From 83c25cd053c3644f71cbcc324f57d3fd1443220320177cc424dd9059a97b8a4f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?=
Date: Wed, 17 Sep 2014 08:38:34 +0000
Subject: [PATCH] Accepting request 249896 from home:dmacvicar:branches:Java:packages

- Fixed Security Manager policies, which makes unable properly run webapps by default. (bnc#891264)
  Added: tomcat-7.0-sle.catalina.policy.patch
- Missing security manager policy file prevents Tomcat to start with systemd. (bnc#890995)
- Tomcat 7.0.55 requires ecj 4.4.0

OBS-URL: https://build.opensuse.org/request/show/249896
OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=60
---
 tomcat-7.0-sle.catalina.policy.patch | 50 ++++++++++++++++++++++++++++
 tomcat-7.0-tomcat-sysd | 4 ++-
 tomcat.changes | 18 ++++++++++
 tomcat.spec | 8 +++--
 4 files changed, 77 insertions(+), 3 deletions(-)
 create mode 100644 tomcat-7.0-sle.catalina.policy.patch

diff --git a/tomcat-7.0-sle.catalina.policy.patch b/tomcat-7.0-sle.catalina.policy.patch
new file mode 100644
index 0000000..0fe36fa
--- /dev/null
+++ b/tomcat-7.0-sle.catalina.policy.patch
@@ -0,0 +1,50 @@ +diff -Naur apache-tomcat-7.0.55-src/conf/catalina.policy apache-tomcat-7.0.55-src.new/conf/catalina.policy +--- apache-tomcat-7.0.55-src/conf/catalina.policy 2014-07-18 16:49:04.000000000 +0200 ++++ apache-tomcat-7.0.55-src.new/conf/catalina.policy 2014-09-16 17:49:07.963129705 +0200 +@@ -95,6 +95,7 @@ + // ${file.separator}classes${file.separator}logging.properties", "read"; + }; + ++ + // These permissions apply to the server startup code + grant codeBase "file:${catalina.home}/bin/bootstrap.jar" { + permission java.security.AllPermission; +@@ -107,7 +108,6 @@ + permission java.security.AllPermission; + }; + +- + // If using a per instance lib directory, i.e. ${catalina.base}/lib, + // then the following permission will need to be uncommented + // grant codeBase "file:${catalina.base}/lib/-" { +@@ -162,6 +162,9 @@ + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat"; + + // Precompiled JSPs need access to these packages. ++ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper"; ++ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.servlet"; ++ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.compiler"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime"; + permission java.lang.RuntimePermission +@@ -214,6 +217,15 @@ + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util"; + }; + ++// Additional basic permissions for web applications. 
++grant codeBase "file:/usr/share/java/tomcat-servlet-api.jar" {
++ permission java.security.AllPermission;
++};
++
++grant codeBase "file:/usr/share/java/tomcat-el-api.jar" {
++ permission java.security.AllPermission;
++};
++
+ // You can assign additional permissions to particular web applications by
+ // adding additional "grant" entries here, based on the code base for that
+ // application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
+@@ -245,4 +257,3 @@
+ // grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
+ // permission java.net.SocketPermission "*.noaa.gov:80", "connect";
+ // };
+-
diff --git a/tomcat-7.0-tomcat-sysd b/tomcat-7.0-tomcat-sysd
index 901106e..871cf38 100644
--- a/tomcat-7.0-tomcat-sysd
+++ b/tomcat-7.0-tomcat-sysd
@@ -60,8 +60,10 @@ function start() {
 if [[ "$SECURITY_MANAGER" = "true" ]]; then
 DSECURITY_MANAGER="-Djava.security.manager"
+ DSECURITY_POLICY="-Djava.security.policy=${CATALINA_BASE}/conf/catalina.policy"
 else
 unset DSECURITY_MANAGER
+ unset DSECURITY_POLICY
 fi
 if ${USE_JSVC}; then
@@ -76,7 +78,7 @@ function start() {
 -Dcatalina.base="$CATALINA_BASE" \
 -Dcatalina.home="$CATALINA_HOME" \
 -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" \
- -Djava.io.tmpdir="$CATALINA_TMPDIR" ${DSECURITY_MANAGER} \
+ -Djava.io.tmpdir="$CATALINA_TMPDIR" ${DSECURITY_MANAGER} ${DSECURITY_POLICY} \
 -Djava.util.logging.config.file="${CATALINA_BASE}/conf/logging.properties" \
 -Djava.util.logging.manager="org.apache.juli.ClassLoaderLogManager" \
 org.apache.catalina.startup.Bootstrap start
diff --git a/tomcat.changes b/tomcat.changes
index 7eb9018..877b407 100644
--- a/tomcat.changes
+++ b/tomcat.changes
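Review bot: The two grants added at the end of the `@@ -214,6 +217,15 @@` hunk give `java.security.AllPermission` to `/usr/share/java/tomcat-servlet-api.jar` and `/usr/share/java/tomcat-el-api.jar`, yet the comment introducing them reads `// Additional basic permissions for web applications.`, which describes neither the code base (these are container API jars, not web-application code) nor the scope (the full privilege set, not a basic one). Presumably the absolute paths are needed because this distribution installs the jars under /usr/share/java rather than under ${catalina.home}/lib, so the `${catalina.home}/lib/-` grant elsewhere in this file does not cover them; if so the comment should state that, e.g. `// SLE: the servlet/EL API jars are installed in /usr/share/java, outside the ${catalina.home}/lib grant above, so they need the same AllPermission the container jars get.` Hard-coding the distribution paths also ties the policy to one layout; a `${catalina.home}`-relative code base or a system property set by the init script would survive a relocation. The `@@ -95` and `@@ -107` hunks only move a blank line and `@@ -245` drops a trailing one, churn that will make this patch harder to rebase onto later upstream policy files.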
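Review bot: `DSECURITY_POLICY` in the `@@ -60,8 +60,10 @@` hunk uses a single `=` in `-Djava.security.policy=...`, which makes catalina.policy an addition to the JRE's default policy files rather than the only policy in force; upstream's catalina.sh passes `-Djava.security.policy==` (double `=`) so that catalina.policy alone governs what the container and the webapps may do. With the single `=` every grant in the JRE's own java.policy also applies, which is broader than what the policy file this commit adds describes, so the line should read `DSECURITY_POLICY="-Djava.security.policy==${CATALINA_BASE}/conf/catalina.policy"`. The variable is then passed unquoted in the `@@ -76,7 +78,7 @@` hunk, consistent with `${DSECURITY_MANAGER}`, which is fine only as long as `CATALINA_BASE` never contains whitespace. Only the plain java invocation is updated; the `if ${USE_JSVC}` branch lies outside these hunks, so if it assembles its own argument list it needs the same addition. Both hunks sit inside `start()`, whose beginning and end are outside the hunks.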
@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Tue Sep 16 16:09:59 UTC 2014 - bmaryniuk@suse.com
+
+- Fixed Security Manager policies, which makes unable properly
+ run webapps by default. (bnc#891264)
+ Added: tomcat-7.0-sle.catalina.policy.patch
+
+-------------------------------------------------------------------
+Tue Sep 16 14:13:20 UTC 2014 - bmaryniuk@suse.com
+
+- Missing security manager policy file prevents Tomcat to start
+ with systemd. (bnc#890995)
+
+-------------------------------------------------------------------
+Mon Sep 15 13:02:02 UTC 2014 - dmacvicar@suse.de
+
+- Tomcat 7.0.55 requires ecj 4.4.0
+
 -------------------------------------------------------------------
 Mon Sep 8 09:01:13 UTC 2014 - dmacvicar@suse.de
diff --git a/tomcat.spec b/tomcat.spec
index d1c35dd..da063a5 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -72,9 +72,11 @@ Patch1: %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.pa
 Patch2: tomcat-7.0.52-property-build.windows.patch
 # PATCH-FIX-UPSTREAM: https://issues.apache.org/bugzilla/show_bug.cgi?id=56373
 Patch3: tomcat-7.0.53-JDTCompiler-java.patch
+# PATCH-FIX-SLE: Change security manager default policies bnc#891264
+Patch4: tomcat-7.0-sle.catalina.policy.patch
 BuildRequires: ant >= 1.8.1
 BuildRequires: ant-antlr
-BuildRequires: ecj >= 4.2.1
+BuildRequires: ecj >= 4.4.0
 BuildRequires: fdupes
 BuildRequires: findutils
 BuildRequires: geronimo-jaf-1_0_2-api
@@ -205,7 +207,7 @@ Group: Productivity/Networking/Web/Servers
 Requires: %{name}-el-%{elspec}-api = %{version}-%{release}
 Requires: %{name}-jsp-%{jspspec}-api = %{version}-%{release}
 Requires: %{name}-servlet-%{servletspec}-api = %{version}-%{release}
-Requires(post): ecj >= 4.2.1
+Requires(post): ecj >= 4.4
 Requires(post): jakarta-commons-pool-tomcat5
 Requires(preun): %{_bindir}/rm
 Provides: jakarta-commons-dbcp-tomcat5 = 1.4
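Review bot: The two ecj constraints raised in tomcat.spec are spelled differently: `BuildRequires: ecj >= 4.4.0` in the `@@ -72,9 +72,11 @@` hunk and `Requires(post): ecj >= 4.4` in the `@@ -205,7 +207,7 @@` hunk. rpm's version comparison ranks `4.4.0` above `4.4`, so the scriptlet-time requirement is marginally looser than the build-time one and the two can drift apart on the next bump. Use one string in both places, `Requires(post): ecj >= 4.4.0`, matching the commit message's "requires ecj 4.4.0".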
@@ -249,6 +251,8 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch1 -p1
 %patch2 -p1
 %patch3
+%patch4 -p1
+
 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl