jsr342-experts@javaee-spec.java.net

[jsr342-experts] Re: security manager requirements in Java EE

From: Deepak Anupalli <deepak_at_pramati.com>
Date: Fri, 17 Feb 2012 12:36:19 +0530

(Comments Inline)

> -----Original Message-----
> From: Bill Shannon [mailto:bill.shannon_at_oracle.com]
> Sent: 11 February 2012 03:32
> To: jsr342-experts_at_javaee-spec.java.net
> Subject: [jsr342-experts] security manager requirements in Java EE
>
> Security has always been a key part of the Java EE platform.
> From the beginning we defined the Java security permissions that an
> application should expect to have, and we expected that application
servers
> would want to control what permissions applications should have. Several
> releases ago we clarified the requirements so that application servers may
> run without a security manager. This was commonly used in development
> environments, and in non-Java EE application servers such as Tomcat.
>
> Unfortunately, what we failed to do was to make it clear that Java EE
> applications servers were also required to be able to run *with* a
security
> manager, and to be able to enforce Java security permissions.
>
> ***** Unless there are objections, we intend to make this
> ***** requirement explicit in the EE 7 spec.
>
>
> One of the reasons this issue comes up is that some library and framework
> developers seem to assume that they can do anything they want with any
> Java API. Users then complain when these libraries or frameworks don't
> work in an application server that uses a security manager.
>
> A degenerate way that an application server could meet the requirement to
> be able to run with a security manager would be to simply grant all
> applications all permissions all the time. Obviously that wouldn't
address the
> core problem. Thus, we believe we also need a clear requirement that the
> application server be able to
> *restrict* the set of permissions granted to an application.
>
> Defining a requirement in this area is a bit tricky. While it might seem
> attractive to require that an application server be able to run
applications
> with *only* the minimum permissions defined in the spec, it's possible
that
> there could be product specific (non-standard) permissions that are
needed.
> Still, it seems like it would be good to define some boundaries here.
>
> ***** Would you support a requirement to be able to run
> ***** applications with a restricted set of permissions?

Most App Servers do have Java Policy configuration and run the Server VM in
a security sandbox. AFAIK, Java EE TCK verifies an existing set of Java EE
security permissions defined in the Java EE platform specification EE.6.2.3.

How different is this new set going to be from the existing one?

>
>
> We think it's especially likely that a Java EE cloud product will use a
security
> manager to maintain control over the operational environment. Remember,
> our target is PaaS, not Middleware over IaaS:
> http://blogs.oracle.com/rezashafii/entry/paas_is_not_middleware_over
>
> In a true PaaS environment, application permissions are likely to be
restricted
> to only what's needed. In such an environment, it may be useful to know
if
> the application needs any permissions beyond the minimum that the
> platform spec guarantees.
>
> Something we've been considering for quite some time is to provide a way
> for an application to include a list of these additional permissions it
needs.
> The platform implementation could then evaluate these permissions and
> ensure that the application is granted what it needs, or reject deployment
of
> the application.
>
> ***** Would you support including such a capability in Java EE?

This is an area with possible impedance mismatch between Paas Provider and
the PaaS Customer in terms of expected configuration. But, I strongly feel
we should leave it out to the Paas Provider to figure out contract for
enforcing required security policy for their Customers.

Just some thoughts, not sure if we talked about this earlier. Can the same
VM/Instance host applications belonging to different tenants with separate
set of VM/platform/vendor-specific configurations?

To elaborate a little bit, each application can have an entirely different
memory footprint OR for web applications tuning parameters like socket
pools, thread pools, buffer sizes, denial of service(DOS) etc. could be
entirely different. When we are talking about multi-tenancy at platform, can
these applications with different config requirements be provisioned on the
same containers?

If not, what's the guarantee an application be provisioned or deployed on
the PaaS platform. In order to truly envision multi-tenancy of the platform,
there should be some guarantee on the environment/configuration a PaaS
provider makes to its customers.
 
>
>
> Other than the first item above, we're not sure how many of these items we
> can address for EE 7, but we wanted to see if there was support in
principle
> for these items before we moved forward.
>
> Let us know what you think.

-Deepak