Do we need a server-side policy file?

Holmes Wong
Ranch Hand

Joined: Feb 18, 2002
Posts: 163
Hi, Ranchers:
I am wondering if we need a server-side policy file. Several people mentioned this file, and I don't know why we need it. Is a client-side policy file enough for our assignment? Thanks.
Mark Spritzler
ranger
Sheriff

Joined: Feb 05, 2001
Posts: 17249

Yes, the client side is good enough. You can even be fine without any on either side, as we have found out.
Mark


Leonardo Wang
Greenhorn

Joined: Feb 19, 2002
Posts: 17
I have a policy file on the client side, primarily for the RMI SocketPermission, and don't have a policy file for the server.
SCJD2, SCJP2
Wickes Potgieter
Ranch Hand

Joined: Apr 05, 2002
Posts: 68
So basically we don't need any policy file at all??


Wickes Potgieter
SCJP
BEA Certified Specialist: Server, Integration, Portal, Tuxedo
BEA WebLogic Server 7 Certified Enterprise Developer
BEA Certified Architect
http://www.bea.com
Robin Underwood
Ranch Hand

Joined: May 01, 2002
Posts: 117
My code has been running fine without any security policy at all, but I wonder if it will hurt my score. Does anyone know if you lose points for not having a security policy?
Mark Spritzler
ranger
Sheriff

Joined: Feb 05, 2001
Posts: 17249

No Robin, it won't hurt your score.
Mark
Ramesh kumaar
Ranch Hand

Joined: Mar 19, 2002
Posts: 146
Hello All,

Could any of you please explain to me what the need for a policy file is and how to configure it?
-rameshkumar
Mark Spritzler
ranger
Sheriff

Joined: Feb 05, 2001
Posts: 17249

A policy file is a file with Permissions. It basically sets up the permissions the "User" has on the system. Like can they read or write to a particular file, can they see other directories, and other Security Permissions. If you have a SecurityManager you need a policy file.
Mark
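As an added illustration (not part of any post in this thread), this is what a client-side policy file of the kind discussed here can look like, with the broad grant that removes all protection shown commented out beside a narrower one. The file name `client.policy`, the host `db.example.com` and the jar path are assumed values.

```policy
// client.policy (file name assumed). Constructed example, not from the thread.

// Weak: every class on the client, including any class the RMI class loader
// downloads, gets every permission. The security manager then blocks nothing.
// grant {
//     permission java.security.AllPermission;
// };

// Narrower: only the code in the client jar gets permissions, and only the
// socket access RMI needs. Host name and jar path are assumed values.
grant codeBase "file:/opt/fbn/client.jar" {
    // Look up the remote object in the RMI registry (1099 is the default port).
    permission java.net.SocketPermission "db.example.com:1099", "connect,resolve";

    // Call the remote object itself. Unless the server exports it on a fixed
    // port, it listens on an anonymous port, so a range is needed here.
    permission java.net.SocketPermission "db.example.com:1024-65535", "connect,resolve";
};
```

The file takes effect only when a security manager is installed in the client, for example with `System.setSecurityManager(new RMISecurityManager())`, and the JVM is started with `-Djava.security.policy=client.policy`. The Security Manager was deprecated for removal in Java 17 (JEP 411) and permanently disabled in JDK 24 (JEP 486), so this applies to the older runtimes this thread is about.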
Ramesh kumaar
Ranch Hand

Joined: Mar 19, 2002
Posts: 146
Hi Mark,
Mark wrote
------------------------------------------------
If you have a SecurityManager you need a policy file.
------------------------------------------------
Could you please explain SecurityManager to me in detail, like what the need for having a SecurityManager is and how to implement it?
Thanks & regards,
-rameshkumar.
Mark Spritzler
ranger
Sheriff

Joined: Feb 05, 2001
Posts: 17249

Well, in the case of RMI, it is the RMISecurityManager class. It basically is your security. Security is allowing or disallowing a user to do something. Like for instance you have a file that you only want certain people to be able to open, or a file that you want to be read-only to users. That is security.
I would suggest going to Sun's Java Tutorials. And going to the Security section to learn more.
Mark
Ramesh kumaar
Ranch Hand

Joined: Mar 19, 2002
Posts: 146
Hi Mark,
I read the following from the Java API docs.
"RMISecurityManager provides an example security manager for use by RMI applications that use downloaded code. RMI's class loader will not download any classes from remote locations if no security manager has been set."
If we need to load any class dynamically, then I think the above may be useful.
But as per our requirement we can have our own securityManager class by just extending SecurityManager class as follows.
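    public class FBNSecurityMgr extends SecurityManager
    {
        public FBNSecurityMgr()
        {
            // Whatever you would like to have
        }

        // Not an override: SecurityManager defines checkAccess only for
        // Thread and ThreadGroup arguments.
        public void checkAccess(String host, int port)
        {
            //
        }

        // Overrides SecurityManager.checkAccept(String, int), which is called
        // before a socket connection from host:port is accepted.
        public void checkAccept(String host, int port)
        {
        }
    }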
The above securityMgr will be used in the RMIImplementation class as follows.
    public class FBNRMIImpl extends Unicas...
    {
        public FBNRMIImpl()
        {
            System.setSecurityManager(new FBNSecurityMgr());
        }
    }

Mark, I would just like to confirm that the above approach is correct.
thanks & regards,
-rameshkumar
Sai Prasad
Ranch Hand

Joined: Feb 25, 2002
Posts: 560
But as per our requirement we can have our own securityManager class by just extending SecurityManager class as follows.

I don't think this is mentioned in the requirement. Maybe you are referring to the allowed command line configuration parameters. I suggest not using the RMI Security Manager or a java.policy file for this assignment. Also, you need to defend your choice in the design documentation.
Ramesh kumaar
Ranch Hand

Joined: Mar 19, 2002
Posts: 146
Hi Sai,
--------------------------------------------------
Also you need to defend your choice in the design documentation.
--------------------------------------------------
Give me some good reasons for not implementing the SecurityManager.
thanks & regards,
-rameshkumar
Mark Spritzler
ranger
Sheriff

Joined: Feb 05, 2001
Posts: 17249

One reason, because it does not specifically require you to have one. Second, you are not dynamically downloading, so you don't need one at the server. The server is started by the server admin, who already has access to all the stuff you might want to protect. So the only place where there might be a rogue/hacker, is at the client end. You can put one there, but why go through the extra 5 minutes when you don't have to.
Mark
Sai Prasad
Ranch Hand

Joined: Feb 25, 2002
Posts: 560
Since _stub instances are bundled along with the client files, you don't have to have an RMI Security Manager to watch for the codebase.
The reasons for bundling the _Stub instances are that you don't want to have an HTTP server or use a file URL. Having said that, people cleverly used a file URL by reading the current directory inside the server side program and setting the system property.
Basically, if you are not using codebase and bundle the _stub class files in the client jar, you don't have to use java.policy or the RMI Security Manager.
Ramesh kumaar
Ranch Hand

Joined: Mar 19, 2002
Posts: 146
Thanks Mark, Prasad.

I decided not to use SecurityManager. Thanks a lot for your immediate reply.
-rameshkumar
 