users@glassfish.java.net

Re: enabling the security manager on a ruby on rails application

From: Vivek Pandey <Vivek.Pandey_at_Sun.COM>
Date: Wed, 06 Jan 2010 10:58:29 -0800

Rails 2.x default session store is cookie based, so the file system does
not come into the picture. Rails 1.x default session store was file system
based, and upgrading to 2.x would not automatically change that.

I guess you would need to give per application file system read/write
permission so that Rails can do read/write. It might be the tmp directory
inside your Rails app, or maybe different in case there are static
resource caches such as stylesheet/javascript caches.
> - I will be running multiple apps (on multiple virtual hosts) and I
> don't want them to access the filesystem directories belonging to
> other apps. Do I need to run different domains for this? or is it
> possible to do per-app security configuration and just use 1 domain?

The JRuby specific permissions could be generic as defined in the
server.policy file. I am not aware of any deployment feature where one
can specify application specific policies that get merged with the
server.policy settings. So I guess if there are application specific
security permissions you might need different domains for each app.

-vivek.


Vivek Pandey wrote:
> Mathijs Kwik wrote:
>> Thanks, but
>> I already did that :)
>>
>>
> Ah, I did not realize that.
>> So jruby itself works fine.
>> The problem arises when rails tries to render the flash (which uses
>> the session):
>>
> Well, JRuby compiles Rails into Java bytecodes so the permission
> given to JRuby should take care of running Rails or any ruby code.
>
> What's the session store in your case? I guess in your case the session
> store is somewhere on the file system and it needs to be given the
> required permission. Could you try making the DB your session store?
>
> -vivek.
>> [#|2010-01-06T18:07:56.392+0100|INFO|glassfishv3.0|com.sun.grizzly.jruby.rack.JRubyRuntime|_ThreadID=25;_ThreadName=Thread-1;|
>>
>>
>> Processing PostsController#index (for 127.0.0.1 at 2010-01-06
>> 18:07:56) [GET]
>> Rendering template within layouts/posts
>> Rendering posts/index
>>
>> ActionView::TemplateError (missing provider) on line #12 of
>> app/views/layouts/posts.html.erb:
>> 9: </head>
>> 10: <body>
>> 11:
>> 12: <p style="color: green"><%= flash[:notice] %></p>
>> 13:
>> 14: <%= yield %>
>> 15:
>>
>> app/views/layouts/posts.html.erb:12
>> app/controllers/posts_controller.rb:7:in `index'
>>
>> file:/home/mathijs/tmp/glassfishv3/glassfish/modules/grizzly-jruby.jar!/rack/adapter/rails.rb:133:in `call'
>> file:/home/mathijs/tmp/glassfishv3/glassfish/modules/grizzly-jruby.jar!/rack/handler/grizzly.rb:55:in `call'
>> :1
>>
>> Rendering rescues/layout (internal_server_error)
>> |#]
>>
>>
>> and sometimes:
>>
>> [#|2010-01-06T17:59:32.513+0100|INFO|glassfishv3.0|com.sun.grizzly.jruby.rack.JRubyRuntime|_ThreadID=25;_ThreadName=Thread-1;|/!\ FAILSAFE /!\ Wed Jan 06 17:59:32 +0100 2010
>> Status: 500 Internal Server Error
>> missing provider
>>
>> /opt/jruby-1.4.0/lib/ruby/gems/1.8/gems/activesupport-2.3.4/lib/active_support/message_verifier.rb:56:in `generate_digest'
>> /opt/jruby-1.4.0/lib/ruby/gems/1.8/gems/activesupport-2.3.4/lib/active_support/message_verifier.rb:37:in `generate'
>> /opt/jruby-1.4.0/lib/ruby/gems/1.8/gems/actionpack-2.3.4/lib/action_controller/session/cookie_store.rb:151:in `marshal'
>> /opt/jruby-1.4.0/lib/ruby/gems/1.8/gems/actionpack-2.3.4/lib/action_controller/session/cookie_store.rb:100:in `call'
>> /opt/jruby-1.4.0/lib/ruby/gems/1.8/gems/actionpack-2.3.4/lib/action_controller/failsafe.rb:26:in `call'
>> /opt/jruby-1.4.0/lib/ruby/gems/1.8/gems/actionpack-2.3.4/lib/action_controller/dispatcher.rb:106:in `call'
>> file:/home/mathijs/tmp/glassfishv3/glassfish/modules/grizzly-jruby.jar!/rack/adapter/rails.rb:133:in `call'
>> file:/home/mathijs/tmp/glassfishv3/glassfish/modules/grizzly-jruby.jar!/rack/handler/grizzly.rb:55:in `call'
>> :1
>>
>>
>> Processing PostsController#index (for 127.0.0.1 at 2010-01-06
>> 17:59:32) [GET]
>> Rendering template within layouts/posts
>> Rendering posts/index
>> Completed in 9ms (View: 4, DB: 1) | 200 OK [http://flatser.dev/posts]
>> |#]
>>
>>
>> So the policy changes make sure jruby works, but rails obviously needs
>> some extra permissions to access the session.
>>
>> On Wed, Jan 6, 2010 at 6:13 PM, Vivek Pandey <Vivek.Pandey_at_sun.com>
>> wrote:
>>
>>> Yes with security manager on you should be able to deploy Rails, see
>>> https://glassfish.dev.java.net/issues/show_bug.cgi?id=10271.
>>>
>>> In the server.policy file, there are security policies for JRuby. It assumes
>>> that the JRuby installation is at glassfishv3/glassfish/jruby. You should
>>> change it to the JRuby location you have on your local machine.
>>>
>>> Here is the excerpt from server.policy file:
>>>
>>> //JRuby security permissions
>>> grant codeBase "file:${com.sun.aas.installRoot}/jruby/lib/-" {
>>>     permission java.io.FilePermission "<<ALL FILES>>", "read";
>>>     permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
>>>     permission java.util.PropertyPermission "jruby.*", "read";
>>>     permission java.lang.RuntimePermission "accessClassInPackage.*";
>>>     permission java.lang.RuntimePermission "createClassLoader";
>>>     permission java.lang.RuntimePermission "defineClassInPackage.*";
>>>     permission java.lang.RuntimePermission "getClassLoader";
>>>     permission java.lang.RuntimePermission "accessDeclaredMembers";
>>>     permission java.lang.RuntimePermission "getenv.*";
>>> };
>>>
>>> Above, you should replace '${com.sun.aas.installRoot}/jruby/lib/' by your
>>> 'jruby-install-dir/lib' if it's not glassfishv3/glassfish/jruby. You can find
>>> the server.policy file inside your domain's config directory. For
>>> example, glassfishv3/glassfish/domains/domain1/config.
>>>
>>>
>>> -vivek.
>>>
>>> Mathijs Kwik wrote:
>>>
>>>> Hi all,
>>>>
>>>> Has anyone succeeded in enabling the security manager and still being
>>>> able to run rails applications?
>>>> I'm running glassfish v3
>>>> I deployed a rails app using the directory deployer (asadmin deploy .)
>>>> Everything works fine without security manager, but after enabling it,
>>>> I get 500's
>>>>
>>>> Judging by the rails error log, I suspect it to be unable to access
>>>> the session or some cookie.
>>>>
>>>> I tried to find the audit log, but couldn't find it anywhere.
>>>>
>>>>
>>>> I have 3 questions:
>>>> - How can I enable logging of security violations and where do I find the
>>>> logs?
>>>> - Is anyone aware of a good default jruby+rails permission set? or a
>>>> list of possible grant options? or documentation for the security
>>>> system?
>>>> - I will be running multiple apps (on multiple virtual hosts) and I
>>>> don't want them to access the filesystem directories belonging to
>>>> other apps. Do I need to run different domains for this? or is it
>>>> possible to do per-app security configuration and just use 1 domain?
>>>>
>>>> thanks,
>>>> Mathijs
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>>>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
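As an added check (not code from this thread or from GlassFish), the following Java program loads a policy file such as domain1/config/server.policy and reports whether code loaded from a given codeBase would be granted a java.io.FilePermission, so the grant block quoted above can be tested before restarting the domain. The class name, the default install root and the command-line layout are assumptions.

```java
import java.io.File;
import java.net.URI;
import java.security.CodeSource;
import java.security.FilePermission;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.URIParameter;
import java.security.cert.Certificate;

/** Hypothetical helper: ask a policy file what it grants to a codeBase. */
public class PolicyCheck {

    /** True if code loaded from codeBase would get FilePermission(path, actions). */
    static boolean grants(File policyFile, String codeBase, String path, String actions)
            throws Exception {
        // server.policy refers to ${com.sun.aas.installRoot}; the policy parser
        // expands it from system properties, so the caller must set it first.
        Policy policy = Policy.getInstance("JavaPolicy", new URIParameter(policyFile.toURI()));
        CodeSource cs = new CodeSource(new URI(codeBase).toURL(), (Certificate[]) null);
        ProtectionDomain domain = new ProtectionDomain(cs, null);
        Permission perm = new FilePermission(path, actions);
        return policy.implies(domain, perm);
    }

    // Example (assumed paths):
    //   java PolicyCheck domain1/config/server.policy \
    //        file:/opt/glassfishv3/glassfish/jruby/lib/jruby.jar /home/app/tmp/x write
    // With only the grant block quoted in this thread, "read" is GRANTED and
    // "write" is DENIED, which is exactly the gap a file-based session store hits.
    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: PolicyCheck <server.policy> <codeBase-url> <path> [actions]");
            System.exit(2);
        }
        String actions = args.length > 3 ? args[3] : "read";
        // Assumed install root; point it at your own glassfishv3/glassfish directory.
        System.setProperty("com.sun.aas.installRoot",
                System.getProperty("com.sun.aas.installRoot", "/opt/glassfishv3/glassfish"));
        boolean ok = grants(new File(args[0]), args[1], args[2], actions);
        System.out.println((ok ? "GRANTED" : "DENIED") + " java.io.FilePermission \""
                + args[2] + "\", \"" + actions + "\" for codeBase " + args[1]);
    }
}
```

For the runtime view of the same question, starting the domain's JVM with -Djava.security.debug=access,failure makes the JVM print each failed permission check together with the protection domain that lacked it, which is the closest thing to the security audit log asked for at the start of this thread.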