This week's book giveaway is in the Java 8 forum.
We're giving away four copies of Java 8 in Action and have Raoul-Gabriel Urma, Mario Fusco, and Alan Mycroft on-line!
See this thread for details.
The moose likes Security and the fly likes how do we deploy app with security manager to clients? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Java 8 in Action this week in the Java 8 forum!
JavaRanch » Java Forums » Engineering » Security
Bookmark "how do we deploy app with security manager to clients?" Watch "how do we deploy app with security manager to clients?" New topic
Author

how do we deploy app with security manager to clients?

H Melua
Ranch Hand

Joined: Jan 04, 2005
Posts: 172
Hi

When i write a desktop application in Java, and i want to deploy it to clients, and within the application I install a security manager (the default one!); now if we assume the program needs to read and write into the file system, and also needs to access the network... and by default the client application does not provide me with these permissions!
in other words, the application will keep throwing security exceptions, and surely i cant change the policy file in the client since i don't have permission to do so!

how do we go about that?

thank you
HannaH
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39576
    
  27
Why would the application install a security manager that does not allow it to do what it needs to do?


Ping & DNS - updated with new look and Ping home screen widget
H Melua
Ranch Hand

Joined: Jan 04, 2005
Posts: 172
can you elaborate more...

if i want to make my application more secure, and only performs in its own protection domain, and so does not try to do something with out permissions from the client, then how can we achieve that?

I'm actually against programmers running their applications with full permissions on client machines, because that means if the application contains a security hole, then the attacker can make use of all the permissions granted to the application!

now i dont want my application to be completely free to play in the client machine! but i only want it to contain the least possible permissions it needs to run!
[ July 11, 2008: Message edited by: H Melua ]
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39576
    
  27
In that case, write a SecurityManager that grants precisely those permission the application needs, and denies all others. See here for a simple example of how to do that.
H Melua
Ranch Hand

Joined: Jan 04, 2005
Posts: 172
I seeeee, thank you, i was actually wondering, why does java let you write your own security manager, and also warns you not to do so unless you really really need to!!! It seems like it should be very common that programmers write their own!!

and if thats the case, they should be encouraging programmers to make their programs run with "least privilege"!!

That was very helpful, i thank you very much again

HannaH
[ July 11, 2008: Message edited by: H Melua ]
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: how do we deploy app with security manager to clients?
 
Similar Threads
Problem with customizing client authentication (Tomcat 5.5)
Custom Policy, Security Manager? Best approaches?
NX: Questions about properties and security manager.
how do we grant a code certain permissions?
RMI binding