From Christopher Schultz <>
Subject Re: [OT] SecurityManager and Java Policy Files
Date Wed, 10 Nov 2010 21:42:32 GMT

On 11/10/2010 4:29 PM, Mark Thomas wrote:
> On 10/11/2010 21:15, Christopher Schultz wrote:
>> Any help would be greatly appreciated.
> I don't recall ever finding anything that useful. What I can do is
> condense my limited knowledge into a few lines that may help.

Thanks for confirming what I've found thus far: good references are
difficult to find.

> For code to perform some actions (e.g. reading a file, exiting the JVM
> etc) it needs the associated permission when running under a security
> manager.
> The policy file handles mapping code to permissions.

> When code tries to perform a protected function then:
> - if no privileged block is present in the call stack then every class
> in the call stack must have the necessary permission

This is something that I've only recently realized. When I initially
tried to use a SecurityManager, I found that I basically had to poke
holes in the policy for /everything/. What I wanted to do was restrict
certain code to, for instance, write to my log file(s) or to make a
connection to the database. Without a privileged block, I had to allow
just about all the code to make network connections because nearly any
code could call into a database routine which (of course), may create a
database connection on demand.

The privileged blocks appear to allow me to restrict the code that can
do that to a very specific set of classes -- ones that explicitly
attempt a privileged action using AccessController.

> - if a privileged block is present in the call stack then every class in
> the call stack from the class performing the action to the privileged
> block must have the necessary permission

> To take a specific example, consider the PersistentManager. It needs to
> read/write sessions from the file system, create objects, manipulate
> class loaders and a bunch of other stuff that requires permissions.
> Session loading/unloading can be triggered by a web application so it is
> possible for web app code to be in the call stack for a call to load().

A good parallel to my JDBC connection example from above: any part of my
webapp can try to use my database services, yet those "outside" classes
shouldn't be able to directly make a database connection.

> Web apps have minimal permissions that do not include the permissions
> needed by the load() method. The PersistentManager class does have the
> necessary permissions.
> The load() method uses a privileged block so web apps can call the
> load() method without having the necessary permissions. To be secure the
> load() method has to make sure web apps can't trick it into doing
> something it shouldn't.
> Does that help?

Yes, very much.

To be explicit, if I want a class (say, DbStuff) to be able to make a
database connection yet prevent other classes from doing so, I need to
do something like this:

import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import javax.sql.DataSource;

public class DbStuff {
  protected Connection getConnection() throws SQLException {
    try {
      // The stack walk stops at this privileged frame, so only DbStuff
      // (not its callers) needs the connect/JNDI permissions.
      return AccessController.doPrivileged(new PrivilegedExceptionAction<Connection>() {
        public Connection run() throws SQLException {
          DataSource ds = null; // get from JNDI (lookup elided here)
          return ds.getConnection();
        }
      });
    } catch (PrivilegedActionException e) {
      throw (SQLException) e.getCause();
    }
  }

  public List<Person> getPeople() throws SQLException {
    Connection conn = null;
    try {
      conn = getConnection();
      List<Person> people = new ArrayList<Person>();
      // SELECT * FROM people, adding one Person per row
      return people;
    } finally {
      if (conn != null) conn.close();
    }
  }
}

public class MyTest {
  public static void main(String[] args) throws SQLException {
    new DbStuff().getPeople();
  }
}

So, if I give access to "connect", etc. in my policy file to the DbStuff
class, then DbStuff can use its own getConnection method to obtain
database connections, but MyTest would be unable to, say, use
DriverManager to create a new connection to the database. Do I have that

- -chris
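Mark's two stack-walk rules, and his caveat that a privileged method must not let a web app trick it, exercised in one runnable program. This is an added example written for this page; it is not code from the thread or from Tomcat. It reads a file instead of opening a JDBC connection so that it runs offline, and PrivilegedDemo, ConfigReader, the temp files and the all-permission Policy are all constructed for the demo. The "untrusted web app" is simulated by running calls under an AccessControlContext that holds a domain with no permissions, which avoids needing a second code base and a policy file; the comment in main() gives the policy-file grant the Policy stands in for. It needs a JDK that can still install a SecurityManager: JDK 8 to 17 run it as-is (17 prints deprecation warnings), JDK 18 to 23 need -Djava.security.manager=allow, and JDK 24 removed the SecurityManager (JEP 486).

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;

public class PrivilegedDemo {
  // Trusted deputy (the PersistentManager/DbStuff role): it may read confDir.
  static final class ConfigReader {
    private final Path confDir;
    ConfigReader(Path confDir) {
      this.confDir = confDir.toAbsolutePath().normalize();
    }

    // (1) No privileged block: every frame on the stack, the untrusted
    // caller's included, must hold the FilePermission, so the read is denied.
    String readDirect(String name) throws IOException {
      return read(confDir.resolve(name));
    }

    // (2) Privileged block with a caller-controlled path: the stack walk stops
    // at the doPrivileged frame, so the untrusted caller can now read any file
    // this class can. This is the "tricked into doing something it shouldn't" case.
    String readPrivilegedUnchecked(String name) throws IOException {
      return privileged(confDir.resolve(name));
    }

    // (3) Privileged block plus validation: only paths that stay inside confDir
    // after normalization are served (symlinks inside confDir are not resolved).
    String readPrivilegedConfined(String name) throws IOException {
      Path target = confDir.resolve(name).normalize();
      if (!target.startsWith(confDir) || target.equals(confDir)) {
        throw new IllegalArgumentException("outside " + confDir + ": " + name);
      }
      return privileged(target);
    }

    private String privileged(Path p) throws IOException {
      try {
        return AccessController.doPrivileged(
            (PrivilegedExceptionAction<String>) () -> read(p));
      } catch (PrivilegedActionException e) {
        throw (IOException) e.getCause();
      }
    }

    private static String read(Path p) throws IOException {
      return new String(Files.readAllBytes(p), StandardCharsets.UTF_8);
    }
  }

  // A context containing one domain with no permissions at all. Running an
  // action through it behaves like a call from a web app the policy grants
  // nothing, without needing a second code base or class loader.
  static final AccessControlContext UNTRUSTED = new AccessControlContext(
      new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });

  static String asUntrusted(PrivilegedExceptionAction<String> action) {
    try {
      return AccessController.doPrivileged(action, UNTRUSTED);
    } catch (AccessControlException e) {
      return "DENIED " + e.getPermission();
    } catch (IllegalArgumentException e) {
      return "REJECTED " + e.getMessage();
    } catch (PrivilegedActionException e) {
      return "ERROR " + e.getCause();
    }
  }

  public static void main(String[] args) throws Exception {
    // Grant the demo's own code base everything; in a policy file this would be
    //   grant codeBase "file:/path/to/demo/-" { permission java.security.AllPermission; };
    // (placeholder path). The simulated web app above still gets nothing.
    Policy.setPolicy(new Policy() {
      @Override public boolean implies(ProtectionDomain d, Permission p) { return true; }
    });
    System.setSecurityManager(new SecurityManager());

    // Constructed fixture: conf/db.properties is the file the deputy may serve;
    // secret.txt sits one level up and must never reach the untrusted caller.
    Path base = Files.createTempDirectory("smdemo");
    Path conf = Files.createDirectories(base.resolve("conf"));
    Files.write(conf.resolve("db.properties"), "url=jdbc:example".getBytes(StandardCharsets.UTF_8));
    Files.write(base.resolve("secret.txt"), "not for web apps".getBytes(StandardCharsets.UTF_8));
    ConfigReader reader = new ConfigReader(conf);

    System.out.println("1 direct:    " + asUntrusted(() -> reader.readDirect("db.properties")));
    System.out.println("2 unchecked: " + asUntrusted(() -> reader.readPrivilegedUnchecked("../secret.txt")));
    System.out.println("3 confined:  " + asUntrusted(() -> reader.readPrivilegedConfined("db.properties")));
    System.out.println("3 traversal: " + asUntrusted(() -> reader.readPrivilegedConfined("../secret.txt")));
  }
}
```

Compile and run with javac PrivilegedDemo.java and java PrivilegedDemo. Call 1 is denied with a java.io.FilePermission even though ConfigReader itself is trusted, because the untrusted frame is on the stack between the check and the nearest privileged frame. Call 2 prints the contents of secret.txt: a privileged block wrapped around caller-controlled input turns the trusted class into a confused deputy, which is exactly why Mark says load() must make sure web apps can't trick it. Call 3 returns db.properties, and call 4 is rejected by the path check before any privileged code runs. The same pattern applies to the DbStuff example: keep the JNDI lookup and getConnection() inside the privileged block, and never let the caller choose the DataSource name or connection properties that go into it.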