Java Security Manager Reloaded 
Josef Cacek 
Senior Quality Engineer 
Red Hat / JBoss 
#Devoxx #jsm-reloaded @jckwart
Java Security Manager Reloaded - Devoxx 2014


Slides for my Devoxx tools-in-action speech. Basics of Java Security Manager are covered there. A new library called pro-grade, which helps to keep your life with Java security easy, is introduced.

Published in: Software
  1. Java Security Manager Reloaded
     Josef Cacek, Senior Quality Engineer, Red Hat / JBoss
  2. Agenda
     ● Java Security Manager
       – quickstart
       – issues
     ● Reloaded
       – there is an easier way
       – pro-grade library
  3. Do you run ?
  4. Do you run apps with Java Security Manager?
  5. You should be afraid. You are threatened!
  6. Threats
     ● bugs in libraries
       – lazy programmers
     ● hidden features
       – evil programmers
     ● man-in-the-middle
       – The Hackers
  7. Java has a solution
  8. Java Security Manager (JSM) checks if the caller has permissions to run protected actions.
  9. Terminology
     ● Sensitive code: calls the Security Manager
     ● Security Manager (extends java.lang.SecurityManager): enforces the Policy
     ● Policy (extends java.security.Policy)
     ● Permissions (extends java.security.Permission)
  10. Example: Sensitive code calling JSM

          SecurityManager sm = System.getSecurityManager();
          if (sm != null)
              sm.checkPermission(
                  new org.jboss.SimplePermission("getCache"));

  11. Example: Sensitive code calling JSM (same code as slide 10, with the callout "AccessControlException")
  12. Policy
      ● defines which protected actions are allowed
        – no action by default
      ● defined in a policy file
      ● grant entries assign Permissions to
        – code path [codeBase]
        – signed classes [signedBy]
        – authenticated user [principal]
  13. Example: Policy file

          keystore "/opt/redhat.keystore";

          grant {
              permission java.io.FilePermission "/tmp/-", "read,write";
          };

          grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" {
              permission java.lang.RuntimePermission "getStackTrace";
              permission java.util.PropertyPermission "*", "read,write";
          };

          grant signedBy "jboss" {
              permission java.security.AllPermission;
          };

  17. Permission
      ● represents an access right to a protected action
      ● has a type and target
      ● may have actions
      ● java.security.AllPermission
        – unrestricted access to all resources
        – automatically granted to system classes
  18. Example: Read a file
      ● App [app.jar] → Utils [app-lib.jar] → FileReader("/etc/passwd")
  19. Example: Read a file
      ● App [app.jar] → Utils [app-lib.jar] → FileReader("/etc/passwd")

          Exception in thread "main" java.security.AccessControlException: access denied ("java.io.FilePermission" "/etc/passwd" "read")
              at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
              at java.security.AccessController.checkPermission(AccessController.java:559)
              at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
              at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
              at java.io.FileInputStream.<init>(FileInputStream.java:135)
              at java.io.FileInputStream.<init>(FileInputStream.java:101)
              at java.io.FileReader.<init>(FileReader.java:58)
              at org.jboss.shared.Utils.getUserListInternal(Utils.java:36)
              at org.jboss.shared.Utils.getUsersList(Utils.java:28)
              at org.jboss.test.App.run(App.java:35)
              at org.jboss.test.App.main(App.java:28)

      Slide labels on the stack frames: system classes (the java.* frames), app-lib.jar (org.jboss.shared.Utils), app.jar (org.jboss.test.App)
  23. JSM quickstart
      ● set java.security.manager system property
        – no value → default implementation
        – class name → custom SecurityManager implementation
      ● set java.security.policy system property
        – path to text file with permission mappings
      ● set java.security.debug system property (optional)
  24. Example: Run Application with JSM enabled

          java \
            -Djava.security.manager \
            -Djava.security.policy=/opt/jEdit/jEdit.policy \
            -Djava.security.debug=access:failure \
            -jar /opt/jEdit/jedit.jar /etc/passwd

  25. Protect your systems. Use Java Security Manager!
  26. However ...
  27. JSM issues - #1 performance
  28. JSM issues - #2 policy file tooling
  29. JSM Reloaded: pro-grade library
      Set of SecurityManager and Policy implementations.
  30. pro-grade library
      ● Java Security Manager made easy(ier)
      ● authors
        – Ondřej Lukáš
        – Josef Cacek
      ● Apache License
      http://pro-grade.sourceforge.net/
  31. pro-grade components
      #1 policy with deny entries
      #2 policy file generator
      #3 missing permissions debugger
  32. #1 pro-grade policy with deny rules
      ● "subtracting" permissions from the granted ones
      ● helps to decrease the count of mapped permissions
      Policy Rules Of Granting And DEnying (diagram labels: GRANT, DENY)
  33. #1 pro-grade policy with deny rules
      ● "subtracting" permissions from the granted ones
      ● helps to decrease the count of mapped permissions

          // grant full access to /tmp folder
          grant {
              permission java.io.FilePermission "/tmp/-", "read,write";
          };

          // deny write access to the static subfolder of /tmp
          deny {
              permission java.io.FilePermission "/tmp/static/-", "write";
          };

  34. #2 pro-grade policy file generator
      ● policytool on (a)steroids
      ● No GUI is better than any GUI!
      ● doesn't throw the AccessControlException
  35. #3 pro-grade permissions debugger
      ● prints info about missing permissions to error stream without stopping application

          >> Denied permission java.io.FilePermission "/etc/passwd", "read";
          >>> CodeSource: (file:/tmp/app-lib.jar <no signer certificates>)

  36. Demo: Security policy for Java EE server in 3 minutes.
  37. Use Java Security Manager!
  39. Use Java Security Manager! Make it easy with pro-grade
  40. pro-grade fighting JSM issues
      ● performance
        → deny rules help
      ● policy file tooling
        → generator – fully automated
        → debugger – quick check what's missing
  41. Thank you. Questions?
      josef.cacek@gmail.com
      @jckwart
      http://javlog.cacek.cz
      http://pro-grade.sourceforge.net
      http://github.com/pro-grade/pro-grade
  42. Credits
      public domain images – pixabay.com
      public domain drawings – openclipart.org
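
Added example, not code from the talk or from pro-grade: the denial on slide 19 reproduced with hand-built protection domains, showing that the permission must be held by every jar on the call stack and not only by the application's own jar. The class name `StackCheckDemo`, the `file:/tmp/app.jar` URL and the grants are constructed; `file:/tmp/app-lib.jar` is the CodeSource from slide 35. It assumes a JDK on which the Security Manager architecture is still functional (it has been deprecated for removal since Java 17).

```java
import java.io.FilePermission;
import java.net.URL;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class StackCheckDemo {

    // One protection domain per jar, with a fixed permission set (no Policy lookup).
    static ProtectionDomain domain(String jarUrl, Permission... granted) throws Exception {
        Permissions perms = new Permissions();
        for (Permission p : granted) {
            perms.add(p);
        }
        CodeSource cs = new CodeSource(new URL(jarUrl), (Certificate[]) null);
        return new ProtectionDomain(cs, perms);
    }

    // True only if every domain on the simulated call stack implies the permission.
    static boolean allowed(Permission wanted, ProtectionDomain... stack) {
        try {
            new AccessControlContext(stack).checkPermission(wanted);
            return true;
        } catch (AccessControlException e) {
            System.err.println(e.getMessage()); // same "access denied (...)" text as slide 19
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Permission read = new FilePermission("/etc/passwd", "read");

        // Constructed domains: app.jar holds the grant, app-lib.jar with and without it.
        ProtectionDomain app = domain("file:/tmp/app.jar", read);
        ProtectionDomain libNoGrant = domain("file:/tmp/app-lib.jar");
        ProtectionDomain libGranted = domain("file:/tmp/app-lib.jar", read);

        // Stack order as on slide 19: Utils (app-lib.jar) is called by App (app.jar).
        System.out.println("grant on app.jar only: " + allowed(read, libNoGrant, app));
        System.out.println("grant on both jars:    " + allowed(read, libGranted, app));
    }
}
```

System classes are left out of the simulated stack because they hold AllPermission (slide 17) and never cause the denial.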

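
Added example, not pro-grade's implementation: a small model of the "subtracting" rule from slide 33, where a request passes only if a grant entry implies it and no deny entry does, evaluated over constructed file requests. The class name `GrantMinusDenyDemo`, the sample paths under `/tmp`, and the per-action splitting of a combined "read,write" request are assumptions of this example.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;

public class GrantMinusDenyDemo {

    private final PermissionCollection grants = new Permissions();
    private final PermissionCollection denies = new Permissions();

    GrantMinusDenyDemo grant(Permission p) { grants.add(p); return this; }
    GrantMinusDenyDemo deny(Permission p)  { denies.add(p); return this; }

    // Check each requested action on its own, so that a combined "read,write"
    // request cannot slip past a deny entry that names only "write".
    boolean allows(FilePermission wanted) {
        for (String action : wanted.getActions().split(",")) {
            Permission single = new FilePermission(wanted.getName(), action);
            if (!grants.implies(single) || denies.implies(single)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // The two entries of the slide 33 policy.
        GrantMinusDenyDemo policy = new GrantMinusDenyDemo()
            .grant(new FilePermission("/tmp/-", "read,write"))
            .deny(new FilePermission("/tmp/static/-", "write"));

        // Constructed sample requests.
        FilePermission[] requests = {
            new FilePermission("/tmp/upload/a.txt", "write"),
            new FilePermission("/tmp/static/logo.png", "read"),
            new FilePermission("/tmp/static/logo.png", "write"),
            new FilePermission("/tmp/static/logo.png", "read,write"),
            new FilePermission("/etc/passwd", "read"),
        };
        for (FilePermission r : requests) {
            System.out.println((policy.allows(r) ? "ALLOW " : "DENY  ") + r);
        }
    }
}
```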