users@glassfish.java.net

Re: enabling the security manager on a ruby on rails application

From: Mathijs Kwik <bluescreen303_at_gmail.com>
Date: Wed, 6 Jan 2010 19:21:21 +0100

well in that case I can just as well disable security manager (no overhead)
the point is... I want security manager, to restrict which parts of
the filesystem my app is allowed to access.

So I would like a way to find out what permission rails is violating,
so I can add that and start adding/removing the restrictions I want.


Thanks for trying to help though

2010/1/6 Felipe Gaúcho <fgaucho_at_gmail.com>:
> you can appeal to the extreme "AllPermission":
>
> grant codeBase "file:/home/fgaucho/.hudson/-" {
>    permission java.security.AllPermission;
> };
>
> where "file:/home/fgaucho/.hudson/-" is the path to your
> application...............
>
>
>
> On Wed, Jan 6, 2010 at 7:12 PM, Mathijs Kwik <bluescreen303_at_gmail.com> wrote:
>> Thank, but
>> I already did that :)
>>
>> So jruby itself works fine.
>> The problem arises when rails tries to render the flash (which uses
>> the session):
>>
>> [#|2010-01-06T18:07:56.392+0100|INFO|glassfishv3.0|com.sun.grizzly.jruby.rack.JRubyRuntime|_ThreadID=25;_ThreadName=Thread-1;|
>>
>> Processing PostsController#index (for 127.0.0.1 at 2010-01-06 18:07:56) [GET]
>> Rendering template within layouts/posts
>> Rendering posts/index
>>
>> ActionView::TemplateError (missing provider) on line #12 of
>> app/views/layouts/posts.html.erb:
>> 9: </head>
>> 10: <body>
>> 11:
>> 12: <p style="color: green"><%= flash[:notice] %></p>
>> 13:
>> 14: <%= yield %>
>> 15:
>>
>>    app/views/layouts/posts.html.erb:12
>>    app/controllers/posts_controller.rb:7:in `index'
>>    file:/home/mathijs/tmp/glassfishv3/glassfish/modules/grizzly-jruby.jar!/rack/adapter/rails.rb:133:in
>> `call'
>>    file:/home/mathijs/tmp/glassfishv3/glassfish/modules/grizzly-jruby.jar!/rack/handler/grizzly.rb:55:in
>> `call'
>>    :1
>>
>> Rendering rescues/layout (internal_server_error)
>> |#]
>>
>>
>> and sometimes:
>>
>> [#|2010-01-06T17:59:32.513+0100|INFO|glassfishv3.0|com.sun.grizzly.jruby.rack.JRubyRuntime|_ThreadID=25;_ThreadName=Thread-1;|/!\
>> FAILSAFE /!\  Wed Jan 06 17:59:32 +0100 2010
>>  Status: 500 Internal Server Error
>>  missing provider
>>    /opt/jruby-1.4.0/lib/ruby/gems/1.8/gems/activesupport-2.3.4/lib/active_support/message_verifier.rb:56:in
>> `generate_digest'
>>    /opt/jruby-1.4.0/lib/ruby/gems/1.8/gems/activesupport-2.3.4/lib/active_support/message_verifier.rb:37:in
>> `generate'
>>    /opt/jruby-1.4.0/lib/ruby/gems/1.8/gems/actionpack-2.3.4/lib/action_controller/session/cookie_store.rb:151:in
>> `marshal'
>>    /opt/jruby-1.4.0/lib/ruby/gems/1.8/gems/actionpack-2.3.4/lib/action_controller/session/cookie_store.rb:100:in
>> `call'
>>    /opt/jruby-1.4.0/lib/ruby/gems/1.8/gems/actionpack-2.3.4/lib/action_controller/failsafe.rb:26:in
>> `call'
>>    /opt/jruby-1.4.0/lib/ruby/gems/1.8/gems/actionpack-2.3.4/lib/action_controller/dispatcher.rb:106:in
>> `call'
>>    file:/home/mathijs/tmp/glassfishv3/glassfish/modules/grizzly-jruby.jar!/rack/adapter/rails.rb:133:in
>> `call'
>>    file:/home/mathijs/tmp/glassfishv3/glassfish/modules/grizzly-jruby.jar!/rack/handler/grizzly.rb:55:in
>> `call'
>>    :1
>>
>>
>> Processing PostsController#index (for 127.0.0.1 at 2010-01-06 17:59:32) [GET]
>> Rendering template within layouts/posts
>> Rendering posts/index
>> Completed in 9ms (View: 4, DB: 1) | 200 OK [http://flatser.dev/posts]
>> |#]
>>
>>
>> So the policy changes make sure jruby works, but rails obviously needs
>> some extra persmissions to access the session.
>>
>> On Wed, Jan 6, 2010 at 6:13 PM, Vivek Pandey <Vivek.Pandey_at_sun.com> wrote:
>>> Yes with security manager on you should be able to deploy Rails, see
>>> https://glassfish.dev.java.net/issues/show_bug.cgi?id=10271.
>>>
>>> In server.policy file, there are security policies for JRuby. It assumes
>>> that JRuby is installation is at glassfishv3/glassfish/jruby. You should
>>> change it by the JRuby location you have on your local machine.
>>>
>>> Here is the excerpt from server.policy file:
>>>
>>> //JRuby security permissions
>>> grant  codeBase "file:${com.sun.aas.installRoot}/jruby/lib/-"{
>>>   permission java.io.FilePermission       "<<ALL FILES>>", "read";
>>>   permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
>>>     permission java.util.PropertyPermission "jruby.*", "read";
>>>   permission java.lang.RuntimePermission "accessClassInPackage.*";
>>>   permission java.lang.RuntimePermission "createClassLoader";
>>>   permission java.lang.RuntimePermission "defineClassInPackage.*";
>>>   permission java.lang.RuntimePermission "getClassLoader";
>>>   permission java.lang.RuntimePermission "accessDeclaredMembers";
>>>   permission java.lang.RuntimePermission "getenv.*";
>>> };
>>>
>>> Above, you should replace '${com.sun.aas.installRoot}/jruby/lib/' by your
>>> 'jruby-install-dir/lib' if its not glassfishv3/glassfish/jruby. You can find
>>> the server.policy policy file inside your domain's config directory. For
>>> example, glassfishv3/glassfish/domains/domain1/config.
>>>
>>>
>>> -vivek.
>>>
>>> Mathijs Kwik wrote:
>>>>
>>>> Hi all,
>>>>
>>>> Has anyone succeeded in enabling the security manager and still being
>>>> able to run rails applications?
>>>> I'm running glassfish v3
>>>> I deployed a rails app using the directory deployer (asadmin deploy .)
>>>> Everything works fine without security manager, but after enabling it,
>>>> I get 500's
>>>>
>>>> Judging by the rails error log, I suspect it to be unable to access
>>>> the session or some cookie.
>>>>
>>>> I tried to find the audit log, but couldn't find it anywhere.
>>>>
>>>>
>>>> I have 3 questions:
>>>> - How can I enable logging of security violations and where do I find the
>>>> logs?
>>>> - Is anyone aware of a good default jruby+rails permission set? or a
>>>> list of possible grant options? or documentation for the security
>>>> system?
>>>> - I will be running multiple apps (on multiple virtual hosts) and I
>>>> don't want them to access the filesystem directories belonging to
>>>> other apps. Do I need to run different domains for this? or is it
>>>> possible to do per-app security configuration and just use 1 domain?
>>>>
>>>> thanks,
>>>> Mathijs
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>>>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>>>>
>>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>>>
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>>
>>
>
>
>
> --
> ------------------------------------------
>   Felipe Gaúcho
>   10+ Java Programmer
>   CEJUG Senior Advisor
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>
>