geronimo-dev mailing list archives

From "hbaxmann" <hol...@bitwind.org>
Subject AW: [proactive] AW: secure pot for geronimo JVM
Date Wed, 02 Jun 2004 15:28:26 GMT

> First, sorry for the delay, I was very busy these last days.
> 

Thanks a lot, Arnaud, for your frank answer. 

> About the StartSecureNode script and associated classes:
>   they were used for tests during pre-release, they should have been 
>   removed in the release but the script was not removed ...
> 

Had hoped this would not be true ..

> The actual, full fledged, way to use security features is 
> through deployment descriptor (in XML):
>   A secure node can only be created within java code, but not 
>   with a script in the current release.
> 

Ok. Usual way.

> Reminders of the main ProActive concepts for deployment:
>   - a JVM with a ProActive runtime is called: a ProActive 
>     RunTime (PaRT)
>   - a PaRT can have its own security policy
>   - a PaRT can host several Nodes at execution
>   - each Node can also have its own security policy (of 
>     course hierarchically linked to its PaRT).
> 
> We are not exactly sure about what you need. We believe there 
> are 2 cases:
> 
> 1. You want to launch a secured JVM with a given application 
> or container
>    in it:
>    just write a Java class that uses a ProActive XML descriptor to 
>    specify the security policy you want. Then start your own code.
> 

Not at the very moment.

> 2. You want to launch an empty secured JVM, for later on 
>    starting dynamically and securely applications in it:
>    This cannot be done directly in the current release, we 
>    are working on it. 

Yes. Not necessarily empty, but if we could run Geronimo - it will be
sufficient ;-)

>    (Currently, it can be achieved but with a small ProActive program 
>    in the supposed to be empty PaRT.)
>    

This seems contradictory to me. I do not understand this. Are there
examples elsewhere? You could start a JVM which is then secured (back in
time) by a loaded class? The snake biting its tail.

What I mean is: how could we handle:

java -Djava.security.manager -jar server.jar

with all consequences, you know ?

> Let us know some details about your plans and expectations, so we can 
> provide effective support.
> 

Because of the default (boring) java.policy and the accompanying:

grant {
	permission java.security.AllPermission;
};

in many, many *.policy files (have fun with your 'grep' :) implementations.
There is at least the who-not-be-named I know of.

I am looking for a diametrical implementation.

A) The above means: "All is allowed, what not explicitly verboten is."
(Microsoft approach in the good old days of networking, the democratic way
;-)

B) Java's default is (and crippled by the above statement in *.policy): "All
is verboten, what not explicitly allowed is." (Novell approach wrt the
above, the secure way)

I know it is necessary to have a concept and management in place to handle
B), but A) is even harder to secure, because everything may happen and one
may not even know about it. IMHO: it is more work _in_the_long_run_ to
prevent 1000 single things and their dependencies, than to make them
impossible once and track the trials and allow them.

So I am on the way to find an implementation of the bunches of millions of
papers about the java.security.manager usage and the arising (dynamic ?)
java.security permissions.

hopeless

bax

> Regards
> Arnaud
> 
> hbaxmann wrote:
> 
> >> Ok, let's do it the TOFU way  ;-)
> >> 
> >> Sorry for being so stupid not answering all ...
> >> 
> >> The security reminds me on the good old e-speak days and the PSE
> >> (PersonalSecureEnvironment) of HP. This stuff is kind of 
> alive still 
> >> on the web at http://bazaar.sis.pitt.edu/. Could be an alternative 
> >> for the subject, if everything else fails ...
> >> 
> >> thanks a lot
> >> 
> >> bax
> >> 
> >> 
> >
> >>>>Got it  :-)
> >>>>
> >>>>The class referenced by the StartSecureNode script is
> >>>>missing. 
> >>>>
> >>>>I CC the proactive list to make sure they see your
> >>>>post.
> >>>>
> >>>>thanks,
> >>>>Christophe
> >>>>
> >>>>
> >>
> >>>>>>-----Original Message-----
> >>>>>>From: hbaxmann [mailto:holger@bitwind.org]
> >>>>>>Sent: mardi 1 juin 2004 21:27
> >>>>>>To: dev@geronimo.apache.org
> >>>>>>Subject: AW: secure pot for geronimo JVM
> >>>>>>
> >>>>>>
> >>>>>>Hi Christophe,
> >>>>>>
> >>>>>>
> >>>
> >>>>>>>>Holger,
> >>>>>>>>
> >>>>>>>>ProActive is an open source project from the INRIA/OASIS lab, 
> >>>>>>>>the source is available in the download. It is very high tech 
> >>>>>>>>project that resulted from research work conducted by the OASIS 
> >>>>>>>>group, but the code base has been broadly deployed, and the 
> >>>>>>>>software is now quite mature (see project docs)
> >>>>>>>>
> >>>
> >>>>>>
> >>>>>>It is ... as far as I could see ... beautiful  :)
> >>>>>>
> >>>>>>
> >>>
> >>>>>>>>As you can imagine, this kind of project is really driven by a
> >>>>>>>>single team and CVS was not very attractive to them as they were 
> >>>>>>>>refactoring quite a lot. SVN is what they need, so we are 
> >>>>>>>>setting it up  (does this ring any bell?  :-)  )
> >>>>>>>>
> >>>
> >>>>>>
> >>>>>>All of them.
> >>>>>>What is the URL?
> >>>>>>
> >>>>>>
> >>>
> >>>>>>>>Looking at security, ObjectWeb would be very happy to set-up 
> >>>>>>>>collaboration on Security with Apache, and we should be able to 
> >>>>>>>>accommodate licensing for the parts that are of common interest 
> >>>>>>>>(change to BSD is what we have already been able to achieve for 
> >>>>>>>>ASM and JOTM).
> >>>>>>>>
> >>>
> >>>>>>
> >>>>>>This does not solve my
> >>>>>>can-not-find-StartSecureNode-in-source-download
> >>>>>>problem, or did I not get it.
> >>>>>>
> >>>>>>I am one of these Germans, you know.
> >>>>>>
> >>>>>>bax
> >>>>>>
> >>>>>>
> >>>
> >>>>>>>>Thanks,
> >>>>>>>>Christophe
> >>>>>>>>
> >>>>>>>>Christophe Ney
> >>>>>>>>Executive Director
> >>>>>>>>ObjectWeb Consortium
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>
> >>>>>>>>>>-----Original Message-----
> >>>>>>>>>>From: Holger Baxmann [mailto:baxmann@mac.com]
> >>>>>>>>>>Sent: lundi 31 mai 2004 23:31
> >>>>>>>>>>To: dev@geronimo.apache.org
> >>>>>>>>>>Subject: secure pot for geronimo JVM
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>Is anybody aware of the ProActive project?
> >>>>>>>>>>
> >>>>>>>>>>http://www-sop.inria.fr/oasis/ProActive/
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>http://www-sop.inria.fr/oasis/ProActive/doc/api/org/objectweb/proactive/doc-files/Security.html
> >>>>>>>>
> >>>>>>>>I am on the way to evaluate it for having a secure, signed,
> >>>>>>>>non-vandalising wrapper to have either a paranoid 
> >>>>>>>>SecurityManager environment or the default open-door startup 
> >>>>>>>>environment for gero.
> >>>>>>>>
> >>>>>>>>Especially StartSecureNode could not be found by me in the
> >>>>>>>>(LGPLed) source downloads. AFAIK anonymous cvs is not available.
> >>>>>>>>
> >>>>>>>>Package names start with org.objectweb - so I was thinking ...
> >>>>>>>>
> >>>>>>>>thanks a lot
> >>>>>>>>
> >>>>>>>>bax
> >>>>>>>>
> >>>>>>>>
> >>>
> >>>>>>
> >>>>>>
> >
> 
> 
> 
> -- 
> 
> --------------------------------------------------------------------
> Arnaud CONTES - Projet OASIS: joint project CNRS-UNSA-INRIA
> PhD Student
> Arnaud.Contes@sophia.inria.fr      | INRIA Sophia-Antipolis
> Tel    +33 4 92 38 71 62           | 2004, Route des Lucioles
> Fax    +33 4 92 38 76 44           | BP 93
>                                    | FR-06902 Sophia-Antipolis Cedex
> --------------------------------------------------------------------
> 
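As an added example (not code from this thread, from ProActive or from Geronimo), a small Python audit script for the "have fun with your 'grep'" point in bax's mail: it parses the grant blocks of a Java policy file and reports every grant of java.security.AllPermission, telling an unscoped grant (which applies to all code, case A above) apart from one restricted by codeBase or signedBy. The embedded policy is constructed; the parser is minimal and assumes no ${...} property expansion in grant headers.

```python
import re

# Constructed sample, not a real JDK or Geronimo policy file: the
# allow-everything grant quoted in the mail next to a deny-by-default
# style entry that grants one code base only what it needs.
SAMPLE_POLICY = """
// constructed example policy
grant {
    permission java.security.AllPermission;
};
grant codeBase "file:/opt/geronimo/lib/-" {
    permission java.io.FilePermission "/opt/geronimo/var/-", "read,write";
    permission java.net.SocketPermission "localhost:1024-", "listen";
};
"""
# A grant block is 'grant <header> { <permissions> };'; the header may carry
# codeBase and/or signedBy. No ${...} property expansion is handled here.
GRANT_RE = re.compile(r'grant\b([^{]*)\{(.*?)\};', re.S)
PERM_RE = re.compile(
    r'permission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;')

def strip_comments(text):
    """Drop /* */ and whole-token // comments; '//' inside a URL is kept."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(^|\s)//[^\n]*', r'\1', text)

def parse_grants(text):
    """One dict per grant block: codeBase, signedBy, (name, target, actions)."""
    grants = []
    for m in GRANT_RE.finditer(strip_comments(text)):
        header, body = m.group(1), m.group(2)
        code_base = re.search(r'codeBase\s+"([^"]*)"', header)
        signed_by = re.search(r'signedBy\s+"([^"]*)"', header)
        grants.append({
            "codeBase": code_base.group(1) if code_base else None,
            "signedBy": signed_by.group(1) if signed_by else None,
            "permissions": [(p.group(1), p.group(2), p.group(3))
                            for p in PERM_RE.finditer(body)]})
    return grants

def find_all_permission(grants):
    """Flag AllPermission grants; an unscoped one applies to every class."""
    return [{"codeBase": g["codeBase"], "signedBy": g["signedBy"],
             "unscoped": g["codeBase"] is None and g["signedBy"] is None}
            for g in grants
            if any(n == "java.security.AllPermission"
                   for n, _, _ in g["permissions"])]
```

Running find_all_permission over the parsed sample flags only the first block, the unscoped one; the scoped second block is reported as what a policy in style B looks like.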

