Configuring Minimal File Access Permissions
This topic includes information about configuring file permissions in relation to Oxygen XML WebApp Component.
The Oxygen XML WebApp Component requires access to the following file resources:
- READ access to the directory where the Oxygen XML WebApp Component is deployed.
- READ and WRITE access to the application's working directory.
- READ and WRITE access to JVM's temporary directory.
It is a good security practice to allow a component to access only the information and
resources that are necessary for its purpose. In an environment that uses Apache Tomcat, you
can enforce these rules following these steps:
-
Start the Apache Tomcat server using the
-securityflag. -
Edit the catalina.policy file and add the following snippet:
grant codeBase "file:${catalina.base}/webapps/oxygen-webapp/-" { // Oxygen uses System properties for various configuration purposes. permission java.util.PropertyPermission "*", "read,write"; // Oxygen custom protocols need access to network. permission java.net.NetPermission "*"; permission java.net.SocketPermission "*", "accept,connect,listen,resolve"; // The web framework used by Oxygen Webapp uses reflection and classloaders. permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; permission java.security.SecurityPermission "*"; permission java.util.logging.LoggingPermission "control"; permission java.lang.RuntimePermission "*"; // Oxygen requires these permissions to connect to a URL. permission java.net.URLPermission "http:*", "*"; permission java.net.URLPermission "https:*", "*"; permission java.net.URLPermission "file:*", "*"; // Oxygen should be allowed to read JVM jars permission java.io.FilePermission "${java.home}/-", "read"; // Oxygen uses the JVM's java.io.tempdir for various file handling tasks. permission java.io.FilePermission "${java.io.tmpdir}/-", "read,write,delete"; permission java.io.FilePermission "${java.io.tmpdir}", "read,write,delete"; // Folder used by oXygen to deploy the plugins to. permission java.io.FilePermission "${oxygen.data.dir}/-", "read,write,delete"; permission java.io.FilePermission "${oxygen.data.dir}", "read,write,delete"; }; // The jar that contains sandboxing code. grant codeBase "jar:file:${catalina.base}/webapps/oxygen-webapp/WEB-INF/lib/oxygen-sandbox.jar!/-" { permission java.security.AllPermission; }; // Give all permissions to the plugins code unless otherwise instructed by the plugin vendor. grant codeBase "file:${oxygen.data.dir}/plugins-v18.0/-" { permission java.security.AllPermission; }; // Give all permissions to the frameworks code unless otherwise instructed by the plugin vendor. grant codeBase "file:${oxygen.data.dir}/frameworks-v18.0/-" { permission java.security.AllPermission; };Note: In the previous example, in the first line, replaceoxygen-webappwith the name of your deployment of the Oxygen XML WebApp Component.
Configuring File Permissions to Custom Locations
There are cases when the Oxygen XML WebApp Component needs to access files system resources, but due to security reasons, you want to prevent your users from opening them directly in the Oxygen XML WebApp Component editing page using the file:// protocol.
You can do this by following these steps:
- Edit the catalina.policy file and add a line such
as:
permission java.io.FilePermission "path/to/yourSecretDir/-", "read,write,delete"; permission java.io.FilePermission "path/to/yourSecretDir", "read,write,delete"; - Use the following system property when starting the Tomcat
server:
-Dfile.protocol.blacklist=/path/to/yourSecretDirNote: Use the value ofpath.separatorsystem property to separate more directories. For example, under Linux, the value ofpath.separatorproperty is a colon punctuation character:.