JBoss AS7: Security : Running under a Java Security Manager

This article discusses how to run a JBoss AS 7.1 instance under the Java Security Manager.

 

Prerequisites

 

A general understanding of how to configure security permissions in a Java Security Manager policy file.

 

Configuration

 

We need the following two mandatory system properties:

  1. -Djava.security.manager
  2. -Djava.security.policy

 

 

The following is what I have at the end of the standalone.conf file:

 

JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djboss.home.dir=$PWD/.. -Djava.security.policy==$PWD/server.policy -Djava.security.debug=failure"

 

 

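Note that the java.security.policy property points to a server.policy file that is in the bin directory. (I created the server.policy file.) The double equals sign (==) makes the JVM use only this policy file instead of adding it to the default policy files.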

 

I also pass in a jboss.home.dir system property that references the JBoss AS distribution root directory.  I use this system property in the server.policy file.

 

 

server.policy file

 

Remember to pass in the jboss.home.dir system property. (See above block).

 

 

// ***************************************
// Trusted core Java code
//***************************************
grant codeBase "file:${java.home}/lib/ext/-" {
   permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/lib/*" {
   permission java.security.AllPermission;
};
// For java.home pointing to the JDK jre directory
grant codeBase "file:${java.home}/../lib/*" {
   permission java.security.AllPermission;
};


//********************************************
// Trusted core JBoss code
//********************************************
grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" {
   permission java.security.AllPermission;
};

//********************************************
// Trusted JBoss AS Modules
//********************************************
grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/jmx/main/-" {
   permission java.security.AllPermission;
};

grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/server/main/-" {
   permission java.security.AllPermission;
};

grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/process-controller/main/-" {
   permission java.security.AllPermission;
};

grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/controller/main/-" {
   permission java.security.AllPermission;
};

grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/controller-client/main/-" {
   permission java.security.AllPermission;
};

grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/connector/main/-" {
   permission java.security.AllPermission;
};

grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/clustering/infinispan/main/-" {
   permission java.security.AllPermission;
};

grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/deployment-repository/main/-" {
   permission java.security.AllPermission;
};

grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/remoting/main/-" {
   permission java.security.AllPermission;
};

grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/platform-mbean/main/-" {
   permission java.security.AllPermission;
};

//********************************************
// Trusted JBoss Modules
//********************************************

grant codeBase "file:${jboss.home.dir}/modules/org/jboss/logmanager/main/-" {
   permission java.security.AllPermission;
};

grant codeBase "file:${jboss.home.dir}/modules/org/jboss/logmanager/log4j/main/-" {
   permission java.security.AllPermission;
};

grant codeBase "file:${jboss.home.dir}/modules/org/jboss/logging/main/-" {
   permission java.security.AllPermission;
};

grant codeBase "file:${jboss.home.dir}/modules/org/jboss/stdio/main/-" {
   permission java.security.AllPermission;
};

grant codeBase "file:${jboss.home.dir}/modules/org/jboss/msc/main/-" {
   permission java.security.AllPermission;
};

grant codeBase "file:${jboss.home.dir}/modules/org/jboss/threads/main/-" {
   permission java.security.AllPermission;
};

grant codeBase "file:${jboss.home.dir}/modules/org/jboss/vfs/main/-" {
   permission java.security.AllPermission;
};

grant codeBase "file:${jboss.home.dir}/modules/org/jboss/staxmapper/main/-" {
   permission java.security.AllPermission;
};

//********************************************
// Trusted 3rd Party Modules
//********************************************
grant codeBase "file:${jboss.home.dir}/modules/org/apache/log4j/main/-" {
   permission java.security.AllPermission;
};

 

Troubleshooting

I do not know how to debug the permission problems.

 

Add extra parameters to the -Djava.security.debug system property as shown below:

 

JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djboss.home.dir=$PWD/.. -Djava.security.policy==$PWD/server.policy -Djava.security.debug=failure,access,policy"

 

 

When a permission check fails, you will see errors such as the following:

 

)
12:46:33,368 ERROR [stderr] policy: evaluation (codesource) failed
12:46:33,368 ERROR [stderr] access: domain that failed ProtectionDomain  (jar:file:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.CR1-SNAPSHOT/modules/org/jboss/as/clustering/infinispan/main/jboss-as-clustering-infinispan-7.1.0.CR1-SNAPSHOT.jar!/ <no signer certificates>)
12:46:33,368 ERROR [stderr]  ModuleClassLoader for Module "org.jboss.as.clustering.infinispan:main" from local module loader @3e89c3 (roots: /home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.CR1-SNAPSHOT/modules)
12:46:33,368 ERROR [stderr]  <no principals>
12:46:33,368 ERROR [stderr]  java.security.Permissions@1f07597 (
12:46:33,368 ERROR [stderr] )
12:46:33,368 ERROR [stderr] 

....

Caused by: java.security.AccessControlException: access denied (java.io.FilePermission /home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.CR1-SNAPSHOT/modules/org/apache/commons/pool/main/module.xml read)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323) [:1.6.0_23]
        at java.security.AccessController.checkPermission(AccessController.java:546) [:1.6.0_23]
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532) [:1.6.0_23]
        at java.lang.SecurityManager.checkRead(SecurityManager.java:871) [:1.6.0_23]
        at java.io.File.exists(File.java:731) [:1.6.0_23]
        at org.jboss.modules.LocalModuleLoader.findModule(LocalModuleLoader.java:121) [jboss-modules.jar:1.1.0.CR4]
        at org.jboss.modules.ModuleLoader.loadModuleLocal(ModuleLoader.java:265) [jboss-modules.jar:1.1.0.CR4]
        at org.jboss.modules.ModuleLoader.preloadModule(ModuleLoader.java:212) [jboss-modules.jar:1.1.0.CR4]
        at org.jboss.modules.LocalModuleLoader.preloadModule(LocalModuleLoader.java:94) [jboss-modules.jar:1.1.0.CR4]
        at org.jboss.modules.Module.addPaths(Module.java:790) [jboss-modules.jar:1.1.0.CR4]
        at org.jboss.modules.Module.link(Module.java:997) [jboss-modules.jar:1.1.0.CR4]
        at org.jboss.modules.Module.getPaths(Module.java:971) [jboss-modules.jar:1.1.0.CR4]
        at org.jboss.modules.Module.getPathsUnchecked(Module.java:982) [jboss-modules.jar:1.1.0.CR4]
        at org.jboss.modules.Module.loadModuleClass(Module.java:495) [jboss-modules.jar:1.1.0.CR4]
        at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:182) [jboss-modules.jar:1.1.0.CR4]
        at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:485) [jboss-modules.jar:1.1.0.CR4]
        at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:444) [jboss-modules.jar:1.1.0.CR4]
        at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:421) [jboss-modules.jar:1.1.0.CR4]
        at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:143) [jboss-modules.jar:1.1.0.CR4]
        at java.lang.ClassLoader.defineClass1(Native Method) [:1.6.0_23]
        at java.lang.ClassLoader.defineClassCond(ClassLoader.java:632) [:1.6.0_23]

 

Here you have a security exception. The key is to look for the protection domain that failed.

 

In this example, the line that matters is:

 

access: domain that failed ProtectionDomain  (jar:file:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.CR1-SNAPSHOT/modules/org/jboss/as/clustering/infinispan/main/jboss-as-clustering-infinispan-7.1.0.CR1-SNAPSHOT.jar!/ <no signer certificates>)
12:46:33,376 ERROR [stderr]  ModuleClassLoader for Module "org.jboss.as.clustering.infinispan:main" from local module loader @3e89c3 (roots: /home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.CR1-SNAPSHOT/modules)
12:46:33,376 ERROR [stderr]  <no principals>
12:46:33,376 ERROR [stderr]  java.security.Permissions@1b8119a (
12:46:33,376 ERROR [stderr] )

 

 

So basically we are looking at:

jar:file:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.CR1-SNAPSHOT/modules/org/jboss/as/clustering/infinispan/main/jboss-as-clustering-infinispan-7.1.0.CR1-SNAPSHOT.jar!/

 

For this reason, I added the following into the server.policy file:

 

grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/clustering/infinispan/main/-" {
   permission java.security.AllPermission;
};

 

This statement block gives all permissions to the jars that exist in the main directory of the module "org.jboss.as.clustering.infinispan".

 

In an ideal world, you would qualify the statement block with specific permissions such as SocketPermission, RuntimePermission, etc. rather than an AllPermission.
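
The troubleshooting steps above (find the protection domain that failed, then grant to its module directory) can be scripted so that the grant names only the permissions the log shows as denied, which is the narrower form the last paragraph asks for. The following Python script is an added example, not part of the original article or of JBoss AS. It assumes the debug output prints each "access denied (...)" line before the matching "domain that failed" line; the log lines and the /opt/jboss-as path are constructed sample values.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample, modelled on the java.security.debug output quoted above.
# /opt/jboss-as is a placeholder install root, not a path from the article.
JAR = "jar:file:/opt/jboss-as/modules/org/jboss/as/clustering/infinispan/main/infinispan.jar!/"
SAMPLE_LOG = "\n".join([
    "12:46:33,360 ERROR [stderr] access: access denied (java.io.FilePermission "
    "/opt/jboss-as/modules/org/apache/commons/pool/main/module.xml read)",
    "12:46:33,368 ERROR [stderr] access: domain that failed ProtectionDomain  (%s <no signer certificates>)" % JAR,
    # Java 7 and later quote each field of the permission.
    '12:46:34,001 ERROR [stderr] access: access denied ("java.lang.RuntimePermission" "getClassLoader")',
    "12:46:34,002 ERROR [stderr] access: domain that failed ProtectionDomain  (%s <no signer certificates>)" % JAR,
])
DENIED = re.compile(r"access denied \((.*)\)")
DOMAIN = re.compile(r"domain that failed ProtectionDomain\s+\((\S+)")

def code_base(url, jboss_home):
    """Map a ProtectionDomain jar URL to a codeBase covering its module directory."""
    directory = re.sub(r"^jar:|!/$", "", url).rsplit("/", 1)[0]
    return directory.replace(jboss_home, "${jboss.home.dir}", 1) + "/-"

def denied_by_domain(log, jboss_home):
    """Return {codeBase: set of denied permission tuples} from debug output."""
    grants, last = defaultdict(set), None
    for line in log.splitlines():
        denied, domain = DENIED.search(line), DOMAIN.search(line)
        if denied:
            last = tuple(shlex.split(denied.group(1)))  # (class, target[, actions])
        elif domain and last:
            grants[code_base(domain.group(1), jboss_home)].add(last)
            last = None
    return grants

def render(grants, jboss_home):
    """Emit policy stanzas that grant only what was denied, never AllPermission."""
    out = []
    for base in sorted(grants):
        out.append('grant codeBase "%s" {' % base)
        for cls, *args in sorted(grants[base]):
            quoted = ", ".join('"%s"' % a.replace(jboss_home, "${jboss.home.dir}", 1) for a in args)
            out.append("   permission %s %s;" % (cls, quoted))
        out.append("};")
    return "\n".join(out)

if __name__ == "__main__":
    print(render(denied_by_domain(SAMPLE_LOG, "/opt/jboss-as"), "/opt/jboss-as"))
```

Treat the generated stanzas as candidates for review: they reflect only the code paths exercised during the run, so restart the server and re-check the log after each policy change.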