File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
http://aspose.com/file-tools
The moose likes Security and the fly likes how do we grant a code certain permissions? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Engineering » Security
Bookmark "how do we grant a code certain permissions?" Watch "how do we grant a code certain permissions?" New topic
Author

how do we grant a code certain permissions?

H Melua
Ranch Hand

Joined: Jan 04, 2005
Posts: 172
Hello

Lets say i have 2 directories... one that is classified as a server directory, and another as client!



i want both to be able to make connections freely!

now if a file in the client directory is trying to access a file in the server directory, shouldn't it be prevented from doing so since I'm not explicitly letting it access the file system?

(baring in mind that files running in the client dir. will be on a different VM to those running from the server dir.)

When the server is started, a security manager is installed...

Thank you
HannaH
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41600
    
  55
now if a file in the client directory is trying to access a file in the server directory, shouldn't it be prevented from doing so since I'm not explicitly letting it access the file system?

That depends on the security manager being used by the client. If this is a desktop application then by default no security manager is active, and the application can do what it wants.


Ping & DNS - my free Android networking tools app
H Melua
Ranch Hand

Joined: Jan 04, 2005
Posts: 172
Well, both the server and the client install the security manager in their main methods... and they have access to the same policy file!
(I know i can seperate them, but for simplicity i'm leaving it like that, especially that i'm not granting either more than the other!)

but why would it depend on the client? the client file will be running inside the server's compute engine (i.e. the server will download the file into its VM), which means the policy implemented by the server should control what the client can access?

I dont know if i'm making any sense?

Thanks a lot
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41600
    
  55
Now I'm confused. Didn't you earlier say that the client and the server run in different JVMs?
H Melua
Ranch Hand

Joined: Jan 04, 2005
Posts: 172
Well they start on different machines!

I shouldnt have said that , because the main intereste is in what happens when the server runs the client code!
Nitesh Kant
Bartender

Joined: Feb 25, 2007
Posts: 1638

H Melua:
because the main intereste is in what happens when the server runs the client code!


Its strange that this sounds interesting to you.
I dont have any idea what are you trying to do, but, if your server is running client code then there is something hopelessly wrong in your design/terminology.

Regarding the permissions, are you specifying an "additional" policy file using the VM parameter:
java.security.policy

If this is the case, then have you provided some permissions in the default java policy file to all codebases?

What is it that you expect to fail and it is not failing? Can you provide us the code that you expect to fail?


apigee, a better way to API!
H Melua
Ranch Hand

Joined: Jan 04, 2005
Posts: 172
I didn't say its interesting

I said my main interest, or what I'm interested in knowing... or i have to know!!

You see its an RMI program, the server is a compute engine that performs Task computation for clients, and so if we want to find two very large prime numbers, we often cant use the regular computers since they aren't powerful enough! So we make a powerful machine do the work for us and send the results back...

I'm using the default Java.policy in my user directory, just editing that one.. and no i didnt change the default one at all other than the few statements i quoted in my first post...

One of the tasks which originates from the client directory attempts to access the file system, and since I only gave the codebase in that directory to access the network, i thought it should have failed accessing anything else! (i.e. the file system!)

Here is the client code

<blockquote>code:
<pre name="code" class="core"> package client;

import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import compute.Compute;
import java.io.*;

public class ComputeFile {
public static void main(String args[]) {
if (System.getSecurityManager() == null) {
System.setSecurityManager(new SecurityManager());
}
try {
String name = "Compute";
Registry registry = LocateRegistry.getRegistry(args[0]);
Compute comp = (Compute) registry.lookup(name);
File1 task = new File1();
File f = comp.executeTask(task);
System.out.println(f);
} catch (Exception e) {
System.err.println("ComputeFile exception:");
e.printStackTrace();
}
}
}
</pre>
</blockquote>

The class File1 is simply a normal class that attempts to read the file system system using FileInputStream class...

Thanks for your patience
HannaH
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: how do we grant a code certain permissions?