openwebbeans-user mailing list archives

From Gernot <gern...@nurfuerspam.de>
Subject Re: PropertyPermission - Security Manager
Date Wed, 23 Nov 2011 09:54:41 GMT
Thank you for answering.

Why don't you use System.getProperty()? - and everything works fine with
"read" permission.
I do not see any need to iterate over all possible properties set in the
JVM in OWB.

We've enabled SecurityManager for 10 years and we are running internally
built applications but also lots of externally built applications (about 50
tomcats, with up to 20 applications each). So we have the need to separate
applications. And all libraries we used support SecurityManager stuff well.
If you only deploy own applications - do you really know them all exactly?
;-) - it is at least another boundary for intruders and an additional
limitation of configuration errors.

Gernot

2011/11/22 Mark Struberg <struberg@yahoo.de>

>
>
> Hi Gernot!
>
> I fear there is nothing we can do against this in OWB. The Javadoc of
> System#getProperties says that checkPropertiesAccess is used [1].
>
> > This method is used by the getProperties and
> > setProperties methods of class System.
> > This method calls checkPermission with the
> > PropertyPermission("*", "read,write") permission.
>
>
> Btw, if you don't plan to execute foreign wars on your box, then enabling
> the SecurityManager will just cause unnecessary pain and performance
> decrease. This stuff originally got invented solely for sandboxing Java
> applets in browsers and later got abused for EE Server security in big data
> centers to keep externally built applications under control. But it's really
> not of much use if you know the software you like to run on your boxes.
>
>
> LieGrue,
> strub
>
> [1]
> http://download.oracle.com/javase/1.4.2/docs/api/java/lang/SecurityManager.html#checkPropertiesAccess%28%29
>
>
>
> >________________________________
> > From: Gernot <gernot_@nurfuerspam.de>
> >To: user@openwebbeans.apache.org
> >Sent: Tuesday, November 22, 2011 5:10 PM
> >Subject: PropertyPermission - Security Manager
> >
> >
> >I like to run my JSF2/CODI/OWB app in Tomcat 7 with security manager
> enabled, then I get an error (stacktrace see below) that
> java.util.PropertyPermission * read,write is missing. "read" permission is
> OK, but I'm wondering OWB needs WRITE permission?!
> >
> >Why? What does it write?
> >
> >In my opinion it seems not to be ok that webapplications require property
> write permissions, because this will have side effects to other
> applications installed in the same tomcat!!
> >
> >How can I prevent OWB to force property write permissions.
> >
> >Thx
> >gernot
> >
> >
> >org.apache.catalina.core.StandardContext listenerStart
> >SEVERE: Error configuring application listener of class
> org.apache.webbeans.servlet.WebBeansConfigurationListener
> >java.security.AccessControlException: access denied
> (java.util.PropertyPermission * read,write)
> >    at
> java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
> >    at
> java.security.AccessController.checkPermission(AccessController.java:546)
> >    at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> >    at
> java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1252)
> >    at java.lang.System.getProperties(System.java:580)
> >    at
> org.apache.webbeans.config.OpenWebBeansConfiguration$1.run(OpenWebBeansConfiguration.java:235)
> >    at
> org.apache.webbeans.config.OpenWebBeansConfiguration$1.run(OpenWebBeansConfiguration.java:231)
> >    at java.security.AccessController.doPrivileged(Native Method)
> >    at
> org.apache.webbeans.config.OpenWebBeansConfiguration.doPrivilegedGetSystemProperties(OpenWebBeansConfiguration.java:229)
> >    at
> org.apache.webbeans.config.OpenWebBeansConfiguration.loadFromSystemProperties(OpenWebBeansConfiguration.java:167)
> >    at
> org.apache.webbeans.config.OpenWebBeansConfiguration.<init>(OpenWebBeansConfiguration.java:156)
> >    at
> org.apache.webbeans.config.WebBeansContext.<init>(WebBeansContext.java:98)
> >    at
> org.apache.webbeans.corespi.DefaultSingletonService.get(DefaultSingletonService.java:58)
> >    at
> org.apache.webbeans.corespi.DefaultSingletonService.get(DefaultSingletonService.java:30)
> >    at
> org.apache.webbeans.config.WebBeansFinder.getSingletonInstance(WebBeansFinder.java:51)
> >    at
> org.apache.webbeans.config.WebBeansContext.getInstance(WebBeansContext.java:163)
> >    at
> org.apache.webbeans.servlet.WebBeansConfigurationListener.<init>(WebBeansConfigurationListener.java:69)
> >
> >
> >
>
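The permission difference discussed in this thread, as an added example that is not part of the original messages and is not OWB code: `System.getProperties()` is checked against `PropertyPermission("*", "read,write")`, while `System.getProperty(key)` is checked against `PropertyPermission(key, "read")`. The property keys below are hypothetical, constructed for the example; the check uses `implies()` on a permission collection, so it runs without a SecurityManager installed.

```java
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.PropertyPermission;

public class PropertyPermissionDemo {

    // Hypothetical keys, constructed for this example; not OWB's real configuration keys.
    static final List<String> KEYS =
            Arrays.asList("example.owb.settingA", "example.owb.settingB");

    // Per-key lookup: each call is checked against PropertyPermission(key, "read") only,
    // so no write permission on the JVM-wide property set is needed.
    static Map<String, String> readKnownKeys() {
        Map<String, String> found = new LinkedHashMap<>();
        for (String key : KEYS) {
            String value = System.getProperty(key);
            if (value != null) {
                found.put(key, value);
            }
        }
        return found;
    }

    public static void main(String[] args) {
        // Models a policy entry: permission java.util.PropertyPermission "*", "read";
        PermissionCollection granted = new Permissions();
        granted.add(new PropertyPermission("*", "read"));

        // Permission demanded by System.getProperties() via checkPropertiesAccess().
        PropertyPermission bulk = new PropertyPermission("*", "read,write");
        // Permission demanded by System.getProperty(key) via checkPropertyAccess(key).
        PropertyPermission single = new PropertyPermission(KEYS.get(0), "read");

        System.out.println("getProperties() allowed:  " + granted.implies(bulk));
        System.out.println("getProperty(key) allowed: " + granted.implies(single));

        // Constructed sample value so the per-key lookup has something to return.
        System.setProperty(KEYS.get(0), "constructed-value");
        System.out.println("per-key lookup result:    " + readKnownKeys());
    }
}
```

With a read-only grant the bulk check is refused and the per-key check passes, which is why a per-key lookup avoids the `AccessControlException` in the stack trace above.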
