users@javaee-spec.java.net

[javaee-spec users] [jsr342-experts] Re: security manager requirements in Java EE

From: Jevgeni Kabanov <jevgeni_at_zeroturnaround.com>
Date: Fri, 9 Mar 2012 08:24:17 +0000

A good reason against security manager in PaaS is that as you said, it
cannot guarantee resource isolation, but will break a lot of existing
framework code.

Sent from my iPhone

On 09.03.2012, at 6:29, "Jason T. Greene" <jason.greene_at_redhat.com> wrote:

> On 2/10/12 4:01 PM, Bill Shannon wrote:
>> ***** Unless there are objections, we intend to make this
>> ***** requirement explicit in the EE 7 spec.
>
> Agreed.
>
>> ***** Would you support a requirement to be able to run
>> ***** applications with a restricted set of permissions?
>
> Yes.
>
>>
>>
>> We think it's especially likely that a Java EE cloud product
>> will use a security manager to maintain control over the
>> operational environment. Remember, our target is PaaS, not
>> Middleware over IaaS:
>> http://blogs.oracle.com/rezashafii/entry/paas_is_not_middleware_over
>>
>> In a true PaaS environment, application permissions are likely
>> to be restricted to only what's needed. In such an environment,
>> it may be useful to know if the application needs any permissions
>> beyond the minimum that the platform spec guarantees.
>>
>> Something we've been considering for quite some time is to provide
>> a way for an application to include a list of these additional
>> permissions it needs. The platform implementation could then
>> evaluate these permissions and ensure that the application is
>> granted what it needs, or reject deployment of the application.
>>
>> ***** Would you support including such a capability in Java EE?
>
> IMO I think sandboxing at the process level is really the only safe way to do this. As the JVM stands today, a security policy will fall short of PAAS environment's complete needs. There is simply no way to limit heap and cpu usage, so you already have to do this at the OS level. That said, I don't see a problem with another layer of protection based on this.
>
> As to application developer producing a list of desired perms, it's hard for me to see how this is particularly useful. I guess the aim is simply to fail fast as opposed to after it's running for awhile?
>
>>
>> Other than the first item above, we're not sure how many of these
>> items we can address for EE 7, but we wanted to see if there was
>> support in principle for these items before we moved forward.
>>
>> Let us know what you think.
>
>
> --
> Jason T. Greene
> JBoss AS Lead / EAP Platform Architect
> JBoss, a division of Red Hat