RE: Privileged file access for Java EE applications

From: Martin Gainty <mgainty_at_hotmail.com>
Date: Tue, 5 Jul 2011 20:00:18 -0400

your RMI jar entities are secure but all other GF services are not secured
to broaden the scope try enabling SSL on the default connector

http://markmail.org/message/3jfr7xgp64zrlpck
http://blogs.oracle.com/enterprisetechtips/entry/using_ssl_with_glassfish_v2
http://download.oracle.com/javaee/1.4/tutorial/doc/Security6.html#wp157241

enabling SSL on GF server would allow you to assign users to profiles (where profile assigns permissions to requested resource)
Martin Gainty
______________________________________________
Verzicht und Vertraulichkeitanmerkung/Note de d�ni et de confidentialit�

Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger sein, so bitten wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung oder Fertigung einer Kopie ist unzulaessig. Diese Nachricht dient lediglich dem Austausch von Informationen und entfaltet keine rechtliche Bindungswirkung. Aufgrund der leichten Manipulierbarkeit von E-Mails koennen wir keine Haftung fuer den Inhalt uebernehmen.
Ce message est confidentiel et peut �tre privil�gi�. Si vous n'�tes pas le destinataire pr�vu, nous te demandons avec bont� que pour satisfaire informez l'exp�diteur. N'importe quelle diffusion non autoris�e ou la copie de ceci est interdite. Ce message sert � l'information seulement et n'aura pas n'importe quel effet l�galement obligatoire. �tant donn� que les email peuvent facilement �tre sujets � la manipulation, nous ne pouvons accepter aucune responsabilit� pour le contenu fourni.

From: rcbiczok_at_googlemail.com
To: users_at_glassfish.java.net
Subject: Privileged file access for Java EE applications
Date: Mon, 4 Jul 2011 08:01:45 +0200

Dear Apache Tomcat members
I�m working on a new Java EE application that operates as a common UI for our native UNIX applications. These UNIX applications are installed on single server instance with several file servers attached to it and the UNIX profiles for our customers are also on that server instance � and that�s the problem.

Any application call and file access made by the Java application server (Glassfish) will be performed as www user, which is in fact not that what we want. And becoming another user on a UNIX server is not that easy, because the setuid system call requires a root privileged process (and running Glassfish or any other application server/servlet container as root is also not that what we want).

The work-around I developed out looks like this: � Create a native application which calls setuid and creates another process with the user privileges. This application will take a path to a JAR file.� This JAR file is an executable JAR and creates a RMI server.� The EJB inside Glassfish establishes a secure RMI connection to the RMI server and performs some operations.� The helper-process will be killed at the same time where the user-session expires.
Because this sounds a bit tricky and dirty, I would be really grateful for any suggestion you can give. I look forward to receiving your reply.
Regards,
Rudolf Biczok