Re: [OT] SecurityManager and Java Policy Files
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 All, I'm resurrecting this thread because I'd like to return my attention to running my webapp under a SecurityManager. On 3/25/2010 4:03 PM, Christopher Schultz wrote: This is off-topic in that it doesn't really have anything to do specifically with Tomcat, but I would be willing to bet that readers would be interested in the answer. Besides, the pool of brain cells available to this list is rather deep and I'd love an explanation of policies. I recently tried to set up Tomcat 6.x running under a SecurityManager. As I fell down the rabbit hole, I saw that lots of things needed to be granted to my code, which all makes sense in general. What I don't quite get is the hierarchy of checks that are done. Can anyone recommend any literature for understanding the Zen of Java's SecurityManager and, more specifically, how to properly write your application to operate under one? I'm looking for references that explain the interaction between the SecurityManager itself, the policy, signed code, and the use of AccessController/PrivilegedAction. Online resources and articles as well as dead trees would be fine. My Google-fu just isn't turning up anything relevant. I get either horribly technical specifications of things or trifles that just say run under a SecurityManager and everything will be secure!. Any help would be greatly appreciated. Thanks, - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkzbC3gACgkQ9CaO5/Lv0PASFwCeLUDSfK0n+jFbli4sqRRWPGEf avYAn0oksVC/YT1Gai/w936m2h7sp6eM =IPIw -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] SecurityManager and Java Policy Files
On 10/11/2010 21:15, Christopher Schultz wrote: I'm looking for references that explain the interaction between the SecurityManager itself, the policy, signed code, and the use of AccessController/PrivilegedAction. Online resources and articles as well as dead trees would be fine. My Google-fu just isn't turning up anything relevant. I get either horribly technical specifications of things or trifles that just say run under a SecurityManager and everything will be secure!. Any help would be greatly appreciated. I don't recall ever finding anything that useful. What I can do is condense my limited knowledge into a few lines that may help. For code to perform some actions (e.g. reading a file, exiting the JVM etc) it needs the associated permission when running under a security manager. The policy file handles mapping code to permissions. When code tries to perform a protected function then: - if no privileged block is present in the call stack then every class in the call stack must have the necessary permission - if a privileged block is present in the call stack then every class in the call stack from the class performing the action to the privileged block must have the necessary permission To take a specific example, consider the PersistentManager. It needs to read/write sessions from the file system, create objects, manipulate class loaders and a bunch of other stuff that requires permissions. Session loading/unloading can be triggered by a web application so it is possible for web app code to be in the call stack for a call to load(). Web apps have minimal permissions that do not include the permissions needed by the load() method. The PersistentManager class does have the necessary permissions. The load() method uses a privileged block so web apps can call the load() method without having the necessary permissions. To be secure the load() method has to make sure web apps can't trick it into doing something it shouldn't. Does that help? Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] SecurityManager and Java Policy Files
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Mark,
On 11/10/2010 4:29 PM, Mark Thomas wrote:
On 10/11/2010 21:15, Christopher Schultz wrote:
Any help would be greatly appreciated.
I don't recall ever finding anything that useful. What I can do is
condense my limited knowledge into a few lines that may help.
Thanks for confirming that I've found thus far: good references are
difficult to find.
For code to perform some actions (e.g. reading a file, exiting the JVM
etc) it needs the associated permission when running under a security
manager.
The policy file handles mapping code to permissions.
Check.
When code tries to perform a protected function then:
- if no privileged block is present in the call stack then every class
in the call stack must have the necessary permission
This is something that I've only recently realized. When I initially
tried to use a SecurityManaget, I found that I basically had to poke
holes in the policy for /everything/. What I wanted to do was restrict
certain code to, for instance, write to my log file(s) or to make a
connection to the database. Without a privileged block, I had to allow
just about all the code to make network connections because nearly any
code could call into a database routine which (of course), may create a
database connection on demand.
The privileged blocks appear to allow me to restrict the code that can
do that to a very specific set of classes -- ones that explicitly
attempt a privileged action using AccessController.
- if a privileged block is present in the call stack then every class in
the call stack from the class performing the action to the privileged
block must have the necessary permission
Gotcha.
To take a specific example, consider the PersistentManager. It needs to
read/write sessions from the file system, create objects, manipulate
class loaders and a bunch of other stuff that requires permissions.
Session loading/unloading can be triggered by a web application so it is
possible for web app code to be in the call stack for a call to load().
A good parallel to my JDBC connection example from above: any part of my
webapp can try to use my database services, yet those outside classes
shouldn't be able to directly make a database connection.
Web apps have minimal permissions that do not include the permissions
needed by the load() method. The PersistentManager class does have the
necessary permissions.
The load() method uses a privileged block so web apps can call the
load() method without having the necessary permissions. To be secure the
load() method has to make sure web apps can't trick it into doing
something it shouldn't.
Does that help?
Yes, very much.
To be explicit, if I want a class (say, DbStuff) to be able to make a
database connection yet prevent other classes from doing so, I need to
do something like this:
public class DbStuff
{
protected Connection getConnection()
{
Connection conn = null;
AccessController.doPrivileged(new PrivilegedActionConnection() {
public Connection run()
{
DataSource ds = // get from JNDI
return ds.getConnection();
}
});
}
public ListPerson getPeople()
{
Connection conn = null;
try {
conn = getConnection();
// SELECT * FROM people
return people;
}
}
}
public class MyTest
{
public static void main(String[] args)
{
new DbStuff().getPeople();
}
}
So, if I give access to connect, etc. in my policy file to the DbStuff
class, then DbStuff can use it's own getConnection method to obtain
database connections, but MyTest would be unable to, say, use
DriverManager to create a new connection to the database. Do I have that
right?
Thanks,
- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkzbEccACgkQ9CaO5/Lv0PDWjACfeLTFxPEbfW0uTrMEy8Iq5hQG
7i8An0wOcfuRTC9jAdOe0ZzL8UZHiAR9
=H6e3
-END PGP SIGNATURE-
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] SecurityManager and Java Policy Files
For debugging purposes, this http://blogs.sun.com/xuelei/entry/fine_granularity_diagnosis_on_security might be useful. And once you succeeded there's always room for improvement, e.g. http://tomcat.apache.org/tomcat-7.0-doc/security-manager-howto.html ;) Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] SecurityManager and Java Policy Files
On 10/11/2010 21:42, Christopher Schultz wrote:
To be explicit, if I want a class (say, DbStuff) to be able to make a
database connection yet prevent other classes from doing so, I need to
do something like this:
public class DbStuff
{
protected Connection getConnection()
{
Connection conn = null;
AccessController.doPrivileged(new PrivilegedActionConnection() {
public Connection run()
{
DataSource ds = // get from JNDI
return ds.getConnection();
}
});
}
public ListPerson getPeople()
{
Connection conn = null;
try {
conn = getConnection();
// SELECT * FROM people
return people;
}
}
}
public class MyTest
{
public static void main(String[] args)
{
new DbStuff().getPeople();
}
}
So, if I give access to connect, etc. in my policy file to the DbStuff
class, then DbStuff can use it's own getConnection method to obtain
database connections, but MyTest would be unable to, say, use
DriverManager to create a new connection to the database. Do I have that
right?
You do, but...
The way DbStuff is written I could extend it and call the protected
getConnection() method directly. You should probably make that method
private.
Mark
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] SecurityManager and Java Policy Files
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Konstantin,
On 3/29/2010 7:56 PM, Konstantin Kolinko wrote:
2010/3/25 Christopher Schultz ch...@christopherschultz.net:
I will try to be brief in my answers below, so please excuse some
apparent harshness.
(...)
In the Tomcat SecurityManager docs
(http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html),
most of the grants in the policy file do not have a codeBase.
Why are you looking there? The policy file cited there is
conf/catalina.policy. I would prefer the live copy over the paper.
(Though the doc should match the file).
It does, but I've found it's better to give list readers something to
click on instead of saying hey, get the latest Tomcat tarball and look
at the policy file included. I suppose I could have gotten the link
from svnweb, but, well, that takes a while, too.
By the way, I /have/ read
http://java.sun.com/j2se/1.5.0/docs/guide/security/PolicyFiles.html but
some things are still unclear.
Java 6 docs are below from here:
http://java.sun.com/javase/6/docs/technotes/guides/security/index.html
See also the following document there
http://java.sun.com/javase/6/docs/technotes/guides/security/spec/security-spec.doc.html
http://java.sun.com/javase/6/docs/technotes/guides/security/spec/security-specTOC.fm.html
I'll take a look at all of those. Thanks for the references.
it appears that the SecurityManager is enforcing
permissions along with the call chain...
It is documented in those specifications by Sun. It looks the call
chain up to the nearest AccessController.doPrivileged().
My question was this: is the immediate caller before the
AcessController.doPrivileged() the one checked, or is the /entire call
chain/ checked recursively? The small amount of evidence I've collected
leads me to that conclusion, and I'd like to be sure so that I can write
policy files without completely losing my sanity.
Third: doesn't this make performance really suck?
As with any performance question: test it yourself and for your own
application/environment. Only that will give you numbers.
Fair enough.
It may be that impact of those security checks is small compared to
other bottlenecks in one's application. Though, personally, I do not
like when a computer performs useless work.
This is what I was getting at, though in my current position, it pays to
have as many layers of (reasonable) security as possible. We do have
control over all the code, but I'd also like to make sure that a rogue
programmer/library or careless mistake doesn't really foul things up.
such as granting AllPermission to things like bootstrap.jar
That is determined by the task that this protection performs.
In general, the idea is that what is installed by administrator is
controlled and thus trusted, but the web applications themselves are
not trusted by default.
This was my real question here: is the codebase-less grant and the
granting of AllPermission just basically laziness on the part of the
policy writer? Or is there a real reason to grant /all/ privileges to
Tomcat.
Here's what's in the policy file (I refer you to the catalina.policy
file that ships with Tomcat 6.0.26 :) regarding the JDBC driver privileges:
// The permission granted to your JDBC driver
// grant codeBase
jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/- {
// permission java.net.SocketPermission
dbhost.mycompany.com:5432, connect;
// };
That shows the codebase of the driver's JAR being given a
SocketPermission. If my web application tried to create a JDBC
connection directly (that is, by not using Tomcat's connection pool),
would it fail? My experience with the logging framework suggests that it
would fail.
If I need to create a JDBC connection from within my webapp, do I have
to do something like this:
grant codeBase .../my-jdbc.jar { permission ... }
grant codeBase .../my-service.jar { permission ...}
grant codeBase webapps/mywebapp/WEB-INF/classes/- { permission ... }
all with the same permission so that this will work? If I want to get
really anal retentive, can I specify exactly which classes are allowed
to make new JDBC connections by setting this SocketPermission for each
one of them? That gives me great flexibility at the cost of a PITA when
writing my policy file... which is why I suspect people just say screw
it and do something like this:
grant {
permission SocketPermission ..., resolve, connect;
}
Thanks,
- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkuyceAACgkQ9CaO5/Lv0PAsvACdFJPEZRrT3ghZ+PbSGCJR6CIO
1q0An2nRvylFW++7ZOOvyuJbENRAnh4C
=gPID
-END PGP SIGNATURE-
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] SecurityManager and Java Policy Files
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Anyone?
On 3/25/2010 4:03 PM, Christopher Schultz wrote:
All,
This is off-topic in that it doesn't really have anything to do
specifically with Tomcat, but I would be willing to bet that readers
would be interested in the answer. Besides, the pool of brain cells
available to this list is rather deep and I'd love an explanation of
policies.
I recently tried to set up Tomcat 6.x running under a SecurityManager.
As I fell down the rabbit hole, I saw that lots of things needed to be
granted to my code, which all makes sense in general. What I don't quite
get is the hierarchy of checks that are done.
In the Tomcat SecurityManager docs
(http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html),
most of the grants in the policy file do not have a codeBase. Some of
them do, such as granting AllPermission to things like bootstrap.jar,
which presumably means that any class in bootstrap.jar can do anything
it wants.
By the way, I /have/ read
http://java.sun.com/j2se/1.5.0/docs/guide/security/PolicyFiles.html but
some things are still unclear.
Since I didn't feel like granting permission to, say, write to my
application log file, to the entire webapp, I chose to grant that
privilege only to my log4j.jar file and the classes therein:
grant codeBase jar:file:@app-dir@/WEB-INF/lib/log4j-1.2.15.jar!/- {
permission java.io.FilePermission @app-log-dir@/log4j.log, write;
permission java.util.PropertyPermission log4j.*, read;
};
(Don't worry about all that @app-dir@ junk: it points to the right place
eventually, and I didn't feel like replacing it with something plausible
for publication).
Anyhow, this would seem to work great, except that I also configure
commons-logging to use the log4j logger, and the commons-logging library
tries to initialize the log4j logger at some point, which throws
permission errors. Hmm. So, I tried adding this, too:
grant codeBase
jar:file:@app-dir@/WEB-INF/lib/commons-logging-1.1.1.jar!/- {
permission java.io.FilePermission @app-log-dir@/log4j.log, write;
permission java.util.PropertyPermission
org.apache.commons.logging.*, read;
permission java.util.PropertyPermission log4j.*, read;
};
That seemed to get me further through the process but then my own
application code was failing because... guess what? My code wasn't
allowed to call code that /was/ allowed to write to log4j.log. :(
Okay, fine:
grant codeBase file:@app-dir@/WEB-INF/classes/- {
permission java.io.FilePermission @app-log-dir@/log4j.log, write;
permission java.util.PropertyPermission
org.apache.commons.logging.*, read;
permission java.util.PropertyPermission log4j.*, read;
};
This seemed to make things happy again, as far as the log file was
concerned. There are other issues for me to deal with, but this example
is illustrative: it appears that the SecurityManager is enforcing
permissions along with the call chain, not just with the finest-grained
code being checked for its permissions.
First: do I have this right? The JVM makes sure that permissions are in
place for every class on the call stack when such permissions are
checked? I suppose that would make sense, because then you could say
well, my JDBC driver does the actual connecting to the database, but I
certainly don't want some rogue code in my webapp to create such a
connection... only allow Tomcat to create connections on my behalf.
Second - as a corollary to the first - is this why most examples of
policy grants simply say grant { whatever } to allow all code running
in the JVM to have that permission? Because the alternative is so
onerous that nobody wants to do it? Well, I kinda want to do it, so I
just want to know what the rules are.
Third: doesn't this make performance really suck?
Anyone who could shed some light on my understanding would certainly be
appreciated. I'm happy to read any references posted as well.
Thanks,
-chris
- -
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkuws9AACgkQ9CaO5/Lv0PAOwQCgj7lfQLwbrtTjWZtnDi3wlgDD
BHgAn27/t9LOKS3e/2oHRXYHOv3NcTvH
=vE96
-END PGP SIGNATURE-
-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: [OT] SecurityManager and Java Policy Files
From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: [OT] SecurityManager and Java Policy Files Anyone? Sorry, no time to chase it down. - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: [OT] SecurityManager and Java Policy Files
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Chuck, On 3/29/2010 10:08 AM, Caldarale, Charles R wrote: From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: [OT] SecurityManager and Java Policy Files Anyone? Sorry, no time to chase it down. I was counting on you, Chuck! ;) - -chris -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkuw7RUACgkQ9CaO5/Lv0PAwIACfWLvi+J42eE8cAra8dEaIoo84 vWQAnAgKCglPWmQ4SAhb5sAJbdMX4dg5 =7G3M -END PGP SIGNATURE- - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: [OT] SecurityManager and Java Policy Files
From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: [OT] SecurityManager and Java Policy Files I was counting on you, Chuck! ;) I've kept the message, and would like to research it for my own edification. We're about done with a release cycle here, so I'm hoping time will free up Real Soon Now. (Having to replace two tires and straighten two rims due to bloody Minnesota potholes isn't helping the time situation. At least it's not flooding.) - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
RE: [OT] SecurityManager and Java Policy Files
Hi, Chris- I don't remember the question exactly but in my experience I've had to grant permissions to all relevant jars that are not within a webapp and to the webapp. (Hopefully, this is at least in the right ballpark for your question.) -Terence Subject: RE: [OT] SecurityManager and Java Policy Files From: Caldarale, Charles R chuck.caldar...@unisys.com Date: Mon, 29 Mar 2010 09:08:39 -0500 To: Tomcat Users List users@tomcat.apache.org To: Tomcat Users List users@tomcat.apache.org From: Christopher Schultz [mailto:ch...@christopherschultz.net] Subject: Re: [OT] SecurityManager and Java Policy Files Anyone? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] SecurityManager and Java Policy Files
2010/3/25 Christopher Schultz ch...@christopherschultz.net: I will try to be brief in my answers below, so please excuse some apparent harshness. (...) In the Tomcat SecurityManager docs (http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html), most of the grants in the policy file do not have a codeBase. Why are you looking there? The policy file cited there is conf/catalina.policy. I would prefer the live copy over the paper. (Though the doc should match the file). most of the What you mean by most? Are you counting AllPermission as one versus all those in the by default grant block as many? By the way, I /have/ read http://java.sun.com/j2se/1.5.0/docs/guide/security/PolicyFiles.html but some things are still unclear. Java 6 docs are below from here: http://java.sun.com/javase/6/docs/technotes/guides/security/index.html See also the following document there http://java.sun.com/javase/6/docs/technotes/guides/security/spec/security-spec.doc.html http://java.sun.com/javase/6/docs/technotes/guides/security/spec/security-specTOC.fm.html it appears that the SecurityManager is enforcing permissions along with the call chain... It is documented in those specifications by Sun. It looks the call chain up to the nearest AccessController.doPrivileged(). http://java.sun.com/javase/6/docs/technotes/guides/security/spec/security-spec.doc4.html#24646 http://java.sun.com/javase/6/docs/api/java/security/AccessController.html Third: doesn't this make performance really suck? As with any performance question: test it yourself and for your own application/environment. Only that will give you numbers. It may be that impact of those security checks is small compared to other bottlenecks in one's application. Though, personally, I do not like when a computer performs useless work. such as granting AllPermission to things like bootstrap.jar That is determined by the task that this protection performs. In general, the idea is that what is installed by administrator is controlled and thus trusted, but the web applications themselves are not trusted by default. Also if the web applications are not trusted, it would make sense to limit their control over Tomcat settings, by setting deployXML=false on a Host. By the way, Mark's presentations from recent ApacheCons are here: http://people.apache.org/~markt/presentations/ Best regards, Konstantin Kolinko - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
