The document discusses Java security and how to configure a security manager and policy in Java. It explains that a security manager creates a sandbox for Java applications and uses a security policy to define permissions. The policy grants or denies permissions to code based on code location, trust via signing, and the user running the code. It provides examples of policy syntax and common permissions.
2. • Provide the Java platform as a secure, ready-built platform on which to run Java-enabled applications in a secure fashion.
• Provide security tools and services implemented in the Java programming language that enable a wider range of security-sensitive applications, for example, in the enterprise world.
4. • Variables are initialized before they are used.
• Method calls match the types of object references.
• Rules for accessing private data and methods are not violated.
• Local variable accesses fall within the runtime stack.
• The runtime stack does not overflow.
9. • To create a sandbox environment for a given Java application, the Java Security Manager must be engaged.
• System.setSecurityManager(new SecurityManager());
• java -Djava.security.manager MainClass
10. • If no policy is explicitly specified, the Java Security Manager uses its default security policy.
• The location of the default security policy is picked from the JAVA_HOME/lib/security/java.security file.
# The default is to have a single system-wide policy file,
# and a policy file in the user's home directory.
policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy
11. • By default everything is denied!
• The policy explicitly grants permissions to the code in execution.
• Permission = Resource (Target) + Action
grant {
permission java.io.FilePermission "mytext.txt", "read,write";
};
29. • Based on the location of the code
• Based on the trust (code has to be signed)
• Based on the user who runs the code
30. • Based on the location of the code
grant codeBase "file:${my.code.base}/-" {
permission java.security.AllPermission;
};
grant codeBase "file://java-security/org.wso2.java.security/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${java.ext.dirs}/*" {
permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/lib/ext/area.jar" {
permission java.util.PropertyPermission "user.home", "read";
permission java.io.FilePermission "${user.home}${/}test${/}*", "write";
};
31. • Based on the user who runs the code
grant principal com.sun.security.auth.UnixPrincipal "prabath" {
permission java.security.AllPermission;
};
grant principal javax.security.auth.x500.X500Principal "cn=Alice" {
permission java.io.FilePermission "/home/Alice", "read, write";
};
32. • Based on the trust (code has to be signed)
grant signedBy "wso2carbon" {
permission java.security.AllPermission;
};
keystore "file:///java-security/org.wso2.java.security/wso2carbon.jks";
keystorePasswordURL "file:///org.wso2.java.security/wso2carbon.pwd";
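The three grant styles above (by code location, by user, by signer) differ mainly in how much they trust before handing out permissions. The following is an added example, not part of the slides or of any WSO2 code: a small Python check that parses policy text in the syntax shown here and reports every grant of java.security.AllPermission. The sample policy is constructed, and the severity labels are this example's own heuristic.

```python
import re

# Constructed sample policy, modelled on the grant forms shown in the slides.
SAMPLE = r'''
grant { permission java.io.FilePermission "mytext.txt", "read,write"; };
grant codeBase "file:${my.code.base}/-" { permission java.security.AllPermission; };
grant signedBy "wso2carbon" { permission java.security.AllPermission; };
grant principal javax.security.auth.x500.X500Principal "cn=Alice" {
    permission java.io.FilePermission "/home/Alice", "read, write"; };
grant { permission java.security.AllPermission; };  // no condition at all
'''
# Quoted strings are matched first, so "//" or "${...}" inside a URL is never
# read as a comment or a brace; comments match no group and are dropped.
TOKEN = re.compile(r'"([^"]*)"|//[^\n]*|/\*.*?\*/|([{};,])|([^\s{};,"]+)', re.S)
ALL = 'java.security.AllPermission'

def parse_policy(text):
    toks = [(('str', 'punct', 'word')[m.lastindex - 1], m.group(m.lastindex))
            for m in TOKEN.finditer(text) if m.lastindex]
    kw = lambda t: t[1].lower() if t[0] == 'word' else ''  # keywords: any case
    grants = []
    for i, tok in enumerate(toks):
        if kw(tok) != 'grant':           # keystore entries are skipped here
            continue
        g = {'codebase': None, 'signedby': None, 'principal': None, 'permissions': []}
        brace = toks.index(('punct', '{'), i)
        end = toks.index(('punct', '}'), brace)
        for k in range(i + 1, brace):                # header: who is trusted
            if kw(toks[k]) in ('codebase', 'signedby', 'principal'):
                g[kw(toks[k])] = toks[k + 1][1]      # principal: class (or alias)
        for k in range(brace + 1, end):              # body: permission entries
            if kw(toks[k]) == 'permission':
                semi = toks.index(('punct', ';'), k)
                # target, then actions (a per-permission signedBy alias lands here too)
                args = [v for kind, v in toks[k + 2:semi] if kind == 'str']
                g['permissions'].append((toks[k + 1][1], args))
        grants.append(g)
    return grants

# AllPermission switches the sandbox off for whatever matches the grant header.
# HIGH: no condition; MEDIUM: location or user only; REVIEW: tied to a signer.
def audit(grants):
    out = []
    for n, g in enumerate(grants, 1):
        if ALL in (cls for cls, _ in g['permissions']):
            sev = ('REVIEW' if g['signedby'] else
                   'MEDIUM' if g['codebase'] or g['principal'] else 'HIGH')
            out.append((n, sev))
    return out
```

Calling audit(parse_policy(SAMPLE)) returns the 1-based position of each AllPermission grant with its label; malformed input (for example a missing closing brace) raises ValueError rather than being guessed at.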