Added: tomcat/site/trunk/docs/tomcat-3.2-doc/tomcat-localization-howto.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/tomcat-3.2-doc/tomcat-localization-howto.html?rev=1305109&view=auto ============================================================================== --- tomcat/site/trunk/docs/tomcat-3.2-doc/tomcat-localization-howto.html (added) +++ tomcat/site/trunk/docs/tomcat-3.2-doc/tomcat-localization-howto.html Sun Mar 25 19:52:05 2012 
@@ -0,0 +1,198 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<html> + <head> + <!-- $Id: tomcat-localization-howto.html,v 1.1.2.1 2001/03/20 16:31:06 arieh Exp $ --> + <!-- Copyright 2001, Apache Software Foundation --> + <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> + <title>Tomcat - Localization</title> + </head> + <body bgcolor="#ffffff" text="#000000" vlink="#525D76"> + + <table border="0" width="100%" cellspacing="0"> + <!-- TOP IMAGE --> + <tr> + <td> + <p align="left"> + <a href="http://jakarta.apache.org/index.html"> + <img src="http://jakarta.apache.org/images/jakarta-logo.gif" + align="left" + alt="The Jakarta Project" + border="0"> + </a> + </td> + </tr> + </table> + + <H1> Localization in Tomcat </H1> + + <p> This document attempts to provide information necessary for + development of localized content that is served under Tomcat.</p> + <p> The audience of this document is developers of Tomcat applications, + internationalization and localization experts that need to + perform conversions of content to specific locales.</p> + <p> The document is divided into several sections.</p> + + <H2> How to organize Localized Resources in Tomcat</H2> + + <p> This section will describe the schemes that are available under + Tomcat to provide access to localized versions of resources, + including but not limited to HTML pages, javascript files, + image files, etc.</p> + + <p> Tomcat provides three mechanisms that enable it to serve + localized versions of content: + <br> + <br> + <UL> + <LI> no lookup for localized resource</LI> + <LI> file based organization for lookup of localized resource</LI> + <LI> docbase based organization for lookup for localized resource</LI + </UL></p> + + <H3> File based organization for localized resource lookup</H3> + + <P> This type of organization of localized content attempts to find the + localized version of the resource queried based on the basename of + the resource, using the 
lookup conventions specified in + <code>java.lang.ResourceBundle</code>.</p> + + <p>For example, assume the following scenario: + <br> + <br> + <UL> + <LI> User's Locale: <code>fr_CA</code></LI> + <LI> Webserver's Locale: <code>es_AR</code></LI> + <LI> docbase: <code>/myapp</code></LI> + <LI> User's URL query: <code>/myapp/index.html</code></LI> + </UL></p> + + <p>This scheme will try to look up for the resource in the following + priority order: + <br> + <br> + <UL> + <LI>/myapp/index_fr_CA.html</LI> + <LI>/myapp/index_fr.html</LI> + <LI>/myapp/index_es_AR.html</LI> + <LI>/myapp/index_es.html</LI> + <LI>/myapp/index.html</LI> + </UL><p> + + <p> When using this scheme, all localized versions will end up + residing on the same directory where the default (the one without + the localized name) file is located. + <p> Developer's note: there is no need to change the URLs on each one + of the localized versions of the files provided.</p> + + + <h3> Docbase based organization for localized resource lookup</h3> + + <p> This type of organization of the localized resources attempts to + find the localized version of the resource queried based on the + existence of a localized document hierarchy under the 'docbase' + directory. 
+ The organization of the documents is similar to the one that JavaHelp + uses.</p> + + <p>For example, assume the following scenario: + <br> + <br> + <UL> + <LI> User's Locale: <code>fr_CA</code></LI> + <LI> Webserver's Locale: <code>es_AR</code></LI> + <LI> docbase: <code>/myapp</code></LI> + <LI> User's URL query: <code>/myapp/index.html</code></LI> + </UL></p> + + <p> This scheme will try to look up for the resource in the following + priority order: + <br> + <br> + <UL> + <LI> /myapp/fr_CA/index.html</LI> + <LI> /myapp/fr/index.html</LI> + <LI> /myapp/es_AR/index.html</LI> + <LI> /myapp/es/index.html</LI> + <LI> /myapp/index.html</LI> + </UL></p> + + <p> When using this scheme, all localized versions will end up + residing on different directories. All the files for a specific + locale will appear in subdirectories under a common + parent <code><em>[docbase]/[locale]</em></code> directory.</p> + <p> Developer's note: on the localized version(s) of the file, there may be + a need to change the URLs. This, especially when there + are relative references in those URLs (for example, + accessing documents in a directory above).</p> + + + <h2> Implementation Topics </h2> + + <p> The <code>org.apache.tomcat.request.StaticInterceptor</code> class + is used to handle the lookup for localized resources.</p> + + <p> This is accomplished by specifying on the corresponding entry on + server.xml. 
The <code>StaticInterceptor</code> class includes + a property called <code><em>localization</em></code> that can + be set to any of the values below: + <br> + <br> + <UL> + <LI> <code>"file"</code></LI> + <LI> <code>"docbase"</code></LI> + </UL><p> + + <p> Below is an example of what the StaticInterceptor entry should look + for file-based lookup.</p> + + <blockquote> + <code> + <RequestInterceptor + className="org.apache.tomcat.request.StaticInterceptor" + debug="0" localization="file" suppress="false" /> + </code> + </blockquote> + + <p> Below is an example of what the StaticInterceptor entry should look + for docbase-based lookup.</p> + + <blockquote> + <code> + <RequestInterceptor + className="org.apache.tomcat.request.StaticInterceptor" + debug="0" localization="docbase" suppress="false" /> + </code> + </blockquote> + + <p>The default mode is set not to perform localized resource lookup.</P> + + <h2> Futures and Extensibility </h2> + + <p> The mechanism by which the above mentioned file organization + schemes has been implemented can be extended to support future + types of localization organization.</p> + + <p> This section concerns Jakarta developers. Tomcat users may skip + this section.</p> + <p> The steps to carry this out include modification of the + <code>org.apache.tomcat.request.StaticInterceptor</code>, + <code>org.apache.tomcat.util.FileUtil</code>, + <code>org.apache.tomcat.core.Context</code> as appropriate.</p> + <p> Among the activities required the team will have to develop + localized lookup methods (in <code>FileUtil</code>), code to + invoke the lookup methods (in <code>StaticInterceptor</a> and + <code>Context</code>.</p> + <!-- FOOTER --> + <table> + <tr><td colspan="2"> + <hr noshade="" size="1"/> + </td></tr> + <tr><td colspan="2"> + <div align="center"><font color="#525D76" size="-1"><em> + Copyright © 1999-2001, Apache Software Foundation + </em></font></div> + </td></tr> + </table> + </body> +</html> +
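Review bot: In tomcat-localization-howto.html the markup is malformed in several places: the list item `<LI> docbase based organization for lookup for localized resource</LI` is missing the `>` on its closing tag, the two `</UL><p>` occurrences (after the file-based priority list and after the `localization` value list) should read `</UL></p>`, the paragraph starting "When using this scheme, all localized versions will end up residing on the same directory" is never closed, and the final paragraph closes `<code>StaticInterceptor</a>` with the wrong tag and drops the closing parenthesis after `<code>Context</code>`. On substance, both schemes build the file path from "User's Locale" (`/myapp/index_fr_CA.html`, `/myapp/fr_CA/index.html`), but the document never says where that locale value comes from or whether it is validated before being used as a path component; a sentence stating how StaticInterceptor derives it would let an administrator reason about what the lookup can resolve.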
Propchange: tomcat/site/trunk/docs/tomcat-3.2-doc/tomcat-localization-howto.html ------------------------------------------------------------------------------ svn:eol-style = native Added: tomcat/site/trunk/docs/tomcat-3.2-doc/tomcat-netscape-howto.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/tomcat-3.2-doc/tomcat-netscape-howto.html?rev=1305109&view=auto ============================================================================== --- tomcat/site/trunk/docs/tomcat-3.2-doc/tomcat-netscape-howto.html (added) +++ tomcat/site/trunk/docs/tomcat-3.2-doc/tomcat-netscape-howto.html Sun Mar 25 19:52:05 2012 
@@ -0,0 +1,283 @@ +<html> + +<head> +<title>Jakarta IIS Howto</title> +</head> + +<body> + +<h1>Tomcat Netscape HowTo</h1> + +<p>By Gal Shachor <shac...@il.ibm.com></p> + +<p>This document explains how to set up Netscape web servers to cooperate with +Tomcat. Normally the Netscape web servers come with their own Servlet engine, +but you can also configure them to send servlet and JSP requests to Tomcat +using the Tomcat redirector plugin.</p> + +<h2>Document Conventions and Assumptions</h2> + +<p><tomcat_home> is the root directory of tomcat. Your Tomcat +installation should have the following subdirectories: + +<ol> + <li><tomcat_home>\conf - Where you can place various configuration files</li> + <li><tomcat_home>\webapps - Containing example applications </li> + <li><tomcat_home>\bin - Where you place web server plugins </li> +</ol> + +<p>In all the examples in this document <tomcat_home> will be c:\jakarta-tomcat.</p> + +<p>A <tt>worker</tt> is defined to be a tomcat process that accepts work from +the Netscape server.</p> + +<h2>Supported Configuration</h2> + +<p>The Netscape-Tomcat redirector was developed and tested on: + +<ol> + <li>WinNT4.0-i386 SP4/SP5/SP6a (it should be able to work on other versions + of the NT service pack and also UNIX) </li> + <li>Netscape Enterprise 3.0 and 3.61</li> + <li>Tomcat3.0 - Tomcat3.2 </li> +</ol> + +<p>The redirector uses <b>ajp12</b> to send requests to the Tomcat +containers. There is also an option to use Tomcat in process, more about the +in-process mode can be found in the in process howto.</p> + +<h2>Installation</h2> + +<p>As of Tomcat 3.2, a pre-built version of the Netscape redirector server plugin +for Win32, <tt>nsapi_redirect.dll</tt>, is available under the win32/i386 +directory where you downloaded the <a href="http://jakarta.apache.org/downloads/binindex.html"> +Tomcat binary distribution.</a> For those using Netscape as your browser, try +downloading a zip version of the file, if available. 
There can be problems using +Netscape to download DLL files.</p> + +<p>You can also build a copy locally from the source in Tomcat's source +distribution.</p> + +<p>The Tomcat redirector requires two entities: + +<ol> + <li>nsapi_redirect.dll - The Netscape server plugin, either obtain a + pre-built DLL or build it yourself (see the build section).</li> + <li>workers.properties - A file that describes the host(s) and port(s) + used by the workers (Tomcat processes). This file is located + in (<tt>tomcat/conf/workers.properties</tt>).</li> +</ol> + +<p>The installation includes the following parts: + +<ol> + <li>Configuring the NSAPI redirector with a default /examples context and + checking that you can serve servlets with Netscape.</li> + <li>Adding more contexts to the configuration.</li> +</ol> + +<h3>Configuring the NSAPI Redirector</h3> + +<p>In this document I will assume that nsapi_redirect.dll is placed in +c:\jakarta-tomcat\bin\win32\i386\nsapi_redirect.dll and that you created the +properties files are in c:\jakarta-tomcat\conf.</p> + +<ol> + <li>If the Netscape built in servlet support is working disable it.</li> + <li>Add the redirector plugin into the Netscape server configuration. 
Edit your server + obj.conf and add the following lines:</li> + <ul> + <li>In the Init section:<br> + <tt>Init fn="load-modules" funcs="jk_init,jk_service" + shlib="d:/tomcat/bin/netscape/nt4/i386/nsapi_redirect.dll"<br> + Init fn="jk_init" worker_file="d:/tomcat/conf/workers.properties" + log_level="debug" log_file="d:/tomcat/nsapi.log"</tt> </li> + <li>In the default object NameTrans section<br> + <tt>NameTrans fn="assign-name" from="/servlet/*" + name="servlet"<br> + NameTrans fn="assign-name" from="/examples/*" name="servlet"</tt></li> + <li>Create a new configuration object by adding the following lines to the end of the + obj.conf file:<br> + <tt><Object name=servlet> <br> + ObjectType fn=force-type type=text/plain <br> + Service fn="jk_service" worker="ajp12" <br> + </Object></tt></li> + </ul> + <li>Restart Netscape (stop and start the server)</li> +</ol> + +<p>That's all, now you should start tomcat and ask Netscape for +http://server:port/examples/</p> + +<h3>Adding additional Contexts</h3> + +<p>The examples context is useful for verifying your installation, but you will also need +to add your own contexts. Adding a new context requires two operations: + +<ol> + <li>Adding the context to Tomcat (I am not going to talk about this).</li> + <li>Assigning the NSAPI redirector to handle this context.</li> +</ol> + +<p>Assigning the NSAPI redirector to handle this context is simple, all you need to do is +to edit obj.conf and add a NameTrans line that looks like:</p> + +<p><tt>NameTrans fn="assign-name" from="/<context name>/*" +name="servlet" </tt></p> + +<p>After saving obj.conf restart Netscape and it will serve the new context.</p> + +<p>As a new feature in Tomcat 3.2, a <tt>obj.conf-auto</tt> is +automatically written each time Tomcat is started. This file includes settings +for each of the contexts that Tomcat will serve during its run. 
Each context +has settings to have Tomcat handle servlet and JSP requests, as well as a setting +to have Netscape serve all other content. This file requires some modification +before it can be used directly. If you wish to use this file directly, instead +of copying some of its contents to another file, you should rename it (so it won't +be overwritten the next time Tomcat is started) and make any required modifications. +</p> + +<h2>Building the redirector</h2> + +<p>The redirector was developed using Visual C++ Ver.6.0, so having this environment is a +prereq if you want to perform a custom build.</p> + +<p>The steps that you need to take are: + +<ol> + <li>Change directory to the nsapi plugins source directory.</li> + <li>Edit <tt>nsapi.dsp</tt> and update the include and library path to reflect your own + Netscape server installation (search for a <tt>/I</tt> compiler option and <tt>/libpath</tt> + linker option)</li> + <li>Execute the following command:<br> + <tt>MSDEV nsapi.dsp /MAKE ALL</tt><br> + If msdev is not in your path, enter the full path to msdev.exe</li> +</ol> + +<p>This will build both release and debug versions of the redirector plugin. </p> + +<p>An alternative will be to open the nsapi workspace file (nsapi.dsw) in msdev and build +it using the build menu.</p> + +<h2>How does it work? </h2> + +<ol> + <li>The Netscape-Tomcat redirector is an Netscape service step plugin, Netscape load the + redirector plugin and calls its service handler function for request that are assigned to + the "servlet" configuration object. </li> + <li>For each in-coming request Netscape will execute the set of NameTrans directives that we + added to obj.conf, the assign-name function will check if it's from parameter matches the + request URL.</li> + <li>If a match is found, assign-name will assign the servlet object name to the request. 
+ This will cause Netscape to send the request to the servlet configuration object.</li> + <li>Netscape will execute our jk_service extension. The extension collects the request + parameters and forwards them to the appropriate worker using the ajp12 protocol (the + worker="ajp12" parameter in jk_service inform it that the worker for this + request is named ajp12).</li> + <li>The extension collects the response from the worker and returns it to the browser.</li> +</ol> + +<h2>Advanced Context Configuration</h2> + +<p>Sometimes it is better to have Netscape serve the static pages (html, gif, jpeg etc.) +even if these files are part of a context served by Tomcat. For example, consider the html +and gif files in the examples context, there is no need to serve them from the Tomcat +process, Netscape will suffice.</p> + +<p>Making Netscape serve static files that are part of the Tomcat contexts requires the +following: + +<ol> + <li>Configuring Netscape to know about the Tomcat contexts</li> + <li>Make sure that the WEB-INF directory is protected from access.</li> + <li>Configuring Netscape to assign the NSAPI redirector only specific requests that requires + JSP/Servlet handling.</li> +</ol> + +<p>Adding a Tomcat context to Netscape requires the addition of a new Netscape +virtual directory that covers the Tomcat context. For example, adding a +/example Netscape virtual directory that covers the c:\jakarta-tomcat\webapps\examples +directory. + +To add a new virtual directory add the following line to your obj.conf:</p> + +<p><tt>NameTrans fn=pfx2dir from=/examples dir="c:/jakarta-tomcat/webapps/examples"</tt></p> + +<p>WEB-INF protection requires some explanation; Each servlet application (context) has a +special directory named WEB-INF, this directory contains sensitive configurations data and +Java classes and must be kept hidden from web users. 
WEB-INF can be protected by adding +the following line to the PathCheck section in the default configuration object:</p> + +<p><tt>PathCheck fn="deny-existence" path="*/WEB-INF/*"</tt></p> + +<p>This line instructs the Netscape server to reject any request with a URL that contain +the path /WEB-INF/.</p> + +<p>Configuring Netscape to assign the NSAPI redirector only specific requests is somewhat +harder, you will need to specify the exact URL-Path pattern(s) that you want Tomcat to +handle (usually only JSP files and servlets). This requires a change to NemaTrans portion +of obj.conf. For the examples context it requires to replace the following line:</p> + +<p><tt>NameTrans fn="assign-name" from="/examples/*" +name="servlet"</tt> </p> + +<p>with the following two lines:</p> + +<p><tt>NameTrans fn="assign-name" from="/examples/jsp/*.jsp" +name="servlet"<br> +NameTrans fn="assign-name" from="/examples/servlet/*" +name="servlet" </tt></p> + +<p>As you can see the second configuration is more explicit, it actually instructs +Netscape to assign the redirector with only requests to resources under <tt>/examples/servlet/</tt> +and resources under <tt>/examples/ </tt>whose name ends with <tt>.jsp</tt>. This is +similar to what is automically written to the <tt>obj.conf-auto</tt> file for +each context.</p> + +<p>You can be even more explicit and provide lines such as:</p> + +<p><tt>NameTrans fn="assign-name" from="/examples/servletname" +name="servlet"</tt></p> + +<p>that instructs Netscape to assign the redirector request whose URL-Path equals <tt>/example/servletname</tt>.</p> + +<h2>Advanced Worker Configuration</h2> + +<p>Sometimes you want to serve different contexts with different Tomcat processes (for +example to spread the load among different machines). 
To achieve such goal you will need +to define several workers and assign each context with its own worker.</p> + +<p>Defining workers is done in workers.properties, this file includes two types of entries: + +<ol> + <li>An entry that lists all the workers defined. For example:<br> + <tt>worker.list=ajp12, ajp12second</tt></li> + <li>Entries that define the host and port associated with these workers. For example:<br> + <tt>worker.ajp12.host=localhost<br> + worker.ajp12.port=8007<br> + worker.ajp12second.host=otherhost<br> + worker.ajp12second.port=8007</tt></li> +</ol> + +<p>The above examples defined two workers, now we can use these workers to serve two +different contexts each with it’s own worker. Submitting requests to different +workers is accomplished by using multiple Service directives in the servlet configuration +Object, each with a different path pattern parameter. For example, if we want to submit +the /servlet context to a worker named ajp12 and the /examples context to a worker named +ajp12second we should use the following configuration:</p> + +<p><tt><Object name=servlet><br> +ObjectType fn=force-type type=text/plain<br> +Service fn="jk_service" worker="ajp12" path="/servlet/*"<br> +Service fn="jk_service" worker="ajp12second" +path="/examples/*"<br> +Service fn="jk_service" worker="ajp12"<br> +</Object></tt></p> + +<h2>Feedback</h2> + +<p>Please send feedback, bug report or any additional information to +<tt>tomcat-u...@jakarta.apache.org</tt>. 
+</p> +</body> +</html> Propchange: tomcat/site/trunk/docs/tomcat-3.2-doc/tomcat-netscape-howto.html ------------------------------------------------------------------------------ svn:eol-style = native Added: tomcat/site/trunk/docs/tomcat-3.2-doc/tomcat-ssl-howto.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/tomcat-3.2-doc/tomcat-ssl-howto.html?rev=1305109&view=auto ============================================================================== --- tomcat/site/trunk/docs/tomcat-3.2-doc/tomcat-ssl-howto.html (added) +++ tomcat/site/trunk/docs/tomcat-3.2-doc/tomcat-ssl-howto.html Sun Mar 25 19:52:05 2012 
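Review bot: In tomcat-netscape-howto.html the `<title>` reads `Jakarta IIS Howto` although the page is the Netscape HowTo, and the paths in the obj.conf Init example (`shlib="d:/tomcat/bin/netscape/nt4/i386/nsapi_redirect.dll"`, `worker_file="d:/tomcat/conf/workers.properties"`) contradict the assumption stated two paragraphs earlier that the DLL lives in `c:\jakarta-tomcat\bin\win32\i386\` and the properties files in `c:\jakarta-tomcat\conf`; align them so the Init lines can be copied as-is. In Advanced Context Configuration, the `PathCheck fn="deny-existence" path="*/WEB-INF/*"` step should be presented before the `NameTrans fn=pfx2dir from=/examples dir="c:/jakarta-tomcat/webapps/examples"` line, because once that NameTrans is in place Netscape serves everything under the directory, WEB-INF included, until the PathCheck exists; the current order (virtual directory first, protection second) invites a window where the configuration data the text says "must be kept hidden" is reachable. Smaller fixes: `NemaTrans` -> `NameTrans`, `automically` -> `automatically`, `/example/servletname` in the last example should match the `/examples/servletname` pattern above it, several `<p>` paragraphs preceding `<ol>` lists are never closed, and the `<ul>` placed directly between two `<li>` items of the configuration `<ol>` should be moved inside the preceding `<li>`.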
@@ -0,0 +1,323 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<html> +<head> + <!-- $Id $ --> + <!-- Copyright 1999, Apache Software Foundation --> + + <meta http-equiv=Content-Type content="text/html"> + <link rel="stylesheet" href="uguide/style.css"> + <style type="text/css"> + .inlinetd { + background-color: #E0E0E0; + vertical-align: text-top; + border-top: thick black; + border-right: thick black; + border-bottom: thick black; + border-left: thick black; + } + .inlineth { + background-color: #d0d0d0; + border-top: thick black; + border-right: thick black; + border-bottom: thick black; + border-left: thick black; + } + .inlinetable { + width: 75%; + border: thick; + background-color: #000000; + } + .subsection { margin:20pt; } + .note { margin:20pt; padding:5pt; background-color:#e0e0ff; } + + </style> + +<title>Tomcat and SSL</title> +</head> + +<body> +<!-- Banner element, all hail the Project! --> +<table border="0" width="100%" cellspacing="0" cellpadding="0"> + <tr> + <td width="50%" align="left"> <a href="http://jakarta.apache.org/index.html"> + <img src="uguide/images/banner.gif" width="350" height="100" alt="The Jakarta Project" border="0"> + </a> </td> + <td width="50%" align="right"> <img border="0" src="uguide/images/tomcat.gif" width="100" height="71" alt="The mighty Tomcat - Meow!"> + </td> + </tr> +</table> + +<h1>Tomcat and SSL</h1> + +<p>By Gomez Henri <tt><<a href="mailto:hgo...@slib.fr">hgo...@slib.fr</a>></tt></p> + +<h2>Table of Contents</h2> + +<ul> + <li><a href="#s2">Tomcat and SSL</a></li> + <li><a href="#s3">Building tomcat with SSL support</a></li> + <li><a href="#s4">Tomcat with Apache and mod_jk</a></li> + <li><a href="#s5">SSL via Apache</a></li> + <li><a href="#s6">Direct SSL</a></li> + <li><a href="#s7">Credits</a></li> +</ul> + +<hr> + +<h2><a name=s2>Tomcat and SSL</a></h2> + +<p>Tomcat can use SSL directly (via an HTTP connector supporting SSL) or via + an SSL-capable Apache (<a + 
href="http://www.apache-ssl.org">Apache-SSL</a> or <a + href="http://www.modssl.org">apache+mod_ssl</a>) + with the mod_jk connector.</p> + +<hr> + +<h2><a name=s3>Building tomcat with SSL support</a></h2> + +<p>If you want to rebuild tomcat with SSL, be careful of your + CLASSPATH. I used to clear the CLASSPATH environment variable to avoid + conflict in jar. A common cause of conflict is XML parsers (xerces + & jaxp). Tomcat needs a recent XML parser like the Apache Group's + xerces 1.1.2 or Sun's jaxp 1.0.1.</p> +<p>At build time, (via ant), tomcat will check for some libs and will + then include various options, possibly including SSL support. If you + have the JSSE 1.0.2 jars in your CLASSPATH, tomcat will be built with + SSL (SSLSocketFactory). Tomcat will use the JSSE jars (jcert.jar, + jsse.jar, jnet.jar). This software COULDN'T BE INCLUDED in tomcat. + You'll have to go to the <a + href="http://java.sun.com/products/jsse/">jsse home page</a> and + download the domestic (US/Canada) or global archive from there. 
Then + copy the 3 jars into tomcat's runtime classpath lib + ($TOMCAT_HOME/lib).</p> + +<hr> + +<h2><a name=s4>Tomcat with Apache and mod_jk</a></h2> + +<p>If you use Apache with SSL (Apache-SSL or apache+mod_ssl) and the + JkExtractSSL directive in httpd.conf, the apache connector + mod_jk will be able to pass some SSL information to tomcat.</p> +<p>This information is:</p> + +<table width="75%" border="1"> + <tr> + <td>HTTPS</td> + <td>apache redirect to tomcat from an SSL area</td> + </tr> + <tr> + <td>SSL_SESSION_ID</td> + <td>SSL session ID</td> + </tr> + <tr> + <td>SSL_CIPHER</td> + <td>SSL CIPHER used</td> + </tr> + <tr> + <td>SSL_CLIENT_CERT</td> + <td>SSL Certificate of client</td> + </tr> +</table> + +<p>Since Apache-SSL and apache+mod_ssl use different environment variables, you + can set SSL variables from the following JK variables</p> + +<ul> + <li>JkExtractSSL</li> + <li>JkHTTPSIndicator</li> + <li>JkSESSIONIndicator</li> + <li>JkCIPHERIndicator</li> + <li>JkCERTSIndicator: </li> +</ul> + +<p>here is an example of directives to include in httpd.conf for use with + mod_ssl:</p> + +<pre># Should mod_jk send SSL information to Tomcat (default is On) +JkExtractSSL On +# What is the indicator for SSL (default is HTTPS) +JkHTTPSIndicator HTTPS +# What is the indicator for SSL session (default is SSL_SESSION_ID) +JkSESSIONIndicator SSL_SESSION_ID +# What is the indicator for client SSL cipher suit (default is SSL_CIPHER) +JkCIPHERIndicator SSL_CIPHER +# What is the indicator for the client SSL certificated (default is SSL_CLIENT_CERT) +JkCERTSIndicator SSL_CLIENT_CERT +</pre> + +<p>When using mod_jk with Apache & mod_ssl it is essential to specify + "SSLOptions +StdEnvVars +ExportCertData" in the httpd.conf file.<br> + Otherwise mod_ssl will not produce the necessary environment variables for + mod_jk. 
(Tilo Christ <tilo.chr...@med.siemens.de>)</p> +<p>Warning: Even if mod_jk supports both ajp12 (the old version from + Apache JServ) and ajp13, only ajp13 can forward SSL information to + tomcat.</p> + +<hr> + +<h2><a name=s5>SSL via Apache</a></h2> + +<p>mod_jk seems to support the VirtualHost directive of Apache. It's especially + useful when using apache+mod_ssl with tomcat.<br> + This config will easily secure your webapps via Apache SSL support. Just take + care of setting these JK variables outside VirtualHost directives:</p> + +<pre>JkWorkersFile /etc/httpd/conf/workers.properties +JkLogFile /var/log/httpd/mod_jk.log +JkLogLevel warn +</pre> + +<p>The JK redirect stuff could be set in virtual hosts: <virtualhost + _default_:443></p> + +<pre><VirtualHost _default_:443> +SSLEngine on +SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL +# other SSL stuff +Alias /alesia "/var/tomcat/webapps/alesia" + +<Directory "/var/tomcat/webapps/alesia"> + <Directory "/var/tomcat/webapps/alesia"></Directory> + <Directory "/var/tomcat/webapps/alesia">Options Indexes FollowSymLinks </Directory> +</Directory> + +JkMount /alesia/servlet/* ajp13 +JkMount /alesia/*.jsp ajp13 + +<Location "/alesia/WEB-INF/"> +</Location> + +<Location "/alesia/WEB-INF/"> + AllowOverride None + Deny from all +</Location> + +</VirtualHost> +<!-- + +<virtualhost _default_:443></virtualhost> +--> +</pre> + +<hr> + +<h2><a name=s6>Direct SSL</a></h2> + +<p>If you want tomcat to serve HTTP/SSL (https) directly, you need to + create a SSL certificate. 
For more information about SSL and + certificates, I suggest you could take a look at <a + href="http://www.openssl.org">OpenSSL</a> (Open Source SSL + implementation) and <a href="http://www.modssl.org">mod_ssl</a> (SSL + support for Apache)</p> + +<h3><a name=s61><font size="+1">Verify tomcat server.xml configuration + file</font></a></h3> + +<blockquote> + <p> To use the HTTP with SSL connector in tomcat, verify that it is activated + in server.xml</p> + +<pre><Connector className="org.apache.tomcat.service.PoolTcpConnector"> +<Parameter name="handler" value="org.apache.tomcat.service.http.HttpConnectionHandler"/> +<Parameter name="port" value="8443"/> +<Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory"/> +<Parameter name="keystore" value="/var/tomcat/conf/keystore" /> +<Parameter name="keypass" value="changeit"/> +<Parameter name="clientAuth" value="true"/> +</Connector> +</pre> + +<p>In this example we indicate the keystore is file + <strong>/var/tomcat/conf/keystore</strong>. + The keystore password is <strong>changeit</strong> and we want + clients to authentificate.</p> +</blockquote> + +<h3><a name=s62>Generate a SSL certificate (RSA) for tomcat</a></h3> + +<blockquote> + <p>I succeed (at least) with my IBM JDK 1.3 after:</p> +</blockquote> + +<ul> + <li>jsse jars <strong>MUST BE IN BOTH CLASSPATH</strong> and + <strong>$JAVA_HOME/jre/lib/ext + (JAVA > 1.2)</strong> + </li> + <li>from server.xml doc.You _need_ to set up a server certificate if you want + this to work, and you need JSSE. + <ul> + <li>Add JSSE jars to CLASSPATH</li> + <li>Edit $JAVA_HOME/jre/lib/security/java.security<br> + Add: security.provider.2=com.sun.net.ssl.internal.ssl.Provider</li> + <li>Do: <code>keytool -genkey -alias tomcat -keyalg RSA</code><br> + RSA is essential to work with Netscape + and IIS. Use "changeit" as password (or add keypass attribute). You + don't need to sign the certificate. 
You can set parameter keystore and + keypass if you want to change the default + ($HOME/.keystore with changeit)</li> + </ul> + </li> + <li>I suggest you install jcert.jar, jnet.jar and jsse.jar in + $JAVA_HOME/jre/lib/ext + and then add them to your CLASSPATH export <br> + <br> + +<pre>CLASSPATH=$JAVA_HOME/jre/lib/ext/jcert.jar:$CLASSPATH +export CLASSPATH=$JAVA_HOME/jre/lib/ext/jnet.jar:$CLASSPATH +export CLASSPATH=$JAVA_HOME/jre/lib/ext/jsse.jar:$CLASSPATH +</pre> + + You could also copy the 3 jars into $TOMCAT_HOME/lib/ so they are + under the existing CLASSPATH at tomcat startup (tomcat.sh).</li> +</ul> + +<h3><a name=s63>Importing SSL certificates</a></h3> + +<p>It's possible to import certificates generated with <a + href="http://www.openssl.org">OpenSSL</a>. Here are the steps needed + to generate such certs with OpenSSL:</p> + +<ul> + <li>To generate a new request and a new key<br> + <code>openssl req -new -out REQ.pem -keyout KEY.pem</code></li> + <li>To generate a self signed x509 certificate from a certificate request using + a supplied key, and see the text form of the output certificate + (which we will put into the file selfSign.pem<br> + <code>openssl req -x509 -in REQ.pem -key KEY.pem -out + CERT.pem</code></li> + <li>Verify that the signature is correct on a certificate request.<br> + <code>openssl req -verify -in REQ.pem</code></li> + <li>Verify that the signature was made using a specified public key<br> + <code>openssl req -verify -in REQ.pem -key KEY.pem</code></li> + <li>Print the contents of a certificate request<br> + <code>openssl req -text -in REQ.pem</code></li> + <li>To import the CERT in keystore, just:<br> + <code>keytool -import -v -trustcacerts -alias tomcat -file + CERT.pem</code></li> +</ul> + +<hr> + +<h2><a name=s7>Credits</a></h2> + +<p>This document was created by <a href="mailto:hgo...@slib.fr">Gomez Henri</a>. + Thanks to hgo...@cmcltd.com for import info. 
Feel free to contact me for more + updates.</p> + +<table width="100%" border="0" cellpadding="10" cellspacing="0"> + <tr> + <td> + <p class="fineprint"> Copyright ©1999-2000 The Apache Software Foundation<br> + <a href="http://jakarta.apache.org/legal.html">Legal Stuff They Make Us + Say</a><br> + <a href="http://jakarta.apache.org/contact.html">Contact Information</a> + </p> + </td> + </tr> +</table> + +</body> +</html> + Propchange: tomcat/site/trunk/docs/tomcat-3.2-doc/tomcat-ssl-howto.html ------------------------------------------------------------------------------ svn:eol-style = native Added: tomcat/site/trunk/docs/tomcat-3.2-doc/uguide/images/banner.gif URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/tomcat-3.2-doc/uguide/images/banner.gif?rev=1305109&view=auto ============================================================================== Binary file - no diff available. Propchange: tomcat/site/trunk/docs/tomcat-3.2-doc/uguide/images/banner.gif ------------------------------------------------------------------------------ svn:mime-type = image/gif Added: tomcat/site/trunk/docs/tomcat-3.2-doc/uguide/images/tomcat.gif URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/tomcat-3.2-doc/uguide/images/tomcat.gif?rev=1305109&view=auto ============================================================================== Binary file - no diff available. Propchange: tomcat/site/trunk/docs/tomcat-3.2-doc/uguide/images/tomcat.gif ------------------------------------------------------------------------------ svn:mime-type = image/gif Added: tomcat/site/trunk/docs/tomcat-3.2-doc/uguide/style.css URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/tomcat-3.2-doc/uguide/style.css?rev=1305109&view=auto ============================================================================== --- tomcat/site/trunk/docs/tomcat-3.2-doc/uguide/style.css (added) +++ tomcat/site/trunk/docs/tomcat-3.2-doc/uguide/style.css Sun Mar 25 19:52:05 2012 
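Review bot: In tomcat-ssl-howto.html the `SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL` line in the `_default_:443` example explicitly adds `+eNULL` (no encryption), `+EXP` and `+LOW` (export and low-strength suites) and `+SSLv2`, which contradicts the surrounding claim that this config "will easily secure your webapps"; the example should list only strong suites and say that it does. The same block is also mangled: `<Directory "/var/tomcat/webapps/alesia">` is nested inside itself twice, and `<Location "/alesia/WEB-INF/">` appears once empty and once with `Deny from all`; keep one Directory and one Location block so a reader does not copy the empty one and leave WEB-INF exposed under `Alias /alesia`. In Importing SSL certificates, the steps generate `KEY.pem` with openssl but the closing `keytool -import -v -trustcacerts -alias tomcat -file CERT.pem` brings only the certificate into the `tomcat` alias created by `keytool -genkey`; clarify what happens to `KEY.pem`, and make the text's `selfSign.pem` match `CERT.pem` in the command. The server.xml example hard-codes `keypass` `changeit`, the same value the keytool instructions recommend; a sentence telling the reader to choose their own keystore password belongs next to that advice. Typo: `authentificate` -> `authenticate`, and `JkCERTSIndicator: ` has a stray trailing colon in the variable list.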
@@ -0,0 +1,57 @@ +body { + font-family: "Times New Roman", Times, serif; + font-style: normal; + color: #000000; + background-color: #FFFFFF; +} + +h1 { + font-family: Arial, Helvetica, sans-serif; + color: #0033CC +} + +h2 { + font-family: Arial, Helvetica, sans-serif; + color: #0033CC +} + +h3 { + font-family: Arial, Helvetica, sans-serif; + color: #0033CC +} + +b { + font-weight: bold; +} + +.code { + font-family: Courier, mono; +} + +.codeblock { + font-family: Courier, mono; +} + +.navheading { + font-family: Arial, Helvetica, sans-serif; + font-weight: bold; + color: #0033CC +} + +.navitem { + font-family: "Times New Roman", Times, serif; + margin-left: 10pt; + color: #000000 +} + +.itemdef { + font-family: "Times New Roman", Times, serif; + font-size: smaller; + color: #000000 +} + +.fineprint { + font-family: Arial, Helvetica, sans-serif; + font-size: smaller; + color: #000000 +} Propchange: tomcat/site/trunk/docs/tomcat-3.2-doc/uguide/style.css ------------------------------------------------------------------------------ svn:eol-style = native Added: tomcat/site/trunk/docs/tomcat-3.2-doc/uguide/tomcat-security-unix.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/tomcat-3.2-doc/uguide/tomcat-security-unix.html?rev=1305109&view=auto ============================================================================== --- tomcat/site/trunk/docs/tomcat-3.2-doc/uguide/tomcat-security-unix.html (added) +++ tomcat/site/trunk/docs/tomcat-3.2-doc/uguide/tomcat-security-unix.html Sun Mar 25 19:52:05 2012 
@@ -0,0 +1,197 @@ +<!doctype html public "-//w3c//dtd html 4.0 transitional//en"> +<html> +<head> + <title>Tomcat SecurityManager setup with Unix</title> + <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> + <meta name="GENERATOR" content="Mozilla/4.7 [en] (X11; I; SunOS 5.7 i86pc) [Netscape]"> +</head> +<body text="#000000" bgcolor="#FFFFFF" link="#0000FF" vlink="#FF0000" alink="#000088"> + +<h1> +Tomcat SecurityManager setup with Unix</h1> +<ul> +<li> +<a href="#config">Configuring Tomcat for use with a SecurityManager</a></li> + +<li> +<a href="#start">Starting Tomcat with a SecurityManager</a></li> + +<li> +<a href="#trouble">Trouble shooting tomcat.policy configuration and Security +Violations</a></li> +</ul> + +<h3> +<a NAME="config"></a>Configuring Tomcat for use with a SecurityManager</h3> +<b>tomcat.policy</b> +<p>The security policies implemented by the Java SecurityManager are configured +in the <code>tomcat.policy</code> file located in the tomcat <code>conf</code> directory. +The <code>tomcat.policy</code> file replaces any system <code>java.policy</code> file. The +<code>tomcat.policy</code> file can be edited by hand or you can use the +<a href="http://java.sun.com/products/jdk/1.2/docs/tooldocs/solaris/policytool.html">policytool</a> +</b>application +that comes with Java 1.2. +<p>Entries in the <code>tomcat.policy</code> file use the standard <code>java.policy</code> file +format as follows: +<table BORDER=0 cellpadding=8 width="95%" bgcolor="#eeeeee"> +<tr> +<td> +<pre>// Example policy file entry + +grant [signedBy <signer> [,codeBase <code source>] { + permission <class> [<name> [, <action list>]]; +};</pre> +</td> +</tr> +</table> +The <b>signedBy</b> and <b>codeBase </b>entries are optional when granting +permissions. Comment lines begin with <code>//</code> and end at a new line. 
+<p>The codeBase is in the form of a URL and for a file URL can use the +${java.home} and ${tomcat.home} properties which are expanded out to the +directory paths defined for them. +<p>Default tomcat.policy file +<table BORDER=0 cellpadding=8 width="95%" bgcolor="#eeeeee"> +<tr> +<td> +<pre> +// Permissions for tomcat. + +// javac +grant codeBase "file:${java.home}/../lib/-" { + permission java.security.AllPermission; +}; + +// Tomcat gets all permissions +grant codeBase "file:${tomcat.home}/lib/-" { + permission java.security.AllPermission; +}; + +grant codeBase "file:${tomcat.home}/classes/-" { + permission java.security.AllPermission; +}; + +// Example webapp policy +// By default Tomcat grants read access on webapp dir and read of the +// line.separator, path.separator, and file.separator PropertyPermissions. +// Any permissions you grant here are in addition to the default. +grant codeBase "file:${tomcat.home}/webapps/examples" { + // Allow the example web application to read all java properties + permission java.util.ProperyPermission "*", "read"; +}; +</pre> +</td> +</tr> +</table> + +<p>Here is an example where in addition to the default permissions, we want to grant +the examples web application the ability to connect to the localhost smtp +port so that it can send mail. +<table BORDER=0 cellpadding=8 width="95%" bgcolor="#eeeeee"> +<tr> +<td> +<pre>grant codeBase "file:${tomcat.home}/webapps/examples" { + // Allow examples web application to use localhost smtp port + permission java.net.SocketPermission "localhost:25","connect"; +};</pre> +</td> +</tr> +</table> +<p>If you want to set a default policy for all web applications you +can use a <b>grant</b> entry without a URL. +If we wanted to give all web applications not configured by their own +grant entry some default permissions in addition to what Tomcat assigns +we could do the following. 
+<table BORDER=0 cellpadding=8 width="95%" bgcolor="#eeeeee"> +<tr> +<td> +<pre>grant { + // Allow all web applications to read all java properties + permission java.util.ProperyPermission "*", "read"; +};</pre> +</td> +</tr> +</table> +<p> +Finally, a more complex tomcat.policy file. In this case we are using +Tomcat as an app server for a number of remote web servers. We want +to limit what remote web servers can connect to Tomcat by using the Java +SecurityManager. +<br> +<table BORDER=0 cellpadding=8 width="95%" bgcolor="#eeeeee"> +<tr> +<td> +<pre>// Permissions for tomcat. +// javac needs this +grant codeBase "file:${java.home}/lib/-" { + permission java.security.AllPermission; +}; + +// Tomcat with IP filtering +grant codeBase "file:${tomcat.home}/lib/-" { + // Tomcat should be able to read/write all properties + permission java.util.PropertyPermission "*","read,write"; + // Tomcat needs to be able to read files in its own directory + permission java.io.FilePermission "${tomcat.home}/-","read"; + // Tomcat has to be able to write its logs + permission java.io.FilePermission "${tomcat.home}/logs/-","read,write"; + // Tomcat has to be able to write to the conf directory + permission java.io.FilePermission "${tomcat.home}/conf/-","read,write"; + // Tomcat has to be able to write to the webapps directory + permission java.io.FilePermission "${tomcat.home}/webapps/-","read,write"; + // Tomcat has to be able to compile JSP's + permission java.io.FilePermission "${tomcat.home}/work/-","read,write,delete"; + // Tomcat needs all the RuntimePermission's + permission java.lang.RuntimePermission "*"; + // Needed so Tomcat can set security policy for a Context + permission java.security.SecurityPermission "*"; + // Needed so that Tomcat will accept connections from a remote web server + // Replace XXX.XXX.XXX.XXX with the IP address of the remote web server + permission java.net.SocketPermission "XXX.XXX.XXX.XXX:1024-","accept,listen,resolve"; + // Tomcat has to be able 
to use its port on the localhost + permission java.net.SocketPermission "localhost:1024-","connect,accept,listen,resolve"; +}; + +// Example webapp policy +// By default we grant read access on webapp dir +// and read of the line.separator PropertyPermission +grant codeBase "file:${tomcat.home}/webapps/examples" { + permission java.net.SocketPermission "localhost:1024-","listen"; + permission java.util.PropertyPermission "*","read"; +};</pre> +</td> +</tr> +</table> + +<p><b>server.xml</b> +<p>Uncomment out the entry in server.xml for the ContextInterceptor which +defines the class named PolicyInterceptor. +<br> +<h3> +<a NAME="start"></a>Starting Tomcat with a SecurityManager</h3> +Once you have configured the tomcat.policy and server.xml files for use +with a SecurityManager, Tomcat can be started with the SecurityManager +in place by using the "-security" option to bin/startup.sh. +<br> +<h2> +<a NAME="trouble"></a>Trouble shooting tomcat.policy configuration and +Security Violations</h2> +You can turn on Java SecurityManager debug logging by settting the +environmental variable <code>TOMCAT_OPTS=-Djava.security.debug=all</code>. +You will find the debug output in your <code>tomcat.log</code>. +<p> +<b>JSP Compile using JVM internal javac fails with AccessControlException +for RuntimePermission accessClassInPackage sun.tools.javac.</b> +<p>Check your JAVA_HOME/jre/lib/security/java.security file configuration. +Comment out the line "package.access=sun.". +<p><b>JSP Compile using JVM internal javac fails with AccessControlException +for FilePermission read of tomcat work directory.</b> +<p>Try defining an absolute path for the codeBase needed in the policy +grant for java itself instead of the ${java.home} property. 
+<p> +<pre>// javac needs this +grant codeBase "file:/usr/java/lib/-" { + permission java.security.AllPermission; +};</pre> +<br> +</body> +</html> Propchange: tomcat/site/trunk/docs/tomcat-3.2-doc/uguide/tomcat-security-unix.html ------------------------------------------------------------------------------ svn:eol-style = native Added: tomcat/site/trunk/docs/tomcat-3.2-doc/uguide/tomcat-security.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/tomcat-3.2-doc/uguide/tomcat-security.html?rev=1305109&view=auto ============================================================================== --- tomcat/site/trunk/docs/tomcat-3.2-doc/uguide/tomcat-security.html (added) +++ tomcat/site/trunk/docs/tomcat-3.2-doc/uguide/tomcat-security.html Sun Mar 25 19:52:05 2012 
@@ -0,0 +1,105 @@ +<!doctype html public "-//w3c//dtd html 4.0 transitional//en"> +<html> +<head> + <title>Using the Java SecurityManager with Tomcat</title> + <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> + <meta name="GENERATOR" content="Mozilla/4.7 [en] (X11; I; SunOS 5.7 i86pc) [Netscape]"> +</head> +<body text="#000000" bgcolor="#FFFFFF" link="#0000FF" vlink="#FF0000" alink="#000088"> + +<h1> +Using the Java SecurityManager with Tomcat</h1> + +<ul> +<li> +<a href="#why">Why use a SecurityManager?</a></li> + +<li> +<a href="#requirements">System Requirements</a></li> + +<li> +<a href="#precautions">Precautions</a></li> + +<li> +<a href="#permissions">Types of Permissions</a></li> + +<li> +<a href="tomcat-security-unix.html">Tomcat SecurityManager setup with Unix</a></li> + +<li> +<a href="#violation">What happens when the SecurityManager detects a Security +violation?</a></li> +</ul> + +<h3> +<a NAME="why"></a>Why use a SecurityManager?</h3> +The Java SecurityManager is what allows a web browser to run an applet +in its own sandbox to prevent untrusted code from accessing files on the +local system, connecting to a host other than the one the applet was loaded +from, etc. +<p>In the same way the SecurityManager protects you from an untrusted applet +running in your browser, use of a SecurityManager while running Tomcat +can protect your server from trojan servlets, JSP's, JSP beans, and tag +libraries. Or even inadvertent mistakes. +<p>Imagine if someone who is authorized to publish JSP's on your site invadvertently +included the following in their JSP: +<blockquote> +<pre><% System.exit(1); %></pre> +</blockquote> + +<p><br>Every time that JSP was executed by Tomcat, Tomcat would exit. +<p>Using the Java SecurityManager is just one more line of defense a system +administrator can use to keep the server secure and reliable. 
+<h3> +<a NAME="requirements"></a>System Requirements</h3> +Use of the SecurityManager requires a JVM that supports JDK 1.2. +<br> +<h3> +<a NAME="precautions"></a>Precautions</h3> +Implementation of a SecurityManager in Tomcat has not been fully tested +to ensure the security of Tomcat. No special Permissions have been +created to prevent access to internal Tomcat classes by JSP's, web applications, +servlets, beans, or tag libraries. Make sure that you are satisfied with +your SecurityManager configuration before allowing untrusted users to publish +web applications, JSP's, servlets, beans, or tag libraries. +<p>Still, running with a SecurityManager is definitely better than running +without one. +<br> +<h3> +<a NAME="permissions"></a>Types of Permissions</h3> +Permission classes are used to define what Permissions a class loaded by +Tomcat will have. There are a number of Permission classes as part +of the JDK and you can even create your own Permission class for use in +your own web applications. +<p>This is just a short summary of the System SecurityManager Permission +classes applicable to Tomcat. Please refer to the JDK documentation +for more information on using the below Permissions. +<p><b>java.util.PropertyPermission</b> +<br> Controls read/write access to JVM properties such +as java.home. +<p><b>java.lang.RuntimePermission</b> +<br> Controls use of some System/Runtime functions like +exit() and exec(). +<p><b>java.io.FilePermission</b> +<br> Controls read/write/execute access to files and +directories. +<p><b>java.net.SocketPermission</b> +<br> Controls use of network sockets. +<p><b>java.net.NetPermission</b> +<br> Controls use of multicast network connections. +<p><b>java.lang.reflect.ReflectPermission</b> +<br> Controls use of reflection to do class introspection. +<p><b>java.security.SecurityPermission</b> +<br> Controls access to Security methods. 
+<p><b>java.security.AllPermission</b> +<br> Allows access to all permissions, just as if you +were running Tomcat without a SecurityManager. +<br> +<h3> +<a NAME="violation"></a>What happens when the SecurityManager detects a +Security violation?</h3> +The JVM will throw an AccessControlException or a SecurityException when +the SecurityManager detects a security policy violation. +<br> +</body> +</html> Propchange: tomcat/site/trunk/docs/tomcat-3.2-doc/uguide/tomcat-security.html ------------------------------------------------------------------------------ svn:eol-style = native --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
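Review bot: in tomcat-ssl-howto.html, the last step of "Importing SSL certificates", `keytool -import -v -trustcacerts -alias tomcat -file CERT.pem`, stores the certificate as a trusted certificate entry only; the private key in KEY.pem is never imported, so the `tomcat` alias ends up with no key entry and cannot serve as the server identity for SSL. Either state what the import actually achieves (trusting that certificate) or document how the key pair is meant to reach the keystore. In the same section the self-signed step writes CERT.pem while the text says the output goes into selfSign.pem, and that sentence's parenthesis is never closed. In the CLASSPATH block the first line lacks `export` while the next two have it; make the three lines consistent. The sentence that mentions the default keystore password `changeit` presents a different keypass as optional; since the default is published in this very document, it should advise setting a keystore password of your own.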
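Review bot: in tomcat-security-unix.html the permission class in the default policy's example webapp grant and in the catch-all `grant { ... }` entry is misspelled, `java.util.ProperyPermission` (twice); a policy entry whose class cannot be resolved is kept as an unresolved permission that never implies anything, so both examples as written silently grant nothing. Use `java.util.PropertyPermission`, as the IP-filtering example already does. Same hunk: (1) the `<signer>`, `<code source>`, `<class>`, `<name>` and `<action list>` placeholders in the first `<pre>` block are unescaped and will be swallowed by the browser as tags; write them with `&lt;` and `&gt;`. (2) The troubleshooting advice to comment out `package.access=sun.` in `java.security` relaxes the sun.* access restriction for every program run under that JDK, not just Tomcat; the narrower fix is a grant of `permission java.lang.RuntimePermission "accessClassInPackage.sun.tools.javac";` in tomcat.policy for the code that compiles JSPs. (3) The javac grants disagree: the default file uses `${java.home}/../lib/-`, the IP-filtering example `${java.home}/lib/-`, and the troubleshooting entry `/usr/java/lib/-`; since `java.home` normally points at the `jre` directory, the `${java.home}/lib/-` form is likely what produces the FilePermission failure the troubleshooting entry describes, and the three should agree. (4) The comment "Tomcat needs all the RuntimePermission's" next to `RuntimePermission "*"` should say that this includes `setSecurityManager` and `createClassLoader`, so the IP-filtering policy restricts Tomcat's own code only as far as that code is trusted. Markup and spelling: a stray `</b>` follows the policytool link with no matching `<b>`; "Uncomment out", "settting" and "Trouble shooting" are typos; the troubleshooting heading is an `<h2>` while its sibling sections are `<h3>`.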
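Review bot: in tomcat-security.html the description of `java.net.NetPermission` under "Types of Permissions" is inaccurate: its targets are `setDefaultAuthenticator`, `requestPasswordAuthentication` and `specifyStreamHandler`, while joining a multicast group is checked with `java.net.SocketPermission` ("accept,connect" on the group address). Suggested wording: "Controls network-related settings such as the default Authenticator and custom URL stream handlers." Same hunk: `<% System.exit(1); %>` inside the `<pre>` should be escaped as `&lt;% System.exit(1); %&gt;` so it renders reliably, and "invadvertently" is a typo. The "Precautions" paragraph would be more useful if it pointed out that the companion Unix setup page grants AllPermission to everything under `${tomcat.home}/lib/-` and `${tomcat.home}/classes/-`, so the sandbox is only as strong as the write-access control on those directories.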