Josef Cacek, profile picture
Uploaded byJosef Cacek
PDF, PPTX2,500 views

Java Security Manager Reloaded - Devoxx 2014

The document discusses Java Security Manager (JSM) and how it can be used to enforce security policies in Java applications. However, JSM has issues with performance and managing policy files. The Pro-Grade library aims to address these issues by providing components like a policy file generator and permissions debugger to make working with JSM easier. The presentation concludes by demonstrating how to generate a security policy for a Java EE server in just 3 minutes using Pro-Grade.

Embed presentation

Download as PDF, PPTX
Java Security Manager Reloaded Josef Cacek Senior Quality Engineer Red Hat / JBoss #Devoxx #jsm-reloaded @jckwart
Agenda ● Java Security Manager – quickstart – issues ● Reloaded – there is an easier way – pro-grade library #Devoxx #jsm-reloaded @jckwart
Do you run ? #Devoxx #jsm-reloaded @jckwart
Do you run apps with Java Security Manager ? #Devoxx #jsm-reloaded @jckwart
You should be affraid You are treatened! #Devoxx #jsm-reloaded @jckwart
Threats ● bugs in libraries – lazy programmers ● hidden features – evil programmers ● man-in-the-middle – The Hackers #Devoxx #jsm-reloaded @jckwart
Java has a solution #Devoxx #jsm-reloaded @jckwart
Java Security Manager (JSM) checks if the caller has permissions to run protected actions. #Devoxx #jsm-reloaded @jckwart
Terminology Sensitive code calls extends java.lang.SecurityManager Security Manager enforces Policy Permissions extends java.security.Policy extends java.security.Permission #Devoxx #jsm-reloaded @jckwart
Example: Sensitive code calling JSM SecurityManager sm = System.getSecurityManager(); if (sm != null) sm.checkPermission( new org.jboss.SimplePermission("getCache")); #Devoxx #jsm-reloaded @jckwart
Example: Sensitive code calling JSM AccessControl SecurityManager sm = System.getSecurityManager(); if (sm != null) sm.checkPermission( Exception new org.jboss.SimplePermission("getCache")); #Devoxx #jsm-reloaded @jckwart
Policy ● keeps which protected actions are allowed – No action by default ● defined in policy file ● grant entries assigns Permissions to – code path [codeBase] – signed classes [signedBy] – authenticated user [principal] #Devoxx #jsm-reloaded @jckwart
Example: Policy file keystore "/opt/redhat.keystore"; grant { permission java.io.FilePermission "/tmp/-", "read,write"; }; grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" { permission java.lang.RuntimePermission "getStackTrace"; permission java.util.PropertyPermission "*", "read,write"; }; grant signedBy "jboss" { permission java.security.AllPermission; }; #Devoxx #jsm-reloaded @jckwart
Example: Policy file keystore "/opt/redhat.keystore"; grant { permission java.io.FilePermission "/tmp/-", "read,write"; }; grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" { permission java.lang.RuntimePermission "getStackTrace"; permission java.util.PropertyPermission "*", "read,write"; }; grant signedBy "jboss" { permission java.security.AllPermission; }; #Devoxx #jsm-reloaded @jckwart
Example: Policy file keystore "/opt/redhat.keystore"; grant { permission java.io.FilePermission "/tmp/-", "read,write"; }; grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" { permission java.lang.RuntimePermission "getStackTrace"; permission java.util.PropertyPermission "*", "read,write"; }; grant signedBy "jboss" { permission java.security.AllPermission; }; #Devoxx #jsm-reloaded @jckwart
Example: Policy file keystore "/opt/redhat.keystore"; grant { permission java.io.FilePermission "/tmp/-", "read,write"; }; grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" { permission java.lang.RuntimePermission "getStackTrace"; permission java.util.PropertyPermission "*", "read,write"; }; grant signedBy "jboss" { permission java.security.AllPermission; }; #Devoxx #jsm-reloaded @jckwart
Permission ● represents access right to a protected action ● has a type and target ● may have actions ● java.lang.AllPermission – unrestricted access to all resources – automatically granted to system classes #Devoxx #jsm-reloaded @jckwart
Example: Read a file ● App [app.jar] → Utils [app-lib.jar]→ FileReader(“/etc/passwd”) #Devoxx #jsm-reloaded @jckwart
Example: Read a file ● App [app.jar] → Utils [app-lib.jar]→ FileReader(“/etc/passwd”) Exception in thread "main" java.security.AccessControlException: access denied ("java.io.FilePermission" "/etc/passwd" "read") at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372) at java.security.AccessController.checkPermission(AccessController.java:559) at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) at java.lang.SecurityManager.checkRead(SecurityManager.java:888) at java.io.FileInputStream.<init>(FileInputStream.java:135) at java.io.FileInputStream.<init>(FileInputStream.java:101) at java.io.FileReader.<init>(FileReader.java:58) at org.jboss.shared.Utils.getUserListInternal(Utils.java:36) at org.jboss.shared.Utils.getUsersList(Utils.java:28) at org.jboss.test.App.run(App.java:35) at org.jboss.test.App.main(App.java:28) system classes app-lib.jar app.jar #Devoxx #jsm-reloaded @jckwart
Example: Read a file ● App [app.jar] → Utils [app-lib.jar]→ FileReader(“/etc/passwd”) Exception in thread "main" java.security.AccessControlException: access denied ("java.io.FilePermission" "/etc/passwd" "read") at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372) at java.security.AccessController.checkPermission(AccessController.java:559) at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) at java.lang.SecurityManager.checkRead(SecurityManager.java:888) at java.io.FileInputStream.<init>(FileInputStream.java:135) at java.io.FileInputStream.<init>(FileInputStream.java:101) at java.io.FileReader.<init>(FileReader.java:58) at org.jboss.shared.Utils.getUserListInternal(Utils.java:36) at org.jboss.shared.Utils.getUsersList(Utils.java:28) at org.jboss.test.App.run(App.java:35) at org.jboss.test.App.main(App.java:28) system classes app-lib.jar app.jar #Devoxx #jsm-reloaded @jckwart
Example: Read a file ● App [app.jar] → Utils [app-lib.jar]→ FileReader(“/etc/passwd”) Exception in thread "main" java.security.AccessControlException: access denied ("java.io.FilePermission" "/etc/passwd" "read") at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372) at java.security.AccessController.checkPermission(AccessController.java:559) at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) at java.lang.SecurityManager.checkRead(SecurityManager.java:888) at java.io.FileInputStream.<init>(FileInputStream.java:135) at java.io.FileInputStream.<init>(FileInputStream.java:101) at java.io.FileReader.<init>(FileReader.java:58) at org.jboss.shared.Utils.getUserListInternal(Utils.java:36) at org.jboss.shared.Utils.getUsersList(Utils.java:28) at org.jboss.test.App.run(App.java:35) at org.jboss.test.App.main(App.java:28) system classes app-lib.jar app.jar #Devoxx #jsm-reloaded @jckwart
Example: Read a file ● App [app.jar] → Utils [app-lib.jar]→ FileReader(“/etc/passwd”) Exception in thread "main" java.security.AccessControlException: access denied ("java.io.FilePermission" "/etc/passwd" "read") at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372) at java.security.AccessController.checkPermission(AccessController.java:559) at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) at java.lang.SecurityManager.checkRead(SecurityManager.java:888) at java.io.FileInputStream.<init>(FileInputStream.java:135) at java.io.FileInputStream.<init>(FileInputStream.java:101) at java.io.FileReader.<init>(FileReader.java:58) at org.jboss.shared.Utils.getUserListInternal(Utils.java:36) at org.jboss.shared.Utils.getUsersList(Utils.java:28) at org.jboss.test.App.run(App.java:35) at org.jboss.test.App.main(App.java:28) system classes app-lib.jar app.jar #Devoxx #jsm-reloaded @jckwart
JSM quickstart ● set java.security.manager system property – no value → default implementation – class name → custom SecurityManager implementation ● set java.security.policy system property – path to text file with permission mappings ● set java.security.debug system property (optional) #Devoxx #jsm-reloaded @jckwart
Example: Run Application with JSM enabled java -Djava.security.manager -Djava.security.policy=/opt/jEdit/jEdit.policy -Djava.security.debug=access:failure -jar /opt/jEdit/jedit.jar /etc/passwd #Devoxx #jsm-reloaded @jckwart
Protect your systems Use Java Security Manager! #Devoxx #jsm-reloaded @jckwart
However ... #Devoxx #jsm-reloaded @jckwart
JSM issues - #1 performance #Devoxx #jsm-reloaded @jckwart
JSM issues - #2 policy file tooling #Devoxx #jsm-reloaded @jckwart
JSM Reloaded pro-grade library Set of SecurityManager and Policy implementations. #Devoxx #jsm-reloaded @jckwart
pro-grade library ● Java Security Manager made easy(ier) ● authors – Ondřej Lukáš – Josef Cacek ● Apache License http://pro-grade.sourceforge.net/ #Devoxx #jsm-reloaded @jckwart
pro-grade components #1 policy with deny entries #2 policy file generator #3 missing permissions debugger #Devoxx #jsm-reloaded @jckwart
#1 pro-grade policy with deny rules ● “subtracting” permissions from the granted ones ● helps to decrease count of mapped permissions Policy Rules Of Granting And DEnying GRANT DENY #Devoxx #jsm-reloaded @jckwart
#1 pro-grade policy with deny rules ● “subtracting” permissions from the granted ones ● helps to decrease count of mapped permissions // grant full access to /tmp folder grant { permission java.io.FilePermission "/tmp/-", "read,write"; }; // deny write access to the static subfolder of /tmp deny { permission java.io.FilePermission "/tmp/static/-", "write"; }; #Devoxx #jsm-reloaded @jckwart
#2 pro-grade policy file generator ● policytool on (a)steroids ● No GUI is better than any GUI! ● doesn't throw the AccessControlException #Devoxx #jsm-reloaded @jckwart
#3 pro-grade permissions debugger ● prints info about missing permissions to error stream without stopping application >> Denied permission java.io.FilePermission "/etc/passwd", "read"; >>> CodeSource: (file:/tmp/app-lib.jar <no signer certificates>) #Devoxx #jsm-reloaded @jckwart
Demo Security policy for Java EE server in 3 minutes. #Devoxx #jsm-reloaded @jckwart
Use Java Security Manager! #Devoxx #jsm-reloaded @jckwart
Use Java Security Manager! #Devoxx #jsm-reloaded @jckwart
Use Java Security Manager! Make it easy with pro-grade #Devoxx #jsm-reloaded @jckwart
pro-grade fighting JSM issues ● performance → deny rules helps ● policy file tooling → generator – fully automated → debugger – quick check what's missing #Devoxx #jsm-reloaded @jckwart
Thank you. Questions? josef.cacek@gmail.com @jckwart http://javlog.cacek.cz http://pro-grade.sourceforge.net http://github.com/pro-grade/pro-grade #Devoxx #jsm-reloaded @jckwart
Credits public domain images – pixabay.com public domain drawings – openclipart.org #Devoxx #jsm-reloaded @jckwart

More Related Content

PPTX
Deep dive into Java security architecture
byPrabath Siriwardena
 
PDF
Safety LAMP: data security & agile languages
byPostgreSQL Experts, Inc.
 
PPTX
Security Architecture of the Java Platform (http://www.javaday.bg event - 14....
byMartin Toshev
 
PPTX
Java Secure Coding Practices
byOWASPKerala
 
PPTX
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)
byMartin Toshev
 
PDF
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
bynyccamp
 
PPTX
Oracle Database 12c Attack Vectors
byMartin Toshev
 
PDF
Java Security Manager Reloaded - jOpenSpace Lightning Talk
byJosef Cacek
 
Deep dive into Java security architecture
byPrabath Siriwardena
 
Safety LAMP: data security & agile languages
byPostgreSQL Experts, Inc.
 
Security Architecture of the Java Platform (http://www.javaday.bg event - 14....
byMartin Toshev
 
Java Secure Coding Practices
byOWASPKerala
 
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)
byMartin Toshev
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
bynyccamp
 
Oracle Database 12c Attack Vectors
byMartin Toshev
 
Java Security Manager Reloaded - jOpenSpace Lightning Talk
byJosef Cacek
 

What's hot

PDF
Hunting for Credentials Dumping in Windows Environment
byTeymur Kheirkhabarov
 
PDF
Dear Hacker: Infrastructure Security Reality Check
byPaula Januszkiewicz
 
PDF
Secure Search - Using Apache Sentry to Add Authentication and Authorization S...
byLucidworks
 
PDF
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...
byRootedCON
 
PDF
State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks
byLucidworks
 
PDF
A Threat Hunter Himself
bySergey Soldatov
 
PPTX
Securing Hadoop with OSSEC
byVic Hargrave
 
PDF
CQURE_BHAsia19_Paula_Januszkiewicz_slides
byZuzannaKornecka
 
PPTX
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
byPaula Januszkiewicz
 
PDF
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
byFedir RYKHTIK
 
PPTX
Security Аrchitecture of Тhe Java Platform
byMartin Toshev
 
PDF
Whatever it takes - Fixing SQLIA and XSS in the process
byguest3379bd
 
PDF
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
byOWASP Russia
 
PPTX
WordPress Security Fundamentals - WordCamp Biratnagar 2018
byAbul Khayer
 
ODP
Drupal Security Hardening
byGerald Villorente
 
PDF
Apache2 BootCamp : Restricting Access
byWildan Maulana
 
PPTX
Maven basics (Android & IntelliJ)
byHussain Mansoor
 
PDF
Drupal Security Basics for the DrupalJax January Meetup
byChris Hales
 
PPT
Securing Drupal 7: Do not get Hacked or Spammed to death!
byAdelle Frank
 
PDF
Hack Proof Your Drupal Site
byNaveen Valecha
 
Hunting for Credentials Dumping in Windows Environment
byTeymur Kheirkhabarov
 
Dear Hacker: Infrastructure Security Reality Check
byPaula Januszkiewicz
 
Secure Search - Using Apache Sentry to Add Authentication and Authorization S...
byLucidworks
 
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...
byRootedCON
 
State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks
byLucidworks
 
A Threat Hunter Himself
bySergey Soldatov
 
Securing Hadoop with OSSEC
byVic Hargrave
 
CQURE_BHAsia19_Paula_Januszkiewicz_slides
byZuzannaKornecka
 
Adventures in Underland: Is encryption solid as a rock or a handful of dust?
byPaula Januszkiewicz
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
byFedir RYKHTIK
 
Security Аrchitecture of Тhe Java Platform
byMartin Toshev
 
Whatever it takes - Fixing SQLIA and XSS in the process
byguest3379bd
 
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
byOWASP Russia
 
WordPress Security Fundamentals - WordCamp Biratnagar 2018
byAbul Khayer
 
Drupal Security Hardening
byGerald Villorente
 
Apache2 BootCamp : Restricting Access
byWildan Maulana
 
Maven basics (Android & IntelliJ)
byHussain Mansoor
 
Drupal Security Basics for the DrupalJax January Meetup
byChris Hales
 
Securing Drupal 7: Do not get Hacked or Spammed to death!
byAdelle Frank
 
Hack Proof Your Drupal Site
byNaveen Valecha
 

Viewers also liked

PDF
Spring Framework - Spring Security
byDzmitry Naskou
 
PDF
Spring Day | Identity Management with Spring Security | Dave Syer
byJAX London
 
PPSX
Election algorithms
byAnkush Kumar
 
PPTX
Java Security Framework's
byMohammed Fazuluddin
 
PPTX
Spring Security
byBoy Tech
 
PPT
Introduction to soft computing
byAnkush Kumar
 
PPTX
An Introduction to OAuth 2
byAaron Parecki
 
PPT
Java security
byAnkush Kumar
 
PDF
OAuth for your API - The Big Picture
byApigee | Google Cloud
 
PPT
Security via Java
byBahaa Zaid
 
PPTX
3. planning in situational calculas
byAnkush Kumar
 
PPTX
Spring Security
byManish Sharma
 
PPTX
Spring Security 3
byJason Ferguson
 
PPTX
Rest with Java EE 6 , Security , Backbone.js
byCarol McDonald
 
PDF
Java security in the real world (Ryan Sciampacone)
byChris Bailey
 
PPT
415212 415212
byAnkush Kumar
 
PDF
OAuth - Open API Authentication
byleahculver
 
PDF
The Present Future of OAuth
byMichael Bleigh
 
Spring Framework - Spring Security
byDzmitry Naskou
 
Spring Day | Identity Management with Spring Security | Dave Syer
byJAX London
 
Election algorithms
byAnkush Kumar
 
Java Security Framework's
byMohammed Fazuluddin
 
Spring Security
byBoy Tech
 
Introduction to soft computing
byAnkush Kumar
 
An Introduction to OAuth 2
byAaron Parecki
 
Java security
byAnkush Kumar
 
OAuth for your API - The Big Picture
byApigee | Google Cloud
 
Security via Java
byBahaa Zaid
 
3. planning in situational calculas
byAnkush Kumar
 
Spring Security
byManish Sharma
 
Spring Security 3
byJason Ferguson
 
Rest with Java EE 6 , Security , Backbone.js
byCarol McDonald
 
Java security in the real world (Ryan Sciampacone)
byChris Bailey
 
415212 415212
byAnkush Kumar
 
OAuth - Open API Authentication
byleahculver
 
The Present Future of OAuth
byMichael Bleigh
 

Similar to Java Security Manager Reloaded - Devoxx 2014

ODP
Tollas Ferenc - Java security
byveszpremimeetup
 
PPTX
Martin Toshev - Java Security Architecture - Codemotion Rome 2019
byCodemotion
 
PPTX
Javantura - Securing the JVM
byNicolas Fränkel
 
PDF
Javantura v4 - Security architecture of the Java platform - Martin Toshev
byHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
PPTX
Voxxed Days Athens - Securing the JVM - Neither for fun nor for profit, but d...
byNicolas Fränkel
 
PPTX
Code Europe PL - Securing the JVM: Neither for fun nor for profit, but do you...
byNicolas Fränkel
 
PPTX
From java to android a security analysis
byPragati Rai
 
Tollas Ferenc - Java security
byveszpremimeetup
 
Martin Toshev - Java Security Architecture - Codemotion Rome 2019
byCodemotion
 
Javantura - Securing the JVM
byNicolas Fränkel
 
Javantura v4 - Security architecture of the Java platform - Martin Toshev
byHUJAK - Hrvatska udruga Java korisnika / Croatian Java User Association
 
Voxxed Days Athens - Securing the JVM - Neither for fun nor for profit, but d...
byNicolas Fränkel
 
Code Europe PL - Securing the JVM: Neither for fun nor for profit, but do you...
byNicolas Fränkel
 
From java to android a security analysis
byPragati Rai
 

Recently uploaded

PDF
Software Development Company in India.pdf
byitswssoftware
 
PDF
AI Development Services: MVP to Production Guide
byShiv Technolabs Pvt. Ltd.
 
PDF
GOOGLE_VERTEX_AI web development 1.pdf
bydavidjohansen1597
 
PDF
apidays Paris 2025 - What If GraphQL Knew Accessibility.pdf
byapidays
 
PDF
Mastering ROS 2 for Robotics Programming.pdf
byssuser4e6c051
 
PPTX
Image to Text converts images into editable text - AI Image to Text
byAI Image to Text
 
PDF
DSD-INT 2025 Coupled modeling in Ribasim - Linking Water Availability and Qua...
byDeltares
 
PDF
Job Interview for Global Federal Government MD Panel Presentation
byafnupe09
 
PDF
apidays Paris 2025 | AI and APIs - Ensuring Platform Migration Reliability wi...
byapidays
 
PDF
Achieving App Stability through mobile performance testing
byAvekshaa Technologies
 
PDF
What Web Teams Need to Know About Building API-Powered Websites
byAlex Halsey
 
PPTX
Managing Multiple Projects from One ERP Dashboard - by biCanvas ERP
bybiCanvasERP
 
PDF
DSD-INT 2025 The National Hydrological Model of Denmark and its enhancements ...
byDeltares
 
PDF
End-to-End Web & Mobile App Development Roadmap for Modern Businesses.pdf
byNaestinn
 
PDF
Common CRM Implementation Mistakes & How to Avoid Them.pdf
byCRMLeaf
 
PDF
Best SaaS Growth Strategy for 2026: Referral Programs That Retain Better
byReferral Factory
 
PPTX
European Food Delivery Benchmarking – Wolt, Bolt Food, Foodora, TakeAway
byinfoactowizsolutions
 
PPT
Data Structure & Algorithm Lec- HeapSort.ppt
bypanhra1
 
PDF
erp software for trading business in india.pdf
byZipERP
 
PDF
Dues Collection Software Intelligent Revenue Management.pdf
byCollege Pro
 
Software Development Company in India.pdf
byitswssoftware
 
AI Development Services: MVP to Production Guide
byShiv Technolabs Pvt. Ltd.
 
GOOGLE_VERTEX_AI web development 1.pdf
bydavidjohansen1597
 
apidays Paris 2025 - What If GraphQL Knew Accessibility.pdf
byapidays
 
Mastering ROS 2 for Robotics Programming.pdf
byssuser4e6c051
 
Image to Text converts images into editable text - AI Image to Text
byAI Image to Text
 
DSD-INT 2025 Coupled modeling in Ribasim - Linking Water Availability and Qua...
byDeltares
 
Job Interview for Global Federal Government MD Panel Presentation
byafnupe09
 
apidays Paris 2025 | AI and APIs - Ensuring Platform Migration Reliability wi...
byapidays
 
Achieving App Stability through mobile performance testing
byAvekshaa Technologies
 
What Web Teams Need to Know About Building API-Powered Websites
byAlex Halsey
 
Managing Multiple Projects from One ERP Dashboard - by biCanvas ERP
bybiCanvasERP
 
DSD-INT 2025 The National Hydrological Model of Denmark and its enhancements ...
byDeltares
 
End-to-End Web & Mobile App Development Roadmap for Modern Businesses.pdf
byNaestinn
 
Common CRM Implementation Mistakes & How to Avoid Them.pdf
byCRMLeaf
 
Best SaaS Growth Strategy for 2026: Referral Programs That Retain Better
byReferral Factory
 
European Food Delivery Benchmarking – Wolt, Bolt Food, Foodora, TakeAway
byinfoactowizsolutions
 
Data Structure & Algorithm Lec- HeapSort.ppt
bypanhra1
 
erp software for trading business in india.pdf
byZipERP
 
Dues Collection Software Intelligent Revenue Management.pdf
byCollege Pro
 

Java Security Manager Reloaded - Devoxx 2014

  • 1.
    Java Security ManagerReloaded Josef Cacek Senior Quality Engineer Red Hat / JBoss #Devoxx #jsm-reloaded @jckwart
  • 2.
    Agenda ● JavaSecurity Manager – quickstart – issues ● Reloaded – there is an easier way – pro-grade library #Devoxx #jsm-reloaded @jckwart
  • 3.
    Do you run ? #Devoxx #jsm-reloaded @jckwart
  • 4.
    Do you run apps with Java Security Manager ? #Devoxx #jsm-reloaded @jckwart
  • 5.
    You should beaffraid You are treatened! #Devoxx #jsm-reloaded @jckwart
  • 6.
    Threats ● bugsin libraries – lazy programmers ● hidden features – evil programmers ● man-in-the-middle – The Hackers #Devoxx #jsm-reloaded @jckwart
  • 7.
    Java has asolution #Devoxx #jsm-reloaded @jckwart
  • 8.
    Java Security Manager(JSM) checks if the caller has permissions to run protected actions. #Devoxx #jsm-reloaded @jckwart
  • 9.
    Terminology Sensitive codecalls extends java.lang.SecurityManager Security Manager enforces Policy Permissions extends java.security.Policy extends java.security.Permission #Devoxx #jsm-reloaded @jckwart
  • 10.
    Example: Sensitive codecalling JSM SecurityManager sm = System.getSecurityManager(); if (sm != null) sm.checkPermission( new org.jboss.SimplePermission("getCache")); #Devoxx #jsm-reloaded @jckwart
  • 11.
    Example: Sensitive codecalling JSM AccessControl SecurityManager sm = System.getSecurityManager(); if (sm != null) sm.checkPermission( Exception new org.jboss.SimplePermission("getCache")); #Devoxx #jsm-reloaded @jckwart
  • 12.
    Policy ● keepswhich protected actions are allowed – No action by default ● defined in policy file ● grant entries assigns Permissions to – code path [codeBase] – signed classes [signedBy] – authenticated user [principal] #Devoxx #jsm-reloaded @jckwart
  • 13.
    Example: Policy file keystore "/opt/redhat.keystore"; grant { permission java.io.FilePermission "/tmp/-", "read,write"; }; grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" { permission java.lang.RuntimePermission "getStackTrace"; permission java.util.PropertyPermission "*", "read,write"; }; grant signedBy "jboss" { permission java.security.AllPermission; }; #Devoxx #jsm-reloaded @jckwart
  • 14.
    Example: Policy file keystore "/opt/redhat.keystore"; grant { permission java.io.FilePermission "/tmp/-", "read,write"; }; grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" { permission java.lang.RuntimePermission "getStackTrace"; permission java.util.PropertyPermission "*", "read,write"; }; grant signedBy "jboss" { permission java.security.AllPermission; }; #Devoxx #jsm-reloaded @jckwart
  • 15.
    Example: Policy file keystore "/opt/redhat.keystore"; grant { permission java.io.FilePermission "/tmp/-", "read,write"; }; grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" { permission java.lang.RuntimePermission "getStackTrace"; permission java.util.PropertyPermission "*", "read,write"; }; grant signedBy "jboss" { permission java.security.AllPermission; }; #Devoxx #jsm-reloaded @jckwart
  • 16.
    Example: Policy file keystore "/opt/redhat.keystore"; grant { permission java.io.FilePermission "/tmp/-", "read,write"; }; grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" { permission java.lang.RuntimePermission "getStackTrace"; permission java.util.PropertyPermission "*", "read,write"; }; grant signedBy "jboss" { permission java.security.AllPermission; }; #Devoxx #jsm-reloaded @jckwart
  • 17.
    Permission ● representsaccess right to a protected action ● has a type and target ● may have actions ● java.lang.AllPermission – unrestricted access to all resources – automatically granted to system classes #Devoxx #jsm-reloaded @jckwart
  • 18.
    Example: Read afile ● App [app.jar] → Utils [app-lib.jar]→ FileReader(“/etc/passwd”) #Devoxx #jsm-reloaded @jckwart
  • 19.
    Example: Read afile ● App [app.jar] → Utils [app-lib.jar]→ FileReader(“/etc/passwd”) Exception in thread "main" java.security.AccessControlException: access denied ("java.io.FilePermission" "/etc/passwd" "read") at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372) at java.security.AccessController.checkPermission(AccessController.java:559) at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) at java.lang.SecurityManager.checkRead(SecurityManager.java:888) at java.io.FileInputStream.<init>(FileInputStream.java:135) at java.io.FileInputStream.<init>(FileInputStream.java:101) at java.io.FileReader.<init>(FileReader.java:58) at org.jboss.shared.Utils.getUserListInternal(Utils.java:36) at org.jboss.shared.Utils.getUsersList(Utils.java:28) at org.jboss.test.App.run(App.java:35) at org.jboss.test.App.main(App.java:28) system classes app-lib.jar app.jar #Devoxx #jsm-reloaded @jckwart
  • 20.
    Example: Read afile ● App [app.jar] → Utils [app-lib.jar]→ FileReader(“/etc/passwd”) Exception in thread "main" java.security.AccessControlException: access denied ("java.io.FilePermission" "/etc/passwd" "read") at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372) at java.security.AccessController.checkPermission(AccessController.java:559) at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) at java.lang.SecurityManager.checkRead(SecurityManager.java:888) at java.io.FileInputStream.<init>(FileInputStream.java:135) at java.io.FileInputStream.<init>(FileInputStream.java:101) at java.io.FileReader.<init>(FileReader.java:58) at org.jboss.shared.Utils.getUserListInternal(Utils.java:36) at org.jboss.shared.Utils.getUsersList(Utils.java:28) at org.jboss.test.App.run(App.java:35) at org.jboss.test.App.main(App.java:28) system classes app-lib.jar app.jar #Devoxx #jsm-reloaded @jckwart
  • 21.
    Example: Read afile ● App [app.jar] → Utils [app-lib.jar]→ FileReader(“/etc/passwd”) Exception in thread "main" java.security.AccessControlException: access denied ("java.io.FilePermission" "/etc/passwd" "read") at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372) at java.security.AccessController.checkPermission(AccessController.java:559) at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) at java.lang.SecurityManager.checkRead(SecurityManager.java:888) at java.io.FileInputStream.<init>(FileInputStream.java:135) at java.io.FileInputStream.<init>(FileInputStream.java:101) at java.io.FileReader.<init>(FileReader.java:58) at org.jboss.shared.Utils.getUserListInternal(Utils.java:36) at org.jboss.shared.Utils.getUsersList(Utils.java:28) at org.jboss.test.App.run(App.java:35) at org.jboss.test.App.main(App.java:28) system classes app-lib.jar app.jar #Devoxx #jsm-reloaded @jckwart
  • 22.
    Example: Read afile ● App [app.jar] → Utils [app-lib.jar]→ FileReader(“/etc/passwd”) Exception in thread "main" java.security.AccessControlException: access denied ("java.io.FilePermission" "/etc/passwd" "read") at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372) at java.security.AccessController.checkPermission(AccessController.java:559) at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) at java.lang.SecurityManager.checkRead(SecurityManager.java:888) at java.io.FileInputStream.<init>(FileInputStream.java:135) at java.io.FileInputStream.<init>(FileInputStream.java:101) at java.io.FileReader.<init>(FileReader.java:58) at org.jboss.shared.Utils.getUserListInternal(Utils.java:36) at org.jboss.shared.Utils.getUsersList(Utils.java:28) at org.jboss.test.App.run(App.java:35) at org.jboss.test.App.main(App.java:28) system classes app-lib.jar app.jar #Devoxx #jsm-reloaded @jckwart
  • 23.
    JSM quickstart ●set java.security.manager system property – no value → default implementation – class name → custom SecurityManager implementation ● set java.security.policy system property – path to text file with permission mappings ● set java.security.debug system property (optional) #Devoxx #jsm-reloaded @jckwart
  • 24.
    Example: Run Applicationwith JSM enabled java -Djava.security.manager -Djava.security.policy=/opt/jEdit/jEdit.policy -Djava.security.debug=access:failure -jar /opt/jEdit/jedit.jar /etc/passwd #Devoxx #jsm-reloaded @jckwart
  • 25.
    Protect your systems Use Java Security Manager! #Devoxx #jsm-reloaded @jckwart
  • 26.
    However ... #Devoxx#jsm-reloaded @jckwart
  • 27.
    JSM issues -#1 performance #Devoxx #jsm-reloaded @jckwart
  • 28.
    JSM issues -#2 policy file tooling #Devoxx #jsm-reloaded @jckwart
  • 29.
    JSM Reloaded pro-gradelibrary Set of SecurityManager and Policy implementations. #Devoxx #jsm-reloaded @jckwart
  • 30.
    pro-grade library ●Java Security Manager made easy(ier) ● authors – Ondřej Lukáš – Josef Cacek ● Apache License http://pro-grade.sourceforge.net/ #Devoxx #jsm-reloaded @jckwart
  • 31.
    pro-grade components #1policy with deny entries #2 policy file generator #3 missing permissions debugger #Devoxx #jsm-reloaded @jckwart
  • 32.
    #1 pro-grade policywith deny rules ● “subtracting” permissions from the granted ones ● helps to decrease count of mapped permissions Policy Rules Of Granting And DEnying GRANT DENY #Devoxx #jsm-reloaded @jckwart
  • 33.
    #1 pro-grade policywith deny rules ● “subtracting” permissions from the granted ones ● helps to decrease count of mapped permissions // grant full access to /tmp folder grant { permission java.io.FilePermission "/tmp/-", "read,write"; }; // deny write access to the static subfolder of /tmp deny { permission java.io.FilePermission "/tmp/static/-", "write"; }; #Devoxx #jsm-reloaded @jckwart
  • 34.
    #2 pro-grade policyfile generator ● policytool on (a)steroids ● No GUI is better than any GUI! ● doesn't throw the AccessControlException #Devoxx #jsm-reloaded @jckwart
  • 35.
    #3 pro-grade permissionsdebugger ● prints info about missing permissions to error stream without stopping application >> Denied permission java.io.FilePermission "/etc/passwd", "read"; >>> CodeSource: (file:/tmp/app-lib.jar <no signer certificates>) #Devoxx #jsm-reloaded @jckwart
  • 36.
    Demo Security policyfor Java EE server in 3 minutes. #Devoxx #jsm-reloaded @jckwart
  • 37.
    Use Java SecurityManager! #Devoxx #jsm-reloaded @jckwart
  • 38.
    Use Java SecurityManager! #Devoxx #jsm-reloaded @jckwart
  • 39.
    Use Java SecurityManager! Make it easy with pro-grade #Devoxx #jsm-reloaded @jckwart
  • 40.
    pro-grade fighting JSMissues ● performance → deny rules helps ● policy file tooling → generator – fully automated → debugger – quick check what's missing #Devoxx #jsm-reloaded @jckwart
  • 41.
    Thank you. Questions? josef.cacek@gmail.com @jckwart http://javlog.cacek.cz http://pro-grade.sourceforge.net http://github.com/pro-grade/pro-grade #Devoxx #jsm-reloaded @jckwart
  • 42.
    Credits public domainimages – pixabay.com public domain drawings – openclipart.org #Devoxx #jsm-reloaded @jckwart