users@glassfish.java.net

Re: enabling the security manager on a ruby on rails application

From: Mathijs Kwik <bluescreen303_at_gmail.com>
Date: Thu, 7 Jan 2010 13:25:15 +0100

I found the problem.
the jruby-openssl gem wants to connect to some openssl HMAC thing
which isn't allowed.
removing the gem made my app run under security manager again.

Now I would like to start restricting apps, so I took away fs
permissions on most dirs.
Adding them per app seems to be possible in
domains/domain1/generated/policy/appname/granted.policy
(see http://blogs.sun.com/paulsen/entry/configuring_the_security_manager_in )

Thanks for all help
Mathijs



On Wed, Jan 6, 2010 at 7:58 PM, Vivek Pandey <Vivek.Pandey_at_sun.com> wrote:
> Rails 2.x default session store is cookie based so the file system does not
> get in to picture.Rails 1.x default session store was file system based and
> upgrading to 2.x would not automatically change that.
>
> I guess you would need to give per application file system read/write
> permission so that Rails can do read/write. It might be tmp directory inside
> your Rails app or maybe different incase there are static resource caches
> such as stylesheet/javascript caches.
>>
>> - I will be running multiple apps (on multiple virtual hosts) and I
>> don't want them to access the filesystem directories belonging to
>> other apps. Do I need to run different domains for this? or is it
>> possible to do per-app security configuration and just use 1 domain?
>
> The JRuby specific permissions could be generic as defined in the
> server.policy file.  I am not aware of any deployment feature where one can
> specify application specific policies that gets merged with the
> server.policy settings. So I guess if there are application specific
> security permissions you might need different domains for each app.
>
> -vivek.
>
>
> Vivek Pandey wrote:
>>
>> Mathijs Kwik wrote:
>>>
>>> Thank, but
>>> I already did that :)
>>>
>>>
>>
>> Ah, I did not realize that.
>>>
>>> So jruby itself works fine.
>>> The problem arises when rails tries to render the flash (which uses
>>> the session):
>>>
>>
>> Well, JRuby compiles Rails in to java bytecodes so the permission given to
>> JRuby should take care of running Rails or any ruby code.
>>
>> Whats the session store in your case? I guess in your case the session
>> store is somewhere on the file system and it needs to be given the required
>> permission. Could you try making the DB as your session store?
>>
>> -vivek.
>>>
>>>
>>> [#|2010-01-06T18:07:56.392+0100|INFO|glassfishv3.0|com.sun.grizzly.jruby.rack.JRubyRuntime|_ThreadID=25;_ThreadName=Thread-1;|
>>>
>>> Processing PostsController#index (for 127.0.0.1 at 2010-01-06 18:07:56)
>>> [GET]
>>> Rendering template within layouts/posts
>>> Rendering posts/index
>>>
>>> ActionView::TemplateError (missing provider) on line #12 of
>>> app/views/layouts/posts.html.erb:
>>> 9: </head>
>>> 10: <body>
>>> 11:
>>> 12: <p style="color: green"><%= flash[:notice] %></p>
>>> 13:
>>> 14: <%= yield %>
>>> 15:
>>>
>>>    app/views/layouts/posts.html.erb:12
>>>    app/controllers/posts_controller.rb:7:in `index'
>>>
>>>  file:/home/mathijs/tmp/glassfishv3/glassfish/modules/grizzly-jruby.jar!/rack/adapter/rails.rb:133:in
>>> `call'
>>>
>>>  file:/home/mathijs/tmp/glassfishv3/glassfish/modules/grizzly-jruby.jar!/rack/handler/grizzly.rb:55:in
>>> `call'
>>>    :1
>>>
>>> Rendering rescues/layout (internal_server_error)
>>> |#]
>>>
>>>
>>> and sometimes:
>>>
>>>
>>> [#|2010-01-06T17:59:32.513+0100|INFO|glassfishv3.0|com.sun.grizzly.jruby.rack.JRubyRuntime|_ThreadID=25;_ThreadName=Thread-1;|/!\
>>> FAILSAFE /!\  Wed Jan 06 17:59:32 +0100 2010
>>>  Status: 500 Internal Server Error
>>>  missing provider
>>>
>>>  /opt/jruby-1.4.0/lib/ruby/gems/1.8/gems/activesupport-2.3.4/lib/active_support/message_verifier.rb:56:in
>>> `generate_digest'
>>>
>>>  /opt/jruby-1.4.0/lib/ruby/gems/1.8/gems/activesupport-2.3.4/lib/active_support/message_verifier.rb:37:in
>>> `generate'
>>>
>>>  /opt/jruby-1.4.0/lib/ruby/gems/1.8/gems/actionpack-2.3.4/lib/action_controller/session/cookie_store.rb:151:in
>>> `marshal'
>>>
>>>  /opt/jruby-1.4.0/lib/ruby/gems/1.8/gems/actionpack-2.3.4/lib/action_controller/session/cookie_store.rb:100:in
>>> `call'
>>>
>>>  /opt/jruby-1.4.0/lib/ruby/gems/1.8/gems/actionpack-2.3.4/lib/action_controller/failsafe.rb:26:in
>>> `call'
>>>
>>>  /opt/jruby-1.4.0/lib/ruby/gems/1.8/gems/actionpack-2.3.4/lib/action_controller/dispatcher.rb:106:in
>>> `call'
>>>
>>>  file:/home/mathijs/tmp/glassfishv3/glassfish/modules/grizzly-jruby.jar!/rack/adapter/rails.rb:133:in
>>> `call'
>>>
>>>  file:/home/mathijs/tmp/glassfishv3/glassfish/modules/grizzly-jruby.jar!/rack/handler/grizzly.rb:55:in
>>> `call'
>>>    :1
>>>
>>>
>>> Processing PostsController#index (for 127.0.0.1 at 2010-01-06 17:59:32)
>>> [GET]
>>> Rendering template within layouts/posts
>>> Rendering posts/index
>>> Completed in 9ms (View: 4, DB: 1) | 200 OK [http://flatser.dev/posts]
>>> |#]
>>>
>>>
>>> So the policy changes make sure jruby works, but rails obviously needs
>>> some extra persmissions to access the session.
>>>
>>> On Wed, Jan 6, 2010 at 6:13 PM, Vivek Pandey <Vivek.Pandey_at_sun.com>
>>> wrote:
>>>
>>>>
>>>> Yes with security manager on you should be able to deploy Rails, see
>>>> https://glassfish.dev.java.net/issues/show_bug.cgi?id=10271.
>>>>
>>>> In server.policy file, there are security policies for JRuby. It assumes
>>>> that JRuby is installation is at glassfishv3/glassfish/jruby. You should
>>>> change it by the JRuby location you have on your local machine.
>>>>
>>>> Here is the excerpt from server.policy file:
>>>>
>>>> //JRuby security permissions
>>>> grant  codeBase "file:${com.sun.aas.installRoot}/jruby/lib/-"{
>>>>  permission java.io.FilePermission       "<<ALL FILES>>", "read";
>>>>  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
>>>>    permission java.util.PropertyPermission "jruby.*", "read";
>>>>  permission java.lang.RuntimePermission "accessClassInPackage.*";
>>>>  permission java.lang.RuntimePermission "createClassLoader";
>>>>  permission java.lang.RuntimePermission "defineClassInPackage.*";
>>>>  permission java.lang.RuntimePermission "getClassLoader";
>>>>  permission java.lang.RuntimePermission "accessDeclaredMembers";
>>>>  permission java.lang.RuntimePermission "getenv.*";
>>>> };
>>>>
>>>> Above, you should replace '${com.sun.aas.installRoot}/jruby/lib/' by
>>>> your
>>>> 'jruby-install-dir/lib' if its not glassfishv3/glassfish/jruby. You can
>>>> find
>>>> the server.policy policy file inside your domain's config directory. For
>>>> example, glassfishv3/glassfish/domains/domain1/config.
>>>>
>>>>
>>>> -vivek.
>>>>
>>>> Mathijs Kwik wrote:
>>>>
>>>>>
>>>>> Hi all,
>>>>>
>>>>> Has anyone succeeded in enabling the security manager and still being
>>>>> able to run rails applications?
>>>>> I'm running glassfish v3
>>>>> I deployed a rails app using the directory deployer (asadmin deploy .)
>>>>> Everything works fine without security manager, but after enabling it,
>>>>> I get 500's
>>>>>
>>>>> Judging by the rails error log, I suspect it to be unable to access
>>>>> the session or some cookie.
>>>>>
>>>>> I tried to find the audit log, but couldn't find it anywhere.
>>>>>
>>>>>
>>>>> I have 3 questions:
>>>>> - How can I enable logging of security violations and where do I find
>>>>> the
>>>>> logs?
>>>>> - Is anyone aware of a good default jruby+rails permission set? or a
>>>>> list of possible grant options? or documentation for the security
>>>>> system?
>>>>> - I will be running multiple apps (on multiple virtual hosts) and I
>>>>> don't want them to access the filesystem directories belonging to
>>>>> other apps. Do I need to run different domains for this? or is it
>>>>> possible to do per-app security configuration and just use 1 domain?
>>>>>
>>>>> thanks,
>>>>> Mathijs
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>>>>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>>>>>
>>>>>
>>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>>>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>>>>
>>>>
>>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>>>
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>
>