ConfiguringAJavaSecurityManager

How to Run JBoss with a Java Security Manager

By default the JBoss server does not start with a Java 2 security manager. If you want to restrict the privileges of code using Java 2 permissions, you need to configure the JBoss server to run under a security manager. This is done by adding Java VM options to the run.bat or run.sh script in the bin directory of the JBoss server distribution. The two required VM options are:


  • java.security.manager: Used without a value, this installs the default security manager (java.lang.SecurityManager), which is the preferred choice. You can also pass a value to the java.security.manager option to install a custom security manager implementation; the value must be the fully qualified class name of a subclass of java.lang.SecurityManager that is available on the classpath. A custom class only replaces the manager, not the policy: the permissions in force are still those of the policy files selected by java.security.policy.

  • java.security.policy: This specifies a policy file that augments, or replaces, the default policy information of the VM. The option takes two forms: java.security.policy=policyFileURL and java.security.policy==policyFileURL. The first form (single =) specifies that the policy file should augment the default security policy as configured by the VM installation, i.e. the VM's own java.policy file; the second form (double =) specifies that only the indicated policy file should be used. The policyFileURL value can be any URL for which a protocol handler exists, or a file path specification. The option is honored only while policy.allowSystemProperty=true in the VM's java.security file, which is the default.


Both the run.bat and run.sh start scripts reference a JAVA_OPTS variable which you can use to set the security manager properties.


Enabling Java 2 security is the easy part. The difficult part of Java 2 security is establishing the set of permissions the server's code actually needs, and granting nothing more. A sample server.policy file that is used as part of the testsuite is the following:


// The Java2 security policy for the securitymgr tests
// Install with -Djava.security.policy==server.policy
// and -Djboss.home.dir=path_to_jboss_distribution
// and -Djboss.server.home.dir=path_to_jboss_server_home

// Trusted core Java code
grant codeBase "file:${java.home}/lib/ext/-" {
   permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/lib/*" {
   permission java.security.AllPermission;
};
// For java.home pointing to the JDK jre directory
grant codeBase "file:${java.home}/../lib/*" {
   permission java.security.AllPermission;
};

// Trusted core JBoss code
grant codeBase "file:${jboss.home.dir}/bin/-" {
   permission java.security.AllPermission;
};
grant codeBase "file:${jboss.home.dir}/lib/-" {
   permission java.security.AllPermission;
};
grant codeBase "file:${jboss.server.home.dir}/lib/-" {
   permission java.security.AllPermission;
};
grant codeBase "file:${jboss.server.home.dir}/deploy/-" {
   permission java.security.AllPermission;
};
grant codeBase "file:${jboss.server.home.dir}/work/-" {
   permission java.security.AllPermission;
};

// Minimal permissions are allowed to everyone else
grant {
   permission java.util.PropertyPermission "*", "read";
   permission java.lang.RuntimePermission "queuePrintJob";
   permission java.net.SocketPermission "*", "connect";
   permission java.lang.RuntimePermission "accessClassInPackage.*";
   permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.getSubject";
   permission javax.management.MBeanServerPermission "findMBeanServer";
   permission javax.management.MBeanPermission "org.jboss.mx.modelmbean.XMBean#*[JMImplementation:type=MBeanRegistry]", "*";
   permission javax.security.auth.AuthPermission "createLoginContext.*";
};

Note what this sample still hands to code that falls under the final grant block: it may read every system property, open an outbound socket to any host and port, access classes in any restricted package and create login contexts, so the grant is minimal only relative to AllPermission. Conversely, everything under ${jboss.server.home.dir}/deploy receives AllPermission, so a deployment that is meant to be sandboxed must not be placed there. Also keep the -D options named in the file header: the default policy implementation ignores a grant entry whose codeBase property cannot be expanded, so an undefined jboss.server.home.dir silently drops the AllPermission grants for server code. Tighten the file to the needs of your own deployments before using it outside the testsuite.

An example JAVA_OPTS enhancement is (note that it uses the single = form, so the VM's own default policy also remains in effect; use == for server.policy to be the sole source of permissions, as its header recommends):

JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy=${build.resources}/securitymgr/server.policy"
JAVA_OPTS="$JAVA_OPTS -Djboss.home.dir=/releases/jboss-4.0.3SP1"
JAVA_OPTS="$JAVA_OPTS -Djboss.server.home.dir=/releases/jboss-4.0.3SP1/server/default"
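To see what a given policy actually grants to code outside the trusted directories, the following probe can be started with the same VM options as the server. It is an added example, not code from JBoss or its testsuite, and it assumes /tmp/probe as the directory for the compiled class and /path/to/server.policy as the policy location; adjust both. Because it is loaded from a codeBase that no AllPermission entry matches, it runs under the final grant block of the policy, exactly as a deployment outside deploy/ would.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.AccessController;
import java.security.Permission;
import java.util.PropertyPermission;
import javax.management.MBeanServerPermission;
import javax.security.auth.AuthPermission;

/*
 * PolicyProbe: reports what the policy in force grants to code loaded from the
 * probe's own codeBase. Added example, not part of JBoss or its testsuite.
 * Compile it into a directory that no AllPermission codeBase entry of
 * server.policy covers (/tmp/probe below is an assumed path) and start it with
 * exactly the VM options used for the server, so that it receives the same
 * grant as an application deployed outside the trusted directories:
 *
 *   javac -d /tmp/probe PolicyProbe.java
 *   java -Djava.security.manager \
 *        -Djava.security.policy==/path/to/server.policy \
 *        -Djboss.home.dir=/releases/jboss-4.0.3SP1 \
 *        -Djboss.server.home.dir=/releases/jboss-4.0.3SP1/server/default \
 *        -cp /tmp/probe PolicyProbe
 */
public class PolicyProbe {

    // System properties the sample server.policy expands in its codeBase URLs.
    // The default policy implementation ignores a grant entry whose property
    // cannot be expanded, so leaving out -Djboss.server.home.dir silently
    // discards the AllPermission grants for server code instead of failing.
    private static final String[] POLICY_PROPERTIES = {
        "java.home", "jboss.home.dir", "jboss.server.home.dir"
    };

    // True if the current call stack (launcher frames plus this class) holds p.
    static boolean isGranted(Permission p) {
        try {
            AccessController.checkPermission(p);
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    // Prints each policy property and returns how many the running VM lacks.
    static int reportMissingProperties() {
        int missing = 0;
        for (String name : POLICY_PROPERTIES) {
            // PropertyPermission "*", "read" is in the minimal grant, so this
            // read succeeds even from an untrusted codeBase.
            String value = System.getProperty(name);
            if (value == null) {
                System.out.println("MISSING  " + name
                    + " (grant entries that use it are ignored)");
                missing++;
            } else {
                System.out.println("property " + name + " = " + value);
            }
        }
        return missing;
    }

    public static void main(String[] args) {
        if (System.getSecurityManager() == null) {
            System.out.println("No security manager installed; "
                + "start with -Djava.security.manager");
            return;
        }
        reportMissingProperties();

        // Each probe exercises one line of the sample policy's default grant
        // or something that grant does not cover. Nothing is actually
        // performed; checkPermission only asks the policy.
        Object[][] probes = {
            { "read system property user.home",  new PropertyPermission("user.home", "read") },
            { "write system property user.home", new PropertyPermission("user.home", "write") },
            { "connect to localhost:1099",       new SocketPermission("localhost:1099", "connect") },
            { "listen on localhost:1099",        new SocketPermission("localhost:1099", "listen") },
            { "write file /tmp/probe.txt",       new FilePermission("/tmp/probe.txt", "write") },
            { "access package sun.misc",         new RuntimePermission("accessClassInPackage.sun.misc") },
            { "create a class loader",           new RuntimePermission("createClassLoader") },
            { "find the MBeanServer",            new MBeanServerPermission("findMBeanServer") },
            { "create LoginContext 'other'",     new AuthPermission("createLoginContext.other") },
            { "read own ProtectionDomain",       new RuntimePermission("getProtectionDomain") },
        };
        for (Object[] probe : probes) {
            String verdict = isGranted((Permission) probe[1]) ? "GRANTED  " : "denied   ";
            System.out.println(verdict + probe[0]);
        }
    }
}
```

With the sample server.policy installed via the == form, the property read, socket connect, accessClassInPackage, findMBeanServer and createLoginContext probes are granted and the others denied. Started with the single = form instead, the VM's own java.policy adds further grants, which the probe will show. The probe deliberately does not parse the policy file: no FilePermission is in the minimal grant, so reading it would itself be denied, which is why it checks the property names it knows instead.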


Applications that should receive only the minimal permissions must be deployed where none of the AllPermission codeBase grants above match: outside the server distribution, or under a directory other than ${jboss.server.home.dir}/deploy. The chosen directory then has to be added to the URLs attribute of the URLDeploymentScanner MBean in the server's conf/jboss-service.xml so that it is still scanned for deployments:


   <!-- An mbean for hot deployment/undeployment of archives.
   -->
   <mbean code="org.jboss.deployment.scanner.URLDeploymentScanner"
      name="jboss.deployment:type=DeploymentScanner,flavor=URL">

...
      <attribute name="URLs">
         deploy/,apps-deploy/
      </attribute>


This would pick up deployments from the usual ${jboss.server.home.dir}/deploy directory as well as from a custom ${jboss.server.home.dir}/apps-deploy directory (relative entries in URLs are resolved against ${jboss.server.home.dir}). Archives under apps-deploy/ are deployed normally, but since no AllPermission grant in server.policy covers that path they run with the permissions of the final grant block only.