Wednesday, November 19, 2008

Use Security Manager to Control Java Web Application Behavior

In a Java web application server like Tomcat, we have the Tomcat container and multiple web applications running in the same JVM. It is thus very important to cut the unexpected interactions between applications and between applications and Tomcat. Ideally it is expected the behavior of one web application should not affect the behavior of other applications as well as Tomcat, in a bad way.

One of such unexpected interactions is caused by modifying shared classes and objects, for instance, changing system properties, changing system classes' behavior.

Tomcat 5.5's class loaders
are organised as:
      Bootstrap
|
System
|
Common
/ \
Catalina Shared
/ \
Webapp1 Webapp2 ...
Tomcat 6.0's class loaders are organised as:
      Bootstrap
|
System
|
Common
/ \
Webapp1 Webapp2 ...

In both cases, web applications and Tomcat share the classes managed by class loaders Bootstrap, System and Common.

Let's say one web application use the following code to tell Java runtime to use the XSLT implementation shipped with JDK.

System.setProperty("javax.xml.transform.TransformerFactory", "com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");

Other web applications may choose to use other XSLT implementations in a similar way. If a certain web application's correct behavior is depending on a particular XLST implementation, then we may get a problem, because System.setProperty("javax.xml.transform.TransformerFactory", ...) will change the JVM-wide XSLT implementation.

Therefore it is advisable to use Java security manager to control the permissions granted to web application code.

Note $CATALINA_HOME/bin/startup.sh does not start up a Tomcat with the security manager. To enable the security manager, use $CATALINA_HOME/bin/startup.sh -security. It will append "-Djava.security.manager -Djava.security.policy=..." to the JVM arguments.

A simple Java program testing security manager and policy file

public class SecurityManagerTest {
public static void main(String[] args) throws Exception {
System.setProperty("greeting", "hello world!");
System.out.println(System.getProperty("greeting"));
}
}

Run this program, you will see "hello world!" printed out.

Prepare a policy file called lab.policy:

grant {
permission java.util.PropertyPermission "*", "read";
};

It says any code can only read system properties, but not write.

By the way, the policy file can be created using policytool.

Then run the program like this:

java -Djava.security.manager -Djava.security.policy=lab.policy SecurityManagerTest

You will see an excpetion pop up:

Exception in thread "main" java.security.AccessControlException: access denied (java.util.PropertyPermission greeting write)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.System.setProperty(System.java:727)
at SecurityManagerTest.main(SecurityManagerTest.java:11)

See the security manager is working. It is important to give the right location for the policy file. Because when the security manager is enabled, by default no permission is granted. So any permission will be denied except those defined in the policy file. In case the policy file cannot be found, then the code is given no permission at all.

2 comments:

martinezbraceslv said...


Lets have a look at a recent news item that is quite
entertainmentbee.com
themoviesbio.com
petrefine.com

bmbstitch said...

Jean Muggli :- Jean Muggli came to popularity as the former wife of Michael Strahan, a retired professional American football player



Courtney Thorne-Smith :- Courtney Thorne-Smith is an American actress known for her multiple roles in some of the popular television series of all time.


Brooke Daniells :- Brooke Daniells is a popular and professional photographer from the United States of America


Simeon Panda :- Simeon Panda is a true role model for anyone who wishes to achieve success in the field of bodybuilding.

Faye Chrisley :- Faye Chrisley is an American reality TV star. She is well-known for playing Nanny in the American TV series Chrisley Knows Best.

Christi Pirro :- Christi Pirro is a lawyer and a law clerk. She is well-known as Jeanine Pirro’s daughter. Jeannie, her mother, is a TV broadcaster and writer.

Pokimane :- Pokimane is a famous Canadian twitch streamer and YouTuber. However, she is famous for her streaming on games. So, she mostly played two games