• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
  • Mikalai Zaikin

How to Enable security manager for Spring and Hibernate

Posts: 2
Python Oracle Redhat
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
1. Tomcat security manager.

The basis of Java security is to enable the security manager.
The security manager allows you to associate a given code (a webapp, a .class, a jar, etc) to one or more authorizations (ex. write on disk, connect to distant host, read properties, use reflection, etc).
The complete list can be found here

The problem with the Java security manager is that contrary to the C language, the Java language security is not on the front scene. Most Java developers don’t know anything about Java (real) security and it is very difficult to find some information about how to setup a security manager policy file.

On a Tomcat application server, the config file that is used by the security manager can be found at $TOMCAT_HOME/conf/catalina.policy.
I suggest you make a copy of this file before editing it, for example on a GNU Linux system :

Note: Remember that tomcat must be started with the -security option to activate the security manager.

You can read more info related to Tomcat security manager here.

2. Permissions for Spring and Hibernate

The Spring  and the Hibernate framework are widely used in modern J2SE and JEE applications. However it is very difficult to find some information related to "Wish permissions should be authorized for Spring or Hibernate?".

That is why I will give you the configurations I successfully tried.
To try the next code on Tomcat; you should edit your catalina.policy file and add the following lines at the end of the file (you do not need to modify default permissions).

2.1 System properties access

A particularity in the Hibernate code oblige us to give read and write access permissions to all system properties to the Hibernate and Spring jar.

2.2 Allow dependency injection.

Spring as well as Hibernate need access to the highly sensitive permissions that are reflection and runtime access to class members.

2.3 Allow aspect programming.

2.4 Enable database connection.

Hibernate is compatible with most databases. To enable database connexion you need to enable a java.net.SocketPermission on the correct jars for the given host and port.

3. At the End

Configuring a security manager is a basic important part when you set up security environment for Java. However it is not easy at all. When you try to fulfill this task, your first job is to find the permissions you need (which is quite easy, just look at the security exception log). Next, you need to find which jar needs which permissions and this is the difficult part, it requires you to have a careful look to the security exception stacktrace and to run a lot of tests!.

Source: sevagas
Whip out those weird instruments of science and probe away! I think it's a tiny ad:
a bit of art, as a gift, that will fit in a stocking
    Bookmark Topic Watch Topic
  • New Topic