Security

mark.reinhold at oracle.com
Mon Mar 16 20:48:06 UTC 2015


2015/3/10 6:50 -0700, david.lloyd at redhat.com:
> On 3/9/15 9:51 PM, Tim Boudreau wrote:
>> ...
>> 
>> I don't think it works to discuss permissions in the abstract without an
>> explicit use case or two to understand what you're after and why.
> 
> In addition to being able to support Java EE, I think that the use cases 
> overlap heavily with those of, say, javaws applications.  I don't think 
> we can really discuss a module distribution mechanism without 
> considering the security aspects that informed previous distribution 
> mechanisms.

The Applet and Java Web Start (aka JNLP, JSR 56) security model remains
very simple: Code either runs in a highly-restricted sandbox, or it has
all permissions.  It is possible to grant permissions to specific code
bases or code-base origins, or specific code signers, via system-wide or
user-specific policy files; so far as I know, however, this is rarely
done in practice.  There is no way to indicate, in an applet tag or JAR,
or a JNLP file, that specific fine-grained permissions are required.

OSGi has a sophisticated mechanism for managing the permissions granted
to bundles, but unless I've missed something it does not have a way to
indicate, in a bundle's definition, that the bundle requires specific
permissions.

The Java EE 7 use case is somewhere between these two in scope and
complexity (see my reply nearby).

> We have users who have used security managers not just for untrusted 
> code, but also as a tripwire for trusted code for bug prevention as well 
> as exploitation detection.  I'm not sure I'm really the right person to 
> justify the existence of the security manager, but the fact is that 
> people do think they need it, and they do use it, including Java EE 
> permissions.xml files as well as our own per-module permission 
> declaration system.

Aside from JBoss modules, are there any other examples of systems in
which the definition of a module describes the permissions that the
module requires?

- Mark
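An added illustration of the two ideas in this exchange (a module declaring the permissions it requires, and the security manager as a tripwire that turns any undeclared access by trusted code into a caught failure); this is example code written for this page, not JBoss Modules, Java EE or JDK code, and the JAR path, permissions and `allows` helper are constructed assumptions.

```java
import java.io.FilePermission;
import java.net.URL;
import java.security.*;
import java.util.*;

// Added example: a Policy that grants a code base only the permissions its
// module definition declared. Assumes a JDK where SecurityManager is usable
// without extra flags (JDK 8-16); on JDK 17+ run with -Djava.security.manager=allow.
public class DeclaredPermissionsPolicy extends Policy {
    // Constructed sample: the permissions each module's definition declares.
    private final Map<String, PermissionCollection> declared = new HashMap<>();

    public DeclaredPermissionsPolicy() {
        Permissions p = new Permissions();
        p.add(new FilePermission("/tmp/app/-", "read"));
        p.add(new RuntimePermission("getenv.HOME"));
        declared.put("file:/opt/app/lib/module-a.jar", p); // hypothetical module JAR
    }

    @Override
    public boolean implies(ProtectionDomain domain, Permission permission) {
        CodeSource cs = domain.getCodeSource();
        if (cs == null || cs.getLocation() == null) {
            return true; // bootstrap/system domains keep all permissions
        }
        PermissionCollection pc = declared.get(cs.getLocation().toExternalForm());
        return pc != null && pc.implies(permission); // undeclared => denied
    }

    // Helper (not a JDK API): would code loaded from codeBase be granted permission?
    public boolean allows(String codeBase, Permission permission) throws Exception {
        CodeSource cs = new CodeSource(new URL(codeBase), (java.security.cert.Certificate[]) null);
        return implies(new ProtectionDomain(cs, null), permission);
    }

    public static void main(String[] args) throws Exception {
        DeclaredPermissionsPolicy policy = new DeclaredPermissionsPolicy();
        String jar = "file:/opt/app/lib/module-a.jar";
        System.out.println("declared read: " + policy.allows(jar, new FilePermission("/tmp/app/data.txt", "read")));
        System.out.println("undeclared read: " + policy.allows(jar, new FilePermission("/etc/passwd", "read")));

        // Tripwire mode: install the policy; this class's own code base declared
        // nothing, so the check below fails and the violation is caught and logged.
        Policy.setPolicy(policy);
        System.setSecurityManager(new SecurityManager());
        try {
            AccessController.checkPermission(new FilePermission("/etc/passwd", "read"));
        } catch (AccessControlException e) {
            System.err.println("tripwire: undeclared access attempted: " + e.getPermission());
        }
    }
}
```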
