Question on Policy Object and Static Methods.

Robert Paris
Ranch Hand

Joined: Jul 28, 2002
Posts: 585
Given our recent discussion of static methods and how they can't be overridden but only hidden ( http://www.coderanch.com/t/324412/java/java/methods-static-final ) and that in the "new" Java security, your only option (since they're phasing out SecurityManager) for security implementation is the Policy object, why is this method static?
The java security implementation is very inadequate, however that wasn't a problem when securitymanager was the sole "parent" because you could provide your own implementation. Now you can't. All you have is policy, and there's almost nothing you can do there! What gives?
Peter den Haan
author
Ranch Hand

Joined: Apr 20, 2000
Posts: 3252
Originally posted by Robert Paris:
The java security implementation is very inadequate [...]
Heck, Robert, in practical terms what are you trying to do? You've posted more security questions that I've got the time to answer (unfortunately), expressing your impatience with the Java security implementation at every opportunity, but it isn't clear to me what you're trying to achieve. Maybe it's possible out of the box. Maybe not. Rather than going into awfully messy detail about how to tinker with Java security, it might be worth looking at what needs doing before worrying about how to do it.
- Peter
Robert Paris
Ranch Hand

Joined: Jul 28, 2002
Posts: 585
I need to have applications that run in the same VM, yet are completely isolated security-wise and class-knowledge-wise. I think I'm actually pretty close to being able to do it. The big problem is with security. Let me explain:
Let's say we have App1 running in my VM, and they want to use the security policy:
grant { permission java.security.AllPermission };
In other words, EVERYTHING, ANYWHERE gets all permission. No problem. Now I load in App2, but App2's grant says that everything gets read-only permission to files and all code signed with "Robert" gets full permissions. Now we've got a problem.
So my question is, how do I solve this?
Let's even take it another step. Let's say the two apps are actually the same application (maybe MySocketListener). The first is listening on port 25, the second on port 80 (it may be dumb, but it's an example), but they're the same exact code, just two diff. installations of the same app. Now the first has a grant:

and the second has the grant:


While the first allows the second, it's allowing more than the second wants, and the second would hurt some of what #1 might want to do. Now I can't do permission based on codebase, since they're from the same file! Further, I can't do it based on principal since (let's say) I didn't write these apps, and so I can't change the principal of what's running (let's say they hardcoded that in to the app, and it's the same in both). So what's my option?
Peter den Haan
author
Ranch Hand

Joined: Apr 20, 2000
Posts: 3252
Finally I have the time to return to this. Robert, I see you made a fair bit of progress since asking this question, so I don't know how relevant this still is.
Nice problem you've got on your hands, by the way...
What you want is to effectively run multiple applications inside the same JVM, or the same application multiple times, with different sets of permissions. The different application instances have different levels of trust, presumably because they impersonate different entities. As a consequence, I believe the best mapping to the Java security model is the Principal-based security that is part of JAAS. This model is an integral part of the Java core platform as of v1.4.
What it boils down to is that when granting permissions in your security policy file you can not only set them for a given code base and signer, but also a given Principal. You can have more than one Principal running the same code; each will have different permissions. See java.security.Subject, in particular Subject.doAs(), and also the Principal and SubjectDomainCombiner classes.
We can go into more detail, if you wish; I wrote a chapter about this (among other things) in Wrox' Beginning Java Networking. But first let's see if this model would work and whether it's still necessary in the first place.
HTH
- Peter
[ February 15, 2003: Message edited by: Peter den Haan ]
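The Principal-based model Peter describes, as an added example that is not from the thread: the same method runs twice under two different Subjects, and a Policy grants permissions on the Principal rather than on the code base, so identical code ends up with different rights. The class names (PrincipalPolicyDemo, AppPrincipal, PrincipalPolicy) and the two-rule policy are assumptions; it assumes a JDK that still allows a SecurityManager (JDK 17, or JDK 18 to 23 started with -Djava.security.manager=allow).

```java
import java.io.FilePermission;
import java.security.*;
import java.util.Set;
import javax.security.auth.AuthPermission;
import javax.security.auth.Subject;

// Constructed demo: one code base, two Subjects, two sets of permissions.
public class PrincipalPolicyDemo {

    // Minimal Principal; a real deployment would use the login module's class.
    static final class AppPrincipal implements Principal {
        private final String name;
        AppPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Same effect as a policy file with
    //   grant principal AppPrincipal "app1" { permission java.security.AllPermission; };
    //   grant principal AppPrincipal "app2" { permission java.io.FilePermission "<<ALL FILES>>", "read"; };
    static final class PrincipalPolicy extends Policy {
        @Override
        public boolean implies(ProtectionDomain domain, Permission perm) {
            if (domain.getClassLoader() == null) return true;            // bootstrap classes
            if (domain.getPrincipals().length == 0)                      // our launcher code
                return perm instanceof AuthPermission;                   // may call doAs only
            for (Principal p : domain.getPrincipals()) {
                if ("app1".equals(p.getName())) return true;
                if ("app2".equals(p.getName()) && perm instanceof FilePermission
                        && "read".equals(perm.getActions())) return true;
            }
            return false;
        }
    }

    // The shared application code; it does not know which Subject it runs as.
    static boolean mayWrite(String path) {
        try {
            AccessController.checkPermission(new FilePermission(path, "write"));
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    // Launcher side: wrap the same code in a Subject carrying one Principal.
    static boolean runAs(String who, String path) {
        Subject s = new Subject(true, Set.of(new AppPrincipal(who)), Set.of(), Set.of());
        return Subject.doAs(s, (PrivilegedAction<Boolean>) () -> mayWrite(path));
    }

    public static void main(String[] args) {
        Policy.setPolicy(new PrincipalPolicy());
        System.setSecurityManager(new SecurityManager());
        System.out.println("app1 may write: " + runAs("app1", "/tmp/demo.txt")); // true
        System.out.println("app2 may write: " + runAs("app2", "/tmp/demo.txt")); // false
    }
}
```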
Robert Paris
Ranch Hand

Joined: Jul 28, 2002
Posts: 585
Thanks for the reply, but unfortunately it's not quite right. The applications that I'll be running, I have no control over the code, nor what type of security they wish to use. I want it so if they want to install a custom security manager, they can (within their isolated context). So if they didn't want a principal-based security policy, that'd still work. Basically, I want it to be transparent (100% if possible) that the app is running in the same VM as other apps.
Peter den Haan
author
Ranch Hand

Joined: Apr 20, 2000
Posts: 3252
Originally posted by Robert Paris:
[...] The applications that I'll be running, I have no control over the code, nor what type of security they wish to use. I want it so if they want to install a custom security manager, they can (within their isolated context).
Yikes. But that's horrible; applications that insist on installing their own SecurityManager make the assumption that they'll be the only inhabitants of the JVM.
Apart from that, it'd be no problem. You are bootstrapping the applications, right? So you determine who they run as. The applications themselves needn't know about your doAs().
So if they didn't want a principal-based security policy, that'd still work. Basically, I want it to be transparent (100% if possible) that the app is running in the same VM as other apps.
Applications have no say in the matter -- the policy is always there. It would be transparent. Unless the application would want to completely replace SecurityManager, that is.
I hate to ask this, but if you need complete virtualisation of a Java runtime, then, erm, why can't you run multiple JVMs?
- Peter