SecurityManager environments

Robert Muir rcmuir at gmail.com
Fri Apr 7 02:54:08 UTC 2017


>
> As regards the security manager then it's hard to see how it fits into the
> discussion. To be honest, we don't see a lot of security manager usage on
> the server side these days. I look at a lot of bug reports and error logs
> that include the command line and I don't see -Djava.security.manager very
> often.

Not to be negative nancy, but that's because SecurityManager is
totally unfriendly for server-side usage, as others have pointed out
in this thread.

To me, it always seemed geared at a desktop/applet use-case. On the
other hand for a server (e.g. long-lived daemon-process), it's
basically useless to set -Djava.security.manager, you get almost zero
protection, because of the nature of the beast.

I think it's generally accepted that such use-cases require a lot of
privileges up-front initially (e.g. bind to network ports and so on),
then they drop them.  This is pretty common in other programming
languages, java just screws it up, it's really hard to do such a thing
with securitymanager out of box without writing tons of custom code. I
won't even mention the low level nuances such as the fact the
default security policy shipped with java allows tons of bogus crap
like binding to network ports, Thread.stop, etc :)

The second problem is that so many common java libraries don't care
about this stuff and just call internal apis and do all kinds of bogus
crap (e.g. setAccessible) without any care to the world. They are
doing this cowboy-style so of course such usages are generally not
contained/well-protected, they probably don't even know how
doPrivileged() works at all.

Because of these problems, if you are a server-side app, even if you
understand this stuff and want to do the right thing, it's really hard
to avoid simply granting all kinds of horrible permissions globally to
all code. In my experience the worst problems are the internal api
usage issues, so it would be nice to "give jigsaw a chance" to see if
it makes the situation better. SecurityManager is really great if you
want to prevent common security issues such as directory traversal,
but it's too hard for a server side app right now.
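The "grant up-front, then drop" pattern the message describes, as an added example that is not part of the original post or of any project mentioned in the thread. The daemon binds its listening port while the JVM is still unrestricted, then installs a constructed policy that grants almost nothing and turns the SecurityManager on; after that point the calls a careless library typically makes (binding another port, setAccessible on JDK classes, reading arbitrary system properties) are vetoed, while the socket bound earlier keeps working. The class name, the policy text and the checks are assumptions made for this example. It relies on APIs that exist from JDK 8 up to JDK 23 (`Policy.getInstance("JavaPolicy", URIParameter)`, `System.setSecurityManager`); JDK 18 to 23 additionally require `-Djava.security.manager=allow` on the command line, and JDK 24 removed the ability to enable a SecurityManager at all.

```java
import java.net.ServerSocket;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Policy;
import java.security.URIParameter;

/**
 * Bind first, then drop privileges with a SecurityManager (added example).
 *
 * Run:  java DropPrivilegesDemo                               (JDK 8 - 17)
 *       java -Djava.security.manager=allow DropPrivilegesDemo (JDK 18 - 23)
 */
public class DropPrivilegesDemo {

    // Constructed policy: the only grant is reading one system property.
    // Compare with the JDK's shipped java.policy, which grants e.g.
    // SocketPermission "localhost:0", "listen" and RuntimePermission "stopThread".
    static final String RESTRICTIVE_POLICY =
        "grant {\n" +
        "  permission java.util.PropertyPermission \"java.version\", \"read\";\n" +
        "};\n";

    /** Step 1: acquire what the daemon needs while the JVM is unrestricted. */
    static ServerSocket bindEarly() throws Exception {
        return new ServerSocket(0);  // port 0 = any free port; no manager yet
    }

    /** Step 2: install the restrictive policy, then switch the manager on. */
    static void dropPrivileges() throws Exception {
        Path policyFile = Files.createTempFile("restrictive", ".policy");
        Files.write(policyFile, RESTRICTIVE_POLICY.getBytes(StandardCharsets.UTF_8));
        // "JavaPolicy" is the standard policy-file implementation. The file is
        // parsed eagerly, so it can be deleted before the manager is live
        // (deleting it afterwards would itself need a FilePermission).
        Policy.setPolicy(Policy.getInstance("JavaPolicy",
                new URIParameter(policyFile.toUri())));
        Files.delete(policyFile);
        System.setSecurityManager(new SecurityManager());
    }

    interface Action { void run() throws Exception; }

    /** Runs an action and reports whether the manager vetoed it. */
    static boolean denied(String what, Action action) {
        try {
            action.run();
            System.out.println("ALLOWED: " + what);
            return false;
        } catch (SecurityException e) {
            System.out.println("DENIED : " + what + " (" + e.getMessage() + ")");
            return true;
        } catch (Exception e) {
            throw new RuntimeException(what, e);
        }
    }

    public static void main(String[] args) throws Exception {
        try (ServerSocket listener = bindEarly()) {
            System.out.println("bound port " + listener.getLocalPort()
                    + " before dropping privileges");
            dropPrivileges();

            // The early socket keeps working: the "listen" check happens at
            // bind time, not on every later use of an already-open socket.
            System.out.println("still bound: " + listener.isBound());

            // What a library that ignores the manager now runs into:
            denied("bind a second port",
                   () -> new ServerSocket(0).close());               // SocketPermission "listen"
            denied("setAccessible on a JDK method",
                   () -> String.class.getMethod("hashCode").setAccessible(true)); // ReflectPermission
            denied("read system property user.home",
                   () -> System.getProperty("user.home"));           // PropertyPermission not granted
            denied("read system property java.version",
                   () -> System.getProperty("java.version"));        // the one grant: allowed
        }
    }
}
```

All classes here share one ProtectionDomain (the application class path), so the example cannot show `doPrivileged()` doing anything useful: that call only stops the stack walk at the caller's own domain, and helps only when the policy grants a trusted code base more than it grants the library calling into it. Separating trusted and untrusted code into different jars with different `grant codeBase` entries is exactly the custom work the message says is needed.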
