The Security Manager
Everything you never wanted to know but have been forced to ask
Presentation Prepared By: david.lloyd@redhat.com >
What is it good for?
Protecting against access to certain JVM facilities...
Restricting filesystem access (as long as only JDK APIs are used)
Restricting network access (directly or via services like JDBC, HTTP, etc.)
Restricting access to security facilities (JAAS authentication, etc.)
Running trusted or mostly trusted code
What is it not good for?
Cannot protect against runaway CPU consumption
Cannot restrict memory consumption
Running truly untrusted code
Only the OS can truly provide this protection
Why use it?
Some orgs have hard requirements for various reasons
Common Criteria certification
Can be used to catch bugs, theoretically
How do you use it?
Establish a security policy
Use a standard policy file
Use JBoss Modules <permissions> blocks in your modules
Use Java EE 7 permissions.xml files in an EE 7 container
Use Java EE 7 specified, container-defined global default permission policies
In WildFly, this lives in the security-manager subsystem
Enable the security manager
In a standalone JVM, -Djava.security.manager
In a standalone JBoss Modules application, -secmgr
In WildFly 8, just configure the security-manager subsystem
In WildFly 9+ and EAP 6.4+ and 7+, set SECMGR to "true" in standalone.conf or pass -secmgr to the start script (with or without the subsystem configured)
permissions.xml only works with the subsystem though!
How are permissions assigned?
Every class is associated with a protection domain , which consists of:
A link to the defining class loader of the class
A code source (a URL that identifies the code)
A permission collection (a set of assigned permissions)
An array of principals, specific to JAAS
The protection domain permissions are built from the security policy (whatever its source)
How are permissions checked?
The security manager examines the current access control context
This is the accumulation of the protection domains of classes from the call stack
The permission check passes only if all the security domains in the
access control context have granted the permission
How do you diagnose access problems?
WildFly Security Manager to the rescue
Gives permission that failed, the code source that lacked the permission, and its class loader in the exception message
Logs all access violations (with complete stack trace) at level DEBUG in category org.wildfly.security.access
How do you solve access problems?
Identify the code performing the checked action
Identify the code source of the denial
Choose one resolution:
Grant the missing permission to the denied code source
Replace your common unprivileged operation with one of the privileged versions from the WildFly Security Manager
getPropertyPrivilegedgetClassLoaderPrivilegedgetCurrentContextClassLoaderPrivilegedThese only work when the WildFly Security Manager is the active Security Manager
Add a doPrivileged block into the intervening call stack
Carefully
And only as a last resort
Being safe with privilege
For better or worse, many users rely on the security manager to actually provide some measure of security
It is easy to accidentally defeat the security manager
Also known as a security vulnerability
There are some important guidelines to follow to avoid introducing vulnerabilities
Being safe with privilege: Guidelines
Never perform a privileged action that isn't in turn protected by another permission check
Never execute privileged actions from strangers
You cannot assume that potentially harmful privileged actions only come from untrusted code
We ship dozens of them out of the box as public classes in code bases routinely granted AllPermission
Never assume AccessControlContexts are "honest"
They are trivially constructable with arbitrary protection domains
Untrusted ACCs are particularly dangerous in combination with untrusted privileged actions
AccessController.doPrivileged() gets away with this by merging in the caller's permissions
If you need a captured ACC, capture it yourself with AccessController.getContext()
example: a method to access arbitrary files on the file system
Authoring custom permissions
Must extend java.security.Permission
Must have two constructors
YourPermission(String name)YourPermission(String name, String actions)
Even if you don't support actions
Custom permission guidelines
Use BasicPermission for simple, hierarchical names
org.wildfly.security.permission.PermissionActions
Permission serializability
Permissions are serializable
Fixed serialVersionUID
Compatibility
What happens when new names/actions are added?
WildFly Security Manager Features
Unchecked mode
Executes privileged action blocks with permission checking turned off
Used in performance-sensitive internal code
Requires the caller to have a specific permission
Use very carefully
WildFly Security Manager Features
Parameterized privileged actions
Pass a parameter in to a privileged action
Avoid allocations in some cases
Only faster if WFSM is installed
WildFly Security Manager Features
Non-throwing permission checks
Avoid overhead of access exception for simple tests
Only faster if WFSM is installed
WildFly Security Manager Features
Caller checking utility methods
Perform common actions without privileged blocks, like:
Get/set/clear system properties
Get a class' class loader
Get/set the TCCL
Only faster if WFSM is installed
WildFly Security Manager Features
Stack inspector
A common API to determine the calling class
Automatically chooses the fastest available method
Requires permission to acquire the inspector instance
WildFly Security Manager Features
Collection of common privileged actions
Future of WildFly Security Manager
Security Manager related features in Java 8
Security Manager related features in Java 9
Not much determined yet...
It is likely that protection domain permissions will be bound to whole modules instead of individual classes (similarly to how JBoss Modules behaves)
However it is also likely that individual classes will be able to be "lowered" to a more restricted permission set