Configuring Package Protection in Tomcat

Starting with Tomcat 5, it is now possible to configure which Tomcat internal package are protected against package definition and access.

The Default Properties File

The default $CATALINA_BASE/conf/catalina.properties file looks like this:

#

# List of comma-separated packages that start with or equal this string

# will cause a security exception to be thrown when

# passed to checkPackageAccess unless the

# corresponding RuntimePermission (“accessClassInPackage.”+package) has

# been granted.

package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,

org.apache.jasper.

#

# List of comma-separated packages that start with or equal this string

# will cause a security exception to be thrown when

# passed to checkPackageDefinition unless the

# corresponding RuntimePermission (“defineClassInPackage.”+package) has

# been granted.

#

# by default, no packages are restricted for definition, and none of

# the class loaders supplied with the JDK call checkPackageDefinition.

#

package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,

org.apache.tomcat.,org.apache.jasper.

Once you have configured the catalina.properties file for use with a SecurityManager, remember to re-start Tomcat.

Configuring Tomcat With A SecurityManager
Troubleshooting

Get industry recognized certification – Contact us

keyboard_arrow_up
Open chat
Need help?
Hello 👋
Can we help you?