SlideShare a Scribd company logo

Java Security Manager Reloaded - jOpenSpace Lightning Talk

Josef Cacek
Josef Cacek

How to protect your systems with Java Security Manager and How to make it simple with pro-grade library

Software
1 of 39
Download to read offline
Java Security Manager Reloaded Josef Cacek Senior Quality Engineer Red Hat / JBoss
Agenda 2 ● Java Security Manager – quickstart – issues ● Reloaded – there is an easier way – pro-grade library
3 Do you run ?
4 Do you run Java Applications ?
YYoouu sshhoouulldd bbee aaffffrraaiidd YYoouu aarree ttrreeaatteenneedd!!
Threats 6 ● bugs in libraries – lazy programmers ● hidden features – evil programmers ● man-in-the-middle – The Hackers
JJaavvaa hhaass aa ssoolluuttiioonn
8 Java Security Manager (JSM) checks if the caller has permissions to run protected actions.
Terminology Sensitive code calls extends java.lang.SecurityManager 9 Security Manager enforces Policy Permissions extends java.security.Policy extends java.security.Permission
Example: Sensitive code calling JSM 10 SecurityManager sm = System.getSecurityManager(); if (sm != null) sm.checkPermission( new org.jboss.SimplePermission("getCache"));
Example: Sensitive code calling JSM 11 SecurityManager sm = System.getSecurityManager(); if (sm != null) sm.checkPermission( new org.jboss.SimplePermission("getCache"));
Policy ● keeps which protected actions are allowed 12 – No action by default ● defined in policy file ● grant entries assigns Permissions to – code path [codeBase] – signed classes [signedBy] – authenticated user [principal]
Example: Policy file keystore "/opt/redhat.keystore"; grant { 13 permission java.io.FilePermission "/tmp/-", "read,write"; }; grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" { permission java.lang.RuntimePermission "getStackTrace"; permission java.util.PropertyPermission "*", "read,write"; }; grant signedBy "jboss" { permission java.security.AllPermission; };
Example: Policy file keystore "/opt/redhat.keystore"; grant { 14 permission java.io.FilePermission "/tmp/-", "read,write"; }; grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" { permission java.lang.RuntimePermission "getStackTrace"; permission java.util.PropertyPermission "*", "read,write"; }; grant signedBy "jboss" { permission java.security.AllPermission; };
Example: Policy file keystore "/opt/redhat.keystore"; grant { 15 permission java.io.FilePermission "/tmp/-", "read,write"; }; grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" { permission java.lang.RuntimePermission "getStackTrace"; permission java.util.PropertyPermission "*", "read,write"; }; grant signedBy "jboss" { permission java.security.AllPermission; };
Example: Policy file keystore "/opt/redhat.keystore"; grant { 16 permission java.io.FilePermission "/tmp/-", "read,write"; }; grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" { permission java.lang.RuntimePermission "getStackTrace"; permission java.util.PropertyPermission "*", "read,write"; }; grant signedBy "jboss" { permission java.security.AllPermission; };
Permission ● represents access right to a protected action ● has a type and target ● may have actions ● java.lang.AllPermission 17 – unrestricted access to all resources – automatically granted to system classes
Example: Read a file ● App [app.jar] → Utils [app-lib.jar]→ FileReader(“/etc/passwd”) 18
Example: Read a file ● App [app.jar] → Utils [app-lib.jar]→ FileReader(“/etc/passwd”) 19
JSM quickstart ● set java.security.manager system property 20 – no value → default implementation – class name → custom SecurityManager implementation ● set java.security.policy system property – path to text file with permission mappings ● set java.security.debug system property (optional)
Example: Run Application with JSM enabled 21 java -Djava.security.manager -Djava.security.policy=/opt/jEdit/jEdit.policy -Djava.security.debug=access:failure -jar /opt/jEdit/jedit.jar /etc/passwd
22 Protect your systems Use Java Security Manager!
23 However ...
JSM issues - #1 performance 24
JSM issues - #2 policy file tooling 25
26 JSM Reloaded pro-grade library Set of SecurityManager and Policy implementations.
pro-grade library ● Java Security Manager made easy(ier) ● authors 27 – Ondřej Lukáš – Josef Cacek ● Apache License http://pro-grade.sourceforge.net/
pro-grade components #1 policy with deny entries #2 policy file generator #3 missing permissions debugger 28
#1 pro-grade policy with deny rules ● “subtracting” permissions from the granted ones ● helps to decrease count of mapped permissions 29 Policy Rules Of Granting And DEnying
#1 pro-grade policy with deny rules ● “subtracting” permissions from the granted ones ● helps to decrease count of mapped permissions // grant full access to /tmp folder grant { 30 permission java.io.FilePermission "/tmp/-", "read,write"; }; // deny write access to the static subfolder of /tmp deny { permission java.io.FilePermission "/tmp/static/-", "write"; };
#2 pro-grade policy file generator ● policytool on (a)steroids ● No GUI is better than any GUI! ● doesn't throw the AccessControlException 31
#3 pro-grade permissions debugger ● lightweigh alternative to java.security.debug ● info about missing permissions to error stream ● doesn't throw the AccessControlException >> Denied permission java.io.FilePermission "/etc/passwd", "read"; >>> CodeSource: (file:/tmp/app-lib.jar <no signer certificates>) 32
It's demo time! Security policy for Java EE server in 3 minutes.
34 Use Java Security Manager!
35 Use Java Security Manager!
36 Use Java Security Manager! Make it easy with pro-grade
pro-grade fighting JSM issues ● performance → deny rules helps ● policy file tooling → generator – fully automated → debugger – quick check what's missing 37
38 Josef Cacek @jckwart josef.cacek@gmail.com http://javlog.cacek.cz http://pro-grade.sourceforge.net http://github.com/pro-grade/pro-grade http://docs.oracle.com/javase/8/docs/technotes/guides/security/ Q & A
Credits ● public domain images 39 – pixabay.com ● public domain drawings – openclipart.org No pony was hurt in the preparation of this presentation.

Recommended

Java Security Manager Reloaded - Devoxx 2014
Java Security Manager Reloaded - Devoxx 2014Java Security Manager Reloaded - Devoxx 2014
Java Security Manager Reloaded - Devoxx 2014Josef Cacek
 
Deep dive into Java security architecture
Deep dive into Java security architectureDeep dive into Java security architecture
Deep dive into Java security architecturePrabath Siriwardena
 
Java Secure Coding Practices
Java Secure Coding PracticesJava Secure Coding Practices
Java Secure Coding PracticesOWASPKerala
 
Security Architecture of the Java Platform (http://www.javaday.bg event - 14....
Security Architecture of the Java Platform (http://www.javaday.bg event - 14....Security Architecture of the Java Platform (http://www.javaday.bg event - 14....
Security Architecture of the Java Platform (http://www.javaday.bg event - 14....Martin Toshev
 
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)Martin Toshev
 
Oracle Database 12c Attack Vectors
Oracle Database 12c Attack VectorsOracle Database 12c Attack Vectors
Oracle Database 12c Attack VectorsMartin Toshev
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)nyccamp
 
Safety LAMP: data security & agile languages
Safety LAMP: data security & agile languagesSafety LAMP: data security & agile languages
Safety LAMP: data security & agile languagesPostgreSQL Experts, Inc.
 

Recommended

Java Security Manager Reloaded - Devoxx 2014
Java Security Manager Reloaded - Devoxx 2014Java Security Manager Reloaded - Devoxx 2014
Java Security Manager Reloaded - Devoxx 2014Josef Cacek
 
Deep dive into Java security architecture
Deep dive into Java security architectureDeep dive into Java security architecture
Deep dive into Java security architecturePrabath Siriwardena
 
Java Secure Coding Practices
Java Secure Coding PracticesJava Secure Coding Practices
Java Secure Coding PracticesOWASPKerala
 
Security Architecture of the Java Platform (http://www.javaday.bg event - 14....
Security Architecture of the Java Platform (http://www.javaday.bg event - 14....Security Architecture of the Java Platform (http://www.javaday.bg event - 14....
Security Architecture of the Java Platform (http://www.javaday.bg event - 14....Martin Toshev
 
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)Martin Toshev
 
Oracle Database 12c Attack Vectors
Oracle Database 12c Attack VectorsOracle Database 12c Attack Vectors
Oracle Database 12c Attack VectorsMartin Toshev
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)nyccamp
 
Safety LAMP: data security & agile languages
Safety LAMP: data security & agile languagesSafety LAMP: data security & agile languages
Safety LAMP: data security & agile languagesPostgreSQL Experts, Inc.
 
Hack Proof Your Drupal Site
Hack Proof Your Drupal SiteHack Proof Your Drupal Site
Hack Proof Your Drupal SiteNaveen Valecha
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...Fedir RYKHTIK
 
State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks
State of Solr Security 2016: Presented by Ishan Chattopadhyaya, LucidworksState of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks
State of Solr Security 2016: Presented by Ishan Chattopadhyaya, LucidworksLucidworks
 
WordPress Security Fundamentals - WordCamp Biratnagar 2018
WordPress Security Fundamentals - WordCamp Biratnagar 2018WordPress Security Fundamentals - WordCamp Biratnagar 2018
WordPress Security Fundamentals - WordCamp Biratnagar 2018Abul Khayer
 
Apache2 BootCamp : Restricting Access
Apache2 BootCamp : Restricting AccessApache2 BootCamp : Restricting Access
Apache2 BootCamp : Restricting AccessWildan Maulana
 
Security Аrchitecture of Тhe Java Platform
Security Аrchitecture of Тhe Java PlatformSecurity Аrchitecture of Тhe Java Platform
Security Аrchitecture of Тhe Java PlatformMartin Toshev
 
Securing Hadoop with OSSEC
Securing Hadoop with OSSECSecuring Hadoop with OSSEC
Securing Hadoop with OSSECVic Hargrave
 
Maven basics (Android & IntelliJ)
Maven basics (Android & IntelliJ)Maven basics (Android & IntelliJ)
Maven basics (Android & IntelliJ)Hussain Mansoor
 
CQURE_BHAsia19_Paula_Januszkiewicz_slides
CQURE_BHAsia19_Paula_Januszkiewicz_slidesCQURE_BHAsia19_Paula_Januszkiewicz_slides
CQURE_BHAsia19_Paula_Januszkiewicz_slidesZuzannaKornecka
 
Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Adelle Frank
 
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...OWASP Russia
 
Drupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupDrupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupChris Hales
 
Secure Search - Using Apache Sentry to Add Authentication and Authorization S...
Secure Search - Using Apache Sentry to Add Authentication and Authorization S...Secure Search - Using Apache Sentry to Add Authentication and Authorization S...
Secure Search - Using Apache Sentry to Add Authentication and Authorization S...Lucidworks
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processguest3379bd
 
Drupal and Security: What You Need to Know
Drupal and Security: What You Need to KnowDrupal and Security: What You Need to Know
Drupal and Security: What You Need to KnowAcquia
 
A Drush Primer - DrupalCamp Chattanooga 2013
A Drush Primer - DrupalCamp Chattanooga 2013A Drush Primer - DrupalCamp Chattanooga 2013
A Drush Primer - DrupalCamp Chattanooga 2013Chris Hales
 
Achieving Pci Compliace
Achieving Pci CompliaceAchieving Pci Compliace
Achieving Pci CompliaceDenish Patel
 
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...RootedCON
 
Php web app security (eng)
Php web app security (eng)Php web app security (eng)
Php web app security (eng)Anatoliy Okhotnikov
 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security HardeningGerald Villorente
 
Java security
Java securityJava security
Java securityAnkush Kumar
 
Remote Notifications
Remote NotificationsRemote Notifications
Remote NotificationsJosef Cacek
 

More Related Content

What's hot

Hack Proof Your Drupal Site
Hack Proof Your Drupal SiteHack Proof Your Drupal Site
Hack Proof Your Drupal SiteNaveen Valecha
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...Fedir RYKHTIK
 
State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks
State of Solr Security 2016: Presented by Ishan Chattopadhyaya, LucidworksState of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks
State of Solr Security 2016: Presented by Ishan Chattopadhyaya, LucidworksLucidworks
 
WordPress Security Fundamentals - WordCamp Biratnagar 2018
WordPress Security Fundamentals - WordCamp Biratnagar 2018WordPress Security Fundamentals - WordCamp Biratnagar 2018
WordPress Security Fundamentals - WordCamp Biratnagar 2018Abul Khayer
 
Apache2 BootCamp : Restricting Access
Apache2 BootCamp : Restricting AccessApache2 BootCamp : Restricting Access
Apache2 BootCamp : Restricting AccessWildan Maulana
 
Security Аrchitecture of Тhe Java Platform
Security Аrchitecture of Тhe Java PlatformSecurity Аrchitecture of Тhe Java Platform
Security Аrchitecture of Тhe Java PlatformMartin Toshev
 
Securing Hadoop with OSSEC
Securing Hadoop with OSSECSecuring Hadoop with OSSEC
Securing Hadoop with OSSECVic Hargrave
 
Maven basics (Android & IntelliJ)
Maven basics (Android & IntelliJ)Maven basics (Android & IntelliJ)
Maven basics (Android & IntelliJ)Hussain Mansoor
 
CQURE_BHAsia19_Paula_Januszkiewicz_slides
CQURE_BHAsia19_Paula_Januszkiewicz_slidesCQURE_BHAsia19_Paula_Januszkiewicz_slides
CQURE_BHAsia19_Paula_Januszkiewicz_slidesZuzannaKornecka
 
Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Adelle Frank
 
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...OWASP Russia
 
Drupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupDrupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupChris Hales
 
Secure Search - Using Apache Sentry to Add Authentication and Authorization S...
Secure Search - Using Apache Sentry to Add Authentication and Authorization S...Secure Search - Using Apache Sentry to Add Authentication and Authorization S...
Secure Search - Using Apache Sentry to Add Authentication and Authorization S...Lucidworks
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processguest3379bd
 
Drupal and Security: What You Need to Know
Drupal and Security: What You Need to KnowDrupal and Security: What You Need to Know
Drupal and Security: What You Need to KnowAcquia
 
A Drush Primer - DrupalCamp Chattanooga 2013
A Drush Primer - DrupalCamp Chattanooga 2013A Drush Primer - DrupalCamp Chattanooga 2013
A Drush Primer - DrupalCamp Chattanooga 2013Chris Hales
 
Achieving Pci Compliace
Achieving Pci CompliaceAchieving Pci Compliace
Achieving Pci CompliaceDenish Patel
 
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...RootedCON
 

What's hot (20)

Hack Proof Your Drupal Site
Hack Proof Your Drupal SiteHack Proof Your Drupal Site
Hack Proof Your Drupal Site
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 
State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks
State of Solr Security 2016: Presented by Ishan Chattopadhyaya, LucidworksState of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks
State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks
 
WordPress Security Fundamentals - WordCamp Biratnagar 2018
WordPress Security Fundamentals - WordCamp Biratnagar 2018WordPress Security Fundamentals - WordCamp Biratnagar 2018
WordPress Security Fundamentals - WordCamp Biratnagar 2018
 
Apache2 BootCamp : Restricting Access
Apache2 BootCamp : Restricting AccessApache2 BootCamp : Restricting Access
Apache2 BootCamp : Restricting Access
 
Security Аrchitecture of Тhe Java Platform
Security Аrchitecture of Тhe Java PlatformSecurity Аrchitecture of Тhe Java Platform
Security Аrchitecture of Тhe Java Platform
 
Securing Hadoop with OSSEC
Securing Hadoop with OSSECSecuring Hadoop with OSSEC
Securing Hadoop with OSSEC
 
Maven basics (Android & IntelliJ)
Maven basics (Android & IntelliJ)Maven basics (Android & IntelliJ)
Maven basics (Android & IntelliJ)
 
CQURE_BHAsia19_Paula_Januszkiewicz_slides
CQURE_BHAsia19_Paula_Januszkiewicz_slidesCQURE_BHAsia19_Paula_Januszkiewicz_slides
CQURE_BHAsia19_Paula_Januszkiewicz_slides
 
Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!
 
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
[1.2] Трюки при анализе защищенности веб приложений – продвинутая версия - С...
 
Drupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January MeetupDrupal Security Basics for the DrupalJax January Meetup
Drupal Security Basics for the DrupalJax January Meetup
 
Secure Search - Using Apache Sentry to Add Authentication and Authorization S...
Secure Search - Using Apache Sentry to Add Authentication and Authorization S...Secure Search - Using Apache Sentry to Add Authentication and Authorization S...
Secure Search - Using Apache Sentry to Add Authentication and Authorization S...
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
Drupal and Security: What You Need to Know
Drupal and Security: What You Need to KnowDrupal and Security: What You Need to Know
Drupal and Security: What You Need to Know
 
A Drush Primer - DrupalCamp Chattanooga 2013
A Drush Primer - DrupalCamp Chattanooga 2013A Drush Primer - DrupalCamp Chattanooga 2013
A Drush Primer - DrupalCamp Chattanooga 2013
 
Achieving Pci Compliace
Achieving Pci CompliaceAchieving Pci Compliace
Achieving Pci Compliace
 
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...
Daniel Kachakil - Android's Download Provider: Discovering and exploiting thr...
 
Php web app security (eng)
Php web app security (eng)Php web app security (eng)
Php web app security (eng)
 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security Hardening
 

Viewers also liked

Remote Notifications
Remote NotificationsRemote Notifications
Remote NotificationsJosef Cacek
 
JBoss Negotiation in AS7
JBoss Negotiation in AS7JBoss Negotiation in AS7
JBoss Negotiation in AS7Josef Cacek
 
3. planning in situational calculas
3. planning in situational calculas3. planning in situational calculas
3. planning in situational calculasAnkush Kumar
 
Security Architecture of the Java platform
Security Architecture of the Java platformSecurity Architecture of the Java platform
Security Architecture of the Java platformMartin Toshev
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
CIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIsCIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIsCloudIDSummit
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Security via Java
Security via JavaSecurity via Java
Security via JavaBahaa Zaid
 
Election algorithms
Election algorithmsElection algorithms
Election algorithmsAnkush Kumar
 
Introduction to soft computing
Introduction to soft computingIntroduction to soft computing
Introduction to soft computingAnkush Kumar
 

Viewers also liked (14)

Java security
Java securityJava security
Java security
 
Remote Notifications
Remote NotificationsRemote Notifications
Remote Notifications
 
JBoss Negotiation in AS7
JBoss Negotiation in AS7JBoss Negotiation in AS7
JBoss Negotiation in AS7
 
Jar signing
Jar signingJar signing
Jar signing
 
3. planning in situational calculas
3. planning in situational calculas3. planning in situational calculas
3. planning in situational calculas
 
415212 415212
415212 415212415212 415212
415212 415212
 
Security Architecture of the Java platform
Security Architecture of the Java platformSecurity Architecture of the Java platform
Security Architecture of the Java platform
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
CIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIsCIS14: Best Practices You Must Apply to Secure Your APIs
CIS14: Best Practices You Must Apply to Secure Your APIs
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Javantura v4 - Security architecture of the Java platform - Martin Toshev
Javantura v4 - Security architecture of the Java platform - Martin ToshevJavantura v4 - Security architecture of the Java platform - Martin Toshev
Javantura v4 - Security architecture of the Java platform - Martin Toshev
 
Security via Java
Security via JavaSecurity via Java
Security via Java
 
Election algorithms
Election algorithmsElection algorithms
Election algorithms
 
Introduction to soft computing
Introduction to soft computingIntroduction to soft computing
Introduction to soft computing
 

Similar to Java Security Manager Reloaded - jOpenSpace Lightning Talk

Granular Protections Management with Triggers
Granular Protections Management with TriggersGranular Protections Management with Triggers
Granular Protections Management with TriggersPerforce
 
Role based access control
Role based access controlRole based access control
Role based access controlPeter Edwards
 
Tollas Ferenc - Java security
Tollas Ferenc - Java securityTollas Ferenc - Java security
Tollas Ferenc - Java securityveszpremimeetup
 
4.5 manage file permissions and ownership v3
4.5 manage file permissions and ownership v34.5 manage file permissions and ownership v3
4.5 manage file permissions and ownership v3Acácio Oliveira
 
Practical security In a modular world
Practical security In a modular worldPractical security In a modular world
Practical security In a modular worldMartin Toshev
 
Linux privilege escalation
Linux privilege escalationLinux privilege escalation
Linux privilege escalationSongchaiDuangpan
 
101 4.5 manage file permissions and ownership v3
101 4.5 manage file permissions and ownership v3101 4.5 manage file permissions and ownership v3
101 4.5 manage file permissions and ownership v3Acácio Oliveira
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformAll Things Open
 
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes ClusterKubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes Clustersmalltown
 
Using filesystem capabilities with rsync
Using filesystem capabilities with rsyncUsing filesystem capabilities with rsync
Using filesystem capabilities with rsyncHazel Smith
 
Pluggable authentication modules
Pluggable authentication modulesPluggable authentication modules
Pluggable authentication modulesYahia Kandeel
 
Chapter three Java_security.ppt
Chapter three Java_security.pptChapter three Java_security.ppt
Chapter three Java_security.pptHaymanotTadese
 
Introduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release updateIntroduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release updateAlex Pop
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleNCC Group
 
2015 09-18-jug summer camp
2015 09-18-jug summer camp2015 09-18-jug summer camp
2015 09-18-jug summer campSebastien Gioria
 
42 minutes to secure your code....
42 minutes to secure your code....42 minutes to secure your code....
42 minutes to secure your code....Sebastien Gioria
 
StorageQuery: federated querying on object stores, powered by Alluxio and Presto
StorageQuery: federated querying on object stores, powered by Alluxio and PrestoStorageQuery: federated querying on object stores, powered by Alluxio and Presto
StorageQuery: federated querying on object stores, powered by Alluxio and PrestoAlluxio, Inc.
 
CRESTCon Asia 2018 - Config Password Encryption Gone Wrong
CRESTCon Asia 2018 - Config Password Encryption Gone WrongCRESTCon Asia 2018 - Config Password Encryption Gone Wrong
CRESTCon Asia 2018 - Config Password Encryption Gone WrongKeith Lee
 

Similar to Java Security Manager Reloaded - jOpenSpace Lightning Talk (20)

Granular Protections Management with Triggers
Granular Protections Management with TriggersGranular Protections Management with Triggers
Granular Protections Management with Triggers
 
Role based access control
Role based access controlRole based access control
Role based access control
 
Tollas Ferenc - Java security
Tollas Ferenc - Java securityTollas Ferenc - Java security
Tollas Ferenc - Java security
 
4.5 manage file permissions and ownership v3
4.5 manage file permissions and ownership v34.5 manage file permissions and ownership v3
4.5 manage file permissions and ownership v3
 
Download It
Download ItDownload It
Download It
 
Practical security In a modular world
Practical security In a modular worldPractical security In a modular world
Practical security In a modular world
 
Linux privilege escalation
Linux privilege escalationLinux privilege escalation
Linux privilege escalation
 
101 4.5 manage file permissions and ownership v3
101 4.5 manage file permissions and ownership v3101 4.5 manage file permissions and ownership v3
101 4.5 manage file permissions and ownership v3
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
 
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes ClusterKubernetes Summit 2019 - Harden Your Kubernetes Cluster
Kubernetes Summit 2019 - Harden Your Kubernetes Cluster
 
006.itsecurity bcp v1
006.itsecurity bcp v1006.itsecurity bcp v1
006.itsecurity bcp v1
 
Using filesystem capabilities with rsync
Using filesystem capabilities with rsyncUsing filesystem capabilities with rsync
Using filesystem capabilities with rsync
 
Pluggable authentication modules
Pluggable authentication modulesPluggable authentication modules
Pluggable authentication modules
 
Chapter three Java_security.ppt
Chapter three Java_security.pptChapter three Java_security.ppt
Chapter three Java_security.ppt
 
Introduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release updateIntroduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release update
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By Example
 
2015 09-18-jug summer camp
2015 09-18-jug summer camp2015 09-18-jug summer camp
2015 09-18-jug summer camp
 
42 minutes to secure your code....
42 minutes to secure your code....42 minutes to secure your code....
42 minutes to secure your code....
 
StorageQuery: federated querying on object stores, powered by Alluxio and Presto
StorageQuery: federated querying on object stores, powered by Alluxio and PrestoStorageQuery: federated querying on object stores, powered by Alluxio and Presto
StorageQuery: federated querying on object stores, powered by Alluxio and Presto
 
CRESTCon Asia 2018 - Config Password Encryption Gone Wrong
CRESTCon Asia 2018 - Config Password Encryption Gone WrongCRESTCon Asia 2018 - Config Password Encryption Gone Wrong
CRESTCon Asia 2018 - Config Password Encryption Gone Wrong
 

Recently uploaded

WSO2Con2024 - Facilitating Broadband Switching Services for UK Telecoms Provi...
WSO2Con2024 - Facilitating Broadband Switching Services for UK Telecoms Provi...WSO2Con2024 - Facilitating Broadband Switching Services for UK Telecoms Provi...
WSO2Con2024 - Facilitating Broadband Switching Services for UK Telecoms Provi...WSO2
 
WSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AIWSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AIWSO2
 
WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024VictoriaMetrics
 
WSO2CON 2024 - Architecting AI in the Enterprise: APIs and Applications
WSO2CON 2024 - Architecting AI in the Enterprise: APIs and ApplicationsWSO2CON 2024 - Architecting AI in the Enterprise: APIs and Applications
WSO2CON 2024 - Architecting AI in the Enterprise: APIs and ApplicationsWSO2
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Bert Jan Schrijver
 
WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation
WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & InnovationWSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation
WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & InnovationWSO2
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationJuha-Pekka Tolvanen
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfonteinmasabamasaba
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2
 
WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!
WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!
WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!WSO2
 
WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...
WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...
WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...WSO2
 
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public AdministrationWSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public AdministrationWSO2
 
WSO2Con2024 - Organization Management: The Revolution in B2B CIAM
WSO2Con2024 - Organization Management: The Revolution in B2B CIAMWSO2Con2024 - Organization Management: The Revolution in B2B CIAM
WSO2Con2024 - Organization Management: The Revolution in B2B CIAMWSO2
 
Evolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI EraEvolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI Eraconfluent
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...Shane Coughlan
 

Recently uploaded (20)

WSO2Con2024 - Facilitating Broadband Switching Services for UK Telecoms Provi...
WSO2Con2024 - Facilitating Broadband Switching Services for UK Telecoms Provi...WSO2Con2024 - Facilitating Broadband Switching Services for UK Telecoms Provi...
WSO2Con2024 - Facilitating Broadband Switching Services for UK Telecoms Provi...
 
WSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AIWSO2CON 2024 Slides - Unlocking Value with AI
WSO2CON 2024 Slides - Unlocking Value with AI
 
WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security Program
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
 
WSO2CON 2024 - Architecting AI in the Enterprise: APIs and Applications
WSO2CON 2024 - Architecting AI in the Enterprise: APIs and ApplicationsWSO2CON 2024 - Architecting AI in the Enterprise: APIs and Applications
WSO2CON 2024 - Architecting AI in the Enterprise: APIs and Applications
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation
WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & InnovationWSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation
WSO2CON 2024 - OSU & WSO2: A Decade Journey in Integration & Innovation
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 
WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!
WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!
WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!
 
WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...
WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...
WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...
 
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public AdministrationWSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
 
WSO2Con2024 - Organization Management: The Revolution in B2B CIAM
WSO2Con2024 - Organization Management: The Revolution in B2B CIAMWSO2Con2024 - Organization Management: The Revolution in B2B CIAM
WSO2Con2024 - Organization Management: The Revolution in B2B CIAM
 
Evolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI EraEvolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI Era
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 

Java Security Manager Reloaded - jOpenSpace Lightning Talk

  • 1. Java Security Manager Reloaded Josef Cacek Senior Quality Engineer Red Hat / JBoss
  • 2. Agenda 2 ● Java Security Manager – quickstart – issues ● Reloaded – there is an easier way – pro-grade library
  • 3. 3 Do you run ?
  • 4. 4 Do you run Java Applications ?
  • 5. YYoouu sshhoouulldd bbee aaffffrraaiidd YYoouu aarree ttrreeaatteenneedd!!
  • 6. Threats 6 ● bugs in libraries – lazy programmers ● hidden features – evil programmers ● man-in-the-middle – The Hackers
  • 7. JJaavvaa hhaass aa ssoolluuttiioonn
  • 8. 8 Java Security Manager (JSM) checks if the caller has permissions to run protected actions.
  • 9. Terminology Sensitive code calls extends java.lang.SecurityManager 9 Security Manager enforces Policy Permissions extends java.security.Policy extends java.security.Permission
  • 10. Example: Sensitive code calling JSM 10 SecurityManager sm = System.getSecurityManager(); if (sm != null) sm.checkPermission( new org.jboss.SimplePermission("getCache"));
  • 11. Example: Sensitive code calling JSM 11 SecurityManager sm = System.getSecurityManager(); if (sm != null) sm.checkPermission( new org.jboss.SimplePermission("getCache"));
  • 12. Policy ● keeps which protected actions are allowed 12 – No action by default ● defined in policy file ● grant entries assigns Permissions to – code path [codeBase] – signed classes [signedBy] – authenticated user [principal]
  • 13. Example: Policy file keystore "/opt/redhat.keystore"; grant { 13 permission java.io.FilePermission "/tmp/-", "read,write"; }; grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" { permission java.lang.RuntimePermission "getStackTrace"; permission java.util.PropertyPermission "*", "read,write"; }; grant signedBy "jboss" { permission java.security.AllPermission; };
  • 14. Example: Policy file keystore "/opt/redhat.keystore"; grant { 14 permission java.io.FilePermission "/tmp/-", "read,write"; }; grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" { permission java.lang.RuntimePermission "getStackTrace"; permission java.util.PropertyPermission "*", "read,write"; }; grant signedBy "jboss" { permission java.security.AllPermission; };
  • 15. Example: Policy file keystore "/opt/redhat.keystore"; grant { 15 permission java.io.FilePermission "/tmp/-", "read,write"; }; grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" { permission java.lang.RuntimePermission "getStackTrace"; permission java.util.PropertyPermission "*", "read,write"; }; grant signedBy "jboss" { permission java.security.AllPermission; };
  • 16. Example: Policy file keystore "/opt/redhat.keystore"; grant { 16 permission java.io.FilePermission "/tmp/-", "read,write"; }; grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" { permission java.lang.RuntimePermission "getStackTrace"; permission java.util.PropertyPermission "*", "read,write"; }; grant signedBy "jboss" { permission java.security.AllPermission; };
  • 17. Permission ● represents access right to a protected action ● has a type and target ● may have actions ● java.lang.AllPermission 17 – unrestricted access to all resources – automatically granted to system classes
  • 18. Example: Read a file ● App [app.jar] → Utils [app-lib.jar]→ FileReader(“/etc/passwd”) 18
  • 19. Example: Read a file ● App [app.jar] → Utils [app-lib.jar]→ FileReader(“/etc/passwd”) 19
  • 20. JSM quickstart ● set java.security.manager system property 20 – no value → default implementation – class name → custom SecurityManager implementation ● set java.security.policy system property – path to text file with permission mappings ● set java.security.debug system property (optional)
  • 21. Example: Run Application with JSM enabled 21 java -Djava.security.manager -Djava.security.policy=/opt/jEdit/jEdit.policy -Djava.security.debug=access:failure -jar /opt/jEdit/jedit.jar /etc/passwd
  • 22. 22 Protect your systems Use Java Security Manager!
  • 24. JSM issues - #1 performance 24
  • 25. JSM issues - #2 policy file tooling 25
  • 26. 26 JSM Reloaded pro-grade library Set of SecurityManager and Policy implementations.
  • 27. pro-grade library ● Java Security Manager made easy(ier) ● authors 27 – Ondřej Lukáš – Josef Cacek ● Apache License http://pro-grade.sourceforge.net/
  • 28. pro-grade components #1 policy with deny entries #2 policy file generator #3 missing permissions debugger 28
  • 29. #1 pro-grade policy with deny rules ● “subtracting” permissions from the granted ones ● helps to decrease count of mapped permissions 29 Policy Rules Of Granting And DEnying
  • 30. #1 pro-grade policy with deny rules ● “subtracting” permissions from the granted ones ● helps to decrease count of mapped permissions // grant full access to /tmp folder grant { 30 permission java.io.FilePermission "/tmp/-", "read,write"; }; // deny write access to the static subfolder of /tmp deny { permission java.io.FilePermission "/tmp/static/-", "write"; };
  • 31. #2 pro-grade policy file generator ● policytool on (a)steroids ● No GUI is better than any GUI! ● doesn't throw the AccessControlException 31
  • 32. #3 pro-grade permissions debugger ● lightweigh alternative to java.security.debug ● info about missing permissions to error stream ● doesn't throw the AccessControlException >> Denied permission java.io.FilePermission "/etc/passwd", "read"; >>> CodeSource: (file:/tmp/app-lib.jar <no signer certificates>) 32
  • 33. It's demo time! Security policy for Java EE server in 3 minutes.
  • 34. 34 Use Java Security Manager!
  • 35. 35 Use Java Security Manager!
  • 36. 36 Use Java Security Manager! Make it easy with pro-grade
  • 37. pro-grade fighting JSM issues ● performance → deny rules helps ● policy file tooling → generator – fully automated → debugger – quick check what's missing 37
  • 38. 38 Josef Cacek @jckwart josef.cacek@gmail.com http://javlog.cacek.cz http://pro-grade.sourceforge.net http://github.com/pro-grade/pro-grade http://docs.oracle.com/javase/8/docs/technotes/guides/security/ Q & A
  • 39. Credits ● public domain images 39 – pixabay.com ● public domain drawings – openclipart.org No pony was hurt in the preparation of this presentation.