users@glassfish.java.net

Re: enabling the security manager on a ruby on rails application

From: Vivek Pandey <Vivek.Pandey_at_Sun.COM>
Date: Wed, 06 Jan 2010 09:13:39 -0800

Yes, with the security manager on you should be able to deploy Rails; see
https://glassfish.dev.java.net/issues/show_bug.cgi?id=10271.

In the server.policy file, there are security policies for JRuby. It assumes
that the JRuby installation is at glassfishv3/glassfish/jruby. You should
change it to the JRuby location you have on your local machine.

Here is the excerpt from the server.policy file:

//JRuby security permissions
grant codeBase "file:${com.sun.aas.installRoot}/jruby/lib/-"{
    permission java.io.FilePermission "<<ALL FILES>>", "read";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission java.util.PropertyPermission "jruby.*", "read";
    permission java.lang.RuntimePermission "accessClassInPackage.*";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "defineClassInPackage.*";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.RuntimePermission "getenv.*";
};

Above, you should replace '${com.sun.aas.installRoot}/jruby/lib/' with
your 'jruby-install-dir/lib' if it's not glassfishv3/glassfish/jruby. You
can find the server.policy file inside your domain's config
directory, for example glassfishv3/glassfish/domains/domain1/config.


-vivek.

Mathijs Kwik wrote:
> Hi all,
>
> Has anyone succeeded in enabling the security manager and still being
> able to run rails applications?
> I'm running glassfish v3
> I deployed a rails app using the directory deployer (asadmin deploy .)
> Everything works fine without security manager, but after enabling it,
> I get 500's
>
> Judging by the rails error log, I suspect it to be unable to access
> the session or some cookie.
>
> I tried to find the audit log, but couldn't find it anywhere.
>
>
> I have 3 questions:
> - How can I enable logging of security violations and where do I find the logs?
> - Is anyone aware of a good default jruby+rails permission set? or a
> list of possible grant options? or documentation for the security
> system?
> - I will be running multiple apps (on multiple virtual hosts) and I
> don't want them to access the filesystem directories belonging to
> other apps. Do I need to run different domains for this? or is it
> possible to do per-app security configuration and just use 1 domain?
>
> thanks,
> Mathijs
>
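
Added example, not part of the original messages and not GlassFish code: a Python sketch that parses the codeBase grants in a server.policy file and reports whether each granted directory actually exists, which is the check to make when JRuby is installed somewhere other than the location the shipped policy assumes. The function names and the sample text are constructed for illustration; only the com.sun.aas.installRoot property is expanded, and grant forms other than codeBase are not handled.

```python
import re
from pathlib import Path

# Constructed sample input: part of the JRuby grant quoted in the message above.
SAMPLE_POLICY = '''
//JRuby security permissions
grant codeBase "file:${com.sun.aas.installRoot}/jruby/lib/-"{
    permission java.io.FilePermission "<<ALL FILES>>", "read";
    permission java.lang.reflect.ReflectPermission
"suppressAccessChecks";
    permission java.lang.RuntimePermission "createClassLoader";
};
'''

GRANT_RE = re.compile(r'grant\s+codeBase\s+"([^"]+)"\s*\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+([\w.$]+)((?:\s*,?\s*"[^"]*")*)\s*;')
PROP_RE = re.compile(r'\$\{([^}]+)\}')


def parse_grants(policy_text):
    """Return [(codeBase, [(permission class, [quoted arguments])])]."""
    # Drop whole-line // comments only, so "file://" URLs inside strings survive.
    lines = [l for l in policy_text.splitlines() if not l.lstrip().startswith("//")]
    grants = []
    for code_base, body in GRANT_RE.findall("\n".join(lines)):
        perms = [(cls, re.findall(r'"([^"]*)"', args))
                 for cls, args in PERM_RE.findall(body)]
        grants.append((code_base, perms))
    return grants


def resolve_code_base(code_base, props):
    """Expand ${property} references and return the directory the grant covers."""
    # Unknown properties are left unexpanded rather than guessed.
    url = PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), code_base)
    path = url[len("file:"):] if url.startswith("file:") else url
    # A trailing "/-" (recursive) or "/*" (one level) is a wildcard, not a path part.
    if path.endswith(("/-", "/*")):
        path = path[:-2]
    return Path(path)


def audit(policy_text, install_root):
    """List each codeBase grant, whether its directory exists, and its permissions."""
    props = {"com.sun.aas.installRoot": str(install_root)}
    report = []
    for code_base, perms in parse_grants(policy_text):
        directory = resolve_code_base(code_base, props)
        report.append({"codeBase": code_base, "directory": directory,
                       "exists": directory.is_dir(), "permissions": perms})
    return report
```

An entry with "exists" set to False means the grant points at a directory that is not there, so the permissions listed under it apply to no code on that machine.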