java security manager reloaded - devoxx 2014
DESCRIPTION
Slides for my Devoxx tools-in-action speech. Basics of Java Security Manager are covered there. A new library called pro-grade which helps to keep your life with java security easy is introduced.TRANSCRIPT
![Page 1: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/1.jpg)
#Devoxx #jsm-reloaded @jckwart
Java Security Manager Reloaded
Josef CacekSenior Quality EngineerRed Hat / JBoss
![Page 2: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/2.jpg)
#Devoxx #jsm-reloaded @jckwart
Agenda
● Java Security Manager– quickstart
– issues
● Reloaded– there is an easier way
– pro-grade library
![Page 3: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/3.jpg)
#Devoxx #jsm-reloaded @jckwart
Do you run
?
![Page 4: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/4.jpg)
#Devoxx #jsm-reloaded @jckwart
Do you run
apps with Java Security Manager
?
![Page 5: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/5.jpg)
#Devoxx #jsm-reloaded @jckwart
You should be affraid
You are treatened!
![Page 6: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/6.jpg)
#Devoxx #jsm-reloaded @jckwart
Threats
● bugs in libraries– lazy programmers
● hidden features– evil programmers
● man-in-the-middle– The Hackers
![Page 7: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/7.jpg)
#Devoxx #jsm-reloaded @jckwart
Java has a solution
![Page 8: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/8.jpg)
#Devoxx #jsm-reloaded @jckwart
Java Security Manager (JSM)
checks if the caller has permissionsto run protected actions.
![Page 9: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/9.jpg)
#Devoxx #jsm-reloaded @jckwart
Terminology
Security Manager
Policy
Permissions
enforces
Sensitive code calls extends java.lang.SecurityManager
extends java.security.Policy
extends java.security.Permission
![Page 10: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/10.jpg)
#Devoxx #jsm-reloaded @jckwart
SecurityManager sm = System.getSecurityManager();
if (sm != null) sm.checkPermission( new org.jboss.SimplePermission("getCache"));
Example: Sensitive code calling JSM
![Page 11: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/11.jpg)
#Devoxx #jsm-reloaded @jckwart
SecurityManager sm = System.getSecurityManager();
if (sm != null) sm.checkPermission( new org.jboss.SimplePermission("getCache"));
Example: Sensitive code calling JSM
AccessControl
Exception
![Page 12: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/12.jpg)
#Devoxx #jsm-reloaded @jckwart
Policy
● keeps which protected actions are allowed – No action by default
● defined in policy file
● grant entries assigns Permissions to
– code path [codeBase]
– signed classes [signedBy]
– authenticated user [principal]
![Page 13: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/13.jpg)
#Devoxx #jsm-reloaded @jckwart
keystore "/opt/redhat.keystore";
grant { permission java.io.FilePermission "/tmp/-", "read,write";};
grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" { permission java.lang.RuntimePermission "getStackTrace"; permission java.util.PropertyPermission "*", "read,write";};
grant signedBy "jboss" { permission java.security.AllPermission;};
Example: Policy file
![Page 14: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/14.jpg)
#Devoxx #jsm-reloaded @jckwart
keystore "/opt/redhat.keystore";
grant { permission java.io.FilePermission "/tmp/-", "read,write";};
grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" { permission java.lang.RuntimePermission "getStackTrace"; permission java.util.PropertyPermission "*", "read,write";};
grant signedBy "jboss" { permission java.security.AllPermission;};
Example: Policy file
![Page 15: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/15.jpg)
#Devoxx #jsm-reloaded @jckwart
keystore "/opt/redhat.keystore";
grant { permission java.io.FilePermission "/tmp/-", "read,write";};
grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" { permission java.lang.RuntimePermission "getStackTrace"; permission java.util.PropertyPermission "*", "read,write";};
grant signedBy "jboss" { permission java.security.AllPermission;};
Example: Policy file
![Page 16: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/16.jpg)
#Devoxx #jsm-reloaded @jckwart
keystore "/opt/redhat.keystore";
grant { permission java.io.FilePermission "/tmp/-", "read,write";};
grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" { permission java.lang.RuntimePermission "getStackTrace"; permission java.util.PropertyPermission "*", "read,write";};
grant signedBy "jboss" { permission java.security.AllPermission;};
Example: Policy file
![Page 17: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/17.jpg)
#Devoxx #jsm-reloaded @jckwart
Permission
● represents access right to a protected action● has a type and target● may have actions
● java.lang.AllPermission – unrestricted access to all resources
– automatically granted to system classes
![Page 18: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/18.jpg)
#Devoxx #jsm-reloaded @jckwart
● App [app.jar] → Utils [app-lib.jar]→ FileReader(“/etc/passwd”)
Example: Read a file
![Page 19: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/19.jpg)
#Devoxx #jsm-reloaded @jckwart
Exception in thread "main" java.security.AccessControlException: access denied ("java.io.FilePermission" "/etc/passwd" "read") at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372) at java.security.AccessController.checkPermission(AccessController.java:559) at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) at java.lang.SecurityManager.checkRead(SecurityManager.java:888) at java.io.FileInputStream.<init>(FileInputStream.java:135) at java.io.FileInputStream.<init>(FileInputStream.java:101) at java.io.FileReader.<init>(FileReader.java:58) at org.jboss.shared.Utils.getUserListInternal(Utils.java:36) at org.jboss.shared.Utils.getUsersList(Utils.java:28) at org.jboss.test.App.run(App.java:35) at org.jboss.test.App.main(App.java:28)
Example: Read a file
● App [app.jar] → Utils [app-lib.jar]→ FileReader(“/etc/passwd”)
system classes
app-lib.jar
app.jar
![Page 20: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/20.jpg)
#Devoxx #jsm-reloaded @jckwart
Exception in thread "main" java.security.AccessControlException: access denied ("java.io.FilePermission" "/etc/passwd" "read") at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372) at java.security.AccessController.checkPermission(AccessController.java:559) at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) at java.lang.SecurityManager.checkRead(SecurityManager.java:888) at java.io.FileInputStream.<init>(FileInputStream.java:135) at java.io.FileInputStream.<init>(FileInputStream.java:101) at java.io.FileReader.<init>(FileReader.java:58) at org.jboss.shared.Utils.getUserListInternal(Utils.java:36) at org.jboss.shared.Utils.getUsersList(Utils.java:28) at org.jboss.test.App.run(App.java:35) at org.jboss.test.App.main(App.java:28)
Example: Read a file
● App [app.jar] → Utils [app-lib.jar]→ FileReader(“/etc/passwd”)
system classes
app-lib.jar
app.jar
![Page 21: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/21.jpg)
#Devoxx #jsm-reloaded @jckwart
Exception in thread "main" java.security.AccessControlException: access denied ("java.io.FilePermission" "/etc/passwd" "read") at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372) at java.security.AccessController.checkPermission(AccessController.java:559) at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) at java.lang.SecurityManager.checkRead(SecurityManager.java:888) at java.io.FileInputStream.<init>(FileInputStream.java:135) at java.io.FileInputStream.<init>(FileInputStream.java:101) at java.io.FileReader.<init>(FileReader.java:58) at org.jboss.shared.Utils.getUserListInternal(Utils.java:36) at org.jboss.shared.Utils.getUsersList(Utils.java:28) at org.jboss.test.App.run(App.java:35) at org.jboss.test.App.main(App.java:28)
Example: Read a file
● App [app.jar] → Utils [app-lib.jar]→ FileReader(“/etc/passwd”)
system classes
app-lib.jar
app.jar
![Page 22: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/22.jpg)
#Devoxx #jsm-reloaded @jckwart
Exception in thread "main" java.security.AccessControlException: access denied ("java.io.FilePermission" "/etc/passwd" "read") at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372) at java.security.AccessController.checkPermission(AccessController.java:559) at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) at java.lang.SecurityManager.checkRead(SecurityManager.java:888) at java.io.FileInputStream.<init>(FileInputStream.java:135) at java.io.FileInputStream.<init>(FileInputStream.java:101) at java.io.FileReader.<init>(FileReader.java:58) at org.jboss.shared.Utils.getUserListInternal(Utils.java:36) at org.jboss.shared.Utils.getUsersList(Utils.java:28) at org.jboss.test.App.run(App.java:35) at org.jboss.test.App.main(App.java:28)
Example: Read a file
● App [app.jar] → Utils [app-lib.jar]→ FileReader(“/etc/passwd”)
system classes
app-lib.jar
app.jar
![Page 23: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/23.jpg)
#Devoxx #jsm-reloaded @jckwart
JSM quickstart
● set java.security.manager system property– no value → default implementation
– class name → custom SecurityManager implementation
● set java.security.policy system property– path to text file with permission mappings
● set java.security.debug system property (optional)
![Page 24: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/24.jpg)
#Devoxx #jsm-reloaded @jckwart
java \ -Djava.security.manager \ -Djava.security.policy=/opt/jEdit/jEdit.policy \ -Djava.security.debug=access:failure \ -jar /opt/jEdit/jedit.jar /etc/passwd
Example: Run Application with JSM enabled
![Page 25: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/25.jpg)
#Devoxx #jsm-reloaded @jckwart
Protect your systems
Use Java Security Manager!
![Page 26: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/26.jpg)
#Devoxx #jsm-reloaded @jckwart
However ...
![Page 27: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/27.jpg)
#Devoxx #jsm-reloaded @jckwart
JSM issues - #1 performance
![Page 28: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/28.jpg)
#Devoxx #jsm-reloaded @jckwart
JSM issues - #2 policy file tooling
![Page 29: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/29.jpg)
#Devoxx #jsm-reloaded @jckwart
JSM Reloaded
pro-grade library
Set of SecurityManager and Policy implementations.
![Page 30: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/30.jpg)
#Devoxx #jsm-reloaded @jckwart
pro-grade library
● Java Security Manager made easy(ier)● authors
– Ondřej Lukáš
– Josef Cacek
● Apache License
http://pro-grade.sourceforge.net/
![Page 31: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/31.jpg)
#Devoxx #jsm-reloaded @jckwart
pro-grade components
#1 policy with deny entries
#2 policy file generator
#3 missing permissions debugger
![Page 32: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/32.jpg)
#Devoxx #jsm-reloaded @jckwart
#1 pro-grade policy with deny rules
● “subtracting” permissions from the granted ones● helps to decrease count of mapped permissions
Policy Rules Of Granting And DEnying
GRANT
DENY
![Page 33: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/33.jpg)
#Devoxx #jsm-reloaded @jckwart
// grant full access to /tmp foldergrant { permission java.io.FilePermission "/tmp/-", "read,write";};
// deny write access to the static subfolder of /tmpdeny { permission java.io.FilePermission "/tmp/static/-", "write";};
#1 pro-grade policy with deny rules
● “subtracting” permissions from the granted ones● helps to decrease count of mapped permissions
![Page 34: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/34.jpg)
#Devoxx #jsm-reloaded @jckwart
#2 pro-grade policy file generator
● policytool on (a)steroids ● No GUI is better than any GUI!
● doesn't throw theAccessControlException
![Page 35: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/35.jpg)
#Devoxx #jsm-reloaded @jckwart
#3 pro-grade permissions debugger
● prints info about missing permissions to error stream without stopping application
>> Denied permission java.io.FilePermission "/etc/passwd", "read";>>> CodeSource: (file:/tmp/app-lib.jar <no signer certificates>)
![Page 36: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/36.jpg)
#Devoxx #jsm-reloaded @jckwart
DemoSecurity policy for Java EE server
in 3 minutes.
![Page 37: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/37.jpg)
#Devoxx #jsm-reloaded @jckwart
Use Java Security Manager!
![Page 38: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/38.jpg)
#Devoxx #jsm-reloaded @jckwart
Use Java Security Manager!
![Page 39: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/39.jpg)
#Devoxx #jsm-reloaded @jckwart
Use Java Security Manager!
Make it easy with pro-grade
![Page 40: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/40.jpg)
#Devoxx #jsm-reloaded @jckwart
pro-grade fighting JSM issues
● performance→ deny rules helps
● policy file tooling → generator – fully automated→ debugger – quick check what's missing
![Page 41: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/41.jpg)
#Devoxx #jsm-reloaded @jckwart
Thank you. Questions?
@jckwart
http://javlog.cacek.cz
http://pro-grade.sourceforge.net
http://github.com/pro-grade/pro-grade
![Page 42: Java Security Manager Reloaded - Devoxx 2014](https://reader034.vdocument.in/reader034/viewer/2022052508/5598f4d81a28ab6e278b457d/html5/thumbnails/42.jpg)
#Devoxx #jsm-reloaded @jckwart
Credits
public domain images – pixabay.com
public domain drawings – openclipart.org