Java Forum / Security / November 2005

Extending SecurityManager

Domagoj Klepac - 15 Nov 2005 07:50 GMT
I'm using my own SecurityManager in my Java application because of two
reasons:
- RMI requires the SecurityManager to be installed
- my application accepts telnet-like connections from remote users,
and I want to maintain a "whitelist" of the IPs from which users can
connect to the application

I'm currently overriding the checkAccept method to implement the
whitelist. However, I've found out that I also need to override the
checkPermission method, and basically allow everything in order to get
my application to be able to do anything.

I know that the best security is implemented by disallowing everything
and then allowing only the things that are used, but when I checked
what calls checkPermission I got a ton of output; it's impossible to
examine and allow all those things one-by-one.

But if I allow everything, I'm wondering if I'm allowing anything I
shouldn't.

So my question is basically what is allowed if there's no security
manager installed - everything? What do I do when I want to use
default security, and restrict only one part of the system (incoming
connections)?

               Domchi
Richard Wheeldon - 15 Nov 2005 22:43 GMT
> I know that the best security is implemented by disallowing everything
> and then allowing only the things that are used, but when I checked
> what calls checkPermission I got a ton of output; it's impossible to
> examine and allow all those things one-by-one.

Don't. Just do what I did with my app. Run it, wait for it to moan
about a lack of permission, fix it, repeat. This took me about 20-30
goes to get right on a 30000-40000 line app. ymmv.

You might well be surprised how useful an exercise it is for uncovering
things that shouldn't be there in the first place.

> So my question is basically what is allowed if there's no security
> manager installed - everything?

Yes.

> What do I do when I want to use default security, and restrict
> only one part of the system (incoming connections)?

Try two codebases. e.g. two packages com.foo.stuffitrust and
com.foo.stuffidonttrust

// codeBase is a URL to the code's location (a jar or directory), not a package name;
// the two paths below are placeholders for wherever the trusted and untrusted code lives.
grant codeBase "file:/path/to/stuffitrust.jar" {
  permission java.security.AllPermission;
};
grant codeBase "file:/path/to/stuffidonttrust.jar" {
  permission java.net.SocketPermission "localhost:8888", "accept,resolve";
};

Or something similar. There are probably some syntax errors in the
above, but you should get the idea.

Richard
Domagoj Klepac - 16 Nov 2005 18:14 GMT
>> I know that the best security is implemented by disallowing everything
>> and then allowing only the things that are used, but when I checked
[quoted text clipped - 4 lines]
>about a lack of permission, fix it, repeat. This took me about 20-30
>goes to get right on a 30000-40000 line app. ymmv.

There is a way to do it without restarting. Install your security
manager, and override checkPermission:

public void checkPermission(Permission perm) throws SecurityException
{
       System.out.println("Requested permission: " perm.getName());
}

Then run the app, scroll through the output and make a list. :)

>> So my question is basically what is allowed if there's no security
>> manager installed - everything?
>
>Yes.

Excellent, that's what I needed to know.

Thanks for your help.

               Domchi
Domagoj Klepac - 16 Nov 2005 18:16 GMT
>public void checkPermission(Permission perm) throws SecurityException
>{
>        System.out.println("Requested permission: " perm.getName());
>}

This line should be:

System.out.println("Requested permission: " + perm.getName());

:)

               Domchi
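An added example, not code from anyone in this thread, that combines Domagoj's logging trick with the checkAccept whitelist from the original question: rather than printing every check, it lets the default policy decide and logs only what it would deny, while actually enforcing the IP whitelist. The class name, the sample hosts and the /tmp probe are constructed values.

```java
import java.security.Permission;
import java.util.Set;

// Added example (not from the thread): audit what the default policy denies instead of
// granting everything, and enforce an IP whitelist only in checkAccept().
public class AuditingSecurityManager extends SecurityManager {
    private final Set<String> allowedHosts;   // constructed sample; peer IPs as ServerSocket reports them

    public AuditingSecurityManager(Set<String> allowedHosts) {
        this.allowedHosts = Set.copyOf(allowedHosts);
    }

    // Audit mode: let the default policy decide, but log denials instead of throwing, so one
    // run of the app yields the list of permissions the policy file must grant. Each line
    // printed here corresponds to a "permission" entry for the trusted codebase.
    @Override
    public void checkPermission(Permission perm) {
        try {
            super.checkPermission(perm);
        } catch (SecurityException e) {
            System.out.println("Default policy would deny: " + perm);
        }
    }

    // The one check that is actually enforced. ServerSocket.accept() calls this with the
    // peer's IP address and closes the accepted socket if it throws.
    @Override
    public void checkAccept(String host, int port) {
        if (!allowedHosts.contains(host)) {
            throw new SecurityException("accept from " + host + ":" + port + " refused: not whitelisted");
        }
    }

    public static void main(String[] args) {
        AuditingSecurityManager sm = new AuditingSecurityManager(Set.of("127.0.0.1", "192.0.2.10"));
        sm.checkAccept("192.0.2.10", 2323);          // whitelisted: returns normally
        try {
            sm.checkAccept("198.51.100.7", 2323);    // not whitelisted: SecurityException
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
        System.setSecurityManager(sm);               // from here on, denials are logged, not enforced
        new java.io.File("/tmp").canRead();          // triggers a FilePermission "read" check
    }
}
```

SecurityManager has been deprecated for removal since JDK 17, and on JDK 18 and later the JVM must be started with -Djava.security.manager=allow for System.setSecurityManager to succeed. The two-argument checkPermission(perm, context) is deliberately not overridden, so context-bound checks are still enforced during the audit run.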