If a security manager is in force, the following conditions must be met to enable any software, including extension software, to perform security-sensitive operations:

- The security-sensitive code in the extension must be wrapped in a PrivilegedAction object.
- The security policy implemented by the security manager must grant the appropriate permission to the extension. By default, installed extensions are granted all security permissions as if they were part of the core platform API.

Note that wrapping code in a PrivilegedAction does not by itself confer any permission. The policy grants permissions to the extension's code source; the doPrivileged call marks that stack frame as privileged, so the access controller stops its stack walk there and the extension's own permissions suffice even when the code that called it (an applet, for example) holds fewer. Outside a doPrivileged block, every caller on the stack must hold the permission being checked.

Let's look at each of these conditions in a little more detail, with some examples.
Suppose that you want to modify the RectangleArea class in the extension example of the previous lesson to write rectangle areas to a file rather than to stdout. Writing to a file, however, is a security-sensitive operation, so if your software is going to be running under a security manager, you'll need to mark your code as being privileged. There are two steps you need to take to do so:

- You need to place code that performs security-sensitive operations within the run method of an object of type java.security.PrivilegedAction.
- You must use that PrivilegedAction object as the argument in a call to the doPrivileged method of java.security.AccessController.

If we apply those guidelines to the RectangleArea class, our class definition would look something like this:

    import java.io.*;
    import java.security.*;

    public final class RectangleArea {
        public static void writeArea(final java.awt.Rectangle r) {
            // Everything inside run() executes with this class's own
            // permissions, regardless of who called writeArea.
            AccessController.doPrivileged(new PrivilegedAction() {
                public Object run() {
                    try {
                        int area = r.width * r.height;
                        FileWriter fw = new FileWriter("/tmp/AreaOutput");
                        fw.write("The rectangle's area is " + area);
                        fw.flush();
                        fw.close();
                    } catch (IOException ioe) {
                        System.err.println(ioe);
                    }
                    // run() must return an Object; null is acceptable.
                    return null;
                }
            });
        }
    }

The single method in this class, writeArea, computes the area of a rectangle and writes the area to a file called AreaOutput in the /tmp directory. The security-sensitive statements dealing with the output file are placed within the run method of a new instance of PrivilegedAction. (Note that run requires that an Object instance be returned. The returned object can be null.) The new PrivilegedAction instance is then passed as an argument in a call to AccessController.doPrivileged.

For more information about using doPrivileged, see New API for Privileged Blocks in the JDK(TM) documentation.
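A tighter variant of writeArea, added here as an example and not part of the original tutorial or of the JDK's own code. It uses java.security.PrivilegedExceptionAction (part of the same Java 2 API) so that an IOException reaches the caller instead of being swallowed, keeps only the file open and write inside the privileged region, and hard-codes the output path so that no caller can steer the privileged write to a file of its choosing. The output path /tmp/AreaOutput and the class name are assumptions carried over from the page's example; the class is assumed to be an installed extension granted FilePermission "/tmp/*", "write".

```java
import java.io.FileWriter;
import java.io.IOException;
import java.io.Writer;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

/*
 * Added example (not from the original tutorial): a variant of the
 * RectangleArea extension that keeps the privileged region as small as
 * possible and lets I/O errors reach the caller instead of swallowing them.
 *
 * Assumptions (not in the original page): the output path /tmp/AreaOutput
 * is fixed inside the class, and the class is deployed as an installed
 * extension whose code source is granted FilePermission "/tmp/*", "write".
 */
public final class RectangleArea {

    // Fixed inside the extension: callers must not be able to choose the
    // path, or a caller that lacks FilePermission could use this privileged
    // code as a confused deputy to write wherever the extension may write.
    private static final String OUTPUT_PATH = "/tmp/AreaOutput";

    public static void writeArea(java.awt.Rectangle r) throws IOException {
        // Plain arithmetic needs no permission, so it stays outside the
        // privileged block; only the I/O below runs privileged.
        final int area = r.width * r.height;
        final String line = "The rectangle's area is " + area;

        try {
            // The access check for the FileWriter stops at this frame, so
            // the extension's own FilePermission is sufficient even when the
            // caller lower on the stack does not hold it.
            AccessController.doPrivileged(new PrivilegedExceptionAction() {
                public Object run() throws IOException {
                    Writer w = new FileWriter(OUTPUT_PATH);
                    try {
                        w.write(line);
                        w.flush();
                    } finally {
                        // Close even if write() fails, so no handle leaks.
                        w.close();
                    }
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            // doPrivileged wraps the checked exception thrown inside run();
            // only IOException can have been thrown there, so the cast is safe.
            throw (IOException) e.getException();
        }
    }
}
```

The two design points are the ones the tutorial's rules leave implicit: a privileged block should contain only the operation that actually needs the extension's permissions, and nothing a less-trusted caller controls (here, the file name) should influence what that block does.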
Wrapping security-sensitive code in a PrivilegedAction object in this manner is the first requirement for enabling an extension to perform security-sensitive operations. The second requirement is getting the security manager to grant the privileged code the appropriate permissions.

The security policy in force at runtime is specified by a policy file. The default policy is set by the file lib/security/java.policy in the JRE software. The policy file assigns security privileges to software by using grant entries. The policy file can contain any number of grant entries. The default policy file has this grant entry for installed extensions:

    grant codeBase "file:${java.home}/lib/ext/" {
        permission java.security.AllPermission;
    };

This entry specifies that code at the location file:${java.home}/lib/ext/ is to be granted the permission called java.security.AllPermission. (Note that in the Java 2 platform, version 1.2, java.home refers to the jre directory.) As the name suggests, java.security.AllPermission grants installed extensions all the security privileges that it is possible to grant. When you read or write codeBase URLs, remember that the trailing characters matter: a URL ending in "/" matches only the class files in that directory, one ending in "/*" also matches the JAR files in that directory, and one ending in "/-" matches everything in that directory and its subdirectories recursively. Check which form your own java.policy uses before assuming that a JAR file in lib/ext is covered by an entry.

By default, then, installed extensions have no security restrictions. Extension software can perform security-sensitive operations as if there were no security manager installed, provided that security-sensitive code is contained in an instance of PrivilegedAction passed as an argument in a doPrivileged call. To limit the privileges granted to extensions, you need to modify the policy file. To deny all privileges to all extensions, you could simply remove the above grant entry.
Not all permissions are as comprehensive as the java.security.AllPermission granted by default. After deleting the default grant entry, you can enter a new grant entry for one or more of the following limited permissions:

- java.awt.AWTPermission
- java.io.FilePermission
- java.net.NetPermission
- java.util.PropertyPermission
- java.lang.reflect.ReflectPermission
- java.lang.RuntimePermission
- java.security.SecurityPermission
- java.io.SerializablePermission
- java.net.SocketPermission

The Policy Permissions file in the JDK documentation provides details about each of these permissions. Let's look at just one, java.io.FilePermission, as an example.

The only permission that the RectangleArea.writeArea method really needs is the permission to write to a file. Assuming that the RectangleArea class is bundled in the file area.jar, you could grant write privileges by adding this entry to the policy file:

    grant codeBase "file:${java.home}/lib/ext/area.jar" {
        permission java.io.FilePermission "/tmp/*", "write";
    };

The codeBase "file:${java.home}/lib/ext/area.jar" part of this entry guarantees that any permissions specified by this entry will apply only to your JAR file. The java.io.FilePermission permits access to files. The first string argument, "/tmp/*", indicates that area.jar is being granted permission to access all files directly in the /tmp directory (but not /tmp itself, and not files in its subdirectories; a target ending in "/-" would cover those recursively). The second argument indicates that the file access being granted is only for writing. (Other choices for the second argument are "read", "delete", and "execute"; several may be combined in one comma-separated string, for example "read,write".) Granting only the files and actions the extension actually uses, rather than AllPermission, limits what a bug in the extension, or a caller that abuses its privileged block, can do.
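Before editing java.policy, it is worth confirming exactly which files a FilePermission target covers. The following stand-alone program is an added example, not code from the original tutorial; it uses Permission.implies(), the same test the access controller applies when it checks a permission, so it runs without a security manager or policy file installed. The candidate paths are constructed for the illustration and assume Unix-style paths.

```java
import java.io.FilePermission;

/*
 * Added example (not from the original tutorial): check what a FilePermission
 * target such as "/tmp/*" actually covers before writing it into java.policy.
 * Permission.implies() is the test the access controller applies at runtime,
 * so this runs stand-alone, with no security manager installed.
 * The candidate paths below are constructed for the illustration.
 */
public final class PolicyCheck {

    /** Returns true if the granted permission covers a request for path/actions. */
    public static boolean covers(FilePermission granted, String path, String actions) {
        return granted.implies(new FilePermission(path, actions));
    }

    public static void main(String[] args) {
        // The grant from the tutorial's area.jar entry.
        FilePermission grant = new FilePermission("/tmp/*", "write");

        // "*" matches files directly in /tmp, not the directory itself
        // and not anything in subdirectories.
        check(covers(grant, "/tmp/AreaOutput", "write"), true, "file in /tmp, write");
        check(covers(grant, "/tmp/sub/AreaOutput", "write"), false, "file in subdirectory");
        check(covers(grant, "/tmp", "write"), false, "the directory itself");

        // Actions are checked too: the grant above allows write only.
        check(covers(grant, "/tmp/AreaOutput", "read"), false, "read not granted");
        check(covers(grant, "/tmp/AreaOutput", "delete"), false, "delete not granted");

        // "-" is recursive and is the broader, riskier form.
        FilePermission recursive = new FilePermission("/tmp/-", "write");
        check(covers(recursive, "/tmp/sub/deeper/x", "write"), true, "recursive grant");

        // A comma-separated action list grants each listed action.
        FilePermission readWrite = new FilePermission("/tmp/*", "read,write");
        check(covers(readWrite, "/tmp/AreaOutput", "read"), true, "read from read,write");

        System.out.println("all FilePermission checks passed");
    }

    private static void check(boolean actual, boolean expected, String what) {
        if (actual != expected) {
            throw new AssertionError(what + ": expected " + expected + " but got " + actual);
        }
    }
}
```

Run it with plain java (no -Djava.security.manager needed); an AssertionError means the grant does not mean what you assumed, which is exactly what you want to find out before deploying the policy rather than after.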
You can use the policy file to place additional restrictions on the permissions granted to extensions by requiring them to be signed by a trusted entity. (For a review of signing and verifying JAR files, see the JAR File Format trail in this tutorial.) To allow signature verification of extensions or other software in conjunction with granting permissions, the policy file must contain a keystore entry. The keystore entry specifies which keystore is to be used in the verification. Keystore entries have the form

    keystore "keystore_url";

The URL keystore_url is either absolute or relative. If it's relative, the URL is relative to the location of the policy file.

To indicate that an extension must be signed in order to be granted security privileges, you use the signedBy field. For example, the following entry indicates that the extension area.jar is to be granted write privileges only if it is signed by both of the signers identified in the keystore by the aliases Robert and Rita (a comma-separated signedBy list requires all of the listed signatures, not any one of them):

    grant signedBy "Robert,Rita", codeBase "file:${java.home}/lib/ext/area.jar" {
        permission java.io.FilePermission "*", "write";
    };

If the codeBase field is omitted, as in the following grant, the permissions are granted to any software, including installed or downloaded extensions, that is signed by both Robert and Rita, wherever it was loaded from:

    grant signedBy "Robert,Rita" {
        permission java.io.FilePermission "*", "write";
    };

Note that the target "*" in these two entries means all files in the current working directory of the process, which is broader and less predictable than the "/tmp/*" target used earlier; prefer an explicit directory. For further details about the policy file format, see section 3.3.1 of the Security Architecture Specification in the JDK documentation.
Copyright 1995-2004 Sun Microsystems, Inc. All rights reserved.