Do we need a policy file and a security manager at all?

Roman Rytov
Ranch Hand

Joined: Jun 04, 2001
Posts: 75
I found that for some reason my server and client work fine w/o a policy file and a sec. manager. What's the point behind this fact? Do I need them at all?


SCJA, SCJD, MCSD
Bal Sharma
Ranch Hand

Joined: Sep 19, 2001
Posts: 273
Do I need them at all?
Of course not, if it works without it. But look at the scenario they gave us. It is client server programming, isn't it? Somewhere, someplace, security problems occur, don't they? Better to be on the safe side. My $0.02 suggestion.
-Bal
Roman Rytov
Ranch Hand

Joined: Jun 04, 2001
Posts: 75
I totally agree. But the question is whether to supply a fully unsecure policy file or not. As I see in the forum, a lot of people did it (I mean the policy file with the java.security.AllPermission property). But the point is how can I test it:-) If on my machines it works fine w/o a policy file, what's the way to check the correctness of the file and other syntax?
Najib Coutya
Greenhorn

Joined: Dec 18, 2001
Posts: 28
Are you running security manager from within your client and server?
Bal Sharma
Ranch Hand

Joined: Sep 19, 2001
Posts: 273
...But the point is how can I test it:-) If on my machines it works fine w/o a policy file, what's the way to check the correctness of the file and other syntax?
Roman:
I am confused here. How does it work if you have set the security feature on both the server and client side as below?

It is right, I do have fully unsecure policy file like this.
grant {
    permission java.security.AllPermission;
};
When I want to run in remote mode, man! I have got to type a long lousy command to start the server, and I have got to key in a lousy command to run the client as well. My commands are as follows.

If I misspell any one, it won't run the server OR client. It complains a lot. But in local mode I just key in an easy one:
c:\scjd>java -jar client.jar
Hope it helps.
-Bal
[ February 19, 2002: Message edited by: Bal Sharma ]
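Added example, not part of any post in this thread: a small probe that answers the "how can I test it" question by reporting whether a security manager is installed at all and which permissions the active policy grants. It assumes a JDK where the Security Manager is still supported (it is deprecated for removal since Java 17); the class name PolicyProbe, the host and port range, and the file name db.db are constructed placeholders.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.AllPermission;
import java.security.Permission;

// Added example (not from the thread). Start it with the same options as the
// client or server, e.g. -Djava.security.manager -Djava.security.policy=<policy file>.
public class PolicyProbe {

    // Returns true if the installed security manager grants p to this code.
    static boolean granted(SecurityManager sm, Permission p) {
        try {
            sm.checkPermission(p);
            return true;
        } catch (SecurityException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            // Without a security manager no permission checks are made,
            // so nothing enforces the policy file and everything "just works".
            System.out.println("No security manager installed: policy is not enforced");
            return;
        }
        // Constructed probe values: host, port range and file name are placeholders.
        Permission[] probes = {
            new AllPermission(),
            new SocketPermission("localhost:1024-65535", "connect,accept"),
            new FilePermission("db.db", "read,write"),
        };
        for (Permission p : probes) {
            System.out.println((granted(sm, p) ? "GRANTED " : "DENIED  ") + p);
        }
    }
}
```

With the AllPermission policy shown above in effect, every line prints GRANTED; a DENIED line for AllPermission means that grant is not being applied. Replacing the blanket grant with only the socket and file permissions the application needs, and rerunning the probe, shows which accesses the narrower policy still allows.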
Roman Rytov
Ranch Hand

Joined: Jun 04, 2001
Posts: 75
Bal, sorry for the delay with the answer. I got your point.
I tried my deployment in two ways. The first one is to put all necessary server stubs into the client's jar. In this case there is no reason to use downloading of classes and hence no need for RMISecurityManager, policy file and codebase property.
Another way is not to put any remote stubs into the client jar, but in this case we need codebase, RMISecurityManager and policy file (in my case for running the server and for the client also).
So I chose the first case. Not to put stubs into the client jar and provide necessary instructions for a tester how to change all options in the command line.
What do you think?
[ February 22, 2002: Message edited by: Roman Rytov ]
Bal Sharma
Ranch Hand

Joined: Sep 19, 2001
Posts: 273
Roman:
Choice is yours. You are the boss. This is your project and it is your company. Our goal is XXX/155, right! Watch out for my score XXX
Just for a hint. This is my personal opinion; it is possible a lot of people may not agree with this. Minimum requirements must be met, this is my approach. Additional features depend on you.
My instruction reads ...command lines only take configuration parameters selected from this list, Last two are:
  • java.rmi.server.codebase
  • security manager policy file

I may be wrong, you could be right. I took it as an implied must requirement, because it is a client server application. If there are no security features in a multiple clients environment, are we not inviting hackers and crackers to break our system? I am silly, I thought RMISecurityManager had to be there; although it works without it. I do not know.
Good luck Roman, whatever you do, it does not matter, there are multiple right answers. But whatever you do, strongly defend it as what you think was the best available choice.
-Bal
[ February 22, 2002: Message edited by: Bal Sharma ]
     