红帽全球峰会此内容没有您所选择的语言版本。
Chapter 14. Java Security Manager
- Java Security Manager
- The Java Security Manager is a class that manages the external boundary of the Java Virtual Machine (JVM) sandbox, controlling how code executing within the JVM can interact with resources outside the JVM. When the Java Security Manager is activated the Java API checks with the security manager for approval before executing a wide range of potentially unsafe operations.
The Security Manager uses a security policy to determine whether a given action will be permitted or denied.
- Security Policy
- A set of defined permissions for different classes of code. The Java Security Manager compares actions requested by applications against the security policy. If an action is allowed by the policy, the Security Manager will permit that action to take place. If the action is not allowed by the policy, the Security Manager will deny that action. The security policy can define permissions based on the location of code or on the code's signature.
The Security Manager and the security policy used are configured using the Java Virtual Machine options
java.security.manager and java.security.policy .
Security Manager-related options
- java.security.manager
- Use a security manager, optionally specifying which security manager to use. If no argument is supplied with this option the default JDK security manager,
java.lang.SecurityManager, is used. To use another security manager implementation, supply the fully qualified classname of a subclass ofjava.lang.SecurityManagerwith this option. - java.security.policy
- Specifies a policy file to augment or replace the default security policy for the VM. This option takes two forms:
-
java.security.policy=policyFileURL - The policy file referenced by policyFileURL will augment the default security policy configured by the VM.
-
java.security.policy==policyFileURL - The policy file referenced by policyFileURL will replace the default security policy configured by the VM.
The policyFileURL value can be a URL or a file path. -
JBoss Enterprise Application Platform does not activate the Java Security Manager by default. To configure the Platform to use the Security Manager, refer to Section 14.1, “Using the Security Manager” .
14.1. Using the Security Manager
复制链接链接已复制到粘贴板!
JBoss Enterprise Application Platform can use the JDK default Security Manager or a custom security manager. For details on selecting a custom Security Manager, refer to Security Manager-related options .
When the Platform is configured to use a security manager, a security policy file must be specified. A security policy file,
jboss-as/bin/server.policy.cert is included as a starting point.
For information on writing security policy, refer to Section 14.3, “Writing Security Policy for JBoss Enterprise Application Platform” .
Configuration File
The file run.conf (Linux) or run.conf.bat (Windows) is used to configure the Security Manager and security policy. This file is found in the jboss-as/bin directory.
This file is used to configure server-level options, and applies to all server profiles. Configuring the Security Manager and security policy involves profile-specific configuration. You may elect to copy the global
run.conf or run.conf.bat file from jboss-as/bin/ to the server profile (for example: jboss-as/server/production/run.conf ), and make the configuration changes there. A configuration file in the server profile takes precedence over the global run.conf / run.conf.bat file when the server profile is started.
Procedure 14.1. Activate the Security Manager
This procedure configures JBoss Enterprise Application Platform to start with the Java Security Manager activated.
The file editing actions in this procedure refer to the file
run.conf (Linux), or run.conf.bat (Windows) in the server profile directory, if one exists there, or in jboss-as/bin . Refer to Configuration File for details on the location of this file.
Specify the JBoss home directory
Edit the filerun.conf(Linux), orrun.conf.bat(Windows). Add thejboss.home.diroption, specifying the path to thejboss-asdirectory of your installation.LinuxJAVA_OPTS="$JAVA_OPTS -Djboss.home.dir=/path/to/jboss-eap-5.1/jboss-as"
JAVA_OPTS="$JAVA_OPTS -Djboss.home.dir=/path/to/jboss-eap-5.1/jboss-as"Copy to Clipboard Copied! Toggle word wrap Toggle overflow WindowsJAVA_OPTS="%JAVA_OPTS% -Djboss.home.dir=c:\path\jboss-eap-5.1\jboss-as"
JAVA_OPTS="%JAVA_OPTS% -Djboss.home.dir=c:\path\jboss-eap-5.1\jboss-as"Copy to Clipboard Copied! Toggle word wrap Toggle overflow Specify the server home directory
Add thejboss.server.home.diroption, specifying the path to your server profile.LinuxJAVA_OPTS="$JAVA_OPTS -Djboss.server.home.dir=path/to/jboss-eap-5.1/jboss-as/server/production"
JAVA_OPTS="$JAVA_OPTS -Djboss.server.home.dir=path/to/jboss-eap-5.1/jboss-as/server/production"Copy to Clipboard Copied! Toggle word wrap Toggle overflow WindowsJAVA_OPTS="%JAVA_OPTS% -Djboss.server.home.dir=c:\path\to\jboss-eap-5.1\jboss-as\server\production"
JAVA_OPTS="%JAVA_OPTS% -Djboss.server.home.dir=c:\path\to\jboss-eap-5.1\jboss-as\server\production"Copy to Clipboard Copied! Toggle word wrap Toggle overflow Specify the Protocol Handler
Add thejava.protocol.handler.pkgsoption, specifying the JBoss stub handler.LinuxJAVA_OPTS="$JAVA_OPTS -Djava.protocol.handler.pkgs=org.jboss.handlers.stub"
JAVA_OPTS="$JAVA_OPTS -Djava.protocol.handler.pkgs=org.jboss.handlers.stub"Copy to Clipboard Copied! Toggle word wrap Toggle overflow WindowsJAVA_OPTS="%JAVA_OPTS% -Djava.protocol.handler.pkgs=org.jboss.handlers.stub"
JAVA_OPTS="%JAVA_OPTS% -Djava.protocol.handler.pkgs=org.jboss.handlers.stub"Copy to Clipboard Copied! Toggle word wrap Toggle overflow Specify the security policy to use
Add the$POLICYvariable, specifying the security policy to use. Add the variable definition before the line that activates the Security Manager.Example 14.1. Use the Platform's included security policy
POLICY="server.policy.cert"
POLICY="server.policy.cert"Copy to Clipboard Copied! Toggle word wrap Toggle overflow Activate the Security Manager
Uncomment the following line by removing the initial#:Linux#JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy=$POLICY"
#JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy=$POLICY"Copy to Clipboard Copied! Toggle word wrap Toggle overflow Windows#JAVA_OPTS="%JAVA_OPTS% -Djava.security.manager -Djava.security.policy=%POLICY%"
#JAVA_OPTS="%JAVA_OPTS% -Djava.security.manager -Djava.security.policy=%POLICY%"Copy to Clipboard Copied! Toggle word wrap Toggle overflow Result:JBoss Enterprise Application Platform is now configured to start with the Security Manager activated.
Optional: Import Red Hat's JBoss signing key
The included security policy grants permissions to JBoss-signed code. If you use the included policy you must import the JBoss signing key to the JDKcacertskey store.The following command assumes that the environment variableJAVA_HOMEis set to the location of a JDK supported by JBoss Enterprise Application Platform 5. You configureJAVA_HOMEwhen you first install JBoss Enterprise Application Platform 5. Refer to the Installation Guide for further information.Note
To ensure the correct JVM is selected, you can use thealternativescommand to select from JDKs installed on your Linux system. Refer to Appendix A, Setting the default JDK with the/usr/sbin/alternativesUtility .Execute the following command in a terminal:Linuxsudo $JBOSS_HOME/bin/keytool -import -alias jboss -file JBossPublicKey.RSA \ -keystore $JAVA_HOME/lib/security/cacerts
[~]$ sudo $JBOSS_HOME/bin/keytool -import -alias jboss -file JBossPublicKey.RSA \ -keystore $JAVA_HOME/lib/security/cacertsCopy to Clipboard Copied! Toggle word wrap Toggle overflow WindowsC:> $JBOSS_HOME\bin\keytool -import -alias jboss -file JBossPublicKey.RSA -keystore $JAVA_HOME\lib\security\cacerts
C:> $JBOSS_HOME\bin\keytool -import -alias jboss -file JBossPublicKey.RSA -keystore $JAVA_HOME\lib\security\cacertsCopy to Clipboard Copied! Toggle word wrap Toggle overflow Although broken across two lines in this documentation, the commands above should be entered on one single line in a terminal.Note
The default password for the cacerts key store ischangeit.Result:The key used to the sign the JBoss Enterprise Application Platform code is now installed.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}