Skip to main content

[javaee-spec users] [jsr342-experts] Re: spec changes for new security manager requirements

  • From: Bill Shannon <bill.shannon@...>
  • To: jsr342-experts@...
  • Subject: [javaee-spec users] [jsr342-experts] Re: spec changes for new security manager requirements
  • Date: Tue, 15 May 2012 11:45:57 -0700
  • List-id: <jsr342-experts.javaee-spec.java.net>

It seems unlikely that the applications security requirements would change from test to production.  More likely the binding to the external security infrastructure (authentication, authorization) would change.

Werner Keil wrote on 05/11/12 05:20:
Bill/all,

Aside from questions the other EGs shall be able to discuss (e.g. if the likes of 351 would pick up a Java EE SecurityManager or need to declare their own JSR-specific one) I strongly agree with the separate file location at least as an alternative to inside an application archive (WAR, EAR,...)

This makes it much easier, for real life build and configuration management teams to adjust that e.g. from a stage like "Test" to "PreProd" or "Prod" without having to rebuild the entire application, if security is the only one that changes.

Werner

On Fri, May 11, 2012 at 7:15 AM, Markus Eisele <myfear@...> wrote:
Hi Bill,
hi all,

Thanks for the effort! It looks great. Here is my feedback:

- I like (!) the short tag names! :) And I still like to have a
 <xs:element type="xs:string" name="description" minOccurs="0"/> in
the schema. Some admin UI will display the permissions.xml in a
beautified format and would be happy to have this tag.

- I checked with some installations I know and the property expansion
still is something I believe is of value here. Going further looking
at EE.6-2 and the [1] comment I would propose to define a couple of
default properties that should be available.
a) application specific temp dir (the javax.servlet.context.tempdir)
b) application working directory (expanded deployments)
c) "user home" (to read additional, external configuration files)
Any further ideas/thoughts here?

- The permission declarations has to be a separate file. And I like
the idea to expand this mechanism to library jars subsequently.

- there is one thing that I would like to discuss further:
EE.6.2.2.1 => 4th §:
"If an application module does not contain a declaration of required
security permissions and deployment otherwise succeeds, the Java EE product
must grant the application components the permissions established by
the security
policy of the installation. "

and 5th §
Note that, on some installations of Java EE products, the security
policy of the installation may be such that applications are granted
fewer permissions than
those defined in Table EE 6-2 and ...

I strongly believe that the minimum rights for an application missing
a permissions.xml should be the EE 7 platform default (Table EE.6-2).
It doesn't make any sense to me to successfully deploy an application
which isn't able to run because of the security policy of the
installation. And yes, I have read the 2nd § in the same chapter and
you are right. So I am with Adam here, that we

> "force" the application server vendor to provide a prepared policy with the restrictions defined in the Java EE / EJB specs.

And I would even go further and define one for each profile.

#1 reason is to make it dead simple for developers to install a server
with the appropriate (minimum Java EE 7) rights. Messing around with
such a detailed security configuration is something that shouldn't
hinder anybody writing a Java EE 7 application. Security isn't funny
and never will be. Let's hide it as much as possible.

- M



On 10 May 2012 23:44, Bill Shannon <bill.shannon@...> wrote:
> Larry McCay, Ron Monzillo, and I have drafted updates to the platform
> spec to describe the new security manager requirements we've previously
> agreed on.  It turned out to be surprisingly difficult to write these
> requirements in a way that captures some of the subtlety involved.
> Please review these updated spec sections carefully and ask questions
> if you're not sure exactly what the requirements are.
>
> The proposed spec updates are here, and will be folded into the draft
> spec soon (obviously the numbering and such will be fixed at that point):
>
> http://java.net/projects/javaee-spec/downloads/download/ee-sec-mgr-00-ljm.pdf
>
> Thanks.




[javaee-spec users] [jsr342-experts] spec changes for new security manager requirements

Bill Shannon 05/10/2012

[javaee-spec users] [jsr342-experts] Re: spec changes for new security manager requirements

Werner Keil 05/10/2012

[javaee-spec users] [jsr342-experts] Re: spec changes for new security manager requirements

Bill Shannon 05/10/2012

[javaee-spec users] [jsr342-experts] Re: spec changes for new security manager requirements

Werner Keil 05/10/2012

[javaee-spec users] [jsr342-experts] Re: spec changes for new security manager requirements

Markus Eisele 05/11/2012

[javaee-spec users] [jsr342-experts] Re: spec changes for new security manager requirements

Werner Keil 05/11/2012

[javaee-spec users] [jsr342-experts] Re: spec changes for new security manager requirements

Bill Shannon 05/15/2012

[javaee-spec users] [jsr342-experts] Re: spec changes for new security manager requirements

Bill Shannon 05/15/2012
 
 
Close
loading
Please Confirm
Close