Security

David M. Lloyd david.lloyd at redhat.com
Tue Mar 10 13:50:10 UTC 2015 

On 3/9/15 9:51 PM, Tim Boudreau wrote:
>     > I think there is definitely value in the module knowing what permissions
>     > it needs to function, and to be shipped with those permissions.  I think
>     > that if this is combined with a configuration-specific verification
>     > mechanism, this could allow users to express a level of trust the way
>     > they do today for signed JARs, and/or perhaps be able to verify (at
>     > install time) whether or not they want to go ahead with installing a
>     > module with certain permissions.
>
>     I can imagine building something like this, but would anyone use it?
>
>
> Umm... no.
>
> David, could you give a concrete example of what you're looking for?
> Permissions like creating classloaders or accessing files or network -
> i.e. security-manager applet-style stuff, or something else?

I'm talking about the J2SE security manager architecture and 
java.security.Permission and its subclasses.

> I don't think it works to discuss permissions in the abstract without an
> explicit use case or two to understand what you're after and why.

In addition to being able to support Java EE, I think that the use cases 
overlap heavily with those of, say, javaws applications.  I don't think 
we can really discuss a module distribution mechanism without 
considering the security aspects that informed previous distribution 
mechanisms.

We have users who have used security managers not just for untrusted 
code, but also as a tripwire for trusted code for bug prevention as well 
as exploitation detection.  I'm not sure I'm really the right person to 
justify the existence of the security manager, but the fact is that 
people do think they need it, and they do use it, including Java EE 
permissions.xml files as well as our own per-module permission 
declaration system.

>     I've seen little evidence over the years of broad use of the
>     fine-grained
>     security model introduced way back in JDK 1.2.  Do we really need to
>     complicate the module system with permission declarations?
>
>
> My instinct would be to make sure a module can provide metadata beyond
> just what's in the spec, as you can with module manifests, so if someone
> wants that they can implement it and do a tree of per-module
> SecurityManagers or whatever;  if it proves of broad value, it'd be a
> fine subject for its own subsequent JSR.  Happy to be convinced otherwise.

I don't think it really needs to be more complicated than using the 
existing ProtectionDomain mechanism to assign permissions to each 
module/code source/whatever unit of granularity makes the most sense.

-- 
- DML

More information about the jpms-spec-experts mailing list