Java Security Manager Reloaded - jOpenSpace Lightning Talk
-
Upload
josef-cacek -
Category
Software
-
view
306 -
download
5
description
Transcript of Java Security Manager Reloaded - jOpenSpace Lightning Talk
![Page 1: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/1.jpg)
Java Security Manager Reloaded
Josef CacekSenior Quality EngineerRed Hat / JBoss
![Page 2: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/2.jpg)
2
Agenda
● Java Security Manager– quickstart
– issues
● Reloaded– there is an easier way
– pro-grade library
![Page 3: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/3.jpg)
3
Do you run
?
![Page 4: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/4.jpg)
4
Do you run
Java Applications
?
![Page 5: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/5.jpg)
You should be affraidYou should be affraid
You are treatened!You are treatened!
![Page 6: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/6.jpg)
6
Threats
● bugs in libraries– lazy programmers
● hidden features– evil programmers
● man-in-the-middle– The Hackers
![Page 7: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/7.jpg)
Java has a solutionJava has a solution
![Page 8: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/8.jpg)
8
Java Security Manager (JSM)
checks if the caller has permissionsto run protected actions.
![Page 9: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/9.jpg)
9
Terminology
Security Manager
Policy
Permissions
enforces
Sensitive code calls extends java.lang.SecurityManager
extends java.security.Policy
extends java.security.Permission
![Page 10: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/10.jpg)
10
SecurityManager sm = System.getSecurityManager();
if (sm != null) sm.checkPermission( new org.jboss.SimplePermission("getCache"));
Example: Sensitive code calling JSM
![Page 11: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/11.jpg)
11
SecurityManager sm = System.getSecurityManager();
if (sm != null) sm.checkPermission( new org.jboss.SimplePermission("getCache"));
Example: Sensitive code calling JSM
![Page 12: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/12.jpg)
12
Policy
● keeps which protected actions are allowed – No action by default
● defined in policy file
● grant entries assigns Permissions to
– code path [codeBase]
– signed classes [signedBy]
– authenticated user [principal]
![Page 13: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/13.jpg)
13
keystore "/opt/redhat.keystore";
grant { permission java.io.FilePermission "/tmp/-", "read,write";};
grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" { permission java.lang.RuntimePermission "getStackTrace"; permission java.util.PropertyPermission "*", "read,write";};
grant signedBy "jboss" { permission java.security.AllPermission;};
Example: Policy file
![Page 14: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/14.jpg)
14
keystore "/opt/redhat.keystore";
grant { permission java.io.FilePermission "/tmp/-", "read,write";};
grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" { permission java.lang.RuntimePermission "getStackTrace"; permission java.util.PropertyPermission "*", "read,write";};
grant signedBy "jboss" { permission java.security.AllPermission;};
Example: Policy file
![Page 15: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/15.jpg)
15
keystore "/opt/redhat.keystore";
grant { permission java.io.FilePermission "/tmp/-", "read,write";};
grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" { permission java.lang.RuntimePermission "getStackTrace"; permission java.util.PropertyPermission "*", "read,write";};
grant signedBy "jboss" { permission java.security.AllPermission;};
Example: Policy file
![Page 16: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/16.jpg)
16
keystore "/opt/redhat.keystore";
grant { permission java.io.FilePermission "/tmp/-", "read,write";};
grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" { permission java.lang.RuntimePermission "getStackTrace"; permission java.util.PropertyPermission "*", "read,write";};
grant signedBy "jboss" { permission java.security.AllPermission;};
Example: Policy file
![Page 17: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/17.jpg)
17
Permission
● represents access right to a protected action● has a type and target● may have actions
● java.lang.AllPermission – unrestricted access to all resources
– automatically granted to system classes
![Page 18: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/18.jpg)
18
● App [app.jar] → Utils [app-lib.jar]→ FileReader(“/etc/passwd”)
Example: Read a file
![Page 19: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/19.jpg)
19
● App [app.jar] → Utils [app-lib.jar]→ FileReader(“/etc/passwd”)
Example: Read a file
![Page 20: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/20.jpg)
20
JSM quickstart
● set java.security.manager system property– no value → default implementation
– class name → custom SecurityManager implementation
● set java.security.policy system property– path to text file with permission mappings
● set java.security.debug system property (optional)
![Page 21: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/21.jpg)
21
java \ -Djava.security.manager \ -Djava.security.policy=/opt/jEdit/jEdit.policy \ -Djava.security.debug=access:failure \ -jar /opt/jEdit/jedit.jar /etc/passwd
Example: Run Application with JSM enabled
![Page 22: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/22.jpg)
22
Protect your systems
Use Java Security Manager!
![Page 23: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/23.jpg)
23
However ...
![Page 24: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/24.jpg)
24
JSM issues - #1 performance
![Page 25: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/25.jpg)
25
JSM issues - #2 policy file tooling
![Page 26: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/26.jpg)
26
JSM Reloaded
pro-grade library
Set of SecurityManager and Policy implementations.
![Page 27: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/27.jpg)
27
pro-grade library
● Java Security Manager made easy(ier)● authors
– Ondřej Lukáš
– Josef Cacek
● Apache License
http://pro-grade.sourceforge.net/
![Page 28: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/28.jpg)
28
pro-grade components
#1 policy with deny entries
#2 policy file generator
#3 missing permissions debugger
![Page 29: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/29.jpg)
29
#1 pro-grade policy with deny rules
● “subtracting” permissions from the granted ones● helps to decrease count of mapped permissions
Policy Rules Of Granting And DEnying
![Page 30: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/30.jpg)
30
// grant full access to /tmp foldergrant { permission java.io.FilePermission "/tmp/-", "read,write";};
// deny write access to the static subfolder of /tmpdeny { permission java.io.FilePermission "/tmp/static/-", "write";};
#1 pro-grade policy with deny rules
● “subtracting” permissions from the granted ones● helps to decrease count of mapped permissions
![Page 31: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/31.jpg)
31
#2 pro-grade policy file generator
● policytool on (a)steroids ● No GUI is better than any GUI!
● doesn't throw theAccessControlException
![Page 32: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/32.jpg)
32
#3 pro-grade permissions debugger
● lightweigh alternative to java.security.debug● info about missing permissions to error stream
● doesn't throw the AccessControlException
>> Denied permission java.io.FilePermission "/etc/passwd", "read";>>> CodeSource: (file:/tmp/app-lib.jar <no signer certificates>)
![Page 33: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/33.jpg)
It's demo time!
Security policy for Java EE serverin 3 minutes.
![Page 34: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/34.jpg)
34
Use Java Security Manager!
![Page 35: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/35.jpg)
35
Use Java Security Manager!
![Page 36: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/36.jpg)
36
Use Java Security Manager!
Make it easy with pro-grade
![Page 37: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/37.jpg)
37
pro-grade fighting JSM issues
● performance→ deny rules helps
● policy file tooling → generator – fully automated→ debugger – quick check what's missing
![Page 38: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/38.jpg)
38
Josef Cacek
@[email protected]://javlog.cacek.cz
http://pro-grade.sourceforge.net
http://github.com/pro-grade/pro-grade
http://docs.oracle.com/javase/8/docs/technotes/guides/security/
Q & A
![Page 39: Java Security Manager Reloaded - jOpenSpace Lightning Talk](https://reader034.fdocuments.us/reader034/viewer/2022052620/55756fd0d8b42a2e248b504d/html5/thumbnails/39.jpg)
39
Credits
● public domain images
– pixabay.com
● public domain drawings
– openclipart.org
No pony was hurt in the preparation of this presentation.