Should we create a build profile to run the security-enabled build in
the Continuum environment?

I can help with that, just want to check if we can point to a policy
file from our svn or relative to sca checkout, as we won't have easy
access to place/update the policy file in the JDK/JRE installed in
continuum.

On Thu, Sep 18, 2008 at 3:01 PM, Dhaval Chauhan
<[EMAIL PROTECTED]> wrote:
> Hi Dan,
>
> Thank you for your response.
>
> It worked.... :)
>
> It was unable to find the tuscany.policy file. There was an issue with the
> JAVA_HOME environment variable.
> I was pointing it to my JDK installation and in this case it was expecting
> JRE because default location for the tuscany.policy file is
> {java.home}/lib/security...!!
>
> Thanks,
> Dhaval
>
> ________________________________
>> Date: Thu, 18 Sep 2008 11:18:37 -0500
>> From: [EMAIL PROTECTED]
>> To: [email protected]
>> Subject: Re: Question regarding Tuscany Policy file
>>
>> A followup. Dhaval, I did see the Maven Surefire security exception
>> below when I ran Tuscany with the security profile ("mvn -P security").
>> However, when I used the following tuscany.policy in
>> ${java.home}/lib/security, I was able to run all the vtests and itests
>> with security on.
>>
>> It seems like either your codebase is off, or perhaps you are not
>> picking up the tuscany.policy file. Any indications in the trace/debug
>> statements that it finds or misses tuscany.policy?
>>
>> (My environment, IBM JVM 1.5, Windows XP)
>>
>> // Contents of tuscany.policy
>> grant codeBase "file:/e:/t/java/sca/-" {
>>     permission java.security.AllPermission;
>> };
>>
>> grant codeBase "file:/e:/g/m2/-" {
>>     permission java.security.AllPermission;
>> };
>>
>> Dhaval Chauhan wrote:
>> > Hi,
>> >
>> > I tried running the full build with security on.
>> >
>> > Initially, I granted AllPermission to the code base.
>> > Following is my tuscany.policy file:
>> >
>> > grant codeBase "file:/home/dchauhan/Documents/Tuscany/java_09122008/sca/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:/home/dchauhan/Documents/Tools/eclipse/eclipse/-" {
>> >     permission java.net.SocketPermission "127.0.0.1:*", "connect,accept,resolve";
>> >     permission java.io.FilePermission "<<ALL FILES>>", "read";
>> >     permission java.util.PropertyPermission "*", "read";
>> > };
>> > grant codeBase "file:/home/dchauhan/.m2/repository/-" {
>> >     permission java.security.AllPermission;
>> > };
>> >
>> > This policy file is residing in ${java.home}/lib/security directory.
>> >
>> > I am getting following exception when I run "mvn -P security" from the
>> > terminal:
>> >
>> > ......
>> > policy: granting (java.util.PropertyPermission java.vm.vendor read)
>> > policy: granting (java.util.PropertyPermission java.vm.name read)
>> > java.security.AccessControlException: access denied (java.io.FilePermission /tmp/surefire39246tmp read)
>> > at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
>> > at java.security.AccessController.checkPermission(AccessController.java:427)
>> > at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>> > at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
>> > at java.io.File.exists(File.java:700)
>> > at org.apache.maven.surefire.booter.SurefireBooter.loadProperties(SurefireBooter.java:697)
>> > at org.apache.maven.surefire.booter.SurefireBooter.setSystemProperties(SurefireBooter.java:716)
>> > at org.apache.maven.surefire.booter.SurefireBooter.main(SurefireBooter.java:793)
>> > [INFO] ------------------------------------------------------------------------
>> > [ERROR] BUILD FAILURE
>> > [INFO] ------------------------------------------------------------------------
>> > [INFO] There are test failures.
>> >
>> > Please refer to /home/dchauhan/Documents/Tuscany/java_09122008/sca/itest/bpel/helloworld/target/surefire-reports for the individual test results.
>> > .......
>> >
>> > Does anybody have any idea about this issue?
>> >
>> > -- Dhaval
>> >
>> >
>> >
>> >> Date: Tue, 9 Sep 2008 07:49:14 -0500
>> >> From: [EMAIL PROTECTED]
>> >> To: [email protected]
>> >> Subject: Re: Question regarding Tuscany Policy file
>> >>
>> >> Hi Dhaval,
>> >>
>> >> I think the general answer to your question is a matter of degree. You
>> >> need enough permission to run the Tuscany code base with security on,
>> >> yet not enough permission that a malicious user could hijack a public
>> >> API and use it to load or run malicious code.
>> >>
>> >> One method to achieve this is to run your tests with security on and no
>> >> permissions granted to the Tuscany code base. Then, as you run into
>> >> security exceptions, add permissions to that location of the Tuscany
>> >> tree to make the exception go away. Keep merging similar code bases to
>> >> keep your policy file simple. For example you might consider merging
>> >> code bases a.b.c.d and a.b.c.e into a.b.c.
>> >>
>> >> Be careful with granting privilege to Tuscany APIs such as
>> >> "deleteFileSystem" (I am hyperbolically speaking here). You don't want
>> >> to allow a malicious person to access this API.
>> >>
>> >>
>> >> Dhaval Chauhan wrote:
>> >>> I am investigating TUSCANY-2492
>> >>> (https://issues.apache.org/jira/browse/TUSCANY-2492) which is about
>> >>> running the Tuscany daily build with Java 2 Security on.
>> >>> I went through the following documentation for 'Running Tuscany with
>> >>> Java 2 Security Enabled'.
>> >>>
>> >>> http://tuscany.apache.org/running-tuscany-with-java-2-security-enabled.html
>> >>>
>> >>> From this, I figured out that there needs to be policy file(s)
>> >>> containing grants/permissions for different artifacts. I also found a
>> >>> sample snippet for the policy file that grants all permissions to the
>> >>> Tuscany code.
>> >>>
>> >>> I would like to know what level of security we are expecting in
>> >>> the context of the above-mentioned JIRA (TUSCANY-2492).
>> >>> In other words, what grants and permissions are required to fulfill
>> >>> the requirement of this JIRA?
>> >> --
>> >> Thanks, Dan Becker
>> >
>>
>>
>> --
>> Thanks, Dan Becker
>



-- 
Luciano Resende
Apache Tuscany, Apache PhotArk
http://people.apache.org/~lresende
http://lresende.blogspot.com/
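
The quoted advice in this thread is to start with no permissions and add grants as AccessControlExceptions appear. The following is an added example, not code from the thread or from Tuscany, that collects the denied permissions from a test log and renders them as one grant block. The function names, the code base placeholder and the rule for what gets a REVIEW marker are assumptions made for illustration.

```python
import re

# Matches the unquoted message shape seen in this thread and the quoted shape newer
# JVMs print; \s* after "denied" tolerates a mail-wrapped line break.
DENIED = re.compile(r'access denied\s*\(\s*(.+?)\s*\)\s*$', re.M)
RISKY_ACTIONS = {"write", "delete", "execute"}

def _split(body):
    if body.startswith('"'):
        parts = re.findall(r'"([^"]*)"', body)
    else:
        tok = body.split()  # unquoted: last token is the actions, middle is the target
        parts = tok[:1] + ([" ".join(tok[1:-1]), tok[-1]] if len(tok) > 2 else tok[1:])
    return tuple((parts + ["", "", ""])[:3])

def parse_denials(log_text):
    """Unique (class, target, actions) tuples, in first-seen order."""
    seen = []
    for m in DENIED.finditer(log_text):
        perm = _split(m.group(1))
        if perm not in seen:
            seen.append(perm)
    return seen

def to_policy(denials, code_base):
    """Render one grant block; code_base is chosen by the reviewer, not read from the log."""
    out = ['grant codeBase "%s" {' % code_base]
    for cls, target, actions in denials:
        line = "    permission " + cls
        if target:
            line += ' "%s"' % target.replace("\\", "\\\\")  # policy files need \\ in paths
        if actions:
            line += ', "%s"' % actions
        risky = cls.endswith("AllPermission") or RISKY_ACTIONS & set(actions.split(","))
        out.append(line + ";" + ("  // REVIEW: broad or mutating" if risky else ""))
    return "\n".join(out + ["};"])

# Constructed sample: the first denial is the one quoted in this thread, the rest are invented.
SAMPLE_LOG = '''policy: granting (java.util.PropertyPermission java.vm.name read)
java.security.AccessControlException: access denied
(java.io.FilePermission /tmp/surefire39246tmp read)
java.security.AccessControlException: access denied ("java.io.FilePermission" "/tmp/work/out.log" "write")
java.security.AccessControlException: access denied (java.lang.RuntimePermission createClassLoader)
java.security.AccessControlException: access denied (java.io.FilePermission /tmp/surefire39246tmp read)
'''

if __name__ == "__main__":
    print(to_policy(parse_denials(SAMPLE_LOG), "file:/path/to/sca/-"))
```

The exception text names the permission but not the code base that lacked it, so the grant target still has to be chosen from the stack trace, and each generated line should be narrowed by hand before it goes into tuscany.policy.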
