openwebbeans-user mailing list archives

From Gernot <gern...@nurfuerspam.de>
Subject Re: PropertyPermission - Security Manager
Date Wed, 23 Nov 2011 15:47:57 GMT
(a) Isn't it the same, if you use 'System.getProperty("x")' or
'p=System.getProperties();p.get("x")' ?

(b) application runs after adding a new protection domain
grant codeBase "file:${catalina.base}/work/Catalina/localhost/xxxxx/WEB-INF/lib/openwebbeans-impl-1.1.1.jar"
{
    permission java.util.PropertyPermission "*", "read,write";
};

gernot

2011/11/23 Mark Struberg <struberg@yahoo.de>
>
> We use System.getProperties because we do a lot of lookups.
> Couldn't you just check if the getProperties is being called from within OpenWebBeansConfiguration and allow read/write for it?
>
>
> And from my personal experience with the Java SystemManager: I know 2 banks which used all this crap in the early 2000s. Then came .NET which was faster. Then they dropped the SecurityManager and realized that they gained 3-times the performance from just doing that...
>
> But there are certainly scenarios where it is useful (3rd party WAR hosting).
>
>
> LieGrue,
> strub
>
> >________________________________
> > From: Gernot <gernot_@nurfuerspam.de>
> >To: user@openwebbeans.apache.org
> >Sent: Wednesday, November 23, 2011 10:54 AM
> >Subject: Re: PropertyPermission - Security Manager
> >
> >
> >Thank you for answering.
> >
> >Why don't you use System.getProperty()? - and everything works fine with "read" permission.
> >I do not see any need to iterate over all possible properties set in the JVM in OWB.
> >
> >We've enabled SecurityManager for 10 years and we are running internally built applications but also lots of externally built applications (about 50 tomcats, with up to 20 applications each). So we have the need to separate applications. And all libraries we used support SecurityManager stuff well.
> >If you only deploy own applications - do you really know them all exactly? ;-) - it is at least another boundary for intruders and an additional limitation of configuration errors.
> >
> >Gernot
> >
> >
> >2011/11/22 Mark Struberg <struberg@yahoo.de>
> >
> >
> >>
> >>Hi Gernot!
> >>
> >>I fear there is nothing we can do against this in OWB. The Javadoc of System#getProperties says that checkPropertiesAccess is used [1].
> >>
> >>> This method is used by the getProperties and
> >>> setProperties methods of class System.
> >>> This method calls checkPermission with the
> >>> PropertyPermission("*", "read,write") permission.
> >>
> >>
> >>Btw, if you don't plan to execute foreign wars on your box, then enabling the SecurityManager will just cause unnecessary pain and performance decrease. This stuff originally got invented solely for sandboxing Java applets in browsers and later got abused for EE Server security in big data centers to keep externally built applications under control. But it's really not of much use if you know the software you like to run on your boxes.
> >>
> >>
> >>LieGrue,
> >>strub
> >>
> >>[1] http://download.oracle.com/javase/1.4.2/docs/api/java/lang/SecurityManager.html#checkPropertiesAccess%28%29
> >>
> >>
> >>
> >>>________________________________
> >>> From: Gernot <gernot_@nurfuerspam.de>
> >>>To: user@openwebbeans.apache.org
> >>>Sent: Tuesday, November 22, 2011 5:10 PM
> >>>Subject: PropertyPermission - Security Manager
> >>>
> >>>
> >>>I like to run my JSF2/CODI/OWB app in Tomcat 7 with security manager enabled, then I get an error (stacktrace see below) that java.util.PropertyPermission * read,write is missing. "read" permission is OK, but I'm wondering OWB needs WRITE permission?!
> >>>
> >>>Why? What does it write?
> >>>
> >>>In my opinion it seems not to be ok that web applications require property write permissions, because this will have side effects to other applications installed in the same tomcat!!
> >>>
> >>>How can I prevent OWB from forcing property write permissions?
> >>>
> >>>Thx
> >>>gernot
> >>>
> >>>
> >>>org.apache.catalina.core.StandardContext listenerStart
> >>>SEVERE: Error configuring application listener of class org.apache.webbeans.servlet.WebBeansConfigurationListener
> >>>java.security.AccessControlException: access denied (java.util.PropertyPermission * read,write)
> >>>    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
> >>>    at java.security.AccessController.checkPermission(AccessController.java:546)
> >>>    at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> >>>    at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1252)
> >>>    at java.lang.System.getProperties(System.java:580)
> >>>    at org.apache.webbeans.config.OpenWebBeansConfiguration$1.run(OpenWebBeansConfiguration.java:235)
> >>>    at org.apache.webbeans.config.OpenWebBeansConfiguration$1.run(OpenWebBeansConfiguration.java:231)
> >>>    at java.security.AccessController.doPrivileged(Native Method)
> >>>    at org.apache.webbeans.config.OpenWebBeansConfiguration.doPrivilegedGetSystemProperties(OpenWebBeansConfiguration.java:229)
> >>>    at org.apache.webbeans.config.OpenWebBeansConfiguration.loadFromSystemProperties(OpenWebBeansConfiguration.java:167)
> >>>    at org.apache.webbeans.config.OpenWebBeansConfiguration.<init>(OpenWebBeansConfiguration.java:156)
> >>>    at org.apache.webbeans.config.WebBeansContext.<init>(WebBeansContext.java:98)
> >>>    at org.apache.webbeans.corespi.DefaultSingletonService.get(DefaultSingletonService.java:58)
> >>>    at org.apache.webbeans.corespi.DefaultSingletonService.get(DefaultSingletonService.java:30)
> >>>    at org.apache.webbeans.config.WebBeansFinder.getSingletonInstance(WebBeansFinder.java:51)
> >>>    at org.apache.webbeans.config.WebBeansContext.getInstance(WebBeansContext.java:163)
> >>>    at org.apache.webbeans.servlet.WebBeansConfigurationListener.<init>(WebBeansConfigurationListener.java:69)
> >>>
> >>>
> >>>
> >>
> >
> >
> >
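
Added example, not part of the original messages and not OpenWebBeans code: it compares the permission that `System.getProperty(key)` demands (`PropertyPermission(key, "read")`) with the one `System.getProperties()` demands (`PropertyPermission("*", "read,write")`, per the Javadoc quoted in the thread) against three candidate grants. It only evaluates permission implication and installs no SecurityManager; the `org.apache.webbeans.*` prefix and both property keys are assumed or constructed for illustration.

```java
import java.security.Permission;
import java.security.Permissions;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.PropertyPermission;

public class PropertyPermissionScope {
    // What SecurityManager.checkPropertyAccess(key) demands for System.getProperty(key).
    static Permission neededForGetProperty(String key) {
        return new PropertyPermission(key, "read");
    }

    // What SecurityManager.checkPropertiesAccess() demands for System.getProperties().
    static Permission neededForGetProperties() {
        return new PropertyPermission("*", "read,write");
    }

    // Models one policy-file line:
    //   permission java.util.PropertyPermission "<name>", "<actions>";
    static Permissions grant(String name, String actions) {
        Permissions granted = new Permissions();
        granted.add(new PropertyPermission(name, actions));
        return granted;
    }

    public static void main(String[] args) {
        Map<String, Permissions> grants = new LinkedHashMap<>();
        grants.put("\"*\", \"read\"", grant("*", "read"));
        // Assumed namespace for the application's own configuration keys.
        grants.put("\"org.apache.webbeans.*\", \"read\"", grant("org.apache.webbeans.*", "read"));
        grants.put("\"*\", \"read,write\"", grant("*", "read,write"));

        String owbKey = "org.apache.webbeans.example";  // constructed key
        String sharedKey = "shared.container.setting";  // constructed key
        for (Map.Entry<String, Permissions> e : grants.entrySet()) {
            Permissions p = e.getValue();
            System.out.println("grant " + e.getKey());
            System.out.println("  getProperty(owbKey)    allowed: " + p.implies(neededForGetProperty(owbKey)));
            System.out.println("  getProperty(sharedKey) allowed: " + p.implies(neededForGetProperty(sharedKey)));
            System.out.println("  getProperties()        allowed: " + p.implies(neededForGetProperties()));
            // System.setProperty(key, value) demands PropertyPermission(key, "write").
            System.out.println("  setProperty(sharedKey) allowed: "
                    + p.implies(new PropertyPermission(sharedKey, "write")));
        }
    }
}
```

Only the `"*", "read,write"` grant satisfies `getProperties()`, and it is also the only one of the three that permits writing a key outside the application's own namespace.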
