[wildfly-dev] my 2 cents on Security Manager discussion

Anil Saldhana Anil.Saldhana at redhat.com
Mon Apr 21 14:29:09 EDT 2014


On 04/19/2014 12:43 PM, arjan tijms wrote:
> Hi,
>
> Just wondering, but what is the primary use case for a security 
> manager server side?
>
> While the model obviously makes sense for Applets and Webstart where 
> untrusted code is executed on the user's machine, I found it to be 
> extremely rare for a server to run untrusted code. In fact, I don't 
> think I've ever seen this situation.
I agree with what you are saying. Unfortunately there are a handful of 
users/developers/sys-admins who are required to run the JVM under the 
JSM. It might be corporate policy or compliance, etc.
Luckily they are a minority. They always pinpoint if there are any 
particular permissions failing under the JSM.

The JSM was really invented around the applet era and has really not 
seen any major adaptation/overhaul for the s/w industry growth.

>
> There's maybe a case to prevent privilege escalation in case of a 
> legitimate app being hacked, but in practice it doesn't look like a 
> security manager is really being used a lot for that, is it? Instead 
> the default thing to do there seems to be to run the AS under a user 
> with limited rights on the host OS and/or use things like SELinux or 
> Virtual Servers (e.g. XEN) to isolate the complete AS.
>
> Kind regards,
> Arjan Tijms
>
> On Sat, Apr 19, 2014 at 1:53 AM, Jason T. Greene <jgreene at redhat.com 
> <mailto:jgreene at redhat.com>> wrote:
>
>     Sent from my iPhone
>
>     > On Apr 18, 2014, at 5:50 PM, Stuart Douglas
>     <stuart.w.douglas at gmail.com <mailto:stuart.w.douglas at gmail.com>>
>     wrote:
>     >
>     > Enabling the security manager by default is a terrible idea.
>
>     +1000