[jboss-as7-dev] [JNDI] Secure the access to (local) JNDI tree through java permissions?

Lukas Krejci lkrejci at redhat.com
Thu Nov 1 12:37:13 EDT 2012 

Hi,

we're in the middle of porting RHQ/JBoss ON from JBoss AS 4.2.3 to JBoss AS 
7.1.1.

Among many other things we offer the ability to run user scripts (using a 
javax.script.ScriptEngine) inside the server. The scripts can access our APIs 
to perform various functions. But since they're essentially 3rd party, we want 
to execute them in a secured fashion. For that we run RHQ with a security 
manager (allowing all permissions by default) and when executing a script we 
do that in a separate access control context that limits what the code being 
executed can do (like it cannot shutdown the server using System.exit(), etc).

Among other things, we don't want the scripts to access our local EJBs because 
that would mean they would be able to access unsupported and possibly insecure 
APIs.

When RHQ ran on AS4, we solved the above problem by having our own 
IntialContextFactoryBuilder that essentially wrapped any javax.naming.Context 
in a wrapper that would check for a certain java Permission on lookup. All the 
"normal" code would have it, but the access control context the scripts run in 
would NOT have it. This would stop any attempt to do a (local) JNDI lookup 
with a SecurityException unless the JNDI lookup was performed using our 
"gateway" (that "published" only secure remote APIs and called them in a 
privileged action).

Now with AS7 I don't think the above is possible anymore. There is a 
org.jboss.as.naming.JndiPermission that would be ideal for our purposes but it 
is not being enforced when doing JNDI lookups of EJBs (as far as I could debug 
this is due to using ServiceBasedNamingStore for looking up EJBs, which 
doesn't do the check for the JndiPermission).

How would you go about implementing something like above? Would it even be a 
viable approach to take in AS7?

(One of the obvious solutions would be to implement the security check as an 
interceptor on the EJB calls but we tried to avoid that because that would be 
done on EVERY ejb call all the time, while the security check during the JNDI 
lookup phase would be done only once).

Thanks,

Lukas

More information about the jboss-as7-dev mailing list