Chapter 5. Java security manager
By defining a Java security policy you can configure the Java Security Manager to manage the external boundary of the Java Virtual Machine (JVM).
5.1. About the Java security manager
The Java Security Manager is a class that manages the external boundary of the Java Virtual Machine (JVM) sandbox, controlling how code executing within the JVM can interact with resources outside the JVM. When the Java Security Manager is activated, the Java API checks with the security manager for approval before executing a wide range of potentially unsafe operations. The Java Security Manager uses a security policy to determine whether a given action will be allowed or denied.
5.2. About Java security policy
A Java security policy is a set of defined permissions for different classes of code. The Java Security Manager compares actions requested by applications against the security policy. If an action is allowed by the policy, the Security Manager will permit that action to take place. If the action is not allowed by the policy, the Security Manager will deny that action.
Previous versions of JBoss EAP defined policies using an external file, e.g. EAP_HOME/bin/server.policy. JBoss EAP 7 defines Java Security Policies in two ways: the security-manager subsystem and through XML files in the individual deployments. The security-manager subsystem defines minimum and maximum permission for ALL deployments, while the XML files specify the permissions requested by the individual deployment.
5.2.1. About defining policies in the security manager subsystem
The security-manager subsystem allows you to define shared or common permissions for all deployments. This is accomplished by defining minimum and maximum permission sets. All deployments are granted at least the permissions defined in the minimum permission set. The deployment process fails for a deployment that requests a permission exceeding those defined in the maximum permission set.
Example: Management CLI command for updating minimum permission set
/subsystem=security-manager/deployment-permissions=default:write-attribute(name=minimum-permissions, value=[{class="java.util.PropertyPermission", actions="read", name="*"}])
Example: Management CLI command for updating maximum permission set
/subsystem=security-manager/deployment-permissions=default:write-attribute(name=maximum-permissions, value=[{class="java.util.PropertyPermission", actions="read,write", name="*"}, {class="java.io.FilePermission", actions="read,write", name="/-"}])
If the maximum permission set is not defined, its value defaults to java.security.AllPermission.
5.2.2. About defining policies in the deployment
In JBoss EAP 7, you can add a META-INF/permissions.xml to your deployment. This file allows you to specify the permissions needed by the deployment.
If a minimum permission set is defined in the security-manager subsystem and a META-INF/permissions.xml is added to your deployment, then the union of those permissions is granted. If the permissions requested in the permissions.xml exceed the maximum permissions defined in the security-manager subsystem, the deployment will not succeed. If both META-INF/permissions.xml and META-INF/jboss-permissions.xml are present in the deployment, then only the permissions requested in the META-INF/jboss-permissions.xml are granted.
The specification dictates that permissions.xml covers the entire application or top-level deployment module. In cases where you wish to define specific permissions for a subdeployment, you can use the JBoss EAP-specific META-INF/jboss-permissions.xml. It follows the exact same format as permissions.xml and applies only to the deployment module in which it is declared.
Example: Sample permissions.xml
<permissions version="7">
    <permission>
        <class-name>java.util.PropertyPermission</class-name>
        <name>*</name>
        <actions>read</actions>
    </permission>
</permissions>
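The "requested permission exceeds the maximum set" rule from 5.2.1 and the permissions.xml format above can be replayed outside the server with the standard java.security classes. The following is an added example, not JBoss EAP code: it parses a constructed permissions.xml, builds each entry as a java.security.Permission, and checks it against the maximum permission set shown in 5.2.1 using PermissionCollection.implies (the assumed class name PermissionsXmlCheck and the sample XML are this example's own).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

// Added example, not JBoss EAP code: checks permissions.xml entries against a maximum permission set.
public class PermissionsXmlCheck {
    // Maximum set from section 5.2.1: PropertyPermission "*" read,write and FilePermission "/-" read,write.
    static PermissionCollection maximumPermissions() {
        Permissions max = new Permissions();
        max.add(new PropertyPermission("*", "read,write"));
        max.add(new java.io.FilePermission("/-", "read,write"));
        return max;
    }
    // Turn each <permission> element into a java.security.Permission through the
    // (name, actions) constructor that the standard permission classes provide.
    static List<Permission> parsePermissionsXml(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList nodes = doc.getElementsByTagName("permission");
        List<Permission> requested = new ArrayList<>();
        for (int i = 0; i < nodes.getLength(); i++) {
            Element e = (Element) nodes.item(i);
            Class<?> cls = Class.forName(text(e, "class-name"));
            requested.add((Permission) cls.getConstructor(String.class, String.class)
                    .newInstance(text(e, "name"), text(e, "actions")));
        }
        return requested;
    }
    static String text(Element e, String tag) { // "" when the element is absent (e.g. no <actions>)
        NodeList n = e.getElementsByTagName(tag);
        return n.getLength() == 0 ? "" : n.item(0).getTextContent().trim();
    }
    public static void main(String[] args) throws Exception {
        // Constructed permissions.xml: the first entry is within the maximum set, the second is not.
        String xml = "<permissions version=\"7\">"
            + "<permission><class-name>java.util.PropertyPermission</class-name><name>*</name><actions>read</actions></permission>"
            + "<permission><class-name>java.net.SocketPermission</class-name><name>*:80</name><actions>connect</actions></permission>"
            + "</permissions>";
        PermissionCollection max = maximumPermissions();
        for (Permission p : parsePermissionsXml(xml)) {
            System.out.println((max.implies(p) ? "within maximum: " : "EXCEEDS maximum (deployment would fail): ") + p);
        }
    }
}
```

Because the check uses the permission classes' own implies logic, wildcard and path semantics (for example "/-" covering every file below the root) match what the JVM itself enforces rather than a string comparison.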
5.2.3. About defining policies in modules
You can restrict the permissions of a module by adding a <permissions> element to the module.xml file. The <permissions> element contains zero or more <grant> elements, which define the permissions to grant to the module. Each <grant> element contains the following attributes:
- permission: The qualified class name of the permission to grant.
- name: The permission name to provide to the permission class constructor.
- actions: The (optional) list of actions, required by some permission types.
Example: module.xml with Defined Policies
<module xmlns="urn:jboss:module:1.5" name="org.jboss.test.example">
    <permissions>
        <grant permission="java.util.PropertyPermission" name="*" actions="read,write" />
        <grant permission="java.io.FilePermission" name="/etc/-" actions="read" />
    </permissions>
    ...
</module>
If the <permissions> element is present, the module will be restricted to only the permissions you have listed. If the <permissions> element is not present, there will be no restrictions on the module.
5.3. Run JBoss EAP with the Java security manager
There are two ways to run JBoss EAP with the Java Security Manager:
- Using the -secmgr flag with the startup configuration script.
- Using the startup configuration file.
Previous versions of JBoss EAP allowed the use of the -Djava.security.manager Java system property as well as custom security managers. Neither of these is supported in JBoss EAP 7. In addition, the Java Security Manager policies are now defined within the security-manager subsystem, meaning external policy files and the -Djava.security.policy Java system property are not supported in JBoss EAP 7.
Before starting JBoss EAP with the Java Security Manager enabled, you need to make sure all security policies are defined in the security-manager subsystem.
5.3.1. Using the -secmgr flag with the startup configuration script
You can run JBoss EAP with the Java Security Manager by passing the -secmgr option to the startup script.
Procedure
Include the -secmgr flag when starting up your JBoss EAP instance.
Example of how to include the -secmgr flag
./standalone.sh -secmgr
5.3.2. Using the startup configuration file
You can run JBoss EAP with the Java Security Manager. To do this, you have to modify the startup configuration file.
The domain or standalone server must be completely stopped before you edit any configuration files.
If you are using JBoss EAP in a managed domain, you must perform the following procedure on each physical host or instance in your domain.
Procedure
To enable the Java Security Manager using the startup configuration file, edit either the standalone.conf or domain.conf file, depending on whether you are running a standalone instance or a managed domain. If running in Windows, the standalone.conf.bat or domain.conf.bat files are used instead. Uncomment the SECMGR="true" line in the configuration file:
Example standalone.conf or domain.conf
# Uncomment this to run with a security manager enabled
SECMGR="true"
Example standalone.conf.bat or domain.conf.bat
rem # Uncomment this to run with a security manager enabled
set "SECMGR=true"
5.4. Considerations before moving from previous versions
When moving applications from a previous version of JBoss EAP to JBoss EAP 7 running with the Java Security Manager enabled, you need to be aware of the changes in how policies are defined, as well as the configuration needed in both the JBoss EAP configuration and the deployment. Here are the changes that you should be aware of:
- In previous versions of JBoss EAP, policies were defined in an external configuration file. In JBoss EAP 7, policies are defined using the security-manager subsystem and with permissions.xml or jboss-permissions.xml contained in the deployment.
- In previous versions of JBoss EAP, you could use the -Djava.security.manager and -Djava.security.policy Java system properties during JBoss EAP startup. These are no longer supported, and the -secmgr flag should be used instead to enable JBoss EAP to run with the Java Security Manager.
- Custom security managers are not supported in JBoss EAP 7.