Implementing an Authorization framework on Java.

Peter Firmstone peter.firmstone at zeus.net.au
Tue Feb 7 02:53:22 UTC 2023


Hello OpenJDK folk,

SecurityManager, AccessController and AccessControlContext will be 
removed in a future version of Java.

Just briefly: Our software is heavily dependant on Java's Authorization 
framework, we use ProtectionDomain's to represent remote services for 
authorization decisions.  We are working out how to implement a new 
authorization framework after SecurityManager's removal.

Many libraries call AccessController#doPrivileged methods, when these 
methods are removed, we're going to have a big problem with viral 
permissions.   Restricted authorization will become meaningless if it 
has to be granted to all domains on a call stack.

https://github.com/opensearch-project/OpenSearch/issues/1687

Retaining methods in the platform that developers can instrument will 
provide a common frame of reference for authorization decisions, that's 
runtime backward non-breaking, without burdening OpenJDK with maintenance.

I'm requesting retaining the DomainController interface, 
AccessController, AccessControlContext and Subject methods as no-op's 
for instrumentation?    Please leave them deprecated as no-op's, but not 
"deprecated for removal".

https://github.com/pfirmstone/HighPerformanceSecurity

Some thoughts:

 1. Ability to disable finalizers in Java 18 onwards is important to
    prevent finalizer attacks when instrumenting constructors to throw a
    RuntimeException.
 2. Guard#check methods can be no-op's for instrumentation.   If I can
    replace all instances of SecurityManager#checkPermission in OpenJDK
    with Guard#check, I can contribute the patches, this will assist
    greatly in the transition process of retaining existing hooks, while
    developing replacements.
 3. Reduce the size of the Java Platform's trusted computing base by
    giving all system ProtectionDomain's a CodeSource with a non-null
    meaningful URL.   Unfortunately Java Serialization is in the base
    module, so we cannot authorize it's use with a permission check, as
    the base module needs AllPermission, it has to be managed with
    serial filters
    (https://dzone.com/articles/a-first-look-into-javas-new-serialization-filterin
    - perhaps someone will write a serialfilter generation tool that
    works similarly to our POLP policy generation tool?). Privileges
    cannot be elevated by an authenticated Subject, when all domains on
    the call stack are already privileged.  If Serialization was in a
    different ProtectionDomain, then we could prevent de-serialization
    for unauthenticated Subject's. Perhaps OpenJDK might consider moving
    Serialization into a different module in future before it's eventual
    removal?
 4. Instrument all data parsing methods with guard checks, eg XML.  
    This allows authorization decisions to parse remote data based on
    the Principal's of the remotely authenticated Subject, to prevent
    injection attacks.
 5. We already have principle of least privilege policy generation tools
    and efficient policy checking tools for authorization in place.  
    These allow for simple policy file generation, auditing, editing and
    deployment.

-- 
Regards,
  
Peter Firmstone
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20230207/5982e87a/attachment.htm>


More information about the security-dev mailing list