Versions Compared

Comment: Added questions to the wiki page for security.

...

By default, Java application code and the Tuscany code base run in an insecure environment with no security manager. This gives the Java application access to all system resources. The application may read and write all system properties, open and read any system files, and do all sorts of unprotected actions. All Tuscany code will run unhindered in this environment, and so will any malicious Tuscany user. Users may not welcome this, so we need to think about how to provide secure code that blocks malicious usage.

You may turn security on by running your Tuscany application with the -Djava.security.manager option on the command line. The default security manager delegates access control decisions to java.security.AccessController. The AccessController determines access authority for your Java code by consulting the permissions in a java.security.Policy class usually specified in the default security.policy file.
who are you talking to here? Is this the extension developer or user running an app on Tuscany?

There is only one Policy object installed into a Java runtime at any given time. The default behavior for Java is to load the authorization data from one or more security policy files, but Tuscany users may add to or replace the policy by running with additional policy information on the command line. For instance "-Djava.security.manager -Djava.security.policy=tuscany.policy -Dpolicy.allowSystemProperty=true" will add the permissions in the tuscany.policy file to the default Java permissions. If you specify "-Djava.security.policy==tuscany.policy" you replace the default policy with those specified in the Tuscany policy file. When Tuscany is run by an application server (whether it be WebSphere, Geronimo, or other), the policy of the server will form the starting point for Tuscany's security policy.
What is a policy object?
Again, who is the 'Tuscany user'? I am asking this because in the 2nd paragraph you mentioned this is written for extension developers and not users.

Each policy file will contain a list of grant statements. A grant tells the runtime where the code came from (a URL specifying the code base), who signed the code (a list of signer certificates), and what permissions are given. The permissions can be read/write permissions to the file system, access to system properties, or class loading privileges.
An example of granting all permissions to an unsigned Tuscany code base is given here:

...

In summary, with security on, Tuscany class XYZ can access a secured resource only if the security manager's AccessController has determined that the proper permissions are available in the security policy. Tuscany code that calls a protected Java API will only work with an AccessController doPrivileged block and the proper permissions in place. Otherwise, the Tuscany code will not run properly with security on, and it will throw SecurityExceptions left and right. Many times these SecurityExceptions will be passed back to the Tuscany runtime, wrapped in a ServiceRuntimeException, and presented to the user. Not good.
Is this Java security manager?

...

Identifying the Common Java APIs That Require Security Enablement

What are some of the Java APIs that might cause your Tuscany code to produce a SecurityException? In the Java API Reference, any Java API that throws a SecurityException is a candidate.
For instance, notice that java.lang.System.getProperty(String) may throw a security exception. With security on, you are allowed to read some System properties (such as java.version or os.name) but by default you will get a SecurityException on other properties (such as user.home or java.home). In general, this makes sense because we do not want any intruders to have a map of the file system. A concise list of APIs with security checks is located at Methods and the Permissions They Require.
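As an added example (not Tuscany project code), the following class shows the two situations described above: a direct call to System.getProperty, which is denied for user.home under the default policy when the security manager is on, and the same read placed in an AccessController doPrivileged block so that only this class's code base needs the PropertyPermission. The class name, the commented-out policy grant and its codeBase path are hypothetical.

```java
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.PrivilegedAction;

// Hypothetical helper, not part of the Tuscany code base.
// Run with:  java -Djava.security.manager GuardedPropertyReader
// To let this code (and only this code) read user.home, add a grant such as
// the following to a file passed with -Djava.security.policy=tuscany.policy
// (the codeBase path is a placeholder):
//   grant codeBase "file:/PLACEHOLDER/path/to/tuscany/classes/-" {
//       permission java.util.PropertyPermission "user.home", "read";
//   };
public final class GuardedPropertyReader {

    // Every frame on the call stack must hold PropertyPermission "name","read",
    // otherwise AccessController throws AccessControlException (a SecurityException).
    static String readDirect(String name) {
        return System.getProperty(name);
    }

    // doPrivileged stops the stack walk at this frame: callers further up need no
    // permission, but this class's own protection domain still must be granted it.
    // Keep such blocks narrow; do not hand guarded values back to arbitrary callers.
    static String readPrivileged(final String name) {
        return AccessController.doPrivileged(new PrivilegedAction<String>() {
            @Override
            public String run() {
                return System.getProperty(name);
            }
        });
    }

    public static void main(String[] args) {
        // java.version is readable under the JDK's default policy; user.home is not.
        for (String name : new String[] {"java.version", "user.home"}) {
            try {
                System.out.println(name + " (direct) = " + readDirect(name));
            } catch (AccessControlException e) {
                System.out.println(name + " (direct): denied, needs " + e.getPermission());
            }
            try {
                System.out.println(name + " (privileged) = " + readPrivileged(name));
            } catch (AccessControlException e) {
                System.out.println(name + " (privileged): denied, grant " + e.getPermission()
                        + " to this code base");
            }
        }
    }
}
```

Without -Djava.security.manager both reads succeed, which is the unhindered default environment the first paragraph describes; with it, the privileged read of user.home succeeds only once the grant above is in the active policy.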

...

To be a little more concrete for Tuscany developers, let's go through some common API groups that they are likely to use.

...

This article shows just a few techniques that cover many of the security issues that arise in the Tuscany code base. If you are aware of the Java security architecture and how to control access to guarded resources, you can guard against malicious users who might use the Tuscany code base for no good.