇÇÑ
// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/classes/-" {
// };
//
// JDBC driver ¿¡ ÁÖ¾îÁö´Â ±ÇÇÑ
// grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar" {
// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// };
// scrape taglib ¿¡ ÁÖ¾îÁö´Â ±ÇÇÑ
// grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar" {
// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
| | | | |
º¸¾È°ü¸®ÀÚ¿Í ÇÔ²² Tomcat ½ÃÀÛÇϱâ Starting Tomcat With A SecurityManager
º¸¾È°ü¸®ÀÚ¸¦ »ç¿ëÇϱâ À§ÇØ catalina.policy ÆÄÀÏÀ» ¼³Á¤Çß´Ù¸é,
"-security" ¿É¼ÇÀ» ÁÖ¾î¼ º¸¾È°ü¸®ÀÚ¿Í ÇÔ²² Tomcat À» ½ÃÀÛÇÒ ¼ö ÀÖ½À´Ï´Ù:
| | | |
$CATALINA_HOME/bin/catalina.sh start -security (Unix)
%CATALINA_HOME%\bin\catalina start -security (Windows)
| | | | |
|
|
