[wildfly-dev] my 2 cents on Security Manager discussion

Jason Greene jason.greene at redhat.com
Wed Apr 23 10:34:04 EDT 2014


On Apr 23, 2014, at 9:08 AM, arjan tijms <arjan.tijms at gmail.com> wrote:

> Hi,
> 
> On Wed, Apr 23, 2014 at 3:38 PM, Bill Burke <bburke at redhat.com> wrote:
> As much as we like to think the app server is an operating system, it
> isn't.  The app server isn't a place where untrusted apps run.
> 
> I'm a big fan of this view. I know that originally the AS may have been seen as a kind of OS for server apps, but in practice this just hasn't worked out. The protection model of the OS with its isolating processes is just much more powerful.
> 
> Running a single app per AS gives you better protection, even more if each AS runs inside its own virtual server (which makes it even easier to limit the CPU usage of individual apps). Additionally, a lot of problems associated with updating either the JVM, the entire AS, or one or more libraries of the AS just go away in the one-app-per-AS setup. Adam Bien wrote a good article about this: http://adam-bien.com/roller/abien/entry/why_not_one_application_per
> 
> I think Red Hat/JBoss shares the same belief. I mean, why else would OpenShift use SELinux to isolate apps and not just run a bunch of them on a single JBoss AS?

Yes, that is our recommended security model, and yes, that's precisely what we do on OpenShift, because otherwise one customer could potentially access another's data, which would be very, very bad :)

We do hope that one day a multi-tenant JVM will come around, since it would reduce the memory cost of multiple JVMs (base JVM heap + class code memory, which ideally you could share but currently can't), although this is only really a problem when you have thousands of instances on a box (i.e. you are running a PaaS).

--
Jason T. Greene
WildFly Lead / JBoss EAP Platform Architect
JBoss, a division of Red Hat
