JBoss AS7: Security : Running under a Java Security Manager

    This article describes how to run a JBoss AS 7.1 instance under the Java Security Manager.

     

    Prerequisites

     

    A general understanding of how to configure security permissions in a Java Security Manager policy file.

     

    Configuration

     

    We need the following two mandatory system properties:

    1. -Djava.security.manager
    2. -Djava.security.policy

     

     

    The following is what I have at the end of the standalone.conf file:

     

    JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djboss.home.dir=$PWD/.. -Djava.security.policy==$PWD/server.policy -Djava.security.debug=failure"
    

     

     

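    Note that the java.security.policy property points to a server.policy file in the bin directory (I created this file). The double equals sign (==) makes server.policy the only policy file in effect, so the JVM's default policy files are not consulted.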

     

    I also pass in a jboss.home.dir system property that references the JBoss AS distribution root directory. I use this system property in the server.policy file.

     

     

    server.policy file

     

    Remember to pass in the jboss.home.dir system property (see the block above).

     

     

    // ***************************************
    // Trusted core Java code
    //***************************************
    grant codeBase "file:${java.home}/lib/ext/-" {
       permission java.security.AllPermission;
    };
    grant codeBase "file:${java.home}/lib/*" {
       permission java.security.AllPermission;
    };
    // For java.home pointing to the JDK jre directory
    grant codeBase "file:${java.home}/../lib/*" {
       permission java.security.AllPermission;
    };
    
    
    //********************************************
    // Trusted core JBoss code
    //********************************************
    grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" {
       permission java.security.AllPermission;
    };
    
    //********************************************
    // Trusted JBoss AS Modules
    //********************************************
    grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/jmx/main/-" {
       permission java.security.AllPermission;
    };
    
    grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/server/main/-" {
       permission java.security.AllPermission;
    };
    
    grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/process-controller/main/-" {
       permission java.security.AllPermission;
    };
    
    grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/controller/main/-" {
       permission java.security.AllPermission;
    };
    
    grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/controller-client/main/-" {
       permission java.security.AllPermission;
    };
    
    grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/connector/main/-" {
       permission java.security.AllPermission;
    };
    
    grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/clustering/infinispan/main/-" {
       permission java.security.AllPermission;
    };
    
    grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/deployment-repository/main/-" {
       permission java.security.AllPermission;
    };
    
    grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/remoting/main/-" {
       permission java.security.AllPermission;
    };
    
    grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/platform-mbean/main/-" {
       permission java.security.AllPermission;
    };
    
    //********************************************
    // Trusted JBoss Modules
    //********************************************
    
    grant codeBase "file:${jboss.home.dir}/modules/org/jboss/logmanager/main/-" {
       permission java.security.AllPermission;
    };
    
    grant codeBase "file:${jboss.home.dir}/modules/org/jboss/logmanager/log4j/main/-" {
       permission java.security.AllPermission;
    };
    
    grant codeBase "file:${jboss.home.dir}/modules/org/jboss/logging/main/-" {
       permission java.security.AllPermission;
    };
    
    grant codeBase "file:${jboss.home.dir}/modules/org/jboss/stdio/main/-" {
       permission java.security.AllPermission;
    };
    
    grant codeBase "file:${jboss.home.dir}/modules/org/jboss/msc/main/-" {
       permission java.security.AllPermission;
    };
    
    grant codeBase "file:${jboss.home.dir}/modules/org/jboss/threads/main/-" {
       permission java.security.AllPermission;
    };
    
    grant codeBase "file:${jboss.home.dir}/modules/org/jboss/vfs/main/-" {
       permission java.security.AllPermission;
    };
    
    grant codeBase "file:${jboss.home.dir}/modules/org/jboss/staxmapper/main/-" {
       permission java.security.AllPermission;
    };
    
    //********************************************
    // Trusted 3rd Party Modules
    //********************************************
    grant codeBase "file:${jboss.home.dir}/modules/org/apache/log4j/main/-" {
       permission java.security.AllPermission;
    };
    
    

     

    Troubleshooting

    I do not know how to debug the permission problems.

     

    Add extra parameters to the -Djava.security.debug system property as shown below:

     

    JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djboss.home.dir=$PWD/.. -Djava.security.policy==$PWD/server.policy -Djava.security.debug=failure,access,policy"
    

     

     

    When a permission check fails, you will see errors such as the following:

     

    )
    12:46:33,368 ERROR [stderr] policy: evaluation (codesource) failed
    12:46:33,368 ERROR [stderr] access: domain that failed ProtectionDomain  (jar:file:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.CR1-SNAPSHOT/modules/org/jboss/as/clustering/infinispan/main/jboss-as-clustering-infinispan-7.1.0.CR1-SNAPSHOT.jar!/ <no signer certificates>)
    12:46:33,368 ERROR [stderr]  ModuleClassLoader for Module "org.jboss.as.clustering.infinispan:main" from local module loader @3e89c3 (roots: /home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.CR1-SNAPSHOT/modules)
    12:46:33,368 ERROR [stderr]  <no principals>
    12:46:33,368 ERROR [stderr]  java.security.Permissions@1f07597 (
    12:46:33,368 ERROR [stderr] )
    12:46:33,368 ERROR [stderr] 
    
    ....
    
    Caused by: java.security.AccessControlException: access denied (java.io.FilePermission /home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.CR1-SNAPSHOT/modules/org/apache/commons/pool/main/module.xml read)
            at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323) [:1.6.0_23]
            at java.security.AccessController.checkPermission(AccessController.java:546) [:1.6.0_23]
            at java.lang.SecurityManager.checkPermission(SecurityManager.java:532) [:1.6.0_23]
            at java.lang.SecurityManager.checkRead(SecurityManager.java:871) [:1.6.0_23]
            at java.io.File.exists(File.java:731) [:1.6.0_23]
            at org.jboss.modules.LocalModuleLoader.findModule(LocalModuleLoader.java:121) [jboss-modules.jar:1.1.0.CR4]
            at org.jboss.modules.ModuleLoader.loadModuleLocal(ModuleLoader.java:265) [jboss-modules.jar:1.1.0.CR4]
            at org.jboss.modules.ModuleLoader.preloadModule(ModuleLoader.java:212) [jboss-modules.jar:1.1.0.CR4]
            at org.jboss.modules.LocalModuleLoader.preloadModule(LocalModuleLoader.java:94) [jboss-modules.jar:1.1.0.CR4]
            at org.jboss.modules.Module.addPaths(Module.java:790) [jboss-modules.jar:1.1.0.CR4]
            at org.jboss.modules.Module.link(Module.java:997) [jboss-modules.jar:1.1.0.CR4]
            at org.jboss.modules.Module.getPaths(Module.java:971) [jboss-modules.jar:1.1.0.CR4]
            at org.jboss.modules.Module.getPathsUnchecked(Module.java:982) [jboss-modules.jar:1.1.0.CR4]
            at org.jboss.modules.Module.loadModuleClass(Module.java:495) [jboss-modules.jar:1.1.0.CR4]
            at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:182) [jboss-modules.jar:1.1.0.CR4]
            at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:485) [jboss-modules.jar:1.1.0.CR4]
            at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:444) [jboss-modules.jar:1.1.0.CR4]
            at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:421) [jboss-modules.jar:1.1.0.CR4]
            at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:143) [jboss-modules.jar:1.1.0.CR4]
            at java.lang.ClassLoader.defineClass1(Native Method) [:1.6.0_23]
            at java.lang.ClassLoader.defineClassCond(ClassLoader.java:632) [:1.6.0_23]
    

     

    Here you have a security exception. The key is to look for the protection domain that failed.

     

    In this example, the line that matters is:

     

    access: domain that failed ProtectionDomain  (jar:file:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.CR1-SNAPSHOT/modules/org/jboss/as/clustering/infinispan/main/jboss-as-clustering-infinispan-7.1.0.CR1-SNAPSHOT.jar!/ <no signer certificates>)
    12:46:33,376 ERROR [stderr]  ModuleClassLoader for Module "org.jboss.as.clustering.infinispan:main" from local module loader @3e89c3 (roots: /home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.CR1-SNAPSHOT/modules)
    12:46:33,376 ERROR [stderr]  <no principals>
    12:46:33,376 ERROR [stderr]  java.security.Permissions@1b8119a (
    12:46:33,376 ERROR [stderr] )
    

     

     

    So basically we are looking at:

    jar:file:/home/anil/as7/jboss-as/build/target/jboss-as-7.1.0.CR1-SNAPSHOT/modules/org/jboss/as/clustering/infinispan/main/jboss-as-clustering-infinispan-7.1.0.CR1-SNAPSHOT.jar!/

     

    For this reason, I added the following into the server.policy file:

     

    grant codeBase "file:${jboss.home.dir}/modules/org/jboss/as/clustering/infinispan/main/-" {
       permission java.security.AllPermission;
    };
    

     

    This statement block gives all permissions to the jars that exist in the main directory of the module "org.jboss.as.clustering.infinispan".

     

    In an ideal world, you would qualify the statement block with specific permissions such as SocketPermission, RuntimePermission, etc., rather than an AllPermission.
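
    The troubleshooting steps above can be scripted. The following Python is an added example, not part of the original article or of JBoss: it pulls each failed ProtectionDomain out of java.security.debug output, rewrites its module directory as a codeBase relative to ${jboss.home.dir}, and lists the denied permissions so that a grant can name them instead of AllPermission. The function names, the /opt/jboss-as path and the sample log are constructed for illustration; which denied permission belongs to which domain still has to be read from the log.

```python
import posixpath
import re

# Constructed sample in the shape of the debug output above; the paths under
# /opt/jboss-as are placeholders, not taken from a real server.
SAMPLE_LOG = """\
12:46:33,368 ERROR [stderr] policy: evaluation (codesource) failed
12:46:33,368 ERROR [stderr] access: domain that failed ProtectionDomain  (jar:file:/opt/jboss-as/modules/org/jboss/as/clustering/infinispan/main/example-infinispan.jar!/ <no signer certificates>)
Caused by: java.security.AccessControlException: access denied (java.io.FilePermission /opt/jboss-as/modules/org/apache/commons/pool/main/module.xml read)
12:46:34,101 ERROR [stderr] access: domain that failed ProtectionDomain  (jar:file:/opt/jboss-as/modules/org/jboss/as/clustering/infinispan/main/example-infinispan.jar!/ <no signer certificates>)
"""

DOMAIN_RE = re.compile(r"domain that failed ProtectionDomain\s+\((?:jar:)?file:(\S+)")
DENIED_RE = re.compile(r'access denied \((\S+) (.+?)(?: "?([\w,]+)"?)?\)')

def failed_codebases(log, jboss_home):
    """Distinct module-directory codeBase URLs for every failed ProtectionDomain."""
    home = jboss_home.rstrip("/")
    found = {}  # dict keeps first-seen order and removes repeats
    for m in DOMAIN_RE.finditer(log):
        path = m.group(1)
        module_dir = posixpath.dirname(path[:-2] if path.endswith("!/") else path)
        if module_dir.startswith(home + "/"):
            module_dir = "${jboss.home.dir}" + module_dir[len(home):]
        found["file:" + module_dir + "/-"] = True
    return list(found)

def denied_permissions(log):
    """Distinct (class, target, actions) triples from 'access denied' messages."""
    found = {}
    for m in DENIED_RE.finditer(log):
        found[tuple((g or "").strip('"') for g in m.groups())] = True
    return list(found)

def grant_stanza(codebase, permissions=None):
    """Render a grant block; the default is AllPermission, as the article uses."""
    lines = ['grant codeBase "%s" {' % codebase]
    if not permissions:
        lines.append("   permission java.security.AllPermission;")
    for cls, target, actions in permissions or []:
        suffix = ', "%s"' % actions if actions else ""
        lines.append('   permission %s "%s"%s;' % (cls, target, suffix))
    lines.append("};")
    return "\n".join(lines)

if __name__ == "__main__":
    for cb in failed_codebases(SAMPLE_LOG, "/opt/jboss-as"):
        print(grant_stanza(cb, denied_permissions(SAMPLE_LOG)))
```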