What are the challenges writing secure java policy files?

  1. Determining a set of minimal permissions that code requires to
     execute, not only for local code but for proxy's too.
  2. Figuring out which Principal / CodeSource / Certificate,
     permission grant combinations to add to policy files.
  3. Maintaining policy files in a distributed environment.

Partial answer:

There's now a com.sun.jini.tools.ProfilingSecurityManager, it allows code to execute and prints out the permissions required for each codebase. This can be run prior to deployment to assist in figuring out the implications of granting each permission and to whom they should be granted.

The ProfilingSecurityManager can also be used to determine the permission requirements of Proxy codebases.

I've got some plans to include a permissions requirement file in each proxy jar, in fact this could be done for all jar files. This enables an easy runtime determination of the security requirements of each jar codebase.

A possible solution:

We could add a method to net.jini.security.Security to parse jar files for META-INF/permissions.perms declared permissions.

public CodeSource jarPermissions(CodeSource cs);

The returned class could be an overriding implementation of CodeSource, which overrides toString.

Now if we do this for all CodeSource's included in ProtectionDomain, when we get a SecurityException, the cause for each ProtectionDomain will include the list of Permission's required by the CodeSource along with those assigned to the ProtectionDomain's in the current context, then if we wrap thrown SecurityException's in a RemoteException for services, we know exactly why the SecurityException was caused.

When the SecurityException is thrown, the ProtectionDomain that fails prints out it's CodeSource, Principals and Permissions granted to it (including any from the policy), we'll just be adding a list of required permissions, so all the information is in one place.

This will make it easy for an administrator to quickly determine and add the missing permission to a user's profile, when required, using RemotePolicy.

That's all I'm going to discuss for now, so you can chew it over, I'll continue the thread later.

Cheers,

Peter.



Reply via email to