JEP411: Restricting/logging library usages using a SecurityManager
Alan Bateman
Alan.Bateman at oracle.com
Tue Apr 20 18:15:53 UTC 2021
On 15/04/2021 22:10, Roel Spilker wrote:
> :
>
> But on my server application, we use libraries. And I'm very
> interested on how they behave.
>
> I would like to log or restrict the following actions:
> - Spawning new processes
> - Unexpected file access
> - Unexpected network traffic
>
> Currently, our application sets a custom written security manager to
> restrict or log those aspects.

It's possible to use bytecode instrumentation and a Java agent to
instrument the API classes that support these operations and that may be
an alternative. One thing that would be interesting to expand on is what
you mean by "restrict"? Do you grant socket permissions to connect to
specific hosts or just set your own security manager to log the socket
permissions?

For Runtime.exec/ProcessBuilder, there are API additions in the works
that should help with this too.

>
> For example, we would block all XXE attacks by just having our
> security manager.
>
Someone else asked about this a few days ago too. The Security
Developer's Guide has a good chapter on this topic [1] as there are many
configuration knobs to restrict or disable "external access" that don't
require setting a SecurityManager.

-Alan.

[1]
https://docs.oracle.com/en/java/javase/16/security/java-api-xml-processing-jaxp-security-guide.html
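
As an added illustration of the "configuration knobs" mentioned in the reply above (this is not code from the post or from the linked guide), the following sketch parses the same document with a default `DocumentBuilderFactory` and with one whose external DTD and schema access is restricted through standard JAXP properties. It assumes Java 11 or later and the JDK's built-in JAXP implementation; the class name, the temporary file and the XML document are constructed for the example.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;

// Hypothetical demo class; not part of any project discussed in the thread.
public class JaxpExternalAccessDemo {

    // Parse with the given factory; return the root element's text or the rejection reason.
    static String parse(DocumentBuilderFactory dbf, String xml) {
        try {
            return "parsed: " + dbf.newDocumentBuilder()
                    .parse(new InputSource(new StringReader(xml)))
                    .getDocumentElement().getTextContent();
        } catch (Exception e) {
            return "rejected: " + e.getMessage();
        }
    }

    // Factory with external access turned off through JAXP properties, no SecurityManager.
    static DocumentBuilderFactory restricted() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // An empty value means no protocol (file, http, ...) may be used.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setXIncludeAware(false);
        return dbf;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a temp file standing in for a local resource,
        // referenced from the document as an external entity.
        Path local = Files.createTempFile("jaxp-demo", ".txt");
        Files.writeString(local, "local-file-content");
        String xml = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE r [<!ENTITY ext SYSTEM \"" + local.toUri() + "\">]>"
                + "<r>&ext;</r>";

        System.out.println("default    -> " + parse(DocumentBuilderFactory.newInstance(), xml));
        System.out.println("restricted -> " + parse(restricted(), xml));
        Files.delete(local);
    }
}
```

The same restriction can be applied process-wide with the `javax.xml.accessExternalDTD` and `javax.xml.accessExternalSchema` system properties, which helps when the parser is created inside a library.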