Resin 3.1 Documentation: Security Manager
In ISP environments, it's important that each user have restricted permissions to use the server. Normally, the web server will be run as a non-root user so the users can't read system files, but that user will still have read access. The use of RMI also requires a security manager.

Don't use a security manager if you're not in an ISP environment or using RMI. There's no need for it and the security manager does slow the server down somewhat.

Adding a Java security manager puts each web-app into a "sandbox" where Java limits the things that can be done from code within the web-app.

The security manager is enabled by adding a security-manager tag in the resin.conf.

```xml
<resin xmlns="http://caucho.com/ns/resin"
       xmlns:resin="http://caucho.com/ns/resin/core">
  <security-manager/>
  ...
</resin>
```

java.policy

The security manager determines a policy that applies to the current virtual machine. The security manager is controlled by policy files.

The simplest way to change the policy is to change one of the default policy files. There are two default policy files that are used by the JDK:
An additional policy file can be set using the java.security.policy system property:

```
unix$ bin/httpd.sh -Djava.security.policy=file:/path/to/java.policy
win$ bin/httpd.exe -Djava.security.policy=file:/path/to/java.policy
```

The resulting policy for the virtual machine is the union of all granted permissions in all policy files.

java.policy syntax

A useful resource is Sun's documentation about security, in particular the pages on policy permissions and policy file syntax.

Each web-app automatically has permissions to read, write and delete any file under the web-app's directory, including WEB-INF. It also has read permission for the classpath, including <classpath> from the <host> and <server> contexts.

```
#
# Permissions allowed for everyone.
#
grant {
  permission java.util.PropertyPermission "*", "read";
  permission java.lang.RuntimePermission "accessClassInPackage.*";
  permission java.net.SocketPermission "mysql.myhost.com:3306", "connect";
  permission java.io.FilePermission "/opt/resin/xsl/*", "read";
};

#
# Give the system and Resin classes all permissions
#
grant codeBase "file:${resin.home}/lib/-" {
  permission java.security.AllPermission;
};

grant codeBase "file:${java.home}/lib/-" {
  permission java.security.AllPermission;
};

grant codeBase "file:${java.home}/jre/lib/-" {
  permission java.security.AllPermission;
};

#
# Give a specific web-app additional permissions.
#
grant codeBase "file:/opt/web/webapps/ejb/WEB-INF/-" {
  permission java.io.FilePermission "/opt/web/doc/*", "read";
};
```
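Because the effective policy is the union of every matching grant in every policy file, it helps to compute what a given web-app ends up with before deploying a change. The following Python sketch is an added example, not part of the Resin documentation or the JDK's own policy parser; it handles only the grant/permission forms shown on this page, and the function names and the `/opt/resin` value for `resin.home` are assumptions.

```python
import re

# Constructed sample based on the page's policy, split across two files.
DEFAULT_POLICY = '''
grant {
  permission java.util.PropertyPermission "*", "read";
  permission java.io.FilePermission "/opt/resin/xsl/*", "read";
};
grant codeBase "file:${resin.home}/lib/-" {
  permission java.security.AllPermission;
};
'''
EXTRA_POLICY = '''
# Give a specific web-app additional permissions.
grant codeBase "file:/opt/web/webapps/ejb/WEB-INF/-" {
  permission java.io.FilePermission "/opt/web/doc/*", "read";
};
'''
PROPS = {"resin.home": "/opt/resin"}     # assumed install path
GRANT = re.compile(r'grant(?:\s+codeBase\s+"([^"]*)")?\s*\{(.*?)\}\s*;', re.S)
PERM = re.compile(r'permission\s+([\w.$]+)((?:\s*,?\s*"[^"]*")*)\s*;')

def parse_policy(text, props):
    """Return [(codeBase or None, {(class, target, actions), ...}), ...]."""
    text = re.sub(r'(?m)^\s*(?:#|//).*$', '', text)      # drop comment lines
    text = re.sub(r'\$\{([^}]+)\}', lambda m: props[m.group(1)], text)
    grants = []
    for code_base, body in GRANT.findall(text):
        perms = {(cls, *(re.findall(r'"([^"]*)"', args) + ["", ""])[:2])
                 for cls, args in PERM.findall(body)}
        grants.append((code_base or None, perms))
    return grants

def codebase_matches(pattern, url):
    """No codeBase matches all code; a trailing /- matches recursively."""
    if pattern is None:
        return True
    if pattern.endswith("/-"):
        return url.startswith(pattern[:-1])
    return url == pattern      # the /* and / forms are not modelled here

def effective_permissions(policy_texts, url, props):
    """Union of every matching grant across all policy files."""
    result = set()
    for text in policy_texts:
        for code_base, perms in parse_policy(text, props):
            if codebase_matches(code_base, url):
                result |= perms
    return result
```

Calling `effective_permissions([DEFAULT_POLICY, EXTRA_POLICY], "file:/opt/web/webapps/ejb/WEB-INF/classes/", PROPS)` returns the two global grants plus the `/opt/web/doc/*` read grant and no `AllPermission`; any `grant` block without a codeBase shows up for every web-app, which is the first thing to check when a sandbox is wider than intended.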