A security manager is a class that is or extends java.lang.SecurityManager, and which checks certain application actions for permissibility during runtime. Once under the control of a security manager, the application can only perform actions that are specifically allowed by an associated security policy. By default that policy is specified in a plaintext policy file. The actions in question include writing files to specific directories, writing system properties, and making network connections to specific hosts, to name only a few. It takes no more than a simple JVM command line option to force a Java application to run under a security manager, and the policy file is easily created with any text editor. While editing such a security policy file and adding the various rules of interest is not difficult, getting the policy right can be more challenging. And although no one can get that policy right for us, we can use tools to help us understand what that policy should be. Developing and using such a tool is what we are about to undertake. And once we have the broad, fine-grained policy it discovers, we can use it as a starting point in developing a production runtime policy or simply study it to better understand and appreciate our application's security needs.By using the profiling security manager and a simple perl script presented in the article, developers can run a Java application, and then use the generated policy file to modify the production security policy in such a way that the code is "safe." This isn't a guarantee, of course - if the policy generation phase does some intrinsically insecure things, then the generated policy file might allow those same insecure elements in production - hardly a desirable outcome. However, it highlights something that can help with some slight human intervention, and given how many toolkits modify classes at runtime (and violate the normal security policies in the process) a tool like this is much welcomed.
OnJava has published Mark Petrovic's "Discovering a Java Application's Security Requirements," an article that presents a security manager that tracks security requests in development mode, to make writing security policies easier for a production server. Considering how many sites turn off security due to the difficulty of getting the policies right, this is a needed article.
- Posted by: Joseph Ottinger
- Posted on: January 04 2007 10:15 EST
- Re: Discovering a Java Application's Security Requirements by Marius Danciu on January 05 2007 04:41 EST
This profiling probably won't work if the program in using AccessController.checkPermission() ... instead of SecurityManager. After all SecurityManager check permission just calls AccessController.checkPermission.
It's a good article - anything that throws some light on the 'black box' of JVM security is good. Most developers only come across the security manager when their classloading fails, and even then it is to turn off the security checks. Paul , Technology in Plain English