Permission classes are used to define what Permissions a class loaded by Tomcat will have. There are a number of Permission classes that are a standard part of the JDK, and you can create your own Permission class for use in your own web applications. Both techniques are used in Tomcat.
Standard Permissions
This is just a short summary of the standard system SecurityManager Permission classes applicable to Tomcat.
java.util.PropertyPermission – Controls read/write access to JVM properties such as java.home.
java.lang.RuntimePermission – Controls use of some System/Runtime functions like exit() and exec(). Also control the package access/definition.
java.io.FilePermission – Controls read/write/execute access to files and directories.
java.net.SocketPermission – Controls use of network sockets.
java.net.NetPermission – Controls use of multicast network connections.
java.lang.reflect.ReflectPermission – Controls use of reflection to do class introspection.
java.security.SecurityPermission – Controls access to Security methods.
java.security.AllPermission – Allows access to all permissions, just as if you were running Tomcat without a SecurityManager.
Tomcat Custom Permissions
Tomcat utilizes a custom permission class called org.apache.naming.JndiPermission. This permission controls read access to JNDI named file based resources. The permission name is the JNDI name and there are no actions. A trailing “*” can be used to do wild card matching for a JNDI named file resource when granting permission. For example, you might include the following in your policy file:
permission org.apache.naming.JndiPermission “jndi://localhost/examples/*”;
A Permission entry like this is generated dynamically for each web application that is deployed, to allow it to read its own static resources but disallow it from using file access to read any other files (unless permissions for those files are explicitly granted).
Also, Tomcat always dynamically creates the following file permissions:
permission java.io.FilePermission “** your application context**”, “read”;
permission java.io.FilePermission
“** application working directory**”, “read,write”;
permission java.io.FilePermission
“** application working directory**/-“, “read,write,delete”;
Where **your application context** equals the folder (or WAR file) under which your application has been deployed and **application working directory** is the temporary directory provided to your application as required by the Servlet Specification.
