
Securing a Web Application with Security Manager

Run with least privilege or Principle of Least Authority
Provide access only to the resources and permissions that the application requires to work properly.
We need to know clearly which resources are required and which type of action our application will perform on them.
Define the minimum access permission for each resource that the application requires to run.
Security Manager
The Principle of Least Privilege is achieved using a sandbox. In Java, the sandbox security model is implemented by the security manager.
The security manager is enabled at server startup by a JVM parameter, so it applies at the server level.
This setting is common to all web applications deployed on that server. The security manager is the Java class java.lang.SecurityManager (in the java.lang package).
Hence, on shared hosting it is difficult to get it enabled.
Policy File
The policy file defines each resource along with its permitted actions. The security manager decides whether to allow or deny access to a resource based on this policy file.
Defining the policy correctly is critical to the security of the application.
Permissions can be added easily using the policytool utility that ships with the JDK.
Example for a file system resource:
Resource : File system
Permission: read
permission java.io.FilePermission "I:\\www.gnudeveloper.com\\content\\msg.txt", "read";
A few permissions and their actions are listed below.
  • java.security.AllPermission: Never use this permission, since it grants full permission to the application and thereby defeats the sandbox approach.
  • java.io.FilePermission : The file system resource has the possible actions read, write, delete and execute.
  • java.net.SocketPermission : The socket resource has the possible actions accept, connect, listen and resolve.
  • java.util.PropertyPermission: The possible actions are read (allows System.getProperty) and write (allows System.setProperty).
  • java.lang.reflect.ReflectPermission

Security Manager control flow for File System resource

Enabling the Security Manager in Eclipse

	package com.gnudeveloper.sandbox;
 
	import java.io.BufferedReader;
	import java.io.FileInputStream;
	import java.io.FileNotFoundException;
	import java.io.FileReader;
	import java.io.IOException;
	import java.io.InputStreamReader;
	import java.nio.charset.StandardCharsets;

	import javax.servlet.http.HttpServlet;
	import javax.servlet.http.HttpServletRequest;
	import javax.servlet.http.HttpServletResponse;
 
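	/**
	 * Minimal servlet used to demonstrate the Java Security Manager: at start-up
	 * it reads one line from a fixed file and later serves that line on GET.
	 * With a Security Manager enabled, the read in {@link #loadMessage()} only
	 * succeeds if the policy file grants a {@code java.io.FilePermission} with
	 * action {@code read} for {@link #MESSAGE_PATH}.
	 */
	public class FileAccessServlet extends HttpServlet {

		private static final long serialVersionUID = 1L;

		/** Fixed file the servlet reads; must match the FilePermission target in the policy file. */
		private static final String MESSAGE_PATH = "I:\\www.gnudeveloper.com\\content\\msg.txt";

		/** First line of the message file, or {@code null} if it has not been read successfully. */
		String message = null;

		/**
		 * Reads the first line of {@link #MESSAGE_PATH} into {@link #message}.
		 * Read failures are reported on stdout and leave {@code message}
		 * unchanged. A {@code SecurityException} raised by the Security Manager
		 * when the policy denies the read is not caught here and propagates to
		 * the caller.
		 */
		public void loadMessage() {
			// Explicit UTF-8: FileReader(String) would use the platform default charset.
			try (BufferedReader br = new BufferedReader(new InputStreamReader(
					new FileInputStream(MESSAGE_PATH), StandardCharsets.UTF_8))) {
				message = br.readLine();
				System.out.println("message" + message);
			} catch (FileNotFoundException e) {
				System.out.println("file not found ");
				e.printStackTrace();
			} catch (IOException e) {
				// Any other read failure: report the actual cause instead of "file not found".
				System.out.println("error reading message file: " + e);
			}
		}

		/** Servlet start-up hook: loads the message once so request handling does no file I/O. */
		@Override
		public void init() {
			loadMessage();
			System.out.println("this is init");
		}

		/**
		 * Writes {@code message=<value>} to the response body as plain text.
		 *
		 * @param request  the incoming request (unused)
		 * @param response the response to write to
		 * @throws IOException if the response writer cannot be obtained or written
		 */
		@Override
		protected void doGet(HttpServletRequest request,
				HttpServletResponse response) throws IOException {
			// Declare the body as text with an explicit charset so the client
			// does not have to guess (content-sniff) how to interpret it.
			response.setContentType("text/plain;charset=UTF-8");
			response.getWriter().print("message=" + message);
		}
	}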
 

catalina.policy

	/* AUTOMATICALLY GENERATED ON Thu Dec 17 06:01:58 IST 2015*/
	/* DO NOT EDIT */
 
	// Every grant below carries a codeBase, so AllPermission is limited to code
	// loaded from the JRE and Tomcat installation paths named here; web
	// applications are not covered by these grants.
	grant codeBase "file:${java.home}/lib/-" {
	  permission java.security.AllPermission;
	};

	grant codeBase "file:${java.home}/jre/lib/ext/-" {
	  permission java.security.AllPermission;
	};

	grant codeBase "file:${java.home}/../lib/-" {
	  permission java.security.AllPermission;
	};

	grant codeBase "file:${java.home}/lib/ext/-" {
	  permission java.security.AllPermission;
	};

	grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
	  permission java.security.AllPermission;
	};

	// tomcat-juli.jar receives only the specific file, runtime, logging and
	// property permissions it needs instead of AllPermission. This is the
	// least-privilege shape to copy when writing grants for your own webapp.
	grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
	  permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
	  permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
	  permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
	  permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
	  permission java.lang.RuntimePermission "shutdownHooks";
	  permission java.lang.RuntimePermission "getClassLoader";
	  permission java.lang.RuntimePermission "setContextClassLoader";
	  permission java.util.logging.LoggingPermission "control";
	  permission java.util.PropertyPermission "java.util.logging.config.class", "read";
	  permission java.util.PropertyPermission "java.util.logging.config.file", "read";
	  permission java.util.PropertyPermission "org.apache.juli.ClassLoaderLogManager.debug", "read";
	  permission java.util.PropertyPermission "catalina.base", "read";
	};

	grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
	  permission java.security.AllPermission;
	};

	grant codeBase "file:${catalina.home}/lib/-" {
	  permission java.security.AllPermission;
	};
 
	// NOTE(review): this grant has no codeBase, so every permission listed in
	// it is given to ALL code running in this JVM, including every deployed
	// web application. The msg.txt FilePermission at the end of this block
	// therefore reaches far beyond FileAccessServlet. To match the
	// least-privilege goal of this article, move it into a grant scoped to
	// the one webapp that needs it, e.g.
	//   grant codeBase "file:${catalina.base}/webapps/<APP_DIR>/-" { ... };
	// where <APP_DIR> is a placeholder for the deployed application directory.
	grant {
	  permission java.util.PropertyPermission "java.home", "read";
	  permission java.util.PropertyPermission "java.naming.*", "read";
	  permission java.util.PropertyPermission "javax.sql.*", "read";
	  permission java.util.PropertyPermission "os.name", "read";
	  permission java.util.PropertyPermission "os.version", "read";
	  permission java.util.PropertyPermission "os.arch", "read";
	  permission java.util.PropertyPermission "file.separator", "read";
	  permission java.util.PropertyPermission "path.separator", "read";
	  permission java.util.PropertyPermission "line.separator", "read";
	  permission java.util.PropertyPermission "java.version", "read";
	  permission java.util.PropertyPermission "java.vendor", "read";
	  permission java.util.PropertyPermission "java.vendor.url", "read";
	  permission java.util.PropertyPermission "java.class.version", "read";
	  permission java.util.PropertyPermission "java.specification.version", "read";
	  permission java.util.PropertyPermission "java.specification.vendor", "read";
	  permission java.util.PropertyPermission "java.specification.name", "read";
	  permission java.util.PropertyPermission "java.vm.specification.version", "read";
	  permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
	  permission java.util.PropertyPermission "java.vm.specification.name", "read";
	  permission java.util.PropertyPermission "java.vm.version", "read";
	  permission java.util.PropertyPermission "java.vm.vendor", "read";
	  permission java.util.PropertyPermission "java.vm.name", "read";
	  permission java.lang.RuntimePermission "getAttribute";
	  permission java.util.PropertyPermission "jaxp.debug", "read";
	  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat";
	  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
	  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
	  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
	  permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
	  permission java.util.PropertyPermission "org.apache.el.parser.COERCE_TO_ZERO", "read";
	  permission java.util.PropertyPermission "org.apache.catalina.STRICT_SERVLET_COMPLIANCE", "read";
	  permission java.util.PropertyPermission "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING", "read";
	  permission java.util.PropertyPermission "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR", "read";
	  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.comet";
	  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.websocket";
	  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket";
	  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket.server";
	  // Read access needed by FileAccessServlet.loadMessage(); granted
	  // server-wide here because this grant is unscoped (see note above).
	  permission java.io.FilePermission "I:\\www.gnudeveloper.com\\content\\msg.txt", "read";
	};
 
	grant codeBase "file:${catalina.base}/webapps/manager/-" {
	  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
	  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
	  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
	  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
	  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
	};
 
	grant codeBase "file:${catalina.home}/webapps/manager/-" {
	  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
	  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
	  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
	  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
	  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
	};
 
