permissions = policy.getPermissions(source);
// Create a file read permission for web app context directory
if (!docBase.endsWith(File.separator)){
permissions.add
(new FilePermission(docBase,"read"));
docBase = docBase + File.separator;
} else {
permissions.add
(new FilePermission
(docBase.substring(0,docBase.length() - 1),"read"));
}
docBase = docBase + "-";
permissions.add(new FilePermission(docBase,"read"));
// Spec says apps should have read/write for their temp
// directory. This is fine, as no security sensitive files, at
// least any that the app doesn't have full control of anyway,
// will be written here.
String workDir = options.getScratchDir().toString();
if (!workDir.endsWith(File.separator)){
permissions.add
(new FilePermission(workDir,"read,write"));
workDir = workDir + File.separator;
}
workDir = workDir + "-";
permissions.add(new FilePermission(
workDir,"read,write,delete"));
// Allow the JSP to access org.apache.jasper.runtime.HttpJspBase
permissions.add( new RuntimePermission(
"accessClassInPackage.org.apache.jasper.runtime") );
if (parentClassLoader instanceof URLClassLoader) {
URL [] urls = ((URLClassLoader)parentClassLoader).getURLs();
String jarUrl = null;
String jndiUrl = null;
for (int i=0; i<urls.length; i++) {
if (jndiUrl == null
&& urls[i].toString().startsWith("jndi:") ) {
jndiUrl = urls[i].toString() + "-";
}
if (jarUrl == null
&& urls[i].toString().startsWith("jar:jndi:")
) {
jarUrl = urls[i].toString();
jarUrl = jarUrl.substring(0,jarUrl.length() - 2);
jarUrl = jarUrl.substring(0,
jarUrl.lastIndexOf('/')) + "/-";
}
}
if (jarUrl != null) {
permissions.add(
new FilePermission(jarUrl,"read"));
permissions.add(
new FilePermission(jarUrl.substring(4),"read"));
}
if (jndiUrl != null)
permissions.add(
new FilePermission(jndiUrl,"read") );
}
} catch(Exception e) {
context.log("Security Init for context failed",e);
}
}