Author: markt
Date: Mon Feb 7 15:20:38 2011
New Revision: 1067963
URL: http://svn.apache.org/viewvc?rev=1067963&view=rev
Log:
Add additional roles to the Admin, Manager and Host-Manager applications
(admin-gui, admin-script; manager-gui, manager-script, manager-jmx,
manager-status) to allow more fine-grained control over which functionality is
accessible.
Modified:
tomcat/tc5.5.x/trunk/STATUS.txt
tomcat/tc5.5.x/trunk/build/resources/confinstall/tomcat-users_1.xml
tomcat/tc5.5.x/trunk/build/tomcat.nsi
tomcat/tc5.5.x/trunk/container/catalina/src/conf/tomcat-users.xml
tomcat/tc5.5.x/trunk/container/webapps/admin/WEB-INF/web.xml
tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
tomcat/tc5.5.x/trunk/container/webapps/host-manager/WEB-INF/web.xml
tomcat/tc5.5.x/trunk/container/webapps/manager/WEB-INF/web.xml
Modified: tomcat/tc5.5.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=1067963&r1=1067962&r2=1067963&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/STATUS.txt (original)
+++ tomcat/tc5.5.x/trunk/STATUS.txt Mon Feb 7 15:20:38 2011
@@ -25,10 +25,3 @@ $Id$
PATCHES PROPOSED TO BACKPORT:
[ New proposals should be added at the end of the list ]
-* Add additional roles to the Admin, Manager and Host-Manager applications
- (admin-gui, admin-script; manager-gui, manager-script, manager-jmx,
manager-status)
- to allow more fine-grained control over which functionality is accessible,
- like it was done in Tomcat 6.
- http://people.apache.org/~kkolinko/patches/2011-02-03_tc55_roles.patch
- +1: kkolinko, pero, markt
- -1:
Modified: tomcat/tc5.5.x/trunk/build/resources/confinstall/tomcat-users_1.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/build/resources/confinstall/tomcat-users_1.xml?rev=1067963&r1=1067962&r2=1067963&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/build/resources/confinstall/tomcat-users_1.xml
(original)
+++ tomcat/tc5.5.x/trunk/build/resources/confinstall/tomcat-users_1.xml Mon Feb
7 15:20:38 2011
@@ -15,8 +15,8 @@
limitations under the License.
-->
<!--
- NOTE: By default, no user is included in the "manager" role required
- to operate the "/manager" web application. If you wish to use this app,
+ NOTE: By default, no user is included in the "manager-gui" role required
+ to operate the "/manager/html" web application. If you wish to use this app,
you must define such a user - the username and password are arbitrary.
-->
<tomcat-users>
Modified: tomcat/tc5.5.x/trunk/build/tomcat.nsi
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/build/tomcat.nsi?rev=1067963&r1=1067962&r2=1067963&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/build/tomcat.nsi (original)
+++ tomcat/tc5.5.x/trunk/build/tomcat.nsi Mon Feb 7 15:20:38 2011
@@ -433,7 +433,7 @@ Function pageComponentsLeave
IntOp $0 $0 & ${SF_SELECTED}
${If} $0 <> 0
StrCpy $TomcatAdminEnable "1"
- StrCpy $TomcatAdminRoles "manager"
+ StrCpy $TomcatAdminRoles "manager-gui"
${EndIf}
SectionGetFlags ${SecHostManager} $0
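Review bot: Nothing at the `StrCpy $TomcatAdminRoles` assignments records that the installer-created account is now deliberately limited to the HTML interfaces. With `manager-gui` here and `admin-gui` in the next hunk, that account no longer satisfies the constraints in this commit that accept only the `-script` or `-jmx` roles. A comment above the assignment, such as `; GUI roles only: script and JMX access belong on a separate account`, would keep a later edit from quietly widening the list again. pageComponentsLeave begins above this hunk, so which component each branch tests is inferred from the surrounding lines.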
@@ -441,9 +441,9 @@ Function pageComponentsLeave
${If} $0 <> 0
StrCpy $TomcatAdminEnable "1"
${If} $TomcatAdminRoles != ""
- StrCpy $TomcatAdminRoles "admin,$TomcatAdminRoles"
+ StrCpy $TomcatAdminRoles "admin-gui,$TomcatAdminRoles"
${Else}
- StrCpy $TomcatAdminRoles "admin"
+ StrCpy $TomcatAdminRoles "admin-gui"
${EndIf}
${EndIf}
FunctionEnd
Modified: tomcat/tc5.5.x/trunk/container/catalina/src/conf/tomcat-users.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/conf/tomcat-users.xml?rev=1067963&r1=1067962&r2=1067963&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/catalina/src/conf/tomcat-users.xml (original)
+++ tomcat/tc5.5.x/trunk/container/catalina/src/conf/tomcat-users.xml Mon Feb
7 15:20:38 2011
@@ -16,8 +16,8 @@
limitations under the License.
-->
<!--
- NOTE: By default, no user is included in the "manager" role required
- to operate the "/manager" web application. If you wish to use this app,
+ NOTE: By default, no user is included in the "manager-gui" role required
+ to operate the "/manager/html" web application. If you wish to use this app,
you must define such a user - the username and password are arbitrary.
-->
<tomcat-users>
Modified: tomcat/tc5.5.x/trunk/container/webapps/admin/WEB-INF/web.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/admin/WEB-INF/web.xml?rev=1067963&r1=1067962&r2=1067963&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/webapps/admin/WEB-INF/web.xml (original)
+++ tomcat/tc5.5.x/trunk/container/webapps/admin/WEB-INF/web.xml Mon Feb 7
15:20:38 2011
@@ -129,6 +129,7 @@
</web-resource-collection>
<auth-constraint>
<!-- Anyone with one of the listed roles may access this area -->
+ <role-name>admin-gui</role-name>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
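Review bot: The deprecated `admin` role stays in this auth-constraint next to `admin-gui` with nothing at the site marking it as legacy. An existing account that holds `admin` therefore keeps every interface, and the finer-grained roles only take effect once the users file is migrated. The same pattern applies to `admin` in the host-manager constraints and to `manager` in all four manager constraints later in this commit. I would extend the existing comment to `<!-- "admin" is deprecated and kept for compatibility; grant "admin-gui" instead -->` and use equivalent wording at the other sites. The security-constraint element opens above this hunk.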
@@ -148,6 +149,12 @@
<description>
The role that is required to log in to the Administration Application
</description>
+ <role-name>admin-gui</role-name>
+ </security-role>
+ <security-role>
+ <description>
+ Deprecated role name, that provides the same access as the "admin-gui"
role.
+ </description>
<role-name>admin</role-name>
</security-role>
Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml?rev=1067963&r1=1067962&r2=1067963&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml (original)
+++ tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml Mon Feb 7
15:20:38 2011
@@ -63,6 +63,12 @@
Improve the descriptions of the components.
(kkolinko, mturk, markt)
</fix>
+ <add>
+ Add roles (admin-gui, admin-script, manager-gui, manager-script,
+ manager-jmx, manager-status) to the Manager, Host Manager and Admin
+ applications to allow more fine-grained control of permissions. The old
+ roles are deprecated but will still work in the same way. (kkolinko)
+ </add>
</changelog>
</subsection>
<subsection name="Catalina">
Modified: tomcat/tc5.5.x/trunk/container/webapps/host-manager/WEB-INF/web.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/host-manager/WEB-INF/web.xml?rev=1067963&r1=1067962&r2=1067963&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/webapps/host-manager/WEB-INF/web.xml
(original)
+++ tomcat/tc5.5.x/trunk/container/webapps/host-manager/WEB-INF/web.xml Mon Feb
7 15:20:38 2011
@@ -79,8 +79,7 @@
<!-- Define a Security Constraint on this Application -->
<security-constraint>
<web-resource-collection>
- <web-resource-name>HTMLHostManager and HostManager
commands</web-resource-name>
- <url-pattern>/html/*</url-pattern>
+ <web-resource-name>HostManager commands</web-resource-name>
<url-pattern>/list</url-pattern>
<url-pattern>/add</url-pattern>
<url-pattern>/remove</url-pattern>
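Review bot: With `/html/*` moved to its own constraint, the text commands are protected only by this list of exact paths, so a command path that has a servlet mapping but no `<url-pattern>` here would carry no auth-constraint at all. The servlet mappings are outside the hunk, so whether the two lists currently match cannot be checked from here. The `Manager commands` collection in the manager web.xml hunk has the same shape. A comment above the list, `<!-- Must mirror the HostManager servlet-mapping entries; an unlisted path is unprotected -->`, would make the dependency explicit. The web-resource-collection continues past the end of this hunk.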
@@ -88,7 +87,19 @@
<url-pattern>/stop</url-pattern>
</web-resource-collection>
<auth-constraint>
- <!-- NOTE: This role is not present in the default users file -->
+ <!-- NOTE: None of these roles is present in the default users file -->
+ <role-name>admin-script</role-name>
+ <role-name>admin</role-name>
+ </auth-constraint>
+ </security-constraint>
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>HTMLHostManager commands</web-resource-name>
+ <url-pattern>/html/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <!-- NOTE: None of these roles is present in the default users file -->
+ <role-name>admin-gui</role-name>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
@@ -102,7 +113,19 @@
<!-- Security roles referenced by this web application -->
<security-role>
<description>
- The role that is required to log in to the Manager Application
+ The role that is required to access the text Host Manager pages
+ </description>
+ <role-name>admin-script</role-name>
+ </security-role>
+ <security-role>
+ <description>
+ The role that is required to access the HTML Host Manager pages
+ </description>
+ <role-name>admin-gui</role-name>
+ </security-role>
+ <security-role>
+ <description>
+ Deprecated role that can access all Host Manager functionality
</description>
<role-name>admin</role-name>
</security-role>
Modified: tomcat/tc5.5.x/trunk/container/webapps/manager/WEB-INF/web.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/manager/WEB-INF/web.xml?rev=1067963&r1=1067962&r2=1067963&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/webapps/manager/WEB-INF/web.xml (original)
+++ tomcat/tc5.5.x/trunk/container/webapps/manager/WEB-INF/web.xml Mon Feb 7
15:20:38 2011
@@ -146,9 +146,7 @@
<!-- Define a Security Constraint on this Application -->
<security-constraint>
<web-resource-collection>
- <web-resource-name>HTMLManager and Manager command</web-resource-name>
- <url-pattern>/jmxproxy/*</url-pattern>
- <url-pattern>/html/*</url-pattern>
+ <web-resource-name>Manager commands</web-resource-name>
<url-pattern>/list</url-pattern>
<url-pattern>/sessions</url-pattern>
<url-pattern>/start</url-pattern>
@@ -160,12 +158,48 @@
<url-pattern>/reload</url-pattern>
<url-pattern>/save</url-pattern>
<url-pattern>/serverinfo</url-pattern>
- <url-pattern>/status/*</url-pattern>
<url-pattern>/roles</url-pattern>
<url-pattern>/resources</url-pattern>
</web-resource-collection>
<auth-constraint>
- <!-- NOTE: This role is not present in the default users file -->
+ <!-- NOTE: None of these roles is present in the default users file -->
+ <role-name>manager-script</role-name>
+ <role-name>manager</role-name>
+ </auth-constraint>
+ </security-constraint>
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>HTMLManager commands</web-resource-name>
+ <url-pattern>/html/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <!-- NOTE: None of these roles is present in the default users file -->
+ <role-name>manager-gui</role-name>
+ <role-name>manager</role-name>
+ </auth-constraint>
+ </security-constraint>
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>JMX proxy</web-resource-name>
+ <url-pattern>/jmxproxy/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <!-- NOTE: None of these roles is present in the default users file -->
+ <role-name>manager-jmx</role-name>
+ <role-name>manager</role-name>
+ </auth-constraint>
+ </security-constraint>
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Status</web-resource-name>
+ <url-pattern>/status/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <!-- NOTE: None of these roles is present in the default users file -->
+ <role-name>manager-status</role-name>
+ <role-name>manager-gui</role-name>
+ <role-name>manager-script</role-name>
+ <role-name>manager-jmx</role-name>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
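Review bot: None of the three constraints added in full here (`HTMLManager commands`, `JMX proxy`, `Status`) contains a `<user-data-constraint>`, so as far as the hunk shows, credentials for these roles are accepted on whatever connector the request arrives on. The login-config and connector setup are outside the hunk, so this may be enforced elsewhere. If a default of `CONFIDENTIAL` is not acceptable for installs without a TLS connector, a comment in each constraint pointing deployers at `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` would at least document the choice. The first constraint in this hunk, `Manager commands`, opens above it.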
@@ -179,7 +213,31 @@
<!-- Security roles referenced by this web application -->
<security-role>
<description>
- The role that is required to log in to the Manager Application
+ The role that is required to access the HTML Manager pages
+ </description>
+ <role-name>manager-gui</role-name>
+ </security-role>
+ <security-role>
+ <description>
+ The role that is required to access the text Manager pages
+ </description>
+ <role-name>manager-script</role-name>
+ </security-role>
+ <security-role>
+ <description>
+ The role that is required to access the HTML JMX Proxy
+ </description>
+ <role-name>manager-jmx</role-name>
+ </security-role>
+ <security-role>
+ <description>
+ The role that is required to access to the Manager Status pages
+ </description>
+ <role-name>manager-status</role-name>
+ </security-role>
+ <security-role>
+ <description>
+ Deprecated role that can access all Manager functionality
</description>
<role-name>manager</role-name>
</security-role>
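Review bot: The `manager-status` description reads `required to access to the Manager Status pages`; the second `to` should be dropped. The descriptions also call each role `required`, while the `Status` constraint in this file accepts `manager-gui`, `manager-script` and `manager-jmx` as well. `The role that grants access to the Manager Status pages only` would describe it more accurately.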