users@glassfish.java.net

Re: enabling the security manager on a ruby on rails application

From: Vivek Pandey <Vivek.Pandey_at_Sun.COM>
Date: Wed, 06 Jan 2010 10:23:07 -0800

Mathijs Kwik wrote:
> Thanks, but
> I already did that :)
>
>
Ah, I did not realize that.
> So jruby itself works fine.
> The problem arises when rails tries to render the flash (which uses
> the session):
>
Well, JRuby compiles Rails into Java bytecode, so the permissions given
to JRuby should take care of running Rails or any Ruby code.

What's the session store in your case? I guess in your case the session
store is somewhere on the file system and it needs to be given the
required permission. Could you try making the DB your session store?

-vivek.
> [#|2010-01-06T18:07:56.392+0100|INFO|glassfishv3.0|com.sun.grizzly.jruby.rack.JRubyRuntime|_ThreadID=25;_ThreadName=Thread-1;|
>
> Processing PostsController#index (for 127.0.0.1 at 2010-01-06 18:07:56) [GET]
> Rendering template within layouts/posts
> Rendering posts/index
>
> ActionView::TemplateError (missing provider) on line #12 of
> app/views/layouts/posts.html.erb:
> 9: </head>
> 10: <body>
> 11:
> 12: <p style="color: green"><%= flash[:notice] %></p>
> 13:
> 14: <%= yield %>
> 15:
>
> app/views/layouts/posts.html.erb:12
> app/controllers/posts_controller.rb:7:in `index'
> file:/home/mathijs/tmp/glassfishv3/glassfish/modules/grizzly-jruby.jar!/rack/adapter/rails.rb:133:in `call'
> file:/home/mathijs/tmp/glassfishv3/glassfish/modules/grizzly-jruby.jar!/rack/handler/grizzly.rb:55:in `call'
> :1
>
> Rendering rescues/layout (internal_server_error)
> |#]
>
>
> and sometimes:
>
> [#|2010-01-06T17:59:32.513+0100|INFO|glassfishv3.0|com.sun.grizzly.jruby.rack.JRubyRuntime|_ThreadID=25;_ThreadName=Thread-1;|/!\
> FAILSAFE /!\ Wed Jan 06 17:59:32 +0100 2010
> Status: 500 Internal Server Error
> missing provider
> /opt/jruby-1.4.0/lib/ruby/gems/1.8/gems/activesupport-2.3.4/lib/active_support/message_verifier.rb:56:in `generate_digest'
> /opt/jruby-1.4.0/lib/ruby/gems/1.8/gems/activesupport-2.3.4/lib/active_support/message_verifier.rb:37:in `generate'
> /opt/jruby-1.4.0/lib/ruby/gems/1.8/gems/actionpack-2.3.4/lib/action_controller/session/cookie_store.rb:151:in `marshal'
> /opt/jruby-1.4.0/lib/ruby/gems/1.8/gems/actionpack-2.3.4/lib/action_controller/session/cookie_store.rb:100:in `call'
> /opt/jruby-1.4.0/lib/ruby/gems/1.8/gems/actionpack-2.3.4/lib/action_controller/failsafe.rb:26:in `call'
> /opt/jruby-1.4.0/lib/ruby/gems/1.8/gems/actionpack-2.3.4/lib/action_controller/dispatcher.rb:106:in `call'
> file:/home/mathijs/tmp/glassfishv3/glassfish/modules/grizzly-jruby.jar!/rack/adapter/rails.rb:133:in `call'
> file:/home/mathijs/tmp/glassfishv3/glassfish/modules/grizzly-jruby.jar!/rack/handler/grizzly.rb:55:in `call'
> :1
>
>
> Processing PostsController#index (for 127.0.0.1 at 2010-01-06 17:59:32) [GET]
> Rendering template within layouts/posts
> Rendering posts/index
> Completed in 9ms (View: 4, DB: 1) | 200 OK [http://flatser.dev/posts]
> |#]
>
>
> So the policy changes make sure JRuby works, but Rails obviously needs
> some extra permissions to access the session.
>
> On Wed, Jan 6, 2010 at 6:13 PM, Vivek Pandey <Vivek.Pandey_at_sun.com> wrote:
>
>> Yes with security manager on you should be able to deploy Rails, see
>> https://glassfish.dev.java.net/issues/show_bug.cgi?id=10271.
>>
>> In the server.policy file, there are security policies for JRuby. It assumes
>> that the JRuby installation is at glassfishv3/glassfish/jruby. You should
>> change it to the JRuby location you have on your local machine.
>>
>> Here is the excerpt from server.policy file:
>>
>> // JRuby security permissions
>> grant codeBase "file:${com.sun.aas.installRoot}/jruby/lib/-" {
>>     permission java.io.FilePermission "<<ALL FILES>>", "read";
>>     permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
>>     permission java.util.PropertyPermission "jruby.*", "read";
>>     permission java.lang.RuntimePermission "accessClassInPackage.*";
>>     permission java.lang.RuntimePermission "createClassLoader";
>>     permission java.lang.RuntimePermission "defineClassInPackage.*";
>>     permission java.lang.RuntimePermission "getClassLoader";
>>     permission java.lang.RuntimePermission "accessDeclaredMembers";
>>     permission java.lang.RuntimePermission "getenv.*";
>> };
>>
>> Above, you should replace '${com.sun.aas.installRoot}/jruby/lib/' with your
>> 'jruby-install-dir/lib' if it's not glassfishv3/glassfish/jruby. You can find
>> the server.policy file inside your domain's config directory. For
>> example, glassfishv3/glassfish/domains/domain1/config.
>>
>>
>> -vivek.
>>
>> Mathijs Kwik wrote:
>>
>>> Hi all,
>>>
>>> Has anyone succeeded in enabling the security manager and still being
>>> able to run rails applications?
>>> I'm running GlassFish v3.
>>> I deployed a Rails app using the directory deployer (asadmin deploy .)
>>> Everything works fine without the security manager, but after enabling it,
>>> I get 500s.
>>>
>>> Judging by the rails error log, I suspect it to be unable to access
>>> the session or some cookie.
>>>
>>> I tried to find the audit log, but couldn't find it anywhere.
>>>
>>>
>>> I have 3 questions:
>>> - How can I enable logging of security violations and where do I find the
>>> logs?
>>> - Is anyone aware of a good default jruby+rails permission set? or a
>>> list of possible grant options? or documentation for the security
>>> system?
>>> - I will be running multiple apps (on multiple virtual hosts) and I
>>> don't want them to access the filesystem directories belonging to
>>> other apps. Do I need to run different domains for this? or is it
>>> possible to do per-app security configuration and just use 1 domain?
>>>
>>> thanks,
>>> Mathijs
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>>>
>>>
>>>
>>
>>
>>
>
>
>
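The grant block quoted above is scoped by codeBase, which is also the answer to the third question in the thread (keeping several apps in one domain from reading each other's directories): each app gets its own grant, and the policy only hands a permission to code whose location matches. The following is an added example, not code from the thread or from GlassFish, that loads a server.policy-style file off-line and asks the policy the same question the security manager asks at runtime. The policy text and all paths in it (/opt/jruby-1.4.0/lib, /srv/apps/app1, /srv/apps/app2, a sessions directory under each app) are constructed for the example; the first grant mirrors the JRuby block from the thread, the second is a hypothetical per-app grant that reaches only that app's own session directory. It is written against the Java 8 java.security.Policy API; the security manager and its policy machinery are deprecated from Java 17 and disabled in recent JDKs, so run it on a JDK of that era.

```java
import java.io.FilePermission;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.URIParameter;
import java.security.cert.Certificate;
import java.util.PropertyPermission;

/**
 * Added example: evaluate a server.policy-style file without starting a
 * security manager. Policy.implies() is the same decision the manager
 * makes on a checkPermission() call, minus the stack walk.
 */
public class PolicyCheck {

    // Constructed policy text with hypothetical paths. The JRuby grant is the
    // shape quoted in the thread; the app1 grant is an illustration of a
    // per-app, codeBase-scoped grant for a file-system session store.
    static final String POLICY =
        "grant codeBase \"file:/opt/jruby-1.4.0/lib/-\" {\n" +
        "    permission java.io.FilePermission \"<<ALL FILES>>\", \"read\";\n" +
        "    permission java.util.PropertyPermission \"jruby.*\", \"read\";\n" +
        "};\n" +
        "grant codeBase \"file:/srv/apps/app1/-\" {\n" +
        "    permission java.io.FilePermission \"/srv/apps/app1/tmp/sessions/-\", \"read,write,delete\";\n" +
        "};\n";

    /** Writes the policy text to a temp file and parses it with the JDK's own policy provider. */
    static Policy load(String policyText) throws Exception {
        Path f = Files.createTempFile("server", ".policy");
        Files.write(f, policyText.getBytes(StandardCharsets.UTF_8));
        // "JavaPolicy" with an explicit URI reads only that file, not the JDK defaults.
        return Policy.getInstance("JavaPolicy", new URIParameter(f.toUri()));
    }

    /** Would code loaded from codeBase be granted perm under policy p? */
    static boolean granted(Policy p, String codeBase, Permission perm) throws Exception {
        CodeSource cs = new CodeSource(new URL(codeBase), (Certificate[]) null);
        // A domain with no static permissions: everything must come from the policy.
        return p.implies(new ProtectionDomain(cs, null), perm);
    }

    static void show(Policy p, String codeBase, Permission perm) throws Exception {
        System.out.printf("%-45s %-70s %s%n", codeBase, perm, granted(p, codeBase, perm) ? "GRANTED" : "denied");
    }

    public static void main(String[] args) throws Exception {
        Policy p = load(POLICY);

        // JRuby's own jars: read anywhere (as in the thread's excerpt), but no write.
        String jruby = "file:/opt/jruby-1.4.0/lib/jruby.jar";
        show(p, jruby, new FilePermission("/etc/hosts", "read"));
        show(p, jruby, new FilePermission("/etc/hosts", "write"));
        show(p, jruby, new PropertyPermission("jruby.home", "read"));

        // app1 may touch its own session files but not app2's; app2, with no
        // grant at all, gets nothing. Same domain, separate file-system reach.
        String app1 = "file:/srv/apps/app1/lib/helper.jar";
        String app2 = "file:/srv/apps/app2/lib/helper.jar";
        show(p, app1, new FilePermission("/srv/apps/app1/tmp/sessions/ruby_sess.1", "write"));
        show(p, app1, new FilePermission("/srv/apps/app2/tmp/sessions/ruby_sess.1", "write"));
        show(p, app2, new FilePermission("/srv/apps/app2/tmp/sessions/ruby_sess.1", "read"));
    }
}
```

For the first question in the thread (where the denials are logged), the JDK itself can report them: starting the JVM with -Djava.security.debug=access,failure prints every failed permission check, with the permission and the offending code source, to stderr, which the server captures in its log. On GlassFish the option is added with asadmin create-jvm-options, and it is far too chatty for production, so turn it on only while working out the grant list.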