[jboss-dev-forums] [PicketBox Development] - JBoss AS7: Security : Running under a Java Security Manager
Anil Saldhana
do-not-reply at jboss.com
Wed Dec 21 13:59:39 EST 2011
Anil Saldhana [http://community.jboss.org/people/anil.saldhana] created the document:
"JBoss AS7: Security : Running under a Java Security Manager"
To view the document, visit: http://community.jboss.org/docs/DOC-17431
--------------------------------------------------------------
This article will discuss ways by which you can run a JBoss AS 7.1 instance under the Java Security Manager.
h2. Prerequisites
A general understanding about configuring security permissions in a Java Security Manager policy file.
h2.
h2. Configuration
We need the following two mandatory system properties
1. -Djava.security.manager
2. -Djava.security.policy
The following is what I have at the end of the standalone.conf file
JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djboss.home.dir=$PWD/.. -Djava.security.policy==$PWD/server.policy -Djava.security.debug=failure"
Note here that I pass in the java.security.policy property a server.policy file that is in the bin directory. (I created the server.policy file)
h2.
h2. server.policy file
// ***************************************
// Trusted core Java code
//***************************************
grant codeBase "file:${java.home}/lib/ext/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/lib/*" {
permission java.security.AllPermission;
};
// For java.home pointing to the JDK jre directory
grant codeBase "file:${java.home}/../lib/*" {
permission java.security.AllPermission;
};
//********************************************
// Trusted core JBoss code
//********************************************
grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" {
permission java.security.AllPermission;
};
//********************************************
// Trusted JBoss AS Modules
//********************************************
grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/jmx/main/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/server/main/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/process-controller/main/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/controller/main/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/controller-client/main/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/connector/main/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/clustering/infinispan/main/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/deployment-repository/main/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/remoting/main/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/platform-mbean/main/-" {
permission java.security.AllPermission;
};
//********************************************
// Trusted JBoss Modules
//********************************************
grant codeBase "file:${jboss.home.dir}/modules/org/jboss/logmanager/main/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.home.dir}/modules/org/jboss/logmanager/log4j/main/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.home.dir}/modules/org/jboss/logging/main/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.home.dir}/modules/org/jboss/stdio/main/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.home.dir}/modules/org/jboss/msc/main/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.home.dir}/modules/org/jboss/threads/main/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.home.dir}/modules/org/jboss/vfs/main/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.home.dir}/modules/org/jboss/staxmapper/main/-" {
permission java.security.AllPermission;
};
//********************************************
// Trusted 3rd Party Modules
//********************************************
grant codeBase "file:${jboss.home.dir}/modules/org/apache/log4j/main/-" {
permission java.security.AllPermission;
};
h2.
h2. Troubleshooting
h3.
h3. I do not know how to debug the permission problems.
Add extra parameters to the -Djava.security.debug system property as shown below
JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djboss.home.dir=$PWD/.. -Djava.security.policy==$PWD/server.policy -Djava.security.debug=failure,access,policy"
When this happens, you will see errors such as following:
)
12:46:33,368 ERROR [stderr] policy: evaluation (codesource) failed
12:46:33,368 ERROR [stderr] access: domain that failed ProtectionDomain (jar:file:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.CR1-SNAPSHOT/modules/org/jboss/as/clustering/infinispan/main/jboss-as-clustering-infinispan-7.1.0.CR1-SNAPSHOT.jar!/ <no signer certificates>)
12:46:33,368 ERROR [stderr] ModuleClassLoader for Module "org.jboss.as.clustering.infinispan:main" from local module loader @3e89c3 (roots: /home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.CR1-SNAPSHOT/modules)
12:46:33,368 ERROR [stderr] <no principals>
12:46:33,368 ERROR [stderr] java.security.Permissions at 1f07597 (
12:46:33,368 ERROR [stderr] )
12:46:33,368 ERROR [stderr]
....
Caused by: java.security.AccessControlException: access denied (java.io.FilePermission /home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.CR1-SNAPSHOT/modules/org/apache/commons/pool/main/module.xml read)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323) [:1.6.0_23]
at java.security.AccessController.checkPermission(AccessController.java:546) [:1.6.0_23]
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532) [:1.6.0_23]
at java.lang.SecurityManager.checkRead(SecurityManager.java:871) [:1.6.0_23]
at java.io.File.exists(File.java:731) [:1.6.0_23]
at org.jboss.modules.LocalModuleLoader.findModule(LocalModuleLoader.java:121) [jboss-modules.jar:1.1.0.CR4]
at org.jboss.modules.ModuleLoader.loadModuleLocal(ModuleLoader.java:265) [jboss-modules.jar:1.1.0.CR4]
at org.jboss.modules.ModuleLoader.preloadModule(ModuleLoader.java:212) [jboss-modules.jar:1.1.0.CR4]
at org.jboss.modules.LocalModuleLoader.preloadModule(LocalModuleLoader.java:94) [jboss-modules.jar:1.1.0.CR4]
at org.jboss.modules.Module.addPaths(Module.java:790) [jboss-modules.jar:1.1.0.CR4]
at org.jboss.modules.Module.link(Module.java:997) [jboss-modules.jar:1.1.0.CR4]
at org.jboss.modules.Module.getPaths(Module.java:971) [jboss-modules.jar:1.1.0.CR4]
at org.jboss.modules.Module.getPathsUnchecked(Module.java:982) [jboss-modules.jar:1.1.0.CR4]
at org.jboss.modules.Module.loadModuleClass(Module.java:495) [jboss-modules.jar:1.1.0.CR4]
at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:182) [jboss-modules.jar:1.1.0.CR4]
at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:485) [jboss-modules.jar:1.1.0.CR4]
at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:444) [jboss-modules.jar:1.1.0.CR4]
at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:421) [jboss-modules.jar:1.1.0.CR4]
at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:143) [jboss-modules.jar:1.1.0.CR4]
at java.lang.ClassLoader.defineClass1(Native Method) [:1.6.0_23]
at java.lang.ClassLoader.defineClassCond(ClassLoader.java:632) [:1.6.0_23]
Here you have a security exception. The key is to look for the protection domain that failed.
In this example, the line that matters is:
access: domain that failed ProtectionDomain (jar:file:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.CR1-SNAPSHOT/modules/org/jboss/as/clustering/infinispan/main/jboss-as-clustering-infinispan-7.1.0.CR1-SNAPSHOT.jar!/ <no signer certificates>)
12:46:33,376 ERROR [stderr] ModuleClassLoader for Module "org.jboss.as.clustering.infinispan:main" from local module loader @3e89c3 (roots: /home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.CR1-SNAPSHOT/modules)
12:46:33,376 ERROR [stderr] <no principals>
12:46:33,376 ERROR [stderr] java.security.Permissions at 1b8119a (
12:46:33,376 ERROR [stderr] )
So basically we are looking at
jar:file:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.CR1-SNAPSHOT/modules/org/jboss/as/clustering/infinispan/main/jboss-as-clustering-infinispan-7.1.0.CR1-SNAPSHOT.jar!/
For this reason, I added the following into the server.policy file:
grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/clustering/infinispan/main/-" {
permission java.security.AllPermission;
};
This statement block gives all permissions to the jars that exist in the main directory of the module "org.jboss.as.clustering.infinispan"
In an ideal world, you would like to qualify the statement block with permissions such as SocketPermission, RuntimePermission etc rather than a AllPermission.
--------------------------------------------------------------
Comment by going to Community
[http://community.jboss.org/docs/DOC-17431]
Create a new document in PicketBox Development at Community
[http://community.jboss.org/choose-container!input.jspa?contentType=102&containerType=14&container=2088]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/jboss-dev-forums/attachments/20111221/5555dccf/attachment.html
More information about the jboss-dev-forums
mailing list